The attack appear to be relatively straightforward and involves little more than visiting an exposed router’s internet address and running a device list request. It works whether or not the router’s firewall is turned on, Mursch told Ars Technica, and isn’t affected by a patch Linksys released in 2014.
There are potentially serious consequences. Complete connection histories could tell hackers if there are juicy targets on a given network, such as a phone running outdated software, while stalkers might find out if their victim had visited a given location. The password status, meanwhile, could make it easy to hijack devices for the sake of botnets and other online crimes.
It might not be as clear-cut a situation as it appears, though. Linksys has posted a security advisory saying that it had “not been able to reproduce” the vulnerability, and suggested that the routers Mursch found online were either using outdated firmware or had their firewalls turned off. Clearly, there’s some disagreement here — and that could be a problem when it’s not certain that affected Linksys routers are truly safe. For now, the best bet is to ensure that you’re running up-to-date router firmware and that the device’s firewall remains active.