25,000 Linksys routers are reportedly leaking details of any device that has ever connecte...
The flaw that may have been leaking data since 2014 reportedly exposes routers that haven't had their default passwords changed, and it can even help lead hackers to physically locate devices and users in the real world.

Researcher Troy Mursch claims that in excess of 25,000 Linksys Smart Wi-Fi routers currently in use have a flaw that leaves significant data accessible to hackers. Writing in Bad Packets Report, a "cyber threat intelligence" company, he says sensitive information is being leaked, although the manufacturer now denies this.
Linksys was bought by Belkin in 2013, and Belkin was in turn bought by Foxconn in 2018. The company says that its staff haven't been able to reproduce Mursch's findings.
"We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce [it]," said Linksys in an online security advisory, "meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique."
Linksys further says that this is because the flaw was fixed in 2014. However, Mursch disagrees.
"While [this flaw] was supposedly patched for this issue, our findings have indicated otherwise," says Bad Packets. "Upon contacting the Linksys security team, we were advised to report the vulnerability... After submitting our findings, the reviewing analyst determined the issue was 'not applicable/won't fix' and subsequently closed."
If your router is one of those leaking information in this way, then the details that may be available to hackers include the MAC address of every device connected now -- or ever.
It can also include device names like "William's iPhone" plus whether the device is a Mac, PC, iOS or Android device. The combination of a MAC address and Linksys Smart Wi-Fi routers' public IP address can mean that hackers could geo-locate or track "William," claims Mursch.
More easily and immediately discovered, though, is whether a router's default admin password has been changed or not.
This flaw and Linksys/Belkin's response were first reported by Ars Technica, which notes that the number of affected routers appears to be falling. After the initial report of 25,617, a repeat of the test some days later revealed 21,401 vulnerable devices.
A complete list of the Linksys router models reported affected is on the Bad Packets site.

Comments
I used to use Linksys routers in the aughts. Not a pleasant experience.
Like Tht, I'm keeping it until it breaks.
The AirPort Extreme WiFi routers have been mostly trouble free, with maybe one incident per year or every two years. That’s better than the cable service. Thinking of getting a second AirPort Extreme just in case.
Count me also as a fan of the AirPort line of routers, and another advocate for the idea that Apple should re-enter the market with a new line that emphasizes features the previous one had but were never advertised -- ironclad firmware, optional strong encryption, and other security features that make some of their last routers **STILL** among the most secure around (albeit not capable of "mesh" or 802.11ac speeds).
A new line of "ultra-secure yet incredibly easy to use" routers would do more than well enough to justify costs/manufacture, and offer yet another portal for consumers to get "The Apple Experience" even if they are on lesser equipment.
This is called Darwinism.
Right now, I'm having an issue with my Beats headphones because they keep showing up with my real name, which I assume is pulled from my iCloud or primary contact card on my iPhone because my iPhone is simply named "iPhone". You can change it, but 10 minutes later it's back to the old name for reasons I can't figure out.
It should be, but people don't because they don't know how or understand the risks. People don't understand WiFi despite its ubiquitous use and I can't fault the users for that. I certainly don't understand everything about my automobiles despite owning several. The better router makers make you change it when you first set it up and have defaults for higher security.
It's looking like they're getting back into the monitor business with some newer technologies come WWDC. If that's the case, then having Apple getting back into the router business with, say, mesh networking and ease of setup similar to what Apples for devices connecting with a W1 or H1 chip could bring back superior routing to the market. There does seem to be a push for better and faster routers of the mesh variety that consumers are willing to pay good money for so there could be a worthwhile market for Apple.
Are you using any Wi-Fi Smart Plugs or smart lights that require you to log in their Wi-Fi network for connection before asking you to tender your Wi-Fi password, or requiring you to create a cloud account to Manage those devices?
Are you using any devices owned by a China- or Shenzhen-based company?
Have you connected those devices or accessories via Google Home or Google Assistant or Amazon Alexa or Apple HomeKit?
Then good luck on you.
"exposes routers that haven't had their default passwords changed”
So this is actually a Darwin award for those idiots who never changed the default password of their router. I would imagine any router used with the default password would be vulnerable to some sort of exploit. That’s the very first thing I do when configuring a router... change the damn password it shipped with. Duh....