Linksys home Wi-Fi routers are in some trouble.
Security researcher Troy Mursch last week revealed that more than 25,000 Linksys home Wi-Fi routers around the world are secretly leaking sensitive information about themselves, and the devices on their networks, to anyone who knows what to look for. There's a full list of the roughly three dozen affected models here.
According to Mursch, those routers are leaking everything from the MAC addresses -- unique network IDs -- of all the devices that have ever connected to their networks to the operating-system versions your smartphones and computers are using. That doesn't mean the devices can be remotely hacked, or even that the router can be, but it would let online criminals get an idea of what you're using and who had visited your home.
In some cases, however, you can even tell whether the Linksys router owner is using factory-default credentials to secure the Wi-Fi router. If so, then the stakes are significantly raised: The router can be completely hijacked remotely, and everything you do online can be visible to a remote intruder.
The process to obtain this information is surprisingly simple. You need only to go to the Linksys router's public IP address, which Linksys provides as part of its "Smart Wi-Fi" functions so that users can access the routers remotely. (Accessible Linksys routers belonging to strangers can quickly be found with automated internet scans.) Open the browser's developer console, choose the Network tab, and open the JNAP tab in that page. If the router is leaking information, it'll share it readily without requiring authentication.
"In some cases additional metadata is logged such as device type, manufacturer, model number, and description," Mursch wrote. "Unfortunately, our typical recommendation of keeping your router's firmware up-to-date is not applicable in this case as no fix is available."
What to Do Now
So, what can you actually do in response to protect yourself? Normally, we would tell you to update your router now to the latest firmware and make sure the router's firewall is enabled under security settings, but Mursch said neither of those options will work. You also can't turn off Linksys' remote-access feature, Mursch said.
Technically, this issue was fixed in a Linksys firmware update in 2014. So this shouldn't be happening. But according to Mursch, it still is. He said that he contacted Linksys about the ongoing issue and was told that "the issue was 'not applicable/won't fix' and subsequently closed."
If anything, you should minimize the risk by making sure that your Linksys router's username and password are not the default factory-set credentials. That will at least prevent your router from being hijacked. Mursch also said you should turn on automatic updates, if that option exists on your router, so if Linksys pushes a firmware fix to the device, the firmware will automatically be updated.
Linksys provided the following statement to TechRadar on this issue:
"Linksys responded to a vulnerability submission from Bad Packets on 7th May 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014).
We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique.
JNAP commands are only accessible to users connected to the router's local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls."
Mursch disagrees in his blog posting -- he said the flaw still permits remote access over the internet.
How Bad Is This?
It's unclear whether the leak is worse than the 25,000 or so routers that Mursch has discovered. But it's clearly an issue with the affected routers and something that users are not intentionally sharing. And in some especially concerning cases, Mursch found the routers sharing firewall settings, dynamic DNS settings and other network information.
Worst of all, it appears the problem affects a slew of different models, including several of the company's most powerful routers, including its XAC1900 router and its Velop line of routers.
The routers also don't appear to be in any one area. Instead, Mursch found the problem across North America, Europe, South America, and Asia. In total, the vulnerability was discovered in 146 countries, across 1,998 Internet Service Providers.