You might not think about the brand of your router, but that could all change after security experts warned that not all are created equal.
And one brand in particular – Totolink – appears to be plagued by a worrying number of vulnerabilities in its products, including some very serious ones.
For example, the Totolink A3300R wireless router has command injection vulnerabilities that were recently discovered, and the Totolink A8000RU was found to have a hardcoded password that anyone could access.
Troubled past
What’s also worrying is that, as of this writing, the SSL certificate for the company’s official website isn’t even trusted by Chrome browsers, possibly indicating a sign of compromise, or at least poor maintenance of the site by Totolink.
The National Vulnerability Database (NVD) maintained by NIST shows a large number of recently added bugs in the Totolink hardware. The A3300R in particular appears to be affected, with many command injection vulnerabilities.
Two critical vulnerabilities were also found in the N200RE, both of which could lead to buffer overflow attacks. Both listings also include a note stating that the supplier was contacted about the defects, “but did not respond in any way.”
The problems with Totolink routers date back years and have been involved in large-scale attacks. For example, there was a variant of the infamous Mirai botnet known as Beastmode found it exploiting flaws in Totolink routers in spring 2022. Another botnetknown as Zerobot, also exploited flaws in it and routers from other manufacturers, such as D-Link and Huawei, in late 2022.
In 2021, several flaws were also discovered in the Totolink software, which could enable remote attacks. This software was part of the A300R2 router. It was noted to be easily exploitable via a remote attack, allowing threat actors to execute arbitrary code.
Even problems with Totolink routers go as far back as 2015when it turned out that many of his routers had flaws, some dating back as much as six years before the date of this particular discovery.
Totolink is owned by the Hong Kong company Zioncom Holdings Limited. This company’s website is also flagged by Chrome for not having a valid SSL certificate.