Some 25,617 Linksys Smart Wi-Fi routers are currently leaking detailed technical data to the public internet, apparently due to an incomplete fix for a five-year-old issue, according to researchers.
Computer security firm Bad Packets said the data includes MAC addresses, device names and operating system information on devices such as smartphones and PCs connected to the routers.
WAN settings, firewall status, firmware update settings and DDNS settings are also being leaked, Bad Packets said.
The information could be used to determine where users are physically located and could help an attacker carry out a more serious targeted attack, such as taking over the router, the firm said.
A MAC address is a unique identifier assigned to every network-connected device.
A MAC address associated with a particular individual could serve as a “fingerprint”, allowing an attacker to track that individual from network to network, said Bad Packets researcher Troy Mursch.
He said the issue was discovered when the firm’s honeypots detected scans targeting the affected Linksys routers, indicating that the issue is probably being actively exploited.
“This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge,” Mursch wrote in an advisory.
He said the issue allows attackers to access the historical record of every device that has ever connected to the affected router.
“This information allows attackers to gain visibility inside your home or business network, enabling them to conduct targeted attacks,” Mursch wrote.
Some 756,565 individual MAC addresses are currently being leaked, he said.
Mursch noted that the issue allows attackers to compile a list of which affected Linksys routers are still using the default password, facilitating further attacks.
Bad Packets’ scans indicated that thousands of the routers are indeed using the default password.
The majority of the affected routers are in the US, with others spread across 146 countries.
The issue involves the HNAP protocol used to manage home routers, which was exploited on a large scale in 2014 by a botnet called TheMoon, Mursch said.
He said the vulnerability involved appears to be CVE-2014-8244, which Linksys patched in 2014.
As a result, when Bad Packets reported the issue to Linksys, the firm responded that the issue had already been fixed. It is not planning a further patch, Mursch said.
Bad Packets’ findings indicate Linksys’ patch may have been incomplete, he said.
“While CVE-2014-8244 was supposedly patched for this issue, our findings have indicated otherwise,” Mursch wrote.
Linksys’ built-in firmware does not allow remote access to be turned off, as it is required for the Linksys App to function.
Mursch noted that more than half of the vulnerable routers have automatic updates enabled, meaning that if Linksys does issue a fix it would be applied right away.
Mursch said that most of the affected models allow the use of third-party firmware, meaning those affected have the option of applying firmware such as that distributed by the OpenWrt Project.
OpenWrt’s firmware allows remote access to be disabled, which would block the information leak, Mursch said.