U-SPEED AC1200 Gigabit Wi-Fi Router Incorrect Access Control Vulnerability via Exposed UART Interface
Vulnerability
A vulnerability exists in the U-SPEED AC1200 Gigabit Wi-Fi Router, Model T18-21K, Version 1.0, due to incorrect access control on an exposed UART interface. The lack of authentication, authorization, or access restrictions allows an attacker with physical access to the device to connect to the UART pins and gain unrestricted access to the router's functionality. This could include access to system consoles, bootloaders, configuration files, logs, operating system shells, and internal services. The vulnerability could lead to unauthorized administrative access, extraction of sensitive information, modification of device settings, execution of arbitrary commands, tampering with firmware or boot processes, and complete compromise of the device.
Impact
Exploitation of this vulnerability could result in unauthorized access to the device's internals, allowing for full compromise of the router.
Reproduction
To reproduce this vulnerability, physical access to the router is required. After opening the device enclosure, the UART interface can be accessed by identifying the pinout on the PCB, soldering header pins or using pogo-pin adapters, and connecting a USB-to-UART adapter. Once connected, the serial console can be accessed directly without any authentication or authorization.
Remediation
The vendor should consider disabling UART functionality in production firmware, requiring authentication for UART console access, restricting access to privileged debug functions, removing or obfuscating UART headers on production hardware, and implementing secure boot and console protections.
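One way to check an unpacked firmware image for the missing console authentication described above, as an added example that is not from the advisory or the vendor. It assumes a BusyBox-style /etc/inittab, which the advisory does not confirm for this device, and the sample entries are constructed.

```python
import os

# Assumed BusyBox-init format: <tty>:<runlevels>:<action>:<command>
SHELLS = {"sh", "ash", "bash"}
GETTYS = {"getty", "agetty"}
LOGIN_PROGRAMS = GETTYS | {"login", "sulogin"}
TERMINAL_ACTIONS = {"respawn", "askfirst"}
SERIAL_PREFIXES = ("ttyS", "ttyAMA", "console")


def program_name(path):
    # A leading "-" marks a login shell in inittab; it is not part of the path.
    return os.path.basename(path.lstrip("-"))


def audit_inittab(text):
    """Return (line_no, tty, verdict) for each serial terminal entry."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        parts = line.split(":", 3)
        if not line or line.startswith("#") or len(parts) != 4:
            continue
        tty, _runlevels, action, command = parts
        argv = command.split()
        tty = tty or "console"  # empty first field means the system console
        if action not in TERMINAL_ACTIONS or not argv or not tty.startswith(SERIAL_PREFIXES):
            continue
        program = program_name(argv[0])
        # getty -l <prog> replaces the login program; a shell there skips authentication.
        if program in GETTYS and "-l" in argv[:-1]:
            program = program_name(argv[argv.index("-l") + 1])
        if program in SHELLS:
            verdict = "UNAUTHENTICATED_SHELL"
        elif program in LOGIN_PROGRAMS:
            verdict = "LOGIN_REQUIRED"
        else:
            verdict = "REVIEW"
        findings.append((line_no, tty, verdict))
    return findings


# Constructed samples, not taken from the T18-21K firmware.
WEAK = "::sysinit:/etc/init.d/rcS\nttyS0::respawn:-/bin/sh\n"
BYPASS = "ttyS0::respawn:/sbin/getty -n -l /bin/sh -L ttyS0 115200 vt100\n"
HARDENED = "ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100\n"

if __name__ == "__main__":
    for name, sample in (("weak", WEAK), ("bypass", BYPASS), ("hardened", HARDENED)):
        print(name, audit_inittab(sample))
```

A LOGIN_REQUIRED verdict only shows that a login prompt is configured; account passwords and bootloader console access still need separate review.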
