Google security engineer Matthew Garrett privately disclosed a zero-day vulnerability affecting TP-Link SR20 smart home routers. The company failed to fix the issue within 90 days, so Garrett decided to go public with his findings. The cybersecurity industry treats this timeframe as a reasonable amount of time for vendors to fix reported security issues.
The flaw is a zero-day arbitrary code execution (ACE) bug in TP-Link SR20 routers. These dual-band routers are suited to controlling smart home and Internet of Things (IoT) devices while lowering the risk of bottlenecks. The SR20 also supports the ZigBee and Z-Wave protocols.
TP-Link has an online security disclosure form on which it promises researchers a response within three business days; weeks later, there had been no response. Other attempts at contact also failed. The problem was found in a process that TP-Link routers frequently run called “tddp”, the TP-Link Device Debug Protocol. This process runs as root and will initiate type one commands, which do not require authentication.
The SR20 router vulnerability exposes some type one commands, such as the os.execute() method, which permit an attacker to run as root and execute whatever they wish on your local network, which could result in a full hijack of your device. TP-Link’s situation is not the only router-related security issue to be discovered recently. Cisco is also dealing with issues after it failed to properly patch Cisco RV320 and RV325 WAN VPN routers against remote attackers.