Hundreds of thousands of Realtek-based devices under attack from IoT botnet
Catalin Cimpanu August 23, 2021

Hundreds of thousands of Realtek-based devices under attack from IoT botnet

Hundreds of thousands of Realtek-based devices under attack from IoT botnet

A dangerous vulnerability in Realtek chipsets used in hundreds of thousands of smart devices from at least 65 vendors is currently under attack from a notorious DDoS botnet gang.

The attacks started last week, according to a report from IoT security firm SAM, and began just three days after fellow security firm IoT Inspector published details about the vulnerability on its blog.

Tracked as CVE-2021-35395, the vulnerability is part of four issues IoT Inspector researchers found in the software development kit (SDK) that ships with multiple Realtek chipsets (SoCs).

These chips are manufactured by Realtek but are shipped to other companies, which then use them as the basic System-on-Chip (SoC) board for their own devices, with the Realtek SDK serving as a configurator and starting point for their own firmware.

IoT Inspector said they found more than 200 different device models from at least 65 different vendors that had been built around these chips and were using the vulnerable SDK.

Estimated in the realm of hundreds of thousands of internet-connected devices, the list of vulnerable items includes routers, network gateways, Wi-Fi repeaters, IP cameras, smart lighting, and even internet-connected toys.

Of the four issues discovered by the IoT Inspector research team, the CVE-2021-35395 vulnerability received the highest severity rating, of 9.8 out of 10 on the CVSSv3 severity scale.

According to the research team, the vulnerability, which resided in a web panel used to configure the SDK/device, allowed a remote attacker to connect to these devices via malformed URL web panel parameters, bypass authentication, and run malicious code with the highest privileges, effectively taking over the device.

While Realtek released patches [PDF] before IoT Inspector published its findings last week, this was far too small of a time window for device vendors to deploy the security updates down the line to their own set of customers.

This means that today, the vast majority of these devices are still running outdated firmware (and an outdated Realtek SDK), being exposed to attacks.

A very busy botnet

Per SAM, exploitation started shortly after and came from the same Mirai-based botnet that a week before rushed to exploit a similar mega-bug in millions of routers running Arcadyan-based firmware.

The SAM research team said that based on their own scans, the most common device models currently running the vulnerable Realtek SDK include the likes of:

  • Netis E1+ extender
  • Edimax N150 and N300 Wi-Fi router
  • Repotec RP-WR5444 router

Owners of such devices should look or inquire their sellers for new firmware patches. The full list of vulnerable devices is included below:

