Google security researcher Matthew Garrett publicly disclosed a zero-day vulnerability he discovered in the TP-Link SR20, a router and smart home hub in one device.
The device is designed to integrate with a user’s home automation kit, allowing them to use it as the core of their home network and to work with other smart devices.
The vulnerability could enable downgrade attacks that could allow an attacker to force a router to use a non-encrypted connection, according to a March 28 blog post.
The researcher reported the issue to TP-Link in December via the company’s security disclosure form but did not get a response, and said the process was made difficult by the site’s “detailed description” field being limited to 500 characters.
“The page informed me that I’d hear back within three business days – a couple of weeks later, with no response, I tweeted at them asking for a contact and heard nothing back,” Garrett said. “Someone else’s attempt to report tddp vulnerabilities had a similar outcome, so here we are.”
Fortunately, the vulnerability isn’t remotely exploitable; however, it is still a serious vulnerability.