
Over 25k Linksys routers vulnerable to sensitive information disclosure flaw - bad_packets
https://badpackets.net/over-25000-linksys-smart-wi-fi-routers-vulnerable-to-sensitive-information-disclosure-flaw/
======
gambiting
Linksys just doesn't give a shit. At all. I specifically bought one of their
top end routers to use it as a NAS with USB storage, only to discover that
their best of the best router serves files over.....Samba 1.0. Even though
Samba 2.0 has been available for over a decade and Samba 3.0 is commonplace
now. Which means that Windows 10 doesn't allow you to actually browse it by
default anymore, since it's a huge security risk. And even when you manually
install SMB 1.0 support, it's still not going to work on Windows 10 Pro
editions. Which means that the main selling point of the router is now useless
for me. Linksys of course remains completely silent, they don't see anything
wrong there.

~~~
alimbada
You bought a router to use as a NAS? I think that's your problem right there.

How is this even voted to the top?

Edit: Looks like I hit a nerve. God forbid anyone buy hardware for a purpose
it was actually designed for.

~~~
markovbot
You may be lucky enough to have avoided learning about the shitshow that is
consumer grade "routers". They seem to constantly be trying to come up with
stupid shit they can do. Many of the "high end" of the spectrum of garbage
have things like OpenVPN servers and samba shares off the included USB port.

They are all hot garbage and should not be used.

~~~
alimbada
I have no problem with a router offering a VPN server; it's another network
service after all and I see a router as a device that offers network services.
On the other hand, I wouldn't trust the default software stack and wouldn't
use it myself personally.

However, a router acting as a file server just sounds plain wrong.

~~~
gambiting
But....why. What is it about it that makes it wrong. These are really powerful
devices, sometimes with dual or quad core CPUs and gigabytes of ram, so what's
wrong with using them as a NAS? Especially since all I want to do is share a
single USB drive on the network so I can watch some films on my TV or just run
a backup from my main PC to it. Using my router as a NAS allows me to do that
with very little space taken, and most importantly it's completely quiet.
Dedicated NAS devices not only use considerably more power (and it does
actually add up) but they are almost inevitably louder, with at least one fan
and 3.5" disks.

~~~
alimbada
You've already experienced it yourself. Once you find yourself in a situation
that needs more than what is offered by the device you find yourself trapped.
A dedicated NAS device, even a really basic one, wouldn't have the issues you
have.

Also, there are small, quiet[er] NAS devices around. A bit of searching found
me this:
[https://nascompares.com/top-5-silent-and-low-noise-nas-of-the-year/](https://nascompares.com/top-5-silent-and-low-noise-nas-of-the-year/)

~~~
gambiting
> A dedicated NAS device, even a really basic one, wouldn't have the issues
> you have.

How so? What's stopping a NAS maker providing shitty support and/or firmware?
I actually used to own a Netgear ReadyNAS Duo and I got rid of it mostly
because of how loud it was and Netgear stopped releasing updates, which meant
that things like Timemachine backup stopped working. And it was super slow for
transfer speeds compared to what the drives could do.

For comparison's sake, that Linksys router I have is super duper quick - it can
actually do 100MB/s reads and writes on the connected drives which is very
impressive (I thought) - this Samba issue is the only thing separating it from
being great at it. And then I could install OpenWRT and then just install the
newest version of Samba - it's just that I'm a bit lazy to do that.

------
StudentStuff
Once again embedded device security is a joke. Firmware updates are provided
for 2 years or less on devices that end up lingering, acting as the core of
networks for 5 to 15 years.

Repeat offenders should be held accountable, standards should be enforced
(like running point releases of OpenWRT, providing vendor skins as a package,
thus the vendor doesn't have to deal with software updates).

~~~
ChuckNorris89
> _Once again embedded device security is a joke._

Have you seen the state of salaries in the firmware dev industry?

That pretty much explains why firmware security is such a mess. You pay
peanuts you get peanuts.

~~~
StudentStuff
The state of salaries in hardware/embedded roles is quite poor, along with the
decision making process of most companies that create embedded hardware.

Only TI ever really went all in with a fully open stack that had support
mainlined, problem being by the time their chips had full support upstream
they'd be lagging 1 to 2 years behind Qualcomm, Nvidia, Mediatek, Allwinner,
Spreadtrum, etc while having a much higher cost per chip, most of said cost
being the decently written and upstreamed drivers.

For longer lived architectures (eg: AMD/Intel CPUs) totally new device drivers
aren't needed on launch day, in part due to older upstreamed drivers still
mostly working with newer hardware.

None of the aforementioned vendors besides TI ever got into this virtuous
cycle of having upstreamed drivers, thus they've trapped their devices on
sketchy, unstable & insecure BSPs that hurt the reliability, performance and
sometimes the market image of the final product (eg: when the device randomly
crashes or gets exploited due to latent bugs).

