Low-Probability Linksys Security issue reported by Testaankoop
Any report of a potential Security issue is taken seriously and acted upon by Linksys. As the company that pioneered Home Routers and has been operating globally for almost 4 decades, our Security procedures and responses are always factual and transparent. This communication is a public response to a report of a Security issue first reported by Testaankoop, although it does not appear to have originated with them, nor have they confirmed or shown proof that they reproduced the issue. To date nobody other than Rapid7, who Linksys contracted to test our products, has ever been able to reproduce the issue, and only in a special lab circumstance, using specialized tools, and with unrestricted permissions for both the LAN and WAN.
Prior to reading through the below response, it is critical to understand that Linksys' architecture and operations are unique to the industry. We DO NOT collect or store any device or user data generated by our Home Routers or the Linksys Mobile App. If using the Linksys Mobile App, select data elements are used during installation and configuration, but are never stored or observed by Linksys. If using the Browser-based Local User Interface, none of the data used for installation, configuration, or ongoing operation is ever seen, much less stored by Linksys; it all stays local in your device.
Timeline of Low-Probability Linksys Security issue reported by Testaankoop
- September 19th, 2023: Received Rapid7 report, executed on behalf of Linksys, regarding low-probability (Priority 3/Severity 3) security configuration concern on two (2) Linksys Retail SKUs
- November 28th, 2023: Linksys Marketing forwarded an email from Which? reporting this same vulnerability (using the same exact wording as Rapid7) to Linksys Development
- November 28th, 2023: Linksys Development responded to Which? the same day and provided a Security Form for Which? to submit back to Linksys Development
- November 30th, 2023: Which? answered Linksys' November 28th request, but provided no additional details and could/did not confirm he could reproduce the issue
- December 4th, 2023: Which? submitted public report via BugCrowd, upgrading the issue to Moderate-Probability, but provided no additional/actionable details
- December 5th, 2023: BugCrowd confirmed they were not able to reproduce the issue and asked Which? for more information. Which? did not respond to the BugCrowd request
- December 5th, 2023: A Market Researcher from Belgium emailed Linksys Marketing, referencing the BugCrowd Report that Which submitted, but provided no additional details and did not confirm they could
- Limited Exposure: Two (2) affected SKUs (Linksys Velop Pro 6E and Linksys Velop Pro 7) - to exploit the Security configuration issue, which is confined to the WAN/ISP side, the “bad-actor” would require highly specialized tools along with real-time physical access to the Home Router and full visibility and permission to traverse the ISP network
- Low-Probability Real-World Risk: Potential exploitation would require multiple and highly improbable conditions to align:
  - Physical and wired access to the Home Router (requires the hacker to be in the Home with specialized tools)
  - Access to ISP infrastructure and encryption (requires the ISP permission or for the network to be hacked)
  - Use of the Linksys Mobile App (majority of Linksys Users use the Local UI/Browser to configure the affected SKUs, not the Mobile App)
- Discovery: Linksys contractor Rapid7 discovered and reported the issue that was classified as Priority 3/Severity 3
  - P3/S3 issues are routinely fixed in 6 to 9 months after being reported
- Linksys Server-side change (firmware independent): Linksys has already started a controlled roll-out of a server-side configuration change that prevents the reported Security configuration issue. No downtime is expected for the rollout
- Linksys Client-side change: Client-side firmware for the two (2) affected Retail SKUs includes additional protection to the server-side change noted above and will be available by July 26th. Customers can open a support ticket to request an engineering build today
- Local UI/Browser-based Router Configuration: Linksys continues to promote Local UI/Browser-based installation and configuration instead of using the Linksys Mobile App
  - Note the Low-Probability Linksys Security issue was never present when the Local UI/Browser was used to install and configure the affected SKUs instead of the Linksys Mobile App
- Linksys is currently shipping 150+ SKUs globally, two (2) Retail SKUs are affected, but are currently considered safe to operate because the server-side change has already been implemented and will be doubly safe once the Client-side firmware is updated by July 30th
  - The SKUs affected are all Retail SKUs - MX62xx, MBE7xxx
  - Note that no Internet Service Provider (ISP) SKUs or the 100+ other Retail SKUs are affected
Media Contact
For media inquiries, interview requests, or additional information, please don't hesitate to reach out to our dedicated press team.