Thousands of Linksys routers leaked detailed device connection records

If you were looking for more proof that all of your connected devices were out to get you, look no further than a new report from Bad Packets chief research officer Troy Mursch, who revealed last week that dozens of Linksys Smart Wi-Fi routers are leaking full records of all the devices that have ever connected to them. Some of the information that is possible to dig up by exploited this flaw includes the MAC address, the name of the device, WAN settings, firewall status, and even whether or not the default password for the router has ever been changed.

With the help of the BinaryEdge cybersecurity team, Bad Packets was able to find 25,617 Linksys routers that were leaking sensitive information to the public internet. As Mursch says, exploiting the flaw doesn’t require authentication “and can be exploited by a remote attacker with little technical knowledge.”

Related Stories:

Netgear unveils the Nighthawk AX4: The first Intel-based Wi-Fi 6 router
The hole in the International Space Station isn't the first serious space misstep from Russian manufacturer
The International Space Station has sprung a leak after being hit by a meteorite

If you’re wondering what hackers might do with the information they steal by exploiting this flaw, Mursch explains that a MAC address is a unique identifier for a networked device, and can be used to track a device as it moves between networks. Plus, if there is identifying information in the device name (such as the owner’s full name), a hacker could determine the identity of the device’s owner and geolocate them with a public IP address.

In a strange twist, Linksys released a statement regarding the security flaw, claiming that not only had it been fixed by an update in 2014 (which Mursch specifically says is not the case), but that it was unable to replicate the exploit that Mursch described in his report. Here’s the full statement:

Linksys responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014).  We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique.  JNAP commands are only accessible to users connected to the router’s local network.  We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls.  Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled.

If you have any of the Linksys routers Mursch names in his report, you should first make sure that your firmware is up to date, but you might also consider replacing it with a device that isn’t on the list.

BGR Top Deals:

  1. Surprise: Amazon’s early Prime Day sale with $25 Fire TV Sticks is somehow still going

  2. Order right now to lock in Amazon’s rare AirPods 2 discount

Trending Right Now:

  1. Everything new coming to Netflix this week, and everything leaving (week of May 19)

  2. David Spade’s ‘Game of Thrones’ review is the best we’ve seen yet

  3. It’s official: The ‘Game of Thrones’ series finale was the worst episode in the show’s history

See the original version of this article on