Japan’s Computer Emergency Response Team (CERT) has issued a warning regarding the exploitation of zero-day vulnerabilities in I-O Data router devices. These security flaws allow malicious actors to alter device settings, execute unauthorized commands, and even disable firewalls.
The manufacturer has acknowledged these vulnerabilities in a security bulletin on its website. However, users remain at risk until the fixes are released, which is anticipated by December 18, 2024.
Overview of Vulnerabilities
On November 13, 2024, three significant vulnerabilities were identified:
- CVE-2024-45841: This flaw involves misconfigured permissions on sensitive resources that permit low-privilege users to access critical files. For instance, an individual with knowledge of guest account credentials could potentially retrieve files containing sensitive authentication data.
- CVE-2024-47133: This vulnerability enables authenticated administrative users to inject and execute arbitrary operating system commands due to inadequate input validation within the configuration management system.
- CVE-2024-52564: The presence of undocumented features or backdoors in the firmware allows remote attackers to disable the device’s firewall and modify its settings without requiring authentication.
These issues affect both the UD-LT1 hybrid LTE router and its industrial-grade counterpart, UD-LT1/EX.
The most recent firmware version available is v2.1.9; however, it only addresses CVE-2024-52564. I-O Data has indicated that solutions for the other two vulnerabilities will be included in version v2.2.0 set for release on December 18, 2024.
As confirmed by I-O Data’s bulletin, customers have already reported instances where these vulnerabilities have been exploited during attacks.
In its security advisory on the issue, the company noted: “We have received inquiries from customers using our hybrid LTE routers ‘UD-LT1’ and ‘UD-LT1/EX’, indicating that access to the configuration interface was possible from the internet without VPN.” It further stated that these customers experienced potential unauthorized access from external sources.
Recommended Mitigation Strategies
Until official updates are released, I-O Data recommends several precautionary measures:
- Disable Remote Management across all internet connection methods including WAN Port configurations as well as Modem and VPN settings.
- Limit access exclusively to networks connected via VPN in order to thwart unauthorized external attempts.
- Change default passwords for guest accounts into more complex alternatives consisting of over ten characters.
- Regularly monitor device settings for any unauthorized alterations; if any compromise is detected reset your device back to factory defaults before reconfiguring it again.
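The monitoring step above can be scripted against a saved copy of the router's settings. The following Python example is added here and is not code from I-O Data or the CERT advisory; the setting names (`firewall`, `remote_mgmt_wan`, `guest_password` and so on) and the sample snapshots are constructed assumptions, because the UD-LT1 export format is not described in this article. The fixed-in firmware versions are the ones stated above.

```python
# Added example: audit a saved settings snapshot against the advisory's mitigations.
# Key names and sample values are hypothetical; the UD-LT1 export format is assumed.

# First firmware version that fixes each CVE, as stated in the article.
FIXED_IN = {
    "CVE-2024-52564": (2, 1, 9),
    "CVE-2024-45841": (2, 2, 0),
    "CVE-2024-47133": (2, 2, 0),
}
REMOTE_MGMT_KEYS = ("remote_mgmt_wan", "remote_mgmt_modem", "remote_mgmt_vpn")

def parse_version(text):
    """Turn 'v2.1.9' into (2, 1, 9) so versions compare numerically."""
    return tuple(int(part) for part in text.lstrip("v").split("."))

def unpatched_cves(firmware):
    """CVEs from the advisory that the given firmware does not yet fix."""
    version = parse_version(firmware)
    return sorted(cve for cve, fixed in FIXED_IN.items() if version < fixed)

def audit(current, baseline):
    """Return findings for one snapshot compared with a known-good baseline."""
    findings = [f"firmware {current['firmware']} does not fix {cve}"
                for cve in unpatched_cves(current["firmware"])]
    for key in REMOTE_MGMT_KEYS:
        if current.get(key) != "off":
            findings.append(f"{key} is not disabled")
    if current.get("firewall") != "on":
        findings.append("firewall is not enabled")
    if len(current.get("guest_password", "")) <= 10:
        findings.append("guest password is not longer than ten characters")
    # Report drift by key name only, so secrets never reach the output.
    for key in sorted(set(current) | set(baseline)):
        if current.get(key) != baseline.get(key):
            findings.append(f"settings drift in {key}")
    return findings

# Constructed sample: a hardened baseline and a snapshot that was later altered.
BASELINE = {"firmware": "v2.1.9", "firewall": "on", "remote_mgmt_wan": "off",
            "remote_mgmt_modem": "off", "remote_mgmt_vpn": "off",
            "guest_password": "constructed-long-passphrase"}
CURRENT = dict(BASELINE, firewall="off", remote_mgmt_wan="on")

if __name__ == "__main__":
    for finding in audit(CURRENT, BASELINE):
        print(finding)
```

Any drift finding that does not match a change you made yourself is the signal to apply the factory-reset step listed above.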
Market Presence
The I-O DATA UD-LT1 and UD-LT1/EX LTE routers are primarily marketed within Japan where they support multiple carriers such as NTT Docomo and KDDI while also being compatible with major MVNO SIM cards throughout the country.
Statistics indicate a rise in cyberattacks against IoT devices, and the attacks on these I-O Data routers fit that trend. Users should stay informed and take proactive steps to secure their networks against potential breaches until comprehensive patches become available later this year.

As a skilled Content Writer with a focus on Politics and Tech, and a proficient Photographer, Priyanshu Kotapalli blends technical expertise with insightful analysis to create engaging digital content that resonates with diverse audiences.