If you were looking for more proof that all of your connected devices were out to get you, look no further than a new report from Bad Packets chief research officer Troy Mursch, who revealed last week that dozens of Linksys Smart Wi-Fi routers are leaking full records of all the devices that have ever connected to them. Some of the information that is possible to dig up by exploited this flaw includes the MAC address, the name of the device, WAN settings, firewall status, and even whether or not the default password for the router has ever been changed.
With the help of the BinaryEdge cybersecurity team, Bad Packets was able to find 25,617 Linksys routers that were leaking sensitive information to the public internet. As Mursch says, exploiting the flaw doesn’t require authentication “and can be exploited by a remote attacker with little technical knowledge.”
If you’re wondering what hackers might do with the information they steal by exploiting this flaw, Mursch explains that a MAC address is a unique identifier for a networked device, and can be used to track a device as it moves between networks. Plus, if there is identifying information in the device name (such as the owner’s full name), a hacker could determine the identity of the device’s owner and geolocate them with a public IP address.
In a strange twist, Linksys released a statement regarding the security flaw, claiming that not only had it been fixed by an update in 2014 (which Mursch specifically says is not the case), but that it was unable to replicate the exploit that Mursch described in his report. Here’s the full statement:
Linksys responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014). We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. JNAP commands are only accessible to users connected to the router’s local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled.
If you have any of the Linksys routers Mursch names in his report, you should first make sure that your firmware is up to date, but you might also consider replacing it with a device that isn’t on the list.