Featured Ars: Linksys Routers Leak MAC Addresses Of Anything Ever Connected

Discussion in 'General Network Security' started by Dan Goodin, May 18, 2019.

  1. Dan Goodin

    Dan Goodin Guest

    Dan Goodin at Ars reports that pretty much all of Linksys EA, Velop, WRT and XAC Wi-Fi router models are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use.

    Continue reading on Ars
     
    microchip and L&LD like this.
  2. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,216
    Location:
    San Diego, CA
    The network map is the main culprit, and it's hard to clear it out.

    One doesn't have to use the cloud service; rather, one can set it up for local access only. But it's easy to miss that step on the initial setup of a Linksys SmartWiFi device, and if one wants to use the phone app, then one has to use the cloud.

    There are other issues - for example, one cannot disable Samba, even if no storage is attached, and then there's the well-known issue with Guest Network where WiFi is open and uses a captive portal approach.
     
    avtella and L&LD like this.
  3. loft

    loft Occasional Visitor

    Joined:
    Dec 8, 2010
    Messages:
    19
    The funny thing is that, at least in the case of the EA2750, the router's admin web page says there's no update and the latest firmware version on its support page is listed as problematic.
    So the router will not update itself and even if the user insists the result is not that useful...
    OpenWRT it is!... As soon as I visit my mother.
     
    Makaveli, CrystalLattice and L&LD like this.
  4. L&LD

    L&LD Part of the Furniture

    Joined:
    Dec 9, 2013
    Messages:
    9,702
    I like your priorities! :D
     
  5. ^Tripper^

    ^Tripper^ Regular Contributor

    Joined:
    Aug 16, 2014
    Messages:
    135
    Location:
    Disneyland with the death penalty
    In my experience, despite turning the cloud service off, the router still connects to it. That and a multitude of other ridiculous issues make these “smartwifi” routers a real pain at best and a considerable security risk at worst.
     
    CrystalLattice and L&LD like this.
  6. chadster766

    chadster766 Senior Member

    Joined:
    May 6, 2014
    Messages:
    491
  7. Paliv

    Paliv Regular Contributor

    Joined:
    Apr 27, 2018
    Messages:
    84
    It’s a tricky situation these days. Sites jump on big security panic stories, but big companies try to hush big problems. The result is uncertainty for the end user.
     
    Last edited: May 22, 2019
    sd70mac and L&LD like this.
  8. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,216
    Location:
    San Diego, CA
    Security issues still remain... and these have not been addressed in their "SmartWiFi" platform.

    NetworkMap is another issue - and yes, that's a problem, as many won't know how to clear it.

    There are other issues - for example, one cannot disable Samba, even if no storage is attached, and then there's the well-known issue with Guest Network where WiFi is open and uses a captive portal approach.
    Linksys CloudConnect is the default option, and this requires trust of their upstream platform (and is required if one wants to use the smartphone app).

    The JNAP/HNAP issue is still a problem, but not just for Linksys, but if one knows the sysinfo.cgi, certain things are still exposed, not just for HNAP, but to get the keys to the whole kingdom - which I pointed out in a roundabout way with the Guest Network Captive portal.

    Linksys needs to be aware that an attack can come in from the LAN side - BadPackets didn't tell the whole story on their Website.

    To Linksys' credit, at least with the WRTs, they do rotate the initial admin password for first installs.

    I'm a bit disappointed with Linksys' response - which is basically "cannot duplicate" -- someone reported a bug/issue, and they can reproduce it; if Linksys cannot, that means they're not trying hard enough, or just don't understand the entire context of the issue.

    Linksys responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014). We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique. JNAP commands are only accessible to users connected to the router’s local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled.
     
  9. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,216
    Location:
    San Diego, CA
    @chadster766 - none of the issues I reported have been addressed - I've dived deeper into this platform than most, and some of the things I've found will not be posted here, but have been reported back to Linksys with no response.

    Goodbye WRT1900ac - comments below

    I do like the WRT hardware; the weakness is the Linksys firmware, and OpenWRT isn't always the best option due to the state of the FOSS wireless drivers - as a router only, OpenWRT and the WRT1200/1900 is a great option.
     
    sd70mac, CrystalLattice and L&LD like this.
  10. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,174
    Location:
    Canada
    Security "researchers" often jump at any chance for quick publicity without validating their own discovery. Someone raised a pretty important point: these reports were about vulnerable routers they found on the Internet. Who's saying that these routers they found weren't running outdated firmware versions? I don't recall that report mentioning that they (the researchers) had reproduced the issue in their own labs...

    Kinda like someone claiming that Apache is still vulnerable to Heartbleed because a recent scan revealed a few thousand vulnerable websites.

    The fact this is a CVE from 2014 makes me suspect this issue had been already fixed years ago, hence Linksys were unable to reproduce it.
     
    sd70mac, CrystalLattice and L&LD like this.
  11. chadster766

    chadster766 Senior Member

    Joined:
    May 6, 2014
    Messages:
    491
    To see the issue, open Google to your Linksys login page. Then open Google Developer Tools and refresh the login page. In the developer tools Network tab, click on the JNAP sections listed and have the Response tab open. You will see the information there.

    This layer 2 information can be scanned from any network you already have access to by many software tools and commands.

    The WebUI login hint is exposed normally with all login processes because it's to help you at the login screen before login, not after.
     
    CrystalLattice likes this.
  12. RMerlin

    RMerlin Super Moderator

    Joined:
    Apr 14, 2012
    Messages:
    31,174
    Location:
    Canada
    And you're telling us Linksys's devs can't follow such simple steps? That's... worrying. For Linksys owners, that is.
     
    sfx2000 likes this.
  13. chadster766

    chadster766 Senior Member

    Joined:
    May 6, 2014
    Messages:
    491
    I think what Linksys was saying is that they couldn't reproduce the claim that this issue was also on the WAN side of things, which it isn't.
     
    sd70mac likes this.
  14. sfx2000

    sfx2000 Part of the Furniture

    Joined:
    Aug 11, 2011
    Messages:
    14,216
    Location:
    San Diego, CA
    Someone should give it a try from the Captive Portal on the Guest Network ;)