Linksys router bug allows viewing connected devices
A large number of Linksys routers are reportedly not properly secured, allowing outsiders to easily see online which devices are connected to them. However, Linksys itself states that it cannot reproduce the vulnerability.
The findings were posted online by security researcher Troy Mursch, who explains on his website how the vulnerability can be exploited. With a relatively easy trick, an outsider can find out on a Linksys router's login page which devices are connected, now and in the past, including each device's type and MAC address. It is also possible to find out whether a router still uses its default password.
According to Mursch, at the time of his research there were just over 25,000 routers online that contained the vulnerability, revealing a total of three-quarters of a million MAC addresses of devices that had once been connected. A few thousand of the routers found still had the default password. According to Mursch, about 33 router models are susceptible to the vulnerability.
Linksys itself states that it was made aware of Mursch's findings earlier this month. However, the company is unable to reproduce the issues and refers to CVE-2014-8244, a vulnerability patched in 2014. The company suspects that the routers found online are still running an older version of the firmware, and advises users to update their software. However, in a response to Ars Technica, Mursch states that the issues were not resolved by the fix released in 2014. As a result, it is still unclear what the exact cause is and whether Linksys will fix the problems.