Over 25,000 Linksys routers leaking information on connected devices

MANILA, Philippines – More than 25,000 Linksys routers were found to have been leaking the full historical records of devices connected to them.

The information leaked includes unique identifiers for those devices, as well as their names and operating systems.

In a post on Bad Packets last Monday, May 13, researcher Troy Mursch added that the "sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge."

The issue is significant because it discloses information that people do not expect to be public. Hackers and other interested parties can use the information to help them track the people whose devices were exposed.

Linksys responds

Linksys responded on Tuesday, May 14, following Mursch's post, saying the flaw was patched in 2014 as part of CVE-2014-8244.

Linksys said, "We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique."

The company added, "We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."

An Ars Technica report suggests the flaw still exists either because people failed to apply the patch or because the patch was ineffective in some cases.

Mursch has published the full list of vulnerable devices. Users may want to upgrade their router firmware and then check if the issue persists, following the advice in the Bad Packets post. If it does, it may be better to get a different router or to replace the firmware with one from a third party. – Rappler.com