2 min read

Known vulnerability stays unpatched for five years, exposes router info

Ionut ILASCU

May 30, 2019

Ad One product to protect all your devices, without slowing them down.
Free 90-day trial
Known vulnerability stays unpatched for five years, exposes router info

For years, security professionals have sounded like a broken record with warnings to keep Internet of Things devices up to date. Yet their message was not heeded, and vulnerabilities that should no longer exist can still be used to harm device owners.

A security issue in Linksys Smart WiFi routers lets an unauthenticated hacker anywhere in the world obtain device information that can be used to pinpoint geographical location. The gadget also leaks data that can help prepare an attack to compromise it.

At the moment of the discovery, over 25,000 vulnerable devices were exposed on the internet. This is not a new vulnerability that hackers are rushing to exploit. On the contrary, it has been public since 2014, identified as CVE-2014-8244, but it has remained unpatched ever since.

Researcher Troy Mursch, co-founder of security company Bad Packets, found that almost half of the affected Linksys routers were in the United States. Multiple models are impacted, including AC gigabit routers released in 2016 that still have high price tags, such as WRT3200ACM, which sells for $249.

According to Mursch, an unskilled remote hacker can not only learn the geographical location of a vulnerable router (based on its public IP address) but they can also find the full history of MAC addresses for gadgets that connect to it. This address is a unique identifier that also reveals the name of the device maker.

Mursch says that the operating system powering it is also revealed to the attacker. He adds that, in some cases extra details are available, such as the type of the device, manufacturer, model number, and description.

Even if the vulnerability does not directly lead to compromise, the information it leaks is valuable as it accelerates the reconnaissance stage of an attack. The data shows what devices a user may have on the network and makes hacking it easier.

The worst part is that these Linksys devices may never be patched. Although the flaw has been public knowledge for five years, the maker did not patch it. Mursch reported it and the reply he received was that the issue was “not applicable” and wouldn’t be fixed.

The researcher says that, if Linksys decides to issue a patch, more than half of the affected routers would immediately stop leaking the sensitive data because they have automatic firmware updates turned on. A different solution that could mitigate such a risk is a hardware security appliance that protects all devices in the house at network level and defends against hacker attacks.

Image credit: Linksys

tags


Author



Right now

Top posts

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

Abode IoT Security Camera Vulnerabilities Would Let Attackers Insert Images, Bitdefender Finds

December 21, 2021

2 min read
Online Shoppers Beware, Mobile Scams Are on the Rise

Online Shoppers Beware, Mobile Scams Are on the Rise

December 17, 2021

2 min read
The Holiday Guide to Tech Support: Fixing the Family Computer

The Holiday Guide to Tech Support: Fixing the Family Computer

November 24, 2021

2 min read
Bitdefender Celebrates 20 Years of Cybersecurity Leadership

Bitdefender Celebrates 20 Years of Cybersecurity Leadership

November 04, 2021

3 min read
Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

Bitdefender Study Reveals How Consumers Like (and Dislike) Managing Passwords

October 26, 2021

3 min read
What are drive-by download attacks and how do you prevent them?

What are drive-by download attacks and how do you prevent them?

October 25, 2021

2 min read

FOLLOW US ON

SOCIAL MEDIA


You might also like

Apple Patches New Zero-Day and Nasty Privacy Bug with iOS 15.3 and macOS 12.2 Apple Patches New Zero-Day and Nasty Privacy Bug with iOS 15.3 and macOS 12.2
Filip TRUȚĂ

January 27, 2022

2 min read
Microsoft Uncovers New SolarWinds Vulnerability While Analyzing Log4j Exploit Activity Microsoft Uncovers New SolarWinds Vulnerability While Analyzing Log4j Exploit Activity
Silviu STAHIE

January 26, 2022

1 min read
Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw Take Your QNAP NAS Offline! DeadBolt Ransomware Locks Devices via Alleged Zero-Day Flaw
Filip TRUȚĂ

January 26, 2022

1 min read