Tens of thousands of long-range Wi-Fi routers used to provide home wireless broadband, especially in remote or rural areas, are riddled with vulnerabilities that could let a hacker take over IT networks, security researchers said Tuesday.
The vulnerabilities, some of which can be exploited remotely if the router’s management interface is directly connected to the internet, were discovered in Cambium Networks’ ePMP and cnPilot product lines by independent researcher Karn Ganeshen earlier this year.
Although Cambium has made patches available, as many as 36,000 of the devices appear visible on the internet.
Ganeshen approached cybersecurity firm Rapid7 to coordinate disclosure with Cambium in September, Rapid7 Director of Research Tod Beardsley told CyberScoop.
“He had a great big pile of vulnerabilities,” Beardsley said. “A lot of them were variations on a theme. We triaged them out … and when we figured out what we had, there were really 11 of them, which we took to Cambium.”
“We jumped on them,” said Cambium Networks’ SVP of Product Management Scott Imhoff. “We appreciate it, from a manufacturer’s point of view, when an organization like Rapid7 does the right thing” and coordinates a responsible disclosure of the vulnerabilities they’ve found, waiting until the patch has been completed and tested.
He said the largest set of customers for the ePMP product were internet service providers, especially in rural or remote areas. One of the selling points of the product is its scalability, Imhoff said, and the number of subscribers served by the device ranges from a few dozen to 200,000.
The other major customer base uses the product to provide connectivity to closed-circuit TV cameras, he added.
He said the company was launching a major awareness campaign, “a big push,” to ensure its customers knew they needed to download the latest version.
“You’ve got to make sure the network operators know about the patch and are applying it,” he said.
According to a Rapid7 blog post, the company conducted a scan of web ports visible on the public internet and identified 36,000 ePMP products potentially vulnerable to remote exploitation via one or more of the five firmware vulnerabilities. There was a much smaller number, 133, of cnPilot devices visible and therefore possibly exploitable.
Beardsley noted the devices often come with rudimentary user credentials and passwords, making it easy for hackers to potentially gain access to the devices.
Nonetheless, he said, there was no evidence that the vulnerabilities had been exploited in the wild.