
llebkcir

Oh Joy of Joys...
https://stackdiary.com/linksys-velop-routers-send-wi-fi-passwords-in-plaintext-to-us-servers/
According to Testaankoop, the Belgian equivalent of the Consumers’ Association, two types of Linksys routers are sending Wi-Fi login details in plaintext to Amazon (AWS) servers.
This discovery involves the Linksys Velop Pro 6E and Velop Pro 7 mesh routers.
During routine installation checks, Testaankoop detected several data packets being transmitted to an AWS server in the US. These packets included the configured SSID name and password in clear text, identification tokens for the network within a broader database, and an access token for a user session, potentially paving the way for a man-in-the-middle (MITM) attack.
An MITM attack is a security breach in which an attacker intercepts the communication between your Linksys router and the Amazon server without either party’s knowledge. In this context, it means the attacker could capture your Wi-Fi network name (SSID) and password as they are transmitted in plaintext, allowing them to read or alter these sensitive details and potentially gain unauthorized access to your network.
The consumer organization conducted these tests using the latest firmware available at the time. Despite warning Linksys in November, no effective measures have been taken.
The Velop 6E and 7 we tested had the most recent firmware. The Velop 6E was tested several times, the last time with firmware V 1.0.8 MX6200_1.0.8.215731 and the new Velop Pro 7 was tested with firmware 1.0.10.215314.
Testaankoop
Linksys released a firmware update after the initial warning, but it did not address the concerns raised. “We regret the lack of response from Linksys and expected more from such a renowned brand,” Testaankoop expressed.
Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware. However, they emphasize that this does not excuse the vulnerability. For those who already own the affected routers, they have recommended changing the Wi-Fi network name and password via the web interface instead of the app. This precaution prevents the SSID name and password from being transmitted in readable text.
Mesh routers like the Velop series are designed to improve Wi-Fi distribution in large or multi-story homes by creating a wireless network through multiple connected nodes. These nodes communicate either wirelessly or through cables to ensure better Wi-Fi coverage. However, the Velop Pro WiFi 6E and Pro 7’s data transmission practices undermine the security benefits they should provide.
Testaankoop contacted Linksys again just days before today’s publication in response to the ongoing issue, giving them a brief window to respond. However, they have not received any acknowledgment or solution from the manufacturer.
The vulnerability persists even in the latest Linksys 7 Pro, highlighting a critical security lapse. “After our long and intensive tests, we strongly advise against buying the Linksys Velop Pro WiFi 6E and Pro 7 because there is a serious risk of network intrusion and data loss,” the researchers concluded.
While breaching a network requires effort and technical skill (Linksys has done a lot of the heavy lifting here!), the attacker can cause extensive damage once inside. Linksys themselves recommend the Velop product line for small offices, making this issue particularly concerning for both personal and professional environments.
Stack Diary reached out to Linksys on July 9 to see if they plan on responding; as of July 14, we have yet to hear from them.
CyberpunkEnthusisast
Jokes on them, I don’t have passwords.
circlebreaker
Ah yes, the classic admin admin.
JustDeathAndTaxes
Up vote for awareness.
LincLoud
.
mike13815
Adding: Open source firmware is not only available for most routers, but usually adds features you can usually only get from high-end models
Elrohn
Amazon AWS. Why am I not surprised. This was probably part of the same cunty bullshit backdoor agreement to originally allow sidewalk to be automatically on....
Sidewalk... in case you have Amazon shit and don't know shit or keep up with shit.
https://www.reddit.com/r/HomeNetworking/s/GI7AxNi0Qi
Santorrr
The EU should smack them in the face
hwatL4bloopy
Now if only I knew how to ping them to reply with the unprotected password..
cousteau
Systems that don't encrypt passwords should be illegal.
triffidhunter
Aand this sort of thing is why I only buy routers I can put OpenWRT or similar on
Wirefish
Linksys has been kinda crap for decades now.
The701
"The consumer organization conducted these tests using the latest firmware available at the time. Despite warning Linksys in November, no effective measures have been taken."
