More Than 25,000 Linksys Smart Wi-Fi Routers Found Leaking Sensitive Data

Some 25,617 Linksys Smart Wi-Fi routers are currently leaking detailed technical data to the public internet, apparently due to an incomplete fix for a five-year-old issue, according to researchers.

Computer security firm Bad Packets said the data includes MAC addresses, device names and operating system information on devices such as smartphones and PCs connected to the routers.

WAN settings, firewall status, firmware update settings and DDNS settings are also being leaked, Bad Packets said.

The information could be used to determine where users are physically located and could help an attacker carry out a more serious targeted attack, such as taking over the router, the firm said.

Information leak

A MAC address is a unique identifier assigned to every network-connected device.

Associating a MAC address with a particular individual could be used as a “fingerprint” allowing an attacker to track that individual from network to network, said Bad Packets researcher Troy Mursch.

He said the issue was discovered when the firm’s honeypots detected scans targeting the affected Linksys routers, indicating that the issue is probably being actively exploited.

“This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge,” Mursch wrote in an advisory.

He said the issue allows attackers to access the historical record of every device that has ever connected to the affected router.

“This information allows attackers to gain visibility inside your home or business network, enabling them to conduct targeted attacks,” Mursch wrote.

Some 756,565 individual MAC addresses are currently being leaked, he said.

Mursch noted that the issue allows attackers to compile a list of which affected Linksys routers are still using the default password, facilitating further attacks.

Bad Packets’ scans indicated that thousands of the routers are indeed using the default password.

The majority of the affected routers are in the US, with others spread across 146 countries.

Incomplete fix

The issue involves the HNAP protocol used to manage home routers, which was exploited on a large scale in 2014 by a botnet called TheMoon, Mursch said.

He said the vulnerability involved appears to be CVE-2014-8244, which Linksys patched in 2014.

As a result, when Bad Packets reported the issue to Linksys, the firm responded that the issue had already been fixed. It is not planning a further patch, Mursch said.

Bad Packets’ findings indicate Linksys’ patch may have been incomplete, he said.

“While CVE-2014-8244 was supposedly patched for this issue, our findings have indicated otherwise,” Mursch wrote.

Linksys’ built-in firmware does not allow remote access to be turned off, as it is required for the Linksys App to function.

Mursch noted that more than half of the vulnerable routers have automatic updates enabled, meaning that if Linksys does issue a fix it would be applied right away.

Mursch said that most of the affected models allow the use of third-party firmware, meaning those affected have the option of applying firmware such as that distributed by the OpenWrt Project.

OpenWrt’s firmware allows remote access to be disabled, which would block the information leak, Mursch said.

Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDNet and other leading publications.
