And one brand in particular – Totolink – seems to have been plagued with a worrying amount of vulnerabilities found in its products, including some very severe ones.
The Totolink A3300R wireless router, for example, has command injection vulnerabilities that have recently been discovered, and the Totolink A8000RU was found to have a hardcoded password that could be accessed by anyone.
What’s also worrying is that, at time of writing, the SSL certificate for the company’s official website isn’t even trusted by Chrome browsers, possibly suggesting a sign of compromise, or at least poor site maintenance on the part of the Totolink.
The National Vulnerability Database (NVD) maintained by NIST shows a large number of recently added flaws to Totolink hardware. The A3300R seems to be particularly affected, with many command injection vulnerabilities.
Two critical vulnerabilities were also found in the N200RE, both of which can lead to buffer overflow attacks. Both entries also contain a note stating that the vendor was contacted about the flaws, “but did not respond in any way.”
The issues with Totolink routers date back years, and have been implicated in large scale attacks. For instance, a variant of the infamous Mirai botnet, known as Beastmode, was found exploiting flaws in Totolink routers in Spring 2022. Another botnet, known as Zerobot, also exploited flaws in them and routers from other manufacturers, such as D-Link and Huawei, in late 2022.
In 2021, multiple flaws were also discovered in Totolink software, which could allow for remote attacks. This software was part of the A300R2 router. It was noted as being easily exploitable via a remote attack, letting threat actors execute arbitrary code.
Problems with Totolink routers even go as far back as 2015, when many of its routers were found to have flaws, some even reaching back six years before the date of this particular discovery.
Totolink is owned by Hong-Kong company Zioncom Holdings Limited. The website for this firm is also flagged by Chrome as not having a valid SSL certificate.