
Google researcher finds zero day in TP-Link routers

Google security engineer Matthew Garrett has disclosed a zero-day vulnerability in TP-Link’s SR20 smart home routers. The company reportedly did not respond when the researcher reported the vulnerability to it.

The flaw is an arbitrary code execution (ACE) vulnerability in TP-Link SR20 routers. These are dual-band 2.4 GHz / 5 GHz products marketed as routers capable of controlling smart home and IoT devices while reducing the risk of bottlenecks. The SR20 also supports devices that use the ZigBee and Z-Wave protocols.

According to Garrett, the problem lies in a process that TP-Link routers frequently run: “tddp”, the TP-Link Device Debug Protocol. This process runs as root and can initiate two types of commands. Type one commands do not require authentication; type two commands do.

The vulnerability exposes a number of type one commands. One of them – command 0x1f, request 0x01 – seems to be for configuration validation. With that command, an attacker on the local network can act as root, which can eventually result in the complete takeover of a vulnerable device.

Publication

Garrett disclosed the bug after TP-Link failed to resolve the vulnerability within 90 days, reports ZDNet. In cyber security, 90 days is seen as a reasonable period in which to fix reported security problems.

Garrett says he reported the flaw to TP-Link more than ninety days ago. The company promised to respond within three working days, but weeks later there was still no response. It also turned out that it was not possible to reach the company through other channels.

“If you have a web form to report security issues, make sure someone actually responds,” says Garrett.

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.