More than 20,000 Linksys routers hit by serious security exploit


Update: Linksys has released the following statement about the security exploit:

"Linksys responded to a vulnerability submission from Bad Packets on 7th May 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014). 

We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244, meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. 

JNAP commands are only accessible to users connected to the router’s local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. 

Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."

It appears that over 21,000 Linksys routers have been leaking, over the internet, sensitive data about the devices that have connected to them, including their MAC addresses, device names and operating systems.

Perhaps most worryingly, information about whether or not the default admin passwords have been changed on the router has also been made accessible. This could allow malicious users to easily gain access to these routers.

The leak was spotted last week by Troy Mursch of Bad Packets, and it affects a large number of Linksys router models, including the Linksys AC3200 Tri-Band Smart Wi-Fi Router, the Linksys MAX-STREAM series and the Velop range of Mesh Wi-Fi routers. 

Mursch has published the full list of affected routers, so if you own a Linksys router, make sure you check to see if your model is listed.

How bad is this?

Pretty bad. You don’t want your router making any details about the devices you use public, but the fact that this leak offers up such detailed device connection histories is very troubling.

The MAC address of each device is a hardware identifier that stays the same from network to network, so it works as a unique ‘fingerprint’ for that device whenever it joins a Wi-Fi network. Knowing the MAC address of a device such as a smartphone would allow someone who can see other networks’ client lists to recognise the same device as it moves between them.

Meanwhile, leaking the device name could give attackers personal information that could help identify you – for example, if the device name contains your name.

MAC addresses have been used for targeting before: in the ShadowHammer supply-chain attack earlier this year, a trojanised version of Asus’s Live Update utility was pushed to over a million laptops, but the malicious payload only activated on machines whose MAC addresses matched a hard-coded list of targets.

And, of course, telling anyone who asks whether the router still uses its default admin password is a huge security risk, because the defaults for each model are publicly documented and anyone who can reach the admin interface can simply log in. If you haven’t changed the default admin password yet, make sure you do, no matter what make of router you use.

What should I do?

If you own a Linksys router, the first thing you should do is check the list above to see if your model is affected. Most Linksys routers support automatic firmware updates, so when Linksys releases a fix, routers with the feature enabled should apply the patch on their own.

Still, it’s worth logging on to your router and making sure automatic updates are enabled. While you’re there, make sure you change the default admin password if you haven’t already.

Linksys actually released a patch for this problem (CVE-2014-8244) back in 2014, so you can check whether your router is running firmware newer than that fix, but it looks like many routers remain exposed.

According to Ars Technica, Linksys has said that its researchers couldn’t reproduce the exploit on routers that have that 2014 patch installed.
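Since Linksys says JNAP commands should only answer on the LAN side, the most useful check is to ask your own router for its device list from outside (for example from a phone on mobile data, or any host not on your home network) and see whether it answers without logging in. The script below is an added example written for this article; it is not code from Linksys, Bad Packets or TechRadar. The JNAP action names, the `POST /JNAP/` endpoint with the `X-JNAP-Action` header, and the shape of the sample responses are assumptions based on how the Linksys JNAP API is publicly observed to behave, not details stated in the article, and the sample responses are constructed for illustration.

```python
"""Self-check for the unauthenticated JNAP exposure described above.

Usage: python3 jnap_check.py <router WAN address>
Only probe routers you own or are authorised to test.
"""
import http.client
import json
import sys

# Assumed JNAP action URIs (not named in the article).
JNAP_GET_DEVICES = "http://linksys.com/jnap/devicelist/GetDevices"
JNAP_IS_PW_DEFAULT = "http://linksys.com/jnap/core/IsAdminPasswordDefault"


def jnap_request_parts(action):
    """An unauthenticated JNAP call: POST /JNAP/, the action named in the
    X-JNAP-Action header, an empty JSON object as the body and, crucially,
    no X-JNAP-Authorization header. A correctly firewalled router should
    not answer this from the WAN at all."""
    return {
        "method": "POST",
        "path": "/JNAP/",
        "body": b"{}",
        "headers": {"X-JNAP-Action": action, "Content-Type": "application/json"},
    }


def jnap_call(host, action, timeout=5):
    """Send the request and return the decoded JSON, or None if the router
    is unreachable, closes the connection or returns something that is not
    JSON (all of which count as 'not exposed' for this check)."""
    parts = jnap_request_parts(action)
    try:
        conn = http.client.HTTPConnection(host, timeout=timeout)
        conn.request(parts["method"], parts["path"],
                     body=parts["body"], headers=parts["headers"])
        raw = conn.getresponse().read()
        conn.close()
        return json.loads(raw.decode("utf-8", "replace"))
    except (OSError, http.client.HTTPException, ValueError):
        return None


def is_exposed(jnap_response):
    """The router honoured the action without authentication."""
    return bool(jnap_response) and jnap_response.get("result") == "OK"


def summarize_devices(jnap_response):
    """Reduce a GetDevices reply to the fields the article says were leaking:
    name, MAC address(es) and operating system per device. Returns [] when
    the router refused the action."""
    if not is_exposed(jnap_response):
        return []
    summary = []
    for dev in jnap_response.get("output", {}).get("devices", []):
        macs = list(dev.get("knownMACAddresses", []))
        for iface in dev.get("knownInterfaces", []):
            mac = iface.get("macAddress")
            if mac and mac not in macs:
                macs.append(mac)
        summary.append({
            "name": dev.get("friendlyName") or "(unnamed)",
            "macs": macs,
            "os": dev.get("unit", {}).get("operatingSystem") or "unknown",
        })
    return summary


def is_password_default(jnap_response):
    """True/False from an IsAdminPasswordDefault reply, None if refused."""
    if not is_exposed(jnap_response):
        return None
    return bool(jnap_response.get("output", {}).get("isAdminPasswordDefault"))


# Constructed sample replies (not captured from a real router); MACs are
# locally administered addresses so they match no real device.
SAMPLE_GET_DEVICES = {
    "result": "OK",
    "output": {"revision": 42, "devices": [
        {"friendlyName": "Alice's iPhone",
         "knownMACAddresses": ["02:00:5E:10:00:01"],
         "knownInterfaces": [{"macAddress": "02:00:5E:10:00:01",
                              "interfaceType": "Wireless", "band": "5GHz"}],
         "unit": {"operatingSystem": "iOS"}},
        {"friendlyName": "",
         "knownInterfaces": [{"macAddress": "02:00:5E:10:00:02",
                              "interfaceType": "Wired"}]},
    ]},
}
SAMPLE_PW_DEFAULT = {"result": "OK", "output": {"isAdminPasswordDefault": True}}
SAMPLE_REFUSED = {"result": "_ErrorUnauthorized"}


def main(argv):
    if len(argv) != 2:
        print(__doc__)
        return 2
    host = argv[1]
    devices = jnap_call(host, JNAP_GET_DEVICES)
    if not is_exposed(devices):
        print("%s: unauthenticated GetDevices refused or unreachable (good)" % host)
        return 0
    print("%s: EXPOSED, device list returned without authentication:" % host)
    for dev in summarize_devices(devices):
        print("  %-24s %-10s %s" % (dev["name"], dev["os"], ", ".join(dev["macs"])))
    if is_password_default(jnap_call(host, JNAP_IS_PW_DEFAULT)):
        print("  admin password is still the factory default: change it now")
    return 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

If the script prints the device list, the router is answering JNAP from the WAN side exactly as Bad Packets described; update the firmware, confirm the firewall is enabled, and re-run the check. A timeout or connection refusal is the expected, healthy result.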

If you’re still concerned, then we recommend replacing the router (check out our list of the best wireless routers for guidance), or installing third-party firmware like OpenWrt.