A troubling report from the Belgian consumer protection group Testaankoop: several models of Velop Pro routers from Linksys were found to be sending WiFi configuration data out to a remote server during the setup process. That would be bad enough, but not only are these routers reporting private information to the mothership, they are doing it in clear text for anyone to listen in on.
Testaankoop says that while testing the Pro WiFi 6E and Pro 7 versions of the Velop routers, they discovered unencrypted packets being sent to a server hosted by Amazon Web Services (AWS). In these packets they found not only the SSID of the user’s wireless network, but the encryption key (the WPA passphrase) needed to join it. Various tokens that could be used to identify the network and the user were included as well.
While the report doesn’t go into much detail, it seems this information is sent as part of the configuration process when using the official Linksys mobile application. If you want to avoid having your WiFi credentials bounced around the Internet, you can still use the router’s built-in web configuration menus from a browser on the local network — just like in the good old days. Since the report only describes what the app does, it is worth confirming with a packet capture during setup that nothing leaves the LAN when you configure it that way.
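The finding above boils down to a check anyone can run against their own setup traffic: capture the packets while the router is being configured and look for the SSID and passphrase in readable HTTP. The following is an added example, not code from the article or from Linksys, that performs that check over TCP stream payloads (the kind you would export from tcpdump or Wireshark’s “Follow TCP Stream”). The sample streams, hostnames and field names are constructed for illustration and are not real Linksys traffic.

```python
"""Scan captured router-setup traffic for Wi-Fi credentials sent in the clear.

Added example (not from the article or Linksys). Each entry in a stream list
is one TCP stream with its destination, port and reassembled client payload;
the scanner reports every field that carries the SSID, the WPA passphrase or
a sensitive-looking name over plaintext HTTP. TLS records are opaque and are
simply skipped, because nothing in them is readable on the wire.
"""
import json
import re
from urllib.parse import parse_qs

# Constructed sample streams standing in for a capture taken while a vendor
# app onboards a router. Addresses are documentation ranges, hosts are fake.
SAMPLE_STREAMS = [
    {   # plaintext HTTP POST carrying a JSON body
        "dst": "203.0.113.10", "dport": 80,
        "payload": (
            b"POST /api/v1/device/config HTTP/1.1\r\n"
            b"Host: setup.example.invalid\r\n"
            b"Content-Type: application/json\r\n\r\n"
            b'{"ssid":"HomeNet","wifi_password":"correct horse battery staple",'
            b'"device_token":"abc123"}'
        ),
    },
    {   # same data, form-encoded, on a non-standard port
        "dst": "203.0.113.11", "dport": 8080,
        "payload": (
            b"POST /register HTTP/1.1\r\nHost: x\r\n"
            b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
            b"ssid=HomeNet&psk=correct+horse+battery+staple"
        ),
    },
    {   # start of a TLS ClientHello: nothing readable, nothing to report
        "dst": "203.0.113.12", "dport": 443,
        "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + bytes(32),
    },
]

REQUEST_LINE = re.compile(r"^(GET|POST|PUT|PATCH) \S+ HTTP/1\.[01]$")
SENSITIVE_KEYS = re.compile(r"(ssid|psk|passphrase|pass(word)?|wpa|token|key)", re.I)


def split_http(payload: bytes):
    """Return (request line, headers, body) if the payload is an HTTP request, else None."""
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    if not REQUEST_LINE.match(lines[0]):
        return None
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_body(content_type: str, body: bytes) -> dict:
    """Flatten a JSON or form-encoded body into str->str; fall back to the raw text."""
    text = body.decode("utf-8", "replace")
    if "json" in content_type:
        try:
            data = json.loads(text)
            if isinstance(data, dict):
                return {k: str(v) for k, v in data.items()}
        except ValueError:
            pass
    elif "x-www-form-urlencoded" in content_type:
        return {k: v[0] for k, v in parse_qs(text).items()}
    return {"_raw": text}


def find_leaks(stream: dict, ssid: str, passphrase: str) -> list:
    """List (field, reason) pairs for sensitive values readable in one stream."""
    parsed = split_http(stream["payload"])
    if parsed is None:
        return []  # TLS or non-HTTP: not readable on the wire
    _, headers, body = parsed
    findings = []
    for key, value in decode_body(headers.get("content-type", ""), body).items():
        if passphrase and passphrase in value:
            findings.append((key, "wifi passphrase"))
        elif ssid and value == ssid:
            findings.append((key, "ssid"))
        elif SENSITIVE_KEYS.search(key):
            findings.append((key, "sensitive-looking field"))
    return findings


def scan(streams: list, ssid: str, passphrase: str) -> dict:
    """Map 'dst:port' to its leaked fields, for every stream that leaks something."""
    report = {}
    for stream in streams:
        leaks = find_leaks(stream, ssid, passphrase)
        if leaks:
            report[f"{stream['dst']}:{stream['dport']}"] = leaks
    return report


if __name__ == "__main__":
    for endpoint, leaks in scan(SAMPLE_STREAMS, "HomeNet", "correct horse battery staple").items():
        print(endpoint)
        for field, reason in leaks:
            print(f"  {field}: {reason}")
```

Run it against real captures by exporting each client-side TCP payload (for example with tshark’s `-z follow,tcp,raw` or a short scapy script) into the same stream structure. A clean result only shows that nothing is readable in the clear; it says nothing about whether the encrypted streams verify the server’s certificate, which is a separate check.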
The real kicker here is the response from Linksys, or more accurately, the lack thereof. Testaankoop says they notified the company of their discovery back in November of 2023 and got no response. There have even been firmware updates for the affected routers since then, but the issue is still unresolved.
Testaankoop ends the review by strongly recommending users avoid these particular models of Linksys Velop routers, which given the facts, sounds like solid advice to us. They also express their disappointment in how the brand, a fixture in the consumer router space for decades, has handled the situation. If you ask us, things started going downhill once they stopped running Linux on their hardware.
Correction, first it’s sent to NSA, then AWS.
Amazon is the CIA
Some Linksys routers no longer have a web interface! In my opinion, today’s Linksys routers are absolute garbage. How far they have fallen.
At this point you really, really, have to not care to avoid using TLS for something like that.
It’s one thing for establishing encrypted communication with the new device to be a bit of a question: out-of-box hardware typically has either a non-unique cert that it got with its firmware or a unique-but-self-signed one it generated itself on first boot; but The Mothership is presumably just a fairly ordinary HTTP server of the sort that is relatively trivial to set up with a certificate derived from one of the commonly trusted public CAs.
All that, of course, is leaving aside the distinct question of why config data has to be fed up rather than down in this scenario; but it’s not a great look when you aren’t even keeping potential 3rd party malice out of your first party intrusiveness.
Here is an English-language version of the story:
https://www.techspot.com/news/103783-linksys-routers-likely-transmitting-cleartext-passwords.html
Apparently using a browser instead of the (cr)app provided by Linksys sidesteps the phoning-home behaviour. If I had one of these routers though, I would carefully confirm that claim before deploying.
Increasingly, (cr)apps are the only way to configure such equipment. My cable ISP ‘updated’ their modem/router so I can no longer use a browser to configure it in any meaningful way. The browser can see configuration items which I changed when we got the equipment, but now it can’t alter them.
At least with a (not-so)smart TV we usually have the option to simply not connect the thing to a network, but I suspect that will start to change soon, if it hasn’t already. Corporations are doing their damnedest to convert everything they can from something we own to something we either rent, or still pay for but don’t really own.
I wonder how many people here see themselves as resistance members – freedom-fighters in a kind of Cold War which could go ‘hot’ at some point. I think that’s what many of us are, in various degrees and capacities…
Most routers sold these days are low-end, over-priced consumer-grade garbage. No support after 1 yr, crappy outdated kernels, software, under-spec’d hardware, poor testing, etc. They have too much “bundled software” running on a router. A router should route, not be a DLNA server, etc.
Get a Mikrotik. They just route. RouterOS has a lot of updates, it’s small, compact, and it boots in under 1 min. A router should not take 5 mins to boot, like the over-burdened ASUS does.
I jumped on the Ubiquiti bandwagon and am rather happy with months of stability compared to big box stuff. Torrents and streaming don’t hurt gaming latency either.
Alternatively, just flash OpenWRT. Also a fast boot, and all the functionality you could want.
For most consumers this crappy hardware is OK. But sending plaintext passwords to a remote server is unforgivable, even for crappy hardware that has only 1 yr of support.
The first question to ask before buying a device like that is “Can I reflash it with firmware I totally control?”. And reflashing is the first thing to do when you actually get it.
If your ISP or whoever forces you to take a device, treat it as untrusted and put your own device in front of it.
*No* vendor of home networking equipment can or should be trusted.
This.
I run hardware that’s a couple years old. The loss of not running leading-edge gear is offset by the stability and security of running OpenWRT.
Unless a router/AP or whatever networking device supports OpenWRT or some other open-source alternative, I ain’t touchin’ it with a 20 ft pole.
Even the old 1043ndV1 had updates to openwrt until a couple of years ago, and that’s a device from 2009.
Security through obscurity, or idiocy. Bunch of morons @Linksys. Second Ubiquiti, or ANY other company that is serious about security.
I’m glad that the first thing I did was install OpenWRT.