Over 25,000 Linksys Smart Wi-Fi routers are believed to be vulnerable to remote exploit by attackers, leading to the leak of sensitive information.
According to Bad Packets’ security researcher Troy Mursch, the security problem was discovered after the firm’s honeypots flagged the persistent flaw, which “allows unauthenticated remote access to sensitive information.”
Subsequent scans revealed that 25,617 Linksys Smart Wi-Fi routers are vulnerable and are leaking not only MAC addresses, but also device names, operating system types, and in some cases WAN settings, firewall status, firmware update settings, and DDNS configurations.
The leak of such information may assist attackers in compromising the Internet of Things (IoT) routers for the purposes of not only data theft but potentially enslavement into botnet setups.
The MAC address alone, an identifier issued to networked devices, could be used to track the router. Should the name of the owner be included in the device name, this could also be used to unmask the owner’s identity and potentially geolocate them via the Linksys Smart Wi-Fi router’s public IP address, according to Mursch.
“While geolocation by IP address is not precise, services like WiGLE allow anyone to get the exact geographical coordinates of a WiFi network based solely on its MAC address or SSID,” the researcher says. “An attacker can query the target Linksys Smart Wi-Fi router, get its MAC address, and immediately geolocate it.”
The leaked information can be accessed by opening a browser session and going to the Linksys Smart Wi-Fi router’s public IP address, opening the developer console, selecting the network tab, and scrolling down to JNAP. No authentication is required and the issue can be exploited remotely.
The majority of impacted routers are in the United States. However, vulnerable devices were found in a total of 146 countries.
The security flaw at fault is CVE-2014-8244, a severe vulnerability which was disclosed in 2014 that is present in Linksys firmware on a variety of router products. A patch was issued, but the cybersecurity firm says the vulnerability is still active and in very much in existence.
Vulnerable devices are listed below.
TechRepublic: Top 5 challenges keeping IT pros up at night
On Linksys’ side, however, the company has chosen to dismiss the report by Bad Packets, deeming the issue as “Not applicable / Won’t fix” and therefore closing the case.
However, over half of the affected devices do have automatic firmware updates enabled, and so if the patch confusion is cleared, they will be protected without user interaction.
As no fix is available and Linksys Smart Wi-Fi routers require remote access to be enabled by default for the Linksys App to function, impacted users could consider third-party options to patch their firmware in order to disable remote access.
Some, but not all, of the impacted Linksys devices can be installed with OpenWrt firmware to prevent these data leaks.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0