YOUR LINKSYS ROUTER can't wait to gossip about who's been connecting to it, apparently. That's the verdict of security researcher Troy Mursch who found that 33 models would happily reveal a full connection history including MAC addresses, device names and OS versions, if asked by interested parties.
And to be clear: the only people who would be interested in something so tedious are those with bad intentions. Think stalkers trying to tell if their targets have visited somewhere, or your old common or garden hackers taking inventory of a router's connected devices to see if anything with a vulnerable OS has checked in lately.
Scans show 25,617 vulnerable routers online, 4,000 of which are using the default router password. Oh yeah, the exploit can reveal whether the password has changed too. Of the thousands of routers found, 13,049 were in the United States and Canada, with 4,942 in Chile and 2,068 in Singapore. All the rest were in the hundreds or lower, with the UK having just 87.
The vulnerability is very easy to exploit, according to Mursch: just visit a router's internet address and run a device list request. It'll work with or without firewall support, and should give results whether or not the target has applied a 2014 patch.
That's according to Mursch, anyway. Belkin, the company that bought Linksys in 2013, disputes this, saying it hasn't been able to reproduce the vulnerability. It has gently suggested that maybe the units found had their firewalls disabled or were using outdated firmware.
"Linksys responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014)," the company wrote.
"We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. JNAP commands are only accessible to users connected to the router's local network.
"We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."
It looks like they'll be agreeing to disagree on this point. Still, if you own one of the affected routers, don't take any chances. Make sure your firewall is enabled and it's patched to the latest version. And don't use the default password for anything, ever, okay? µ
Put a Ring-Con on it
We know. We're as surprised as you are
It's available across all major UK networks