In the recent days it has been discovered that over 25,000 Linksys smart routers are believed to have a vulnerability which means the sensitive data can be accessed.
It turns out they are not just leaking MAC addresses, but device names, operating systems and in extreme cases firewall settings, firmware and much more. This means that they are open to data thieves and botnet setups.
The security flaw which is to blame is CVE-2014-8244 which was released in 2014. Even though a patch was put in place, this issue is still active and very much in existence.
Linksys provided a statement to ZDNet which is as follows:
"We responded to a vulnerability submission from Bad Packets on May 7th, 2019 regarding a potential sensitive information disclosure flaw: CVE-2014-8244 (which was fixed in 2014). We quickly tested the router models flagged by Bad Packets using the latest publicly available firmware (with default settings) and have not been able to reproduce CVE-2014-8244; meaning that it is not possible for a remote attacker to retrieve sensitive information via this technique.
JNAP commands are only accessible to users connected to the router's local network. We believe that the examples provided by Bad Packets are routers that are either using older versions of firmware or have manually disabled their firewalls. Customers are highly encouraged to update their routers to the latest available firmware and check their router security settings to ensure the firewall is enabled."
Overall Linksys are confident this is not a critical issue and will not affect the customers in any way, although you would like to think they would fully remove this update or secure it even further? We will soon see if this is a further issue or not now this news is out.