TP-Link’s M5350 3G/Wi-Fi router has a huge bug that makes it extremely insecure.
Sending an SMS to the router containing the following text
results in the device replying with the admin username, admin password, its Wi-Fi name (SSID), and its Wi-Fi password.
It’s unlikely that the vulnerability has been patched: according to TP-Link’s current firmware download page for the M5350, the most current version is M5350_V2_140115, released in January 2015.
A German company called Securai discovered the bug and described the issue as a cross-site scripting (XSS) bug triggered by an SMS containing the aforementioned attack script.
The bugs were revealed at last week’s Kaspersky Security Analyst Summit.
Anyone owning one of these devices should consider upgrading, and keeping their fingers crossed that the new device doesn’t have similar issues. Unfortunately, when it comes to the Internet of Things, we’re all at the mercy of the developers.