Linksys MR9600 and MX4200 Missing Authentication Vulnerability Allowing Access to Sensitive Information

A vulnerability exists in the Linksys MR9600 (firmware 1.0.4.205530) and MX4200 (firmware 1.0.13.210200) routers, allowing a user with physical access to the device to exploit the mesh functionality. This exploitation can lead to unauthorized access to sensitive information, such as the admin password for the web interface and Wi-Fi passwords. The issue arises from missing authentication in the mesh device-adding process, which can be manipulated to retrieve confidential data.

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive information, including administrative passwords and Wi-Fi credentials.

Reproduction

The vulnerability can be reproduced by physically accessing the affected router and using Bluetooth Low Energy (BLE) to add a new mesh device. After advertising the correct BLE data to be recognized as a Linksys mesh device, the router can be made to connect and transfer hidden Wi-Fi network credentials and TLS-SRP authentication details. Once connected to the hidden Wi-Fi network, a service running on TCP port 6060 can be accessed, which responds with the sensitive data including the admin and Wi-Fi passwords.