Zero-day flaw in TP-Link smart home routers disclosed by security engineer after failure to respond

Matthew Garrett, a Google security engineer, has revealed a zero-day vulnerability impacting TP-Link SR20 smart home routers after the company failed to fix the issue within 90 days, a timeframe now established within cybersecurity as a reasonable amount of time for vendors to fix reported security issues.

The security flaw is a zero-day arbitrary code execution (ACE) bug in TP-Link SR20 routers, which are dual band 2.4 GHz / 5 GHz products touted as routers suitable for controlling smart home and Internet of Things (IoT) devices while lessening the risk of bottlenecks. 

The SR20 also supports devices which make use of the ZigBee and Z-Wave protocols.

As documented in this Twitter thread, Garrett disclosed his findings to TP-Link over 90 days ago via the firm’s online security disclosure form.

“It’s been over 90 days since I reported it and @TPLINK never responded, so: arbitrary command execution on the TP-Link SR20 smart hub and router (and possibly other TP-Link devices)” — Matthew Garrett (@mjg59), March 28, 2019

Although TP-Link promises researchers that they will hear back within three business days, weeks later there was still no response. Attempts to contact TP-Link through other channels also failed.

Further technical details concerning the vulnerability have been published in a blog post written by the security engineer. Proof-of-concept (PoC) code has also been released.

TP-Link’s situation is not the only router-related security issue to appear this week. Cisco has also ended up in the hot seat after failing to properly patch Cisco RV320 and RV325 WAN VPN routers against remote attacks.