Over 25,000 Linksys Smart Wi-Fi routers are believed to be vulnerable to remote exploit by attackers, leading to the leak of sensitive information.
According to Bad Packets' security researcher Troy Mursch, the security problem was discovered after the firm's honeypots flagged the persistent flaw, which "allows unauthenticated remote access to sensitive information."
Subsequent scans revealed that 25,617 Linksys Smart Wi-Fi routers are vulnerable and are leaking not only MAC addresses, but also device names, operating system types, and in some cases WAN settings, firewall status, firmware update settings, and DDNS configurations.
The leak of such information may assist attackers in compromising the Internet of Things (IoT) routers for the purposes of not only data theft but potentially enslavement into botnet setups.
The MAC address alone, an identifier issued to networked devices, could be used to track the router. Should the name of the owner be included in the device name, this could also be used to unmask the owner's identity and potentially geolocate them via the Linksys Smart Wi-Fi router's public IP address, according to Mursch.
"While geolocation by IP address is not precise, services like WiGLE allow anyone to get the exact geographical coordinates of a WiFi network based solely on its MAC address or SSID," the researcher says. "An attacker can query the target Linksys Smart Wi-Fi router, get its MAC address, and immediately geolocate it."
The leaked information can be accessed by opening a browser session and going to the Linksys Smart Wi-Fi router's public IP address, opening the developer console, selecting the network tab, and scrolling down to JNAP. No authentication is required and the issue can be exploited remotely.
The majority of impacted routers are in the United States. However, vulnerable devices were found in a total of 146 countries.
The security flaw at fault is CVE-2014-8244, a severe vulnerability disclosed in 2014 that is present in Linksys firmware on a variety of router products. A patch was issued, but the cybersecurity firm says the vulnerability is still active and very much in existence.
Vulnerable devices are listed below.
On Linksys' side, however, the company has chosen to dismiss the report by Bad Packets, deeming the issue as "Not applicable / Won't fix" and therefore closing the case.
However, over half of the affected devices do have automatic firmware updates enabled, and so if the patch confusion is cleared, they will be protected without user interaction.
As no fix is available and Linksys Smart Wi-Fi routers require remote access to be enabled by default for the Linksys App to function, impacted users could consider third-party options to patch their firmware in order to disable remote access.
Some, but not all, of the impacted Linksys devices can be installed with OpenWrt firmware to prevent these data leaks.
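For owners who want to check whether JNAP requests are reaching their router from outside the local network, the following added example (not code from Bad Packets, Linksys or the original article) scans request logs from an upstream firewall or proxy and reports non-local sources that received an answer. The log format, the `/JNAP` path prefix and the sample lines are assumptions constructed for illustration.

```python
import ipaddress

# Assumption: JNAP requests appear under this path prefix (the article only names "JNAP").
JNAP_PREFIX = "/JNAP"

# Ranges treated as "local network". Listed explicitly because ipaddress.is_private
# also returns True for documentation ranges such as 203.0.113.0/24.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128")]

# Constructed sample in a hypothetical format: "<time> <src_ip> <method> <path> <status>"
SAMPLE_LOG = """\
2019-05-14T08:01:12Z 192.168.1.23 POST /JNAP/ 200
2019-05-14T08:03:40Z 203.0.113.77 POST /JNAP/ 200
2019-05-14T08:03:41Z 203.0.113.77 POST /JNAP/ 200
2019-05-14T08:05:02Z 198.51.100.9 GET /index.html 200
2019-05-14T08:06:19Z 198.51.100.9 POST /JNAP/ 403
2019-05-14T08:07:00Z not-an-ip POST /JNAP/ 200
malformed line
"""

def is_local(addr):
    """True if addr falls inside one of the LOCAL_NETS ranges."""
    return any(addr in net for net in LOCAL_NETS)

def external_jnap_hits(log_text):
    """Return {src_ip: {"answered": n, "blocked": n}} for JNAP requests from non-local sources."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _time, src, _method, path, status = parts
        if not path.upper().startswith(JNAP_PREFIX):
            continue
        try:
            addr = ipaddress.ip_address(src)
        except ValueError:
            continue  # source field is not an IP address
        if is_local(addr):
            continue
        # A 2xx answer to a non-local source means JNAP was served across the WAN side.
        bucket = "answered" if status.startswith("2") else "blocked"
        hits.setdefault(src, {"answered": 0, "blocked": 0})[bucket] += 1
    return hits

if __name__ == "__main__":
    for src, counts in external_jnap_hits(SAMPLE_LOG).items():
        print(src, counts)
```

Any source with a non-zero `answered` count indicates the router replied to JNAP from outside the local network, which is the condition to close off by updating firmware, enabling the firewall or disabling remote access.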
Update 8.09 BST: A Linksys spokesperson told ZDNet:
"We responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014). We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique.
JNAP commands are only accessible to users connected to the router's local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."