A bug in Wi-Fi ‘extenders’ could give a hacker full control over the devices

The vulnerability in a piece of TP-Link gear is just the latest bug to be found in popular home networking equipment.
Wi-Fi extender, TP-Link
A Wi-Fi extender from TP-Link. (TP-Link Technologies)

If you’re looking to strengthen the Wi-Fi signal in your home or business, be sure the equipment you use doesn’t have a vulnerability that could give free rein to hackers.

IBM X-Force researcher Grzegorz Wypych has found such a firmware flaw, one that would let an attacker execute code remotely without having to log into the wireless device. The vulnerability is in an “extender” — a piece of gear used to expand Wi-Fi coverage — made by networking company TP-Link Technologies. Often available for cheap through electronics retailers, Wi-Fi extenders are used in homes and small businesses to boost connectivity. But, as Wypych pointed out, the extenders can also make their way into larger businesses looking for easy internet access for employees.

The research is another reminder that internet of things (IoT) devices, although prized for their convenience, can come with big security risks.

Wypych found that by altering an HTTP request to an extender, a hacker could remotely execute any shell command on the device. The entire device would be at the mercy of the attacker because the processes running on it all include “root-level access” to the device, he said. In terms of impact, the attacker could, for example, conscript the compromised device into a botnet.


“Running as root by default is quite risky because anyone who may compromise the device could perform any action on it,” Wypych wrote in a blog post Tuesday.

The vulnerability is just the latest bug to be found in popular home networking equipment. Last year, the cybersecurity industry came to appreciate how attackers could abuse home internet routers at scale with the discovery of the malware VPNFilter, reportedly authored by Russia-backed hackers, which infected half a million devices in 2018 before U.S. officials disrupted the botnet. And this past April, cybersecurity company Tenable published a warning about vulnerabilities in Verizon Fios routers that, if exploited, could allow a hacker full control of a wireless home network and access to devices connected to them.

The insecurity of IoT devices has been a concern for policymakers for some time. A report issued last May by the departments of Commerce and Homeland Security warned that IoT vendors do not have the cost incentives to build more security into their products. Lawmakers are trying to correct that perceived market failure. A bill approved by the House Oversight and Reform Committee last week would require minimum security standards for IoT products sold to the government.

In terms of fixing the vulnerability in TP-Link Wi-Fi extenders, Wypych referred readers to the company’s website for firmware updates.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts