A popular Wi-Fi extender for the home has multiple unpatched vulnerabilities, including the use of a weak, default password, according to researchers. Also, two of the bugs could allow complete remote control of the device.
The flaws have been found in the Tenda PA6 Wi-Fi Powerline extender, version 126.96.36.199, which extends the wireless network throughout the house using HomePlug AV2 technology.
“A compromised device can become part of an internet of things (IoT) botnet that launches distributed denial-of-service (DDoS) attacks, used to pivot to other connected devices, leveraged to mine for cryptocurrency or used in various other unauthorized ways,” explained researchers at IBM X-Force, in a posting last week.
There are currently no patches for the issues.
“Unfortunately, despite repeated attempts to contact Tenda, IBM is yet to receive any reply to its emails and phone calls,” the researchers said. “It remains unknown whether the company is working on patches.”
Threatpost has also reached out to the vendor for more information.
To protect themselves, users should change default passwords on all devices that connect to the internet; update firmware regularly; and use internal filtering controls or a firewall.