33 Linksys router models leak full historic record of every device ever connected


More than 20,000 Linksys wireless routers are regularly leaking full historic records of every device that has ever connected to them, including devices' unique identifiers, names, and the operating systems they use. The data can be used by snoops or hackers in either targeted or opportunistic attacks.


Independent researcher Troy Mursch said the leak is the result of a persistent flaw in almost three dozen models of Linksys routers. It took about 25 minutes for the Binary Edge search engine of Internet-connected devices to find 21,401 vulnerable devices on Friday. A scan earlier in the week found 25,617. They were leaking a total of 756,565 unique MAC addresses. Exploiting the flaw requires only a few lines of code that harvest every MAC address, device name, and operating system that has ever connected to each of them.

The flaw allows snoops or hackers to assemble disparate pieces of information that most people assume aren’t public. By combining a historical record of devices that have connected to public IP addresses, marketers, abusive spouses, and investigators can track the movements of people they want to track. The disclosure can also be useful to hackers. The Shadowhammer group, for instance, recently infected as many as 1 million people after hacking the software update mechanism of computer maker ASUS. The hackers then used a list of about 600 MAC addresses of specific targets that, if infected, would receive advanced stages of the malware.


To catch a drug thief, hospital secretly recorded births, women’s surgeries

Not where you want a hidden camera.


A California hospital faces a lawsuit from 81 women who allege they were secretly filmed by hidden cameras in labor and delivery operating rooms while undergoing extremely intimate procedures, including Caesarean births, sterilizations, and operations to resolve miscarriages.

The women claim that their privacy was egregiously violated by the hospital, Sharp Grossmont Hospital in La Mesa, California, which is run by Sharp HealthCare. The women say they did not consent to be filmed during the procedures—and would not have done so if given the choice.

Moreover, they allege that their sensitive videos were insecurely stored on various desktop computers, some of which were not even password protected, and that numerous non-medical staff members—including security guards and attorneys—were able to watch the videos. The lawsuit further alleges that the hospital made no effort to log or monitor who viewed the footage and did not ensure proper deletion of the data. In all, the lawsuit estimates that the hospital had secret recordings of around 1,800 procedures that took place in the women’s center.


Epic says its Game Store is not spying on you

Despite what you may have read, Epic says this is not spyware.


This week, certain corners of the gaming Internet have been abuzz with a bit of self-described "amateur analysis" suggesting some "pretty sketchy," spyware-like activity on the part of the Epic Game Store and its launcher software. Epic has now stepped in to defend itself from those accusations, while also admitting to an "outdated implementation" that can make unauthorized access to local Steam information.

The Reddit post "Epic Game Store, Spyware, Tracking, and You!" points to a wide-ranging set of implications based on some broad file and network access traffic observations when the Epic Game Store is running. But much of the post is focused on Epic's association with Chinese gaming giant Tencent, which owns a share of the company.

"Tencent is a significant, but minority shareholder in Epic," co-founder and CEO Tim Sweeney wrote in response to the conspiracy theory in one Reddit thread. "I'm the controlling shareholder of Epic... The decisions Epic makes are ultimately my decisions, made here in North Carolina based on my beliefs as a game developer about what the game industry needs!"


Bay Area: Join us 1/9 to talk about personal data security in 2019

Ashkan Soltani has worked with the FTC and as an independent researcher, exploring data privacy issues. Recently, he testified about Facebook's privacy policies before the US and UK governments.


The Cambridge Analytica scandal. Data breaches at hotels, banks, rideshare companies, and hospitals. Facial recognition. DNA databases. We're living through the data privacy apocalypse and now it's time to figure out what happens next. Here to discuss that with us at the next Ars Technica Live is Ashkan Soltani, an independent researcher and technologist who specializes in data privacy.

Recently, Soltani testified before the US and UK governments about Facebook's privacy practices and how they make user data available to third parties. Soltani also authored the California Consumer Privacy Act of 2018, which regulates large companies that make more than 50 percent of their revenues from selling California residents' personal information. The CCPA was signed into law earlier this year.

Soltani will be in conversation with Ars Technica editors Cyrus Farivar and Annalee Newitz.
