Around 25,000 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, according to security researchers.
In a blog post by IT security firm Badpackets, researchers said that the data leaking from routers included MAC addresses, device names and operating system information on devices such as smartphones and computers connected to the routers. In some cases additional metadata is logged such as device type, manufacturer, model number, and description.
Other sensitive information about the router such as the WAN settings, firewall status, firmware update settings, and DDNS settings have also leaked.
Researchers said that this flaw allows attackers to determine the identity of owner and geolocate them via the Linksys Smart Wi-Fi router’s public IP address.
"While geolocation by IP address is not precise, services like WiGLE allow anyone to get the exact geographical coordinates of a WiFi network based solely on its MAC address or SSID. An attacker can query the target Linksys Smart Wi-Fi router, get it’s MAC address, and immediately geolocate it," researchers said.
Bad Packets researcher Troy Mursch said that the problem was found when the firm’s honeypots detected scans targeting various home automation protocol endpoints.
"This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge," Mursch said.
"This information allows attackers to gain visibility inside your home or business network, enabling them to conduct targeted attacks," he added.
Approximately 756,565 individual MAC addresses are currently being leaked now. The flaw involves the HNAP protocol used to administer home routers, which was exploited in 2014 by a botnet called TheMoon.
The vulnerability is closely linked to CVE-2014-8244 which allowed "remote attackers to obtain sensitive information or modify data via a JNAP action in a JNAP/ HTTP request."
Mursch said that while that flaw was fixed about five years ago, the vulnerability is still there. He added that the Linksys security team determined the issue as "Not applicable / Won’t fix" and closed the issue.
While the flaw appears to remain unfixed, Mursch noted that 14,387 of the 25,617 vulnerable routers "currently have automatic firmware updates enabled."
"If Linksys eventually patches this vulnerability, these routers will be protected automatically," he said.
Deral Heiland, research lead at Rapid7, told SC Media UK that the information disclosure referenced in this report on Linksys vulnerability highlights several common issues related to consumer grade IoT technology.
"First and foremost is the lack of any automated mechanism for patching such technology or at least an effective way to alert consumers that their products need to be patched. Consumers are forced to be proactive in monitoring for the availability of security patches and installing the patches in a timely manner. This leads to many devices never being regularly patched, which exposes them to possible compromise," he said.
"Second, it is not uncommon when given the ability to expose services of their products to the internet for remote management and control, that some owners will sometime implement these services without truly understanding the possible security implications of making such changes to their products. In this case upwards of 25k devices having being exposed to the internet combined with lack of proper security patches in place has led to high risk exposure."
Gary Cox, technology director, Western Europe at Infoblox, told SC Media UK that "it’s pretty poor that such a seemingly simple flaw made its way through Linksys/Belkin’s QA process".
"From a mitigation perspective it’s somewhat challenging for ‘Joe Public’ to protect against this, they would need to leverage a firewall to block all inbound traffic to the public IP," he added.