------
svacko
Pity that the author didn't mention alternative firmwares as an option to fix
the vulnerability. I recommend everyone with the affected device to go to
[https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Linksys](https://openwrt.org/toh/start?dataflt%5BBrand*%7E%5D=Linksys)
and install the OpenWRT firmware, it's pretty easy.

~~~
IntelMiner
+1 for OpenWRT

I've had a Linksys WRT1900AC since its release (specifically on the promise of
OpenWRT support)

The device has gradually gotten better and better with each OpenWRT release.
These days I get a blistering 60MB/s file transfers over Wi-Fi to my laptop.
Even with newer, "faster" specced devices on the market, I really can't see
any compelling reason to upgrade

------
bjt2n3904
Confirmed this happens on my router -- but the saving grace is that my ISP
doesn't allow port 80. Whoof.

------
duxup
It would be nice if there was a home commercial product that cut out all the
remote access or even local access, reduced feature set (I don't need NAS on
my router), allowed admin access via a physical port only and thus cut out a
lot of the attack surface area....

It shouldn't even be hard for Linksys (granted with their history I wouldn't
trust them) or someone to provide that option. With a reduced feature set and
etc maybe updates would be easier too.

Granted when it comes to home commercial routing products it looks like it is
all about a bazillion new features (at least the way they look on the box /
shopping sites) ... not less.

~~~
Jonnax
Ubiquiti Networks have their Unifi product line that sells to business but
since they don't charge licence fees have become quite popular with keen home
users.

There's regular firmware updates and the feature set is quite standard.

Though their routers and access points are separate: Eg: Their smallest
router: [https://www.ui.com/unifi-routing/usg/](https://www.ui.com/unifi-routing/usg/)

Their cheap WiFi AP: [https://www.ui.com/unifi/unifi-ap-ac-pro/](https://www.ui.com/unifi/unifi-ap-ac-pro/)

To configure the network you use their controller software, can be deployed on
a raspberry pi but I just run it ad hoc on my laptop when I need to change
some configuration.

~~~
duxup
I keep meaning to try them out, although I have a bit of trouble parsing their
product lines / names at times ;)

------
frf37
At least I thought that you could opt out of the remote management at least on
some models. This is what this seems to indicate as well:
[https://community.linksys.com/t5/Wireless-Routers/EA8300-can-t-re-enable-remote-administration-smart-wifi/m-p/1182872#M338770](https://community.linksys.com/t5/Wireless-Routers/EA8300-can-t-re-enable-remote-administration-smart-wifi/m-p/1182872#M338770)
When remote admin is disabled the info leak does not
occur as far as I can tell. Not sure if anyone can confirm that as well.

------
tasubotadas
Are there any routers that come out by default with Tomato or OpenWRT?

~~~
MrBingley
The Turris Omnia and soon-to-be Turris Mox are the only ones that I'm aware
of. I know Linksys has a special line of WRT "open source ready" routers that
are supposedly OpenWRT compatible, but the Amazon reviews are completely
trash. They're a little more pricey, but my next router will be a Turris.

[https://www.turris.cz/en/turris-omnia/](https://www.turris.cz/en/turris-omnia/)

~~~
tasubotadas
Now that I think about it, probably the new Raspberry Pi would do a phenomenal
job.

------
PretzelFisch
Just in case you are not sure who owns Linksys. Cisco sold them in 2013 and
Belkin is their new parent company.

------
smnra
This is not a problem if you are behind a CG-NAT. If you are not (that should
be the default) then ask your ISP to put you behind one. If they don't offer
that service, then it's time to shop around.

~~~
wtallis
Asking your ISP to cripple your connection like that is a horrible "solution",
and usually isn't a change they're prepared to make by request. If you have
the option of shopping around for ISPs, the one that _doesn't_ do CG-NAT is
usually the _best_ choice.

~~~
smnra
I disagree with you. The majority of users don't care about being behind a
CG-NAT (what you call "crippling"), and CG-NAT offers a very big layer of
protection that avoids problems like the one in this article.

~~~
tenebrisalietum
NAT is _not_ a security layer. It's possible through techniques like STUN and
such to discover and reach hosts behind a NAT.

CG-NAT is crippling because I want to receive incoming connections like anyone
else who has a connection to the Internet should be able to. Router
manufacturers can do better. The world does not _have_ to consist solely of
cloud-based middle-men who take full advantage of the fact that all your data
has to pass through them, and that you have to trust them.

~~~
srfilipek
What's somewhat ironic to this discussion is that some Linksys routers modify
STUN responses, which breaks legitimate functionality if the router is used
with dual-NAT or CG-NAT:

[https://www.voip-info.org/stun](https://www.voip-info.org/stun)

Both Linksys and CG-NAT need to be avoided.

