Researcher Troy Mursch claims that over 25,000 Linksys Smart Wi-Fi routers currently in use have a security flaw allowing hackers to access data about devices that have connected to them.
In an article published on the Bad Packets Report website, Mursch says sensitive information is being leaked. However, Linksys denies this.
Mursch says the flaw could have been leaking data since 2014 exposes the data on routers that haven’t had the default passwords changed. The flaw can supposedly aid hackers in physically locating devices in the real world.
Linksys, which is owned by Apple supplier Foxconn, says that its researchers haven’t been able to reproduce Mursch’s findings.
“Linksys responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014),” said Linksys in an online security advisory.” We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. JNAP commands are only accessible to users connected to the router’s local network.”
The router maker encourages users to update to the latest firmware.
“We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled.”
Mursch disagrees that the flaw was fixed in 2014.
“While [this flaw] was supposedly patched for this issue, our findings have indicated otherwise,” says Bad Packets. “Upon contacting the Linksys security team, we were advised to report the vulnerability… After submitting our findings, the reviewing analyst determined the issue was ‘not applicable/won’t fix’ and subsequently closed.”
If the routers are leaking this information, then the details available could include the MAC address of every device ever connected to the router.
It can also include other information, such as device names and the type of device, which could be used in combination with the MAC address and Linksys Smart Wi-Fi routers’ public IP address can mean that hackers could geo-locate or track users, claims Mursch.
The security flaw was first reported by Ars Technica. That publication says the number of affected routers appears to be shrinking, as the affected routers initially counted in at 25,617, but some days later, a new run of the same test showed 21,401 vulnerable devices were in use.
If you’d like to see if your Linksys router is affected, a complete list of the Linksys router models reportedly affected is available on the Bad Packets site.