OH FFS
Sakkura
That feels like it should merit one of those really big GDPR fines.
vegivamp
Given that the data is being sent to the US, that's exactly where this is going. You can't just send customer data out of the EU.
jimicus
I suspect they'll argue that it's not personally identifiable data.
vegivamp
I could be wrong, but I don't think any consumer data can be stored outside of the EU without an agreement.
Evi1Gav
Do. Not. Buy. Things. That. Insist. On. The. Cloud. Tplink Deco stuff insists you configure using their app and a cloud account, yet they sell the exact same routers (that don't look quite as stylish), with a local web front end and no cloud connection needed. The companies will keep doing this, as long as people keep buying this shit.
Degarafarat
This is going to go so well in the EU
kinarism
Linksys went to shit when they were bought by Cisco. They have been dog shit ever since. Do not buy Linksys anything.
bgsteiner
They are owned by Foxconn now, so even worse.
in9119iwas
a 200+ million fine from the European Union seems appropriate
Elrohn
Nah....
Assets frozen and no protection.
Executives charged with felony fraud x number of units sold.
Imprisonment for each charge can be 10 years. Let's serve them concurrently.
New board appointed by judge as oversight for transition period.
The company survives along with employees who work...not executives who don't take action...cause being a leader...well that's what you are supposed to be.
VincentV189
So this is not good, but also not really bad. First off, this has nothing to do with Amazon; AWS is just a hosting platform. Anyone can buy AWS server space and use it for w/e. Secondly, having an SSID and passcode does you no good if you are not near the network that is using it. Could this be used for something bad? Maybe? But it would take a lot. If you had the IP you could geolocate the general area, maybe with more data and some data dumps you could get an address, but then what? Any important
Mithi
You do not store passwords plain-text... EVER. No exceptions.
n0gal
You do not store passwords. Ever. What should have been sent was a salted hash of the password. Even encrypting them would be asinine. There is no reason for 1) it to be sent over plain text, and 2) for it to be any more than the salted hash.
VincentV189
Cool, getting downvoted for providing perspective as to what can and can't be done with a wifi password on a post that is clearly trying to incite panic for a situation that doesn't need panic, just caution. Got it. With OP talking about a MITM attack, which makes 0 sense at all. Of all the leaks going on right now this is so nothing to write home about. Ticketmaster on the other hand....
VincentV189
Data is going to be encrypted with HTTPS anyway, which is the reason why doing things like banking across the internet is "secure". The encryption is from your PC to their server, not from your router to their server.
trasneoir
It's quite bad in several ways.
1. There's a certain amount of stolen data _about you_ available for sale on the darkweb right now. If you ever owned one of these routers, there's now one more way that data could include your wifi password.
2. If this router was failing at such basic security hygiene, what other incompetent bullshit is going on with it?
3. When Linksys are told their product's security is broken, they fail to respond (or fix) for 10 months.
trasneoir
I'd accept the general premise of your point - wifi is generally pretty insecure, and I'd never trust it absolutely.
My bigger concern with this disclosure is as a canary in the coal mine: it suggests that security is a much, much lower priority for Linksys than I'd consider acceptable for a networking company.
perlninja
Big IT company sucks at IT security, news at 11. Nothing new under the sun here folks, you really honestly don't want to know the kind of idiocy that goes on behind the scenes at larger firms.
sdrawkcabmIpleH
I wouldn't count on the smaller firms either, at least not without some evidence first.
perlninja
Oh for sure, but smaller firms do it better on average. (there's a pun in here somewhere...). Besides the whole "in plain text" thing in this case there's also the question of "why the fuck you sending that info out to begin with". So either someone at Linksys backdoored the firmware, or Linksys is farming it for their own purposes. Both are incredibly bad...
lovehandlesmessiah
What is this, CD Universe circa 1996? We can create AI but not encrypt our security information.
Nizedk
First, that info should not be sent to anybody. Not even encrypted. Encrypted is wrong, passwords should be hashed (and salted). So, this is wrong on multiple levels.
lovehandlesmessiah
Agreed. The fact plain text files are still used in this manner is insane.
