The National Cyber Security Centre (NCSC) under the Ministry of National Defence has investigated a weakness in a type of network router popular in Lithuania: the factory-set Wi-Fi password can be recovered by brute force in a relatively short time. That would give attackers access to the user's home network, let them eavesdrop on incoming and outgoing traffic, and serve as a base for other criminal activity.
As UAB Critical Security reported, the affected home routers ship with a factory default Wi-Fi password of 10 random characters drawn from the digits 0–9 and the capital letters A to F, i.e. an alphabet of only 16 symbols. That is below the current security standard: 16^10, roughly 1.1 trillion combinations, is a keyspace small enough to be exhausted by a brute-force attack. Depending on the hardware used, the factory password of such a router can be cracked in up to 30 days on an ordinary home computer, and with more powerful computing capacity the attack may take no more than a few hours. Home users who never change the default Wi-Fi password set by the router manufacturer are therefore exposed.
The security experts notified the NCSC under the MoD of their discovery in line with responsible disclosure policy; the NCSC analysed the material provided and assessed the security of the factory settings of other Wi-Fi devices on the market. The assessment revealed further vulnerable router types offered by other service providers and electronics vendors.
According to the NCSC, the number of vulnerable devices in Lithuania may be quite high: the weakness was found in the tested Technicolor TG389ac and TG789vac v2 models, the D-Link DIR-825/AC/G1, and many TP-LINK models. Not every router on the market was tested, given the scope such an investigation would require, so further makes with similar weaknesses may still be in circulation. Users whose Wi-Fi password consists only of digits should be particularly concerned: with an alphabet of 10 symbols the keyspace is smaller still, so it is an especially weak type of password that presents a great risk to users and an easy target for malicious actors. An attacker who gets into the internal network gains access to unencrypted traffic and sensitive data, or can use the compromised devices to carry out further cyber-attacks. Users may be blackmailed with threats to leak private information, or their data may be encrypted and a ransom demanded for decryption. Criminals can also combine this with other means to steal money from bank accounts.
The NCSC encourages all router users to review the settings on their devices. If your Wi-Fi password consists of digits only, or of digits and capital letters A to Z, and its total length is 8–10 characters, you need to improve the security of your Internet access by changing it to a stronger one. A secure password is at least 12–14 characters long and mixes upper- and lower-case letters, digits and special characters.
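To make the numbers behind the warning and the advice concrete, the following Python is an added example written for this page, not code from the NCSC or UAB Critical Security. It computes the keyspace of the 10-character hex default described above alongside the other character sets the article names, derives a WPA2-Personal pre-shared key the way a home router does (PBKDF2-HMAC-SHA1 with the SSID as salt, as specified in IEEE 802.11i; the article does not name the Wi-Fi security mode, so WPA2 is assumed here as the usual case), and implements the "change it now" rule from the NCSC advice as a check. The 400,000 guesses per second rate is an assumption chosen to land near the article's "up to 30 days on a home computer" figure, not a measured benchmark, and the sample passwords are constructed, not real device defaults.

```python
"""Keyspace arithmetic behind the NCSC warning, plus the password check it
recommends.  Added illustration, not code from the NCSC or UAB Critical
Security.  The guess rate is an ASSUMPTION chosen to match the article's
"up to 30 days on a home computer" figure, not a measured number."""

import hashlib
import string

ASSUMED_GUESS_RATE = 400_000   # WPA2-PSK candidates per second (assumption)

# Alphabets the article mentions; the weak factory default uses hex only.
CHARSETS = {
    "digits only": string.digits,                                   # 10
    "digits + A-F (factory default)": string.digits + "ABCDEF",     # 16
    "digits + A-Z": string.digits + string.ascii_uppercase,         # 36
    "upper + lower + digits + symbols":
        string.ascii_letters + string.digits + string.punctuation,  # 94
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters."""
    return alphabet_size ** length


def days_to_exhaust(alphabet_size: int, length: int,
                    rate: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time in days to try every password at `rate` guesses/s."""
    return keyspace(alphabet_size, length) / rate / 86_400


def wpa2_psk(ssid: str, passphrase: str) -> bytes:
    """WPA2-Personal PSK derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1 with
    the SSID as salt, 4096 iterations, 256-bit output.  An offline attacker
    holding a captured handshake must run this once per candidate, which
    is what caps the guess rate; it cannot compensate for a tiny keyspace."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def is_weak_default_pattern(password: str) -> bool:
    """The NCSC 'change it now' rule: 8-10 characters made only of digits,
    or of digits and capital letters A-Z.  Deliberately conservative: a
    password of capitals alone in that length band is flagged as well."""
    if not 8 <= len(password) <= 10:
        return False
    allowed = set(string.digits + string.ascii_uppercase)
    return all(c in allowed for c in password)


def exhaustion_table(lengths=(8, 10, 12, 14)) -> dict:
    """Days to exhaust each (charset name, length) pair at the assumed rate."""
    return {(name, n): days_to_exhaust(len(cs), n)
            for name, cs in CHARSETS.items() for n in lengths}


if __name__ == "__main__":
    # Known-answer check from IEEE 802.11i Annex H: SSID "IEEE", "password".
    assert wpa2_psk("IEEE", "password").hex().startswith("f42c6fc5")
    for (name, n), days in sorted(exhaustion_table().items()):
        print(f"{name:34s} len={n:2d}  {days:14.3g} days")
    # Constructed sample passwords (not real device defaults).
    for pw in ("3A7F09B2C1", "0412345678", "3a7f09b2c1", "Kx#9vL!q2Rm4"):
        print(f"{pw!r:16s} weak pattern: {is_weak_default_pattern(pw)}")
```

At the assumed rate the 16-symbol, 10-character default exhausts in about 32 days and a 10-digit password in under a day, while a 12-character password over the full printable set takes on the order of 10^13 days; the point is that the defence is the size of the alphabet and the length, not the PBKDF2 cost per guess.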
The NCSC regards the situation as dangerous and as requiring a swift response to protect Internet users from the risk of cyber incidents. Service providers and electronics suppliers have been informed of the findings and given concrete recommendations on the technical and organisational measures they should apply.
“The NCSC applauds the actions of UAB Critical Security experts after discovering the bug. Responsible disclosure practices are still in the process, and this example demonstrates how the public and the private sector are able to cooperate in practice on cyber security. Submission of the information has given us the time to carry out additional investigation and inform the affected entities, who then took action ahead of making the information public. We hope that making the issue of factory passwords in Wi-Fi networks public will help users to take better care of their security,” Director of the NCSC Dr. Rytis Rainys said.