Linksys Routers Found Transmitting Passwords in Cleartext (stackdiary.com)
TechSpot writes:
Users of the Linksys Velop Pro 6E and 7 mesh routers should change their passwords and Wi-Fi network names through an external web browser. The two models transmit critical information to outside servers in an insecure manner upon initial installation. New patches have emerged since the issue was discovered, but Linksys hasn't publicly responded to the matter, and it is unclear if the latest firmware leaves sensitive data exposed to interception.
The issue was discovered by Testaankoop, the Belgian equivalent of the Consumers' Association. And they warned Linksys back in November, according to the tech news site Stack Diary. (The practice could leave passwords and other information vulnerable to Man-in-the-Middle attacks.) Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware. However, they emphasize that this does not excuse the vulnerability.
Thanks to long-time Slashdot reader schwit1 for sharing the news.
Vulnerable? (Score:5, Interesting)
I'm beginning to wonder if some folks have been financially enriched by putting this free for all feature in for personal profit.
Re: (Score:3)
It's because the next stage is that they want to change all devices to being cloud managed and not locally managed so in a future upgrade the local web UI will cease to exist as soon as there's an internet connection and you will be redirected to the cloud service.
Security suicide.
Re: (Score:3)
Also, since Linksys is owned by Cisco... yes, like Meraki.
Some ISPs force you to use their one and they have h (Score:2)
Some ISPs force you to use their one, and they have hard-coded remote access to it as well.
Re: (Score:1)
I'm having trouble understanding what you mean by "This isn't [a] vulnerability". Sending passwords in the clear seems to be rather bad.
But I don't that computer security is hopeless. It does need to be defined carefully. And most of the implementations do stink to high heaven.
I was going to note that a ZTE device does the same thing. Using a nameless admin account, to boot. So some of my computers refuse to talk to it because it isn't secure, while others refuse to save the password because there is no use
Re:Vulnerable? [To Preview failure] (Score:2)
s/I don't that/I don't think that/
State of routers (Score:5, Informative)
Re: (Score:2)
Yea. There is just no viable business model where a router manufacturer keeps on top of security updates for such an attractive attack target. Open source with a community taking ownership or professional grade equipment where there is a support contract in place are the only things we should be doing when it comes to routers.
The current standard practice of buying some home WiFi router on Amazon that has "good" reviews and is under $100 has to end.
Re: (Score:2)
The days of having a trustworthy all in one unit are also numbered. You really want to have your CSU/DSU, firewall, router, and wireless AP all separate units, just so that a bug in one won't bring down everything, and the units can do just their tasks with no added features and expanded attack surface. For example, the firewall will run pfSense, and just have two NICs. The router would be something with one NIC going to the firewall and multiple NICs if one wants to VLAN, or the device can be configured
Re: (Score:2)
I agree and it's a shame since this setup uses significantly more electricity and it makes troubleshooting network issues much more difficult since there are so many separate devices which could be causing the problem.
Re: (Score:2)
Well, for home users, it's not a lot more power. I mean, in the end it's really the cable/fiber/satellite modem, the router/firewall (most firewalls are just NAT) and a wireless AP.
None of these devices take a lot of power (even the latest WiFi APs are using maybe 30W). And network problems ar
Re: (Score:3)
Having all that stuff in one thing is a miss, but having wireless in the same router with other stuff is not a big loss for an average home user.
What IS a big miss is buying a router that won't run OpenWrt. You need to have another option if the OEM doesn't update their software, or if it's all bad updated or not.
Re: (Score:2)
You better hope that these features keep coming in one device, because people will only ever upgrade their wifi and leave the rest to rot. If upgrading the wifi means they also have to upgrade router and firewall, there's at least a chance these things will get updates before their decades old PSUs give up the magic smoke.
More specifically, don't use their app. (Score:5, Informative)
Use a browser, not the Linksys app. From TFA:
Owners should change their SSID and password without using the Linksys app
Two Linksys mesh routers send sensitive information to an Amazon server without any encryption, according to Belgian consumer organization Testaankoop. The practice could leave passwords, wireless network IDs, and other information open to Man-in-the-Middle attacks.
Also, unless you're in a professional situation and need to manage many things from a central point, (a) use a browser on a local hard-wire connection to configure your devices and (b) don't use/enable any external configuration/management for your router and pass on the device if the latter is required.
The router industry (Score:2)
I really don't trust the commercial routers. They are poorly designed, poorly secured, and use obsolete technology.
Outside the routers designed for industry, there's no network intrusion detection, firewalling is primitive to non-existent, IPv6 support is spotty, wireless is two or three generations behind the curve - as is wired, boot times are absurdly long, admin logins are via passwords not certs, diagnostics (if any) are feeble, and they're built as self-contained sealed units so can't be upgraded or e
Nobody contacted Linksys. They're just a brand. (Score:5, Insightful)
Linksys the company hasn't existed in 21 years. They sold to Cisco Systems.
Cisco then sold the Linksys brand to Belkin.
So, nobody "contacted Linksys" who "didn't respond". There is no Linksys.
Now go call your Aunt Jemima and see how that goes.
Re:Nobody contacted Linksys. They're just a brand (Score:5, Informative)
Re: (Score:2)
When you try and establish your geek cred by listing a bunch of acquisitions that no one cares about you just look pathetic. Try and up your game.
Re: (Score:2)
Perhaps you missed... FTFA:
The comment you are responding to described why "Linksys hasn't publicly responded" is nonsensical.
I still don't get it (Score:1)
All these years and there are still never ending streams of painfully stupid vulns in these consumer router devices. Personally I use a small Linux box with two NICs and a handful of iptables commands as my "router".
While I'm a fan of Hanlon ... sometimes can't help but half jokingly think these companies must be getting paid off by spooks or something to do this level of stupid shit.
Re: (Score:2)
Fellow Linux router user here... It just blows my mind the level of incompetence here. Local network configuration data should never leave the local network.
Folks Still Buying Cisco Products? (Score:1)
Or anything owned by them? Doesn't anyone know how to roll your own? Just gotta buy that pre-built back-doored shit because of laziness?
Real nerds know better.
Why are passwords transmitted AT ALL?! (Score:2)
The ONLY reason a consumer router should be talking to the Internet at all is for firmware updates. Period.
Stuff like WiFi passwords and configuration data should NEVER leave the local network. Why is it being sent at all? What kind of shenanigans are afoot?
As if I needed more of a reason to distrust consumer networking equipment. My continued usage of a hand-configured Linux-based router is once again vindicated. Friends have called me needlessly paranoid about this stuff in the past; I should send them th