Nizedk
My primary point; They should not send it in any way, because it should not be sent. That they do it insecurely is just even more stupid.
lovehandlesmessiah
I remember a job years ago where they began for the first time securing SQA servers across the three geo units due to a hack. Turns out all the SQL servers at our one site had two unused but accessible admin accounts that still used the vendor default passwords. The default accounts had never been disabled nor were they made compliant with then-existing security policies on IT systems. Just one of those gaps because no one did a full audit of those systems.
PileOfWalthers
Why I’m still on the good ole Linksys WRT54G.
WhichIsIt
lol I think I had that one. I must’ve bought it…20 years ago? All I really remember is endlessly putting them on the shelf when I worked at Best Buy.
GiantFlyingLabia
Which probably has even worse overall security than the Velop
[deleted]
[deleted]
GiantFlyingLabia
OK well if you were using the stock firmware I’d be correct
LeifTheUnlucky
That's what DD-WRT is for.
HeadJamistan
Please tell me you've got 3rd party firmware like ddwrt or tomato.
PileOfWalthers
Man if you believe I really run a 20 year old router and didn’t just say that for teh lulz I don’t know what to tell you.
HeadJamistan
Awww I was hoping.....
FishieStardust
As a non IT person... It feels like they shouldn't be doing that
Freak0zoid
As a sysadmin I can't tell you everything about for example networks. But I know they SHOULD NOT DO THIS!! Plaintext passwords are bad m'kay?
vegivamp
Um. Sending my fucking password to an external server is bad, mkay? I don't care what they think is a good excuse; the router is in range of my damn phone, send it directly. Hell, if their excuse is that the router downloads its configuration from their server, that just means that they could change my network settings without my consent as well.
This is enough to make me not buy anything Linksys for the next decade or so.
jimicus
It's pretty much the fashion for a lot of high-end home network equipment these days.
They bill it as "cloud managed" (read: you can buy two of our devices and they'll automagically get the same SSID/pw); in reality it's a transparent attempt to lock people into an ecosystem.
vegivamp
Oh, it is, and it can be done in a way that those credentials never even leave my home, which would still help herd people into the ecosystem.
This is incompetence bordering on malice. And no, that's not hyperbole, you can be damn sure that the execs love that this particular flow means that your device will stop working soon after they turn off the cloud service.
Rockafella83
https://youtu.be/1u5jO57eD-U
PocketCleric
as an IT person... They should NOT be doing that
DSREX
As an IT person who has done some infosec work: there are hackers worldwide who are now intercepting this data. Likely there were many before, but now everyone is doing it.
And given the rate that routers are patched by their owners, this will be a long-term issue.
AK90
As a non IT person but very tech savvy, they should NOT be doing that.
cavymeister
As a person that does that, I should not be an IT.
Nykau
And as a non-IT person, you would know enough to be right about it. Some security auditor for companies handling payment information in the UK could learn a thing or two from you https://serverfault.com/questions/293217/our-security-auditor-is-an-idiot-how-do-i-give-him-the-information-he-wants
PicassoCT
Swiss cheese, man, wrapped with duct tape. Good thing you can't see shoddy work when it's just bits and bytes...
FishieStardust
I like Swiss cheese... With rye and pastrami...
FlyingButtPliers
It's the equivalent of writing your username and password on a post card and mailing it back home
Beezlebubble
Reminds me of the guy that robbed a bank and used his gasbill as the note. Different but the example you gave reminded me of it
ProfFurryPaws
Worse, it's mailing it to a third party to then sell to anyone they want
SirJimmothy
"Signed, hunter2"
NappaTheFriendlyGhost
A bit more: Doing what this guy said while putting a sign on your mail box saying you do so.
ZackWester
Worse, you're not sending the postcard to your home, you send it to a business location. And it was not you that wrote/sent that password.
pianostacatto
Even that method is more secure. It's a coin toss should a later section sorter decide to review the note on the card. Because by that point it has already been regionally and timeframe sorted. So as to arrive by the level of investment it can afford.
DiedAndHauntingImgur
Oh I’m sorry, we shouldn’t be doing that?
definitelyanormalhuman
Do you also leave copies of your house key physical address and a list of hours you aren't at home laying around in bad neighborhoods?
JeremyDaniels
Only on Thursdays.