Security Flaw Found In Linksys Wireless Router

The popular Linksys WRT54G wireless router has a security flaw that enables unauthorized remote access to its administrative functions, an expert claims.

Independent consultant Alan W. Rateliff II said in a posted warning that the router will display its administrative Web over the Internet page via ports 80 and 443 -- even if the user turns off the remote administration function.

After intruders access the administrative log-on screen, they can then get into the management functions because the default user name and passwords are obvious. Most such devices use, by default, obvious user names and passwords like "admin."

"The implications are obvious: Out of the box the unit gives full access to its administration from the WAN using the default or, if the user even bothered to change it, an easily guessed password."

Rateliff said he reported the problem to Linksys, which is a division of Cisco, in April but did not receive a response. Nor has the company updated the firmware for the router to fix the problem, he noted. The most recent firmware for the router, as posted on the Linksys Web site, is dated March 17, 2004.Besides changing to a complex password, Rateliff said a workaround is to forward ports 80 and 443 to non-existent hosts.