More Than 25,000 Linksys Smart Wi-Fi Routers Found Leaking Sensitive Data

Some 25,617 Linksys Smart Wi-Fi routers are currently leaking detailed technical data to the public internet, apparently due to an incomplete fix for a five-year-old issue, according to researchers.

Computer security firm Bad Packets said the data includes MAC addresses, device names and operating system information on devices such as smartphones and PCs connected to the routers.

WAN settings, firewall status, firmware update settings and DDNS settings are also being leaked, Bad Packets said.

The information could be used to determine where users are physically located and could help an attacker carry out a more serious targeted attack, such as taking over the router, the firm said.

Information leak

A MAC address is a unique identifier assigned to every network-connected device.

Associating a MAC address with a particular individual could be used as a “fingerprint” allowing an attacker to track that individual from network to network, said Bad Packets researcher Troy Mursch.

He said the issue was discovered when the firm’s honeypots detected scans targeting the affected Linksys routers, indicating that the issue is probably being actively exploited.

“This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge,” Mursch wrote in an advisory.

He said the issue allows attackers to access the historical record of every device that has ever connected to the affected router.

“This information allows attackers to gain visibility inside your home or business network, enabling them to conduct targeted attacks,” Mursch wrote.

Some 756,565 individual MAC addresses are currently being leaked, he said.

Mursch noted that the issue allows attackers to compile a list of which affected Linksys routers are still using the default password, facilitating further attacks.

Bad Packets’ scans indicated that thousands of the routers are indeed using the default password.

The majority of the affected routers are in the US, with others spread across 146 countries.

Incomplete fix

The issue involves the HNAP protocol used to manage home routers, which was exploited on a large scale in 2014 by a botnet called TheMoon, Mursch said.

He said the vulnerability involved appears to be CVE-2014-8244, which Linksys patched in 2014.

As a result, when Bad Packets reported the issue to Linksys, the firm responded that the issue had already been fixed. It is not planning a further patch, Mursch said.

Bad Packets’ findings indicate Linksys’ patch may have been incomplete, he said.

“While CVE-2014-8244 was supposedly patched for this issue, our findings have indicated otherwise,” Mursch wrote.

Linksys’ built-in firmware does not allow remote access to be turned off, as it is required for the Linksys App to function.

Mursch noted that more than half of the vulnerable routers have automatic updates enabled, meaning that if Linksys does issue a fix it would be applied right away.

Mursch said that most of the affected models allow the use of third-party firmware, meaning those affected have the option of applying firmware such as that distributed by the OpenWrt Project.

OpenWrt’s firmware allows remote access to be disabled, which would block the information leak, Mursch said.

Matthew Broersma

Matt Broersma is a long-standing tech freelancer who has worked for Ziff-Davis, ZDNet and other leading publications.
