25,000 Linksys routers are reportedly leaking details of any device that has ever connected to it
The flaw that may have been leaking data since 2014 reportedly exposes routers that haven't had their default passwords changed, and it can even help lead hackers to physically locate devices and users in the real world.
Researcher Troy Mursch claims that in excess of 25,000 Linksys Smart Wi-Fi routers currently in use have a flaw that means significant data is accessible by hackers. Writing in Bad Packets Report, a "cyber threat intelligence" company, he says sensitive information is being leaked, although the manufacturer now denies this.
Linksys was bought in 2013 by Belkin — and that firm was then bought by Foxconn in 2018 — and that firm says that its staff haven't been able to reproduce Mursch's findings.
"We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce [it]," said Linksys in an online security advisory, "meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique."
Linksys further says that this is because the flaw was fixed in 2014. However, Mursch disagrees.
"While [this flaw] was supposedly patched for this issue, our findings have indicated otherwise," says Bad Packets. "Upon contacting the Linksys security team, we were advised to report the vulnerability... After submitting our findings, the reviewing analyst determined the issue was 'not applicable/won't fix' and subsequently closed."
If your router is one of those leaking information in this way, then the details that may be available to hackers include the MAC address of every device connected now — or ever.
It can also include device names like "William's iPhone" plus whether the device is a Mac, PC, iOS or Android device. The combination of a MAC address and Linksys Smart Wi-Fi routers' public IP address can mean that hackers could geo-locate or track "William," claims Mursch.
More easily and immediately discovered, though, is whether a router's default admin password has been changed or not.
This flaw and Linksys/Belkin's response were first reported by Ars Technica which notes that the number of affected routers appears to be reducing. After the initial report of 25,617, a repeat of the test some days later revealed 21,401 vulnerable devices.
A complete list of the Linksys router models reported affected is on the Bad Packets site.