Over 25,000 Linksys Smart Wi-Fi routers leaked device connection histories
Security researcher Troy Mursch has reported that several Linksys router models are revealing entire device connection histories online worldwide; 440 of them are from the UAE.
Linksys users, especially those in the UAE, may have something to be concerned about. Specific Linksys Wi-Fi routers have been found to be sharing their entire device connection histories (including MAC addresses, device names and OS versions) online.
Security researcher Troy Mursch, writing in Bad Packets, has reported that 33 models are affected by the vulnerability. The routers also reveal whether their default passwords have been changed. Between 21,401 and 25,617 vulnerable routers were exposed online, 4,000 of which were still using their default passwords. Linksys, however, claims it fixed the flaw in 2014 and can't replicate it.
The attack is carried out by visiting an exposed router's internet address and running a device list request, and it supposedly works whether or not the router's firewall is on. Mursch told Ars Technica,
"While [this flaw] was supposedly patched for this issue, our findings have indicated otherwise," says Bad Packets. "Upon contacting the Linksys security team, we were advised to report the vulnerability... After submitting our findings, the reviewing analyst determined the issue was 'not applicable/won't fix' and subsequently closed."
The leaked history can also include device names like "William's iPhone" plus whether the device is a Mac, PC, iOS or Android device. The combination of a MAC address and a Linksys Smart Wi-Fi router's public IP address can mean that hackers could geo-locate or track "William," claims Mursch.