
Ars: Linksys Routers Leak MAC Addresses Of Anything Ever Connected


Dan Goodin

Guest
Dan Goodin at Ars reports that pretty much all of Linksys EA, Velop, WRT and XAC Wi-Fi router models are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use.

 

sfx2000

Part of the Furniture
The network map is the main culprit, and it's hard to clear it out.

One doesn't have to use the cloud service, rather set it up for local access only, but it's easy to miss that step on the initial setup of a Linksys SmartWiFi device, and if one wants to use the phone app, then one has to use the cloud.

There are other issues - for example, one cannot disable Samba, even if no storage is attached, and then there's the well-known issue with Guest Network where WiFi is open, and uses a captive portal approach.
 

loft

Occasional Visitor
The funny thing is that, at least in the case of the EA2750, the router's admin web page says there's no update and the latest firmware version on its support page is listed as problematic.
So the router will not update itself and even if the user insists the result is not that useful...
OpenWRT it is!... As soon as I visit my mother.
 

L&LD

Part of the Furniture

^Tripper^

Senior Member
> One doesn't have to use the cloud service, rather set it up for local access only, but it's easy to miss that step on the initial setup of a Linksys SmartWiFi device, and if one wants to use the phone app, then one has to use the cloud.

In my experience, despite turning the cloud service off the router still connects to it. That and a multitude of other ridiculous issues make these “smartwifi” routers a real pain at best and a considerable security risk at worst.
 

sfx2000

Part of the Furniture
It seems this badpackets article may not be accurate.
Security issues still remain... and these have not been addressed in their "SmartWiFi" platform.

NetworkMap is another issue - and yes, that's a problem, as to many, they won't know how to clear it.

There are other issues - for example, one cannot disable Samba, even if no storage is attached, and then there's the well-known issue with Guest Network where WiFi is open, and uses a captive portal approach.
Linksys CloudConnect is the default option, and this requires trust of their upstream platform (and required if one wants to use the smartphone app).

The JNAP/HNAP issue is still a problem, but not just for Linksys, but if one knows the sysinfo.cgi, certain things are still exposed, not just for HNAP, but to get the keys to the whole kingdom - which I pointed out in a round-about way with the Guest Network Captive portal.

Linksys needs to be aware that an attack can come in from the LAN side - BadPackets didn't tell the whole story on their Website.

To Linksys' credit, at least with the WRT's, they do rotate the initial admin password for first installs.

I'm a bit disappointed with Linksys' response - which is basically "cannot duplicate" -- someone reported a bug/issue, and they can reproduce it, if Linksys cannot, that means they're not trying hard enough, or just don't understand the entire context of the issue.

Linksys responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014). We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. JNAP commands are only accessible to users connected to the router’s local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled.
 

sfx2000

Part of the Furniture
@chadster766 - none of the issues I reported have been addressed - I've dived in deeper into this platform than most, and some of the things I've found will not be posted here, but have been reported back to Linksys with no response.

Goodbye WRT1900ac - comments below

I do like the WRT hardware, the weakness is the Linksys firmware, and OpenWRT isn't always the best option due to the state of the FOSS wireless drivers - as a router only, OpenWRT and the WRT1200/1900 is a great option.
 

RMerlin

Asuswrt-Merlin dev
Security "researchers" often jump at any chance for quick publicity without validating their own discovery. Someone raised a pretty important point: these reports were about vulnerable routers they found on the Internet. Who's saying that these routers they found weren't running outdated firmware versions? I don't recall that report mentioning that they (the researchers) had reproduced the issue in their own labs...

Kinda like someone claiming that Apache is still vulnerable to Heartbleed because a recent scan revealed a few thousand vulnerable websites.

The fact this is a CVE from 2014 makes me suspect this issue had been already fixed years ago, hence Linksys were unable to reproduce it.
 

chadster766

Very Senior Member
To see the issue, open Google to your Linksys login page. Then open Google Developer Tools and refresh the login page. In the developer tools Network tab, click on the JNAP sections listed and have the Response tab open. You will see the information there.

This layer 2 information can be scanned from any network you already have access to by many software tools and commands.

The WebUI login hint is exposed normally with all login processes because it's there to help you at the login screen before login, not after.
 

RMerlin

Asuswrt-Merlin dev
> To see the issue, open Google to your Linksys login page. Then open Google Developer Tools and refresh the login page. In the developer tools Network tab, click on the JNAP sections listed and have the Response tab open. You will see the information there.
>
> This layer 2 information can be scanned from any network you already have access to by many software tools and commands.
>
> The WebUI login hint is exposed normally with all login processes because it's there to help you at the login screen before login, not after.

And you're telling us Linksys's devs can't follow such simple steps? That's... worrying. For Linksys owners, that is.
 

chadster766

Very Senior Member
> And you're telling us Linksys's devs can't follow such simple steps? That's... worrying. For Linksys owners, that is.

I think what Linksys was saying is that they couldn't reproduce the claim that this issue was also on the WAN side of things which it isn't.
 

sfx2000

Part of the Furniture
> I think what Linksys was saying is that they couldn't reproduce the claim that this issue was also on the WAN side of things which it isn't.

Someone should give it a try from the Captive Portal on the Guest Network ;)
 
