High-end router flinger DrayTek admits to zero day in bunch of Vigor kit

'It may be possible for an attacker to intercept your router'


Taiwanese network kit maker DrayTek has 'fessed up to a vulnerability in a large number of its routers which could allow miscreants to hijack internet traffic or steal personal data.

The flaw means attackers could remotely alter DNS settings on 28 Vigor model routers. DrayTek has released a series of firmware updates addressing the issue.

Users have complained about the problem for the last week on the AbuseIPDB forum. One noted the zero-day attack had infiltrated their servers, CRM and workstations.

"We now cannot log in as it is obvious this zero-day attack has changed our passwords including our VPN accounts [that] our remote users use to log in to the environment."

DrayTek routers are considered high end in the UK – retailing at around £200, more than twice the price of garden-variety alternatives – and are mostly used by businesses. In 2015, BT's Openreach accredited DrayTek for use with its very-high-bit-rate digital subscriber line 2 (VDSL2) fibre-to-the-cabinet products.

One business customer, who discovered his router was open to the vulnerability, told El Reg: "DrayTek routers are really expensive compared with other makes, they have an awful lot of features on them and this is the first known exploit I've come across."

In a statement, the company said:

We have become aware of security reports with DrayTek routers related to the security of web administration when managing DrayTek routers.

In some circumstances, it may be possible for an attacker to intercept or create an administration session and change settings on your router.

The reports appear to show that DNS settings are being altered. Specific improvements have been identified as necessary to combat this and we are in the process of producing and issuing new firmware. You should install that as soon as possible.

Until you have the new firmware installed, you should check your router's DNS settings on your router and correct them if changed (or restore from a config backup).
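The interim check DrayTek describes above, checking the router's DNS settings and comparing them with a known-good backup, can be automated so it is not forgotten while waiting for firmware. The script below is an added example written for this article, not DrayTek's own tooling: it parses a saved DNS-settings snapshot in an assumed key=value layout (not DrayTek's real config-backup syntax), compares the resolvers against the set the administrator expects, and flags additions or removals. All addresses, key names and snapshot contents are constructed placeholders.

```python
import ipaddress

# Constructed baseline: the upstream resolvers the administrator believes are
# configured on the router. Placeholder addresses, not DrayTek defaults.
EXPECTED_DNS = ("192.0.2.1", "192.0.2.2")

# Constructed snapshots in a simple key=value layout. This layout is assumed
# for the example; it is not DrayTek's config-backup format.
BASELINE_SNAPSHOT = """\
# saved before the incident
dns1=192.0.2.1
dns2=192.0.2.2
"""

TAMPERED_SNAPSHOT = """\
# pulled from the router after reports of odd browsing behaviour
dns1=203.0.113.53
dns2=192.0.2.2
"""

# RFC 1918 and loopback ranges: a resolver inside these is LAN-side, anything
# else points traffic at an external host and deserves a closer look.
LAN_RANGES = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")
]


def parse_resolvers(snapshot):
    """Return the resolver addresses listed under dns* keys, in file order."""
    servers = []
    for raw in snapshot.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep and key.strip().lower().startswith("dns"):
            servers.append(value.strip())
    return servers


def classify(address):
    """Label an address as 'lan', 'external' or 'invalid'."""
    try:
        ip = ipaddress.ip_address(address)
    except ValueError:
        return "invalid"
    return "lan" if any(ip in net for net in LAN_RANGES) else "external"


def audit_dns(snapshot, expected=EXPECTED_DNS):
    """Compare a router DNS snapshot against the expected resolver set.

    Returns the configured list, the entries not on the allow-list (each
    tagged by classify()), the expected entries that are absent, and a single
    'changed' flag suitable for alerting or a monitoring check."""
    expected_set = set(expected)
    configured = parse_resolvers(snapshot)
    unexpected = [(s, classify(s)) for s in configured if s not in expected_set]
    missing = sorted(expected_set - set(configured))
    return {
        "configured": configured,
        "unexpected": unexpected,
        "missing": missing,
        "changed": bool(unexpected or missing),
    }


if __name__ == "__main__":
    for name, snap in (("baseline", BASELINE_SNAPSHOT), ("tampered", TAMPERED_SNAPSHOT)):
        result = audit_dns(snap)
        status = "CHANGED" if result["changed"] else "ok"
        print(f"{name}: {status} unexpected={result['unexpected']} missing={result['missing']}")
```

Run it against each fresh export of the router's DNS settings (and against the backup before restoring from it); a non-empty `unexpected` list whose entry is tagged `external` is exactly the symptom the statement describes, and is what should trigger correcting the settings and, once available, applying the firmware.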

A survey by Broadband Genie recently found the vast majority of punters are potentially leaving themselves exposed by failing to change the password and security settings on their routers. ®
