We All Replace Our Routers Frequently, Right?
There are four small/medium business routers which were made by Cisco, as recently as five years ago, which have a flaw in their password validation algorithm. If leveraged, an attacker can use it to access the device’s IPSec VPN without needing any of that pesky authentication most people expect is required to do so. Indeed it gives full administrative access to the that portion of the router, and once they have control of the VPN then they can wreak all sorts of havoc.
Cisco will not be patching this.
Their reasoning is that the kit is old, the most recent reaching EOL this year and so Cisco feels justified in no longer supporting the four effected routers, even though some continued to be sold after their official EOL. Those four models are the RV110W Wireless-N VPN Firewall, RV130 VPN Router, RV130W Wireless-N Multifunction VPN Router, and RV215W Wireless-N VPN Router.
There is a small problem in is that the majority of medium and small businesses, not to mention your ISP, do not upgrade their routers on any sort of schedule apart from replacing broken ones. How old is the one your ISP provided, and when is the last time you upgraded any routers you might have in addition to it? This sort of planned obsolescence is bad enough in a smart lightbulb, but for the hardware VPN you depend upon to provide security to be treated the same by it’s manufacturer is rather worrying.
