Lovett found the vulnerable routers through Internet scans and by using SHODAN, a specialized search engine for Internet-connected devices. According to him, 700,000 is a conservative estimate and only covers devices that can be targeted remotely because they have their Web-based administration interfaces exposed to the Internet.
There are likely many more devices that have the same flaws but are not configured for remote management. Those can be attacked from within local networks, for example by malware or through cross-site request forgery (CSRF), a technique for hijacking a user's browser to perform unauthorized actions.
The affected device models include ZTE H108N and H108NV2.1; D-Link 2750E, 2730U and 2730E; Sitecom WLM-3600, WLR-6100 and WLR-4100; FiberHome HG110; Planet ADN-4101; Digisol DG-BG4011N; and Observa Telecom BHS_RTA_R1A. Other vulnerable devices had been branded for specific ISPs and their real make or model number couldn't be determined.
However, Lovett found one commonality: the vast majority of affected routers were running firmware developed by a Chinese company called Shenzhen Gongjin Electronics, which also does business under the T&W trademark.
Shenzhen Gongjin Electronics is an OEM (original equipment manufacturer) and ODM (original design manufacturer) for networking and telecommunications products. It manufactures devices based on its own specifications, as well as on the specifications of other companies.
According to a search on WikiDevi, an online database of computer hardware, Shenzhen Gongjin Electronics is listed as the manufacturer of networking devices from a large number of vendors, including D-Link, Asus, Alcatel-Lucent, Belkin, ZyXEL and Netgear. It's not clear how many of the listed devices also run firmware developed by the company that might contain the vulnerabilities identified by Lovett.
It's also unclear if Shenzhen Gongjin Electronics is aware of the flaws or if it has already distributed patched versions of the firmware to its partners.
The company did not respond to a request for comment and according to Lovett, his attempts to notify the company went unanswered as well.
The researcher also notified the affected device vendors that he managed to identify, as well as the United States Computer Emergency Readiness Team (US-CERT).
He disclosed some of his findings Wednesday at a security conference in the U.K. as part of a larger presentation about vulnerable SOHO embedded devices — routers, network attached storage appliances, IP cameras, etc. The talk was focused on research by Cisco Systems which found that over 25 million SOHO devices are exposed to attacks from the Internet because of default credentials and other well-known vulnerabilities.