The Misfortune Cookie vulnerability allows an attacker to remotely take over a gateway device with administrative privileges, according to Tel Aviv-based network security vendor Check Point Software Technology, Inc.
The scale of the problem is unprecedented, said Shahar Tal, Check Point's malware and vulnerability research manager.
"In previous cases, there were 200,000 or 300,000 vulnerable gateways," he said. "This time, it's 12 million, and 200 different models of devices, with some very big names in there."
Those names include models from Asus and TP-Link -- but not Check Point itself, he added. The full list is posted online at mis.fortunecook.ie.
The vulnerability allows attackers to control the gateway, and to steal data from all the devices on the network.
"If you get hold of the router, you get a wide-open access to start attacking computer devices like smartphones, printers, security cameras and everything else you have on your wired or wireless network," he said.
A compromised router also makes man-in-the-middle attacks "almost trivial," he added. "That's what was typically done in previous compromises of residential gateways."
The compromised routers all use the embedded web server software RomPager from AllegroSoft, he said.
Meanwhile, he suggested that users tighten security on devices such as webcams if they had previously been relying on the router to protect them instead of blocking access with a password.
"Other than that, of course, there's good security advice that's always appropriate," he said. "Have good endpoint protections in place, a freshly updated operating system, install a firewall on your computer."
Check Point also recommends that users encrypt any folders or documents containing sensitive information, and using
And, of course, users should install a firmware update when its released by the manufacturer.
"If you are a technical user, some users might want to refresh the router with alternative firmware," he added.
However, this may void the router's warranty.
One problem, he said, is that devices such as routers rarely have an update process in place.
"With desktops and servers, we have automatic upgrades," he said. "But with embedded devices, we rarely see automatic updates."
In fact, because of the way the software is built into the supply chain itself, it might take years for a fix to make its way to the final product.
AllegroSoft, for example, actually fixed the vulnerability back in 2005.
"But they did not know what the ramifications of the bug was," he added. "We just found it out now."
According to Check Point, some countries have up to 50 percent of devices that are vulnerable to Misfortune Cookie, so named because it's based on an error in the HTTP cookie management mechanism of the old software.
To exploit the vulnerability, all a hacker needs to do is send a single packet to the user's public IP adress -- no hacking tools required, just a browser.
Users can also replace the router with a more secure one, or use the existing router as a bridge and add a second, secure router that would serve as the Internet gateway.