Earlier this week a security researcher disclosed a vulnerability within Linksys routers that was thought to have been patched back in 2014.
TL DR: No fix for this vulnerability exists. It is made worse if your router is using the default password. With no fix from Linksys expected you may consider using OpenWrt firmware.
Why should this vulnerability be considered important?
This vulnerability is trivial to exploit and can be carried out remotely by an un-skilled attacker. A list of affected Linksys routers is available in Mursch’s report At the time of writing, Linksys have deemed the vulnerability “Not applicable / Won’t fix” following responsible disclosure by Mursch. This information disclosure vulnerability leaks (among other details):
- MAC address (defined) of every device that’s ever connected to it (full historical record, not just active devices)
- Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
- Operating system (such as “Windows 7” or “Android”)
- WAN settings
- Firewall status
- Firmware update settings
- DDNS settings
A further example of the information disclosed is present in Mursch’s report. One of the more important elements disclosed is the MAC address. This unique “fingerprint” allows the tracking of a device as it moves across networks and allowing it’s geolocation using a service such as Wigle (we have mentioned Wigle before on this blog). Using this location data, an attacker could plan and conduct targeted attacks against your business/home.
As mentioned above; this vulnerability is made more severe if your Linksys router is using a default password; the following actions can be taken by an attacker (list courtesy of Mr. Troy Mursch):
- Obtain the SSID and Wi-Fi password in plaintext
- Change the DNS settings to use a rogue DNS server to hijack web traffic
- Open ports in the router’s firewall to directly target devices behind the routers (example: 3389/TCP for Windows RDP)
- Use UPnP to redirect outgoing traffic to the threat actors’ device
- Create an OpenVPN account (supported models) to route malicious traffic through the router
- Disable the router’s internet connection or modify other settings in a destructive manner
How can I protect my organisation/myself from this vulnerability?
If your router is one of the vulnerable models listed in Mursch’s report; please make certain the option for automatic firmware updates is enabled (if it is present). Should Linksys correct this vulnerability in the future, you will receive the fix automatically.
Please make certain your Linksys router is not using the default password it is supplied with. With no fix from Linksys expected you may consider using OpenWrt firmware.