Realtek vulnerabilities compromise hundreds of thousands of routers, IoT devices

News
By
published

Realtek has now patched the flaws

Image of padlock against circuit board/cybersecurity background
(Image credit: Future)

Cybersecurity analysts have discovered critical security vulnerabilities in Realtek chips that affect more than 65 hardware manufacturers and a variety of wireless devices.

The vulnerabilities were uncovered by IoT Inspector, the makers of the firmware security analysis platform of the same name, during an analysis of the binaries packaged as part of the Realtek SDK.

“We performed vulnerability research on those binaries and identified more than a dozen vulnerabilities – ranging from command injection to memory corruption affecting UPnP, HTTP (management web interface), and a custom network service from Realtek,” explained researchers in a blog post.

TechRadar needs you!

We're looking at how our readers use VPNs with streaming sites like Netflix so we can improve our content and offer better advice. This survey won't take more than 60 seconds of your time, and we'd hugely appreciate if you'd share your experiences with us.

>> Click here to start the survey in a new window <<

The vulnerabilities can be exploited remotely by attackers to fully compromise the vulnerable devices and execute arbitrary code with the highest level of privileges.

Supply chain transparency

According to IoT Inspector, Realtek provides the SDK to vendors and manufacturers that use the RTL8xxx system-on-a-chip (SoC).

The list of hardware manufacturers affected by the Realtek vulnerabilities includes Asus, Belkin, D-Link, Edimax, Logitech, Netgear, ZTE, and more, and cover an equally wide range of devices, from residential gateways to travel routers, Wi-Fi repeaters, IP cameras, smart lightning gateways and even connected toys.

“We identified at least 65 different affected vendors with close to 200 unique fingerprints, thanks both to Shodan’s scanning capabilities and some misconfiguration by vendors and manufacturers who expose those devices to the Internet,” the researchers observed.

Citing recent supply chain attacks such as SolarWinds and Kaseya, the researchers believe the vulnerabilities in the Realtek SDK are a prime example of how an obscure supply chain can lead to all kinds of attacks.

Florian Lukavsky, MD at IoT Inspector, says the researchers notified Realtek about the vulnerabilities and a patch was issued promptly. Lukavsky urges manufacturers who use the vulnerable Wi-Fi modules to check their devices and provide security patches to their users without delay.

TOPICS
Mayank Sharma
Mayank Sharma

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.

Read more
MediaTek
MediaTek reveals host of security vulnerabilities, so patch now
cables going into the back of a broadband router on white background
Netgear urges users to patch major router security issues now
An image of network security icons for a network encircling a digital blue earth.
Industrial networks exposed to attack by faulty Moxa devices
A hacker wearing a hoodie sitting at a computer, his face hidden.
I just learned something awful about my home Wi-Fi setup thanks to iFixit’s ‘worst of CES 2025’ awards
A VPN runs on a mobile phone placed on a laptop keyboard
Major new online tunneling vulnerability could put millions of devices at risk
Security
Zyxel says it won’t patch security flaws in its old routers
Latest in Pro
A young man working on laptop in office writing notes
Ending the fix/break cycle of End User Computing support
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
Application Security Testing Concept with Digital Magnifying Glass Scanning Applications to Detect Vulnerabilities - AST - Process of Making Apps Resistant to Security Threats - 3D Illustration
Google bug bounty payments hit nearly $12 million in 2024
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
How decision makers can overcome analysis paralysis with AI
Scam alert
A new SMS energy scam is using Elon Musk’s face to steal your money
Representational image of a cybercriminal
Allstate sued for exposing personal customer information in plaintext
Latest in News
A close up of Captain America with Thor and Hulk in the background during the Assemble scene in Avengers: Endgame
'We will draw inspiration': Joe and Anthony Russo reveal which of Marvel's Secret Wars comic book series have influenced Avengers 5 and 6's plot
Ai tech, businessman show virtual graphic Global Internet connect Chatgpt Chat with AI, Artificial Intelligence.
Nation-state threats are targeting UK AI research
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
Want to buy an RX 9070 or 9070 XT but fed up of the GPUs being out of stock? AMD promises that “more supply is coming ASAP”
Cece Carroway (Sara Silva), Caroline Merteuil (Sarah Catherine Hook), and Lucien Belmont (Zac Burgess) in Cruel Intentions.
Cruel Intentions has been canceled after one season on Prime Video, but I'm not surprised by its cruel fate
iOS 18 Control Center
iOS 19: the 3 biggest rumors so far, and what I want to see
Doom: The Dark Ages
Doom: The Dark Ages' director confirms DLC is in the works and says the game won't end the way 2016's Doom begins: 'If we took it all the way to that point, then that would mean that we couldn't tell any more medieval stories'
More about pro
security

Ransomware gangs allegedly hit two major US healthcare firms, 300,000 patients have data stolen
A young man working on laptop in office writing notes

Ending the fix/break cycle of End User Computing support
GMTech

What is GMTech? Everything we know about the best AI model subscription service
See more latest
Most Popular
security
Ransomware gangs allegedly hit two major US healthcare firms, 300,000 patients have data stolen
Cece Carroway (Sara Silva), Caroline Merteuil (Sarah Catherine Hook), and Lucien Belmont (Zac Burgess) in Cruel Intentions.
Cruel Intentions has been canceled after one season on Prime Video, but I'm not surprised by its cruel fate
A close up of Captain America with Thor and Hulk in the background during the Assemble scene in Avengers: Endgame
'We will draw inspiration': Joe and Anthony Russo reveal which of Marvel's Secret Wars comic book series have influenced Avengers 5 and 6's plot
Representational image of a cybercriminal
Allstate sued for exposing personal customer information in plaintext
NYT Strands homescreen on a mobile phone screen, on a light blue background
NYT Strands hints and answers for Wednesday, March 12 (game #374)
Quordle on a smartphone held in a hand
Quordle hints and answers for Wednesday, March 12 (game #1143)
NYT Connections homescreen on a phone, on a purple background
NYT Connections hints and answers for Wednesday, March 12 (game #640)
An AMD Radeon RX 9070 XT made by Sapphire on a table with its retail packaging
Want to buy an RX 9070 or 9070 XT but fed up of the GPUs being out of stock? AMD promises that “more supply is coming ASAP”
Cowabunga, dude!
Teenage Mutant Ninja Turtles: Shredder’s Revenge, a nostalgic beat-em-up with beautiful pixel graphics, is finally coming to mobile next month
Empirical Health biomarkers
This new health protocol combines 40 smartwatch biomarkers and blood tests to give you a health score