Quote: A zero-day vulnerability impacting TP-Link SR20 smart home routers has been exposed publicly after the company allegedly failed to respond to a researcher's private disclosure.
Matthew Garrett, a Google security engineer, revealed the bug after the company failed to fix the issue within 90 days, a timeframe now established within cybersecurity which is considered to be a reasonable amount of time offered to vendors to fix reported security issues.
The security flaw is a zero-day arbitrary code execution (ACE) bug in TP-Link SR20 routers, which are dual band 2.4 GHz / 5 GHz products touted as routers suitable for controlling smart home and Internet of Things (IoT) devices while lessening the risk of bottlenecks. The SR20 also supports devices which make use of the ZigBee and Z-Wave protocols.
As documented in this Twitter conversation feed, Garrett disclosed his findings to TP-Link over 90 days ago via the firm's online security disclosure form.
Despite TP-Link promising researchers they would hear back within three business days, weeks later, there was no response. Attempts to contact TP-Link through other channels also failed.
SOURCE: https://www.zdnet.com/article/google-dev...e-routers/