ManufacturerAffected Models
A-Link Europe LtdA-Link WNAP WNAP(b)
ARRIS Group, IncVAP4402_CALA
Airlive Corp.WN-250R
WN-350R
Abocom System Inc.Wireless Router ?
AIgitalWifi Range Extenders
Amped WirelessAP20000G
AskeyAP5100W
ASUSTek Computer Inc.RT-Nxx models, WL330-NUL
Wireless WPS Router RT-N10E
Wireless WPS Router RT-N10LX
Wireless WPS Router RT-N12E
Wireless WPS Router RT-N12LX
BEST ONE TECHNOLOGY CO., LTD.AP-BNC-800
BeelineSmart Box v1
BelkinF9K1015
AC1200DB Wireless Router F9K1113 v4
AC1200FE Wireless Router F9K1123
AC750 Wireless Router F9K1116
N300WRX
N600DB
Buffalo Inc.WEX-1166DHP2
WEX-1166DHPS
WEX-300HPS
WEX-733DHPS
WMR-433
WSR-1166DHP3
WSR-1166DHP4
WSR-1166DHPL
WSR-1166DHPL2
Calix Inc.804Mesh
China Mobile Communication Corp.AN1202L
Compal Broadband Networks, INC.CH66xx cable modems line.
D-LinkDIR-XXX models based on rlx-linux
DAP-XXX models based on rlx-linux DIR-300
DIR-501
DIR-600L
DIR-605C
DIR-605L
DIR-615
DIR-618
DIR-618b
DIR-619
DIR-619L
DIR-809
DIR-813
DIR-815
DIR-820L
DIR-825
DIR-825AC
DIR-825ACG1
DIR-842 DAP-1155
DAP-1155 A1
DAP-1360 C1
DAP-1360 B1 DSL-2640U
DSL-2750U
DSL_2640U VoIP Router DVG-2102S
VoIP Router DVG-5004S
VoIP Router DVG-N5402GF
VoIP Router DVG-N5402SP
VoIP Router DVG-N5412SP
Wireless VoIP Device DVG-N5402SP
DASAN NetworksH150N
Davolink Inc.DVW2700 1
DVW2700L 1
Edge-coreVoIP Router ECG4510-05E-R01
EdimaxRE-7438
BR6478N
Wireless Router BR-6428nS
N150 Wireless Router BR6228GNS
N300 Wireless Router BR6428NS
BR-6228nS/nC
Edisonunknown
EnGenius Technologies, Inc.11N Wireless Router
Wireless AP Router
ELECOM Co.,LTD.WRC-1467GHBK
WRC-1900GHBK
WRC-300FEBK-A
WRC-733FEBK-A
Esson Technology Inc.Wifi Module ESM8196 – https://fccid.io/RKOESM8196 (therefore any device using this wifi module)
EZ-NET Ubiquitous Corp.NEXT-7004N
FIDAPRN3005L D5
Hamaunknown
Hawking Technologies, Inc.HAWNR3
MT-LinkMT-WR600N
I-O DATA DEVICE, INC.WN-AC1167R
WN-G300GR
iCoterai6800
IGD1T1R
LG InternationalAxler Router LGI-R104N
Axler Router LGI-R104T
Axler Router LGI-X501
Axler Router LGI-X502
Axler Router LGI-X503
Axler Router LGI-X601
Axler Router LGI-X602
Axler Router RT-DSE
LINK-NET TECHNOLOGY CO., LTD.LW-N664R2
LW-U31
LW-U700
LogitecBR6428GNS
LAN-W300N3L
MMC TechnologyMM01-005H
MM02-005H
MT-LinkMT-WR730N
MT-WR760N
MT-WR761N
MT-WR761N+
MT-WR860N
NetComm WirelessNF15ACV
NetisWF2411
WF2411I
WF2411R
WF2419
WF2419I
WF2419R
WF2681
NetgearN300R
Nexxt SolutionsAEIEL304A1
AEIEL304U2
ARNEL304U1
Observa TelecomRTA01
OcctelVoIP Router ODC201AC
VoIP Router OGC200W
VoIP Router ONC200W
VoIP Router SP300-DS
VoIP Router SP5220SO
VoIP Router SP5220SP
Omega TechnologyWireless N Router O31 OWLR151U
Wireless N Router O70 OWLR307U
PATECHAxler RT-TSE
Axler Router R104
Axler Router R3
Axler Router X503
Axler Router X603
LotteMart Router 104L
LotteMart Router 502L
LotteMart Router 503L
Router P104S
Router P501
PLANEX COMMUNICATIONS INC.
Planex Communications Corp.
MZK-MF300N
MZK-MR150
MZK-W300NH3
MZK-W300NR
MZK-WNHR
PLANET TechnologyVIP-281SW
RealtekRTL8196C EV-2009-02-06
RTL8xxx EV-2009-02-06
RTL8xxx EV-2010-09-20
RTL8186 EV-2006-07-27
RTL8671 EV-2006-07-27
RTL8671 EV-2010-09-20
RTL8xxx EV-2006-07-27
RTL8xxx EV-2009-02-06
RTL8xxx EV-2010-09-20
Revogi Systems
Sitecom Europe BVSitecom Wireless Gigabit Router WLR-4001
Sitecom Wireless Router 150N X1 150N
Sitecom Wireless Router 300N X2 300N
Sitecom Wireless Router 300N X3 300N
SkystationCWR-GN150S
Sercomm Corp.Telmex Infinitum
Shaghal Ltd.ERACN300
Shenzhen Yichen (JCG) Technology Development Co., Ltd.JYR-N490
Skyworth Digital Technology.Mesh Router
Smartlinkunknown
TCL Communicationunknown
TechnicolorTD5137
TelewellTW-EAV510
TendaAC6, AC10, W6, W9, i21
TotolinkA300R
TRENDnet, Inc.
TRENDnet Technology, Corp.
TEW-651BR
TEW-637AP
TEW-638APB
TEW-831DR
UPVELUR-315BN
ZTEMF253V, MF910
ZyxelP-330W
X150N
NBG-2105
NBG-416N AP Router
NBG-418N AP Router
WAP6804

Catalin Cimpanu is a cybersecurity reporter for The Record. He previously worked at ZDNet and Bleeping Computer, where he became a well-known name in the industry for his constant scoops on new vulnerabilities, cyberattacks, and law enforcement actions against hackers.