
Image credit: Roberto Baldwin/Engadget

Over 21,000 Linksys routers leaked their device connection histories

Linksys, however, says it can't replicate the apparent flaw.

Certain Linksys WiFi routers might be sharing far more data than their users would like. Security researcher Troy Mursch has reported that 33 models, including some Max-Stream and Velop routers, are exposing their entire device connection histories (including MAC addresses, device names and OS versions) online. They also share whether or not their default passwords have changed. Scans have shown between 21,401 and 25,617 vulnerable routers online, 4,000 of which were still using their default passwords.

The attack appears to be relatively straightforward and involves little more than visiting an exposed router's internet address and running a device list request. It works whether or not the router's firewall is turned on, Mursch told Ars Technica, and isn't affected by a patch Linksys released in 2014.

There are potentially serious consequences. Complete connection histories could tell hackers if there are juicy targets on a given network, such as a phone running outdated software, while stalkers might find out if their victim had visited a given location. The password status, meanwhile, could make it easy to hijack devices for the sake of botnets and other online crimes.

It might not be as clear-cut a situation as it appears, though. Linksys has posted a security advisory saying that it had "not been able to reproduce" the vulnerability, and suggested that the routers Mursch found online were either using outdated firmware or had their firewalls turned off. Clearly, there's some disagreement here -- and that could be a problem when it's not certain that affected Linksys routers are truly safe. For now, the best bet is to ensure that you're running up-to-date router firmware and that the device's firewall remains active.
