Linksys Routers Found Transmitting Passwords in Cleartext

TechSpot writes: Users of the Linksys Velop Pro 6E and 7 mesh routers should change their passwords and Wi-Fi network names through an external web browser. The two models transmit critical information to outside servers in an insecure manner upon initial installation. New patches have emerged since the issue was discovered, but Linksys hasn't publicly responded to the matter, and it is unclear if the latest firmware leaves sensitive data exposed to interception.
The issue was discovered by Testaankoop, the Belgian equivalent of the Consumers' Association. And they warned Linksys back in November, according to the tech news site Stack Diary. (The practice could leave passwords and other information vulnerable to Man-in-the-Middle attacks.) Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware. However, they emphasize that this does not excuse the vulnerability.
Thanks to long-time Slashdot reader schwit1 for sharing the news.

Vulnerable?

[Ol Olsoc]

This isn't vulnerability, it is pointing how hopeless most computer security is.

I'm beginning to wonder if some folks have been financially enriched by putting this free for all feature in for personal profit.

Re:

[Z00L00K]

It's because the next stage is that they want to change all devices to being cloud managed and not locally managed so in a future upgrade the local web UI will cease to exist as soon as there's an internet connection and you will be redirected to the cloud service.

Security suicide.

Re:

[jhoegl]

The entire industry is going towards pay for service, the only way the industry can "justify" it is to have it online... as inherently insecure as that is.

Also, since LInksys is owned by Cisco... yes, like Meraki.

some ISP's force you use there one and they have h

[Joe_Dragon]

some ISP's force you use there one and they have hard coded remote access to it as well.

Re:

[shanen]

I'm having trouble understanding what you mean by "This isn't [a] vulnerability". Sending passwords in the clear seems to be rather bad.

But I don't that computer security is hopeless. It does need to be defined carefully. And most of the implementations do stink to high heaven.

I was going to note that a ZTE device does the same thing. Using a nameless admin account, to boot. So some of my computers refuse to talk to it because it isn't secure, while others refuse to save the password because there is no use

Re:Vulnerable? [To Preview failure]

[shanen]

s/I don't that/I don't think that/

State of routers

[sinij]

Routers such a universal dumpster fire across entire industry that running open source firmware, like OpenWRT, is mandatory.

Re:

[OrangeTide]

Yea. there is just no viable business model where a router manufacturer keeps on top of security updates for such an attractive attack target. Open source with a community taking ownership or professional grade equipment where there is a support contract in place are the only things we should be doing when it comes to routers.
The current standard practice of buying some home WiFi router on Amazon that has "good" reviews and is under $100 has to end.

Re:

[ctilsie242]

The days of having a trustworthy all in one unit are also numbered. You really want to have your CSU/DSU, firewall, router, and wireless AP all separate units, just so that a bug in one won't bring down everything, and the units can do just their tasks with no added features and expanded attack surface. For example, the firewall will run PFSense, and just have two NICs. The router would be something with one NIC going to the firewall and multiple NICs if one wants to VLAN, or the device can be configured

Re:

[organgtool]

You really want to have your CSU/DSU, firewall, router, and wireless AP all separate units, just so that a bug in one won't bring down everything, and the units can do just their tasks with no added features and expanded attack surface

I agree and it's a shame since this setup uses significantly more electricity and it makes troubleshooting network issues much more difficult since there are so many separate devices which could be causing the problem.

Re:

[tlhIngan]

I agree and it's a shame since this setup uses significantly more electricity and it makes troubleshooting network issues much more difficult since there are so many separate devices which could be causing the problem.

Well, for home users, it's not a lot more power. I mean, in the end it's really the cable/fiber/satellite modem, the router/firewall (most firewalls are just NAT) and a wireless AP.

None of these devices take a lot of power (even the latest WiFi APs are using maybe 30W). And network problems ar

Re:

[drinkypoo]

Having all that stuff in one thing is a miss, but having wireless in the same router with other stuff is not a big loss for an average home user.

What IS a big miss is buying a router that won't run openwrt. You need to have another option if the OEM doesn't update their software, or if it's all bad updated or not.

Re:

[TheNameOfNick]

You better hope that these features keep coming in one device, because people will only ever upgrade their wifi and leave the rest to rot. If upgrading the wifi means they also have to upgrade router and firewall, there's at least a chance these things will get updates before their decades old PSUs give up the magic smoke.

Re:

[Rujiel]

Too bad setting up openwrt is prohibitively complicated unless you're a network admin..

More specifically, don't use their app.

[fahrbot-bot]

Use a browser, not the Linksys app. From TFA:

Owners should change their SSID and password without using the Linksys app

Two Linksys mesh routers send sensitive information to an Amazon server without any encryption, according to Belgian consumer organization Testaankoop. The practice could leave passwords, wireless network IDs, and other information open to Man-in-the-Middle attacks.

Also, unless you're in a professional situation and need to manage many things from a central point, (a) use a browser on a local hard-wire connection to configure your devices and (b) don't use/enable any external configuration/management for your router and pass on the device if the latter is required.

Re:

[Canberra1]

So, Why exactly is this being transmitted to a 3rd party? Your router, your problem - no offloading. And they should have some contract with the negligent party to meet defined specifications. OTOH I know one huge company that lost its source code and could not update its IOT locks because they were too cheap to pay experts, so doubled down on dumb clients saying is meets all relevant standards. I am going to predict 'Smart TVs' will transmit insecurely - with no fixes available.

The router industry

[jd]

I really don't trust the commercial routers. They are poorly designed, poorly secured, and use obsolete technology.

Outside the routers designed for industry, there's no network intrusion detection, firewalling is primitive to non-existent, IPv6 support is spotty, wireless is two or three generations behind the curve - as is wired, boot times are absurdly long, admin logins are via passwords not certs, diagnostics (if any) are feeble, and they're built as self-contained sealed units so can't be upgraded or e

Re:

[NoWayNoShapeNoForm]

And sometimes commerical routers do not even get updates over their lifecycle. Or if they do get updates they are few & far between and generally not timely.

Nobody contacted Linksys. They're just a brand.

[gavron]

Linksys the company hasn't existed in 21 years. They sold to Cisco Systems.

Cisco then sold the Linksys brand to Belkin.

So, nobody "contacted Linksys" who "didn't respond". There is no Linksys.

Now go call your Aunt Jemimah and see how that goes.

Re:Nobody contacted Linksys. They're just a brand

[Teckla]

According to Wikipedia, Belkin sold Linksys to Foxconn in 2018.

Re:

[Required Snark]

The graphic symbol for storage is still a 3.25 floppy drive. Everyone knows what it means. When you say Linksys router everyone knows what you mean.

When you try and establish your geek cred by listing a bunch of acquisitions that no one cares about you just look pathetic. Try and up your game.

Re:

[sabt-pestnu]

When you say Linksys router everyone knows what you mean. When you try and establish your geek cred by listing a bunch of acquisitions that no one cares about you just look pathetic.

Perhaps you missed... FTFA:

but Linksys hasn't publicly responded to the matter

The comment you are responding to described why "Linksys hasn't publicly responded" is nonsensical.

I still don't get it

[Anonymous Coward]

All these years and there are still never ending streams of painfully stupid vulns in these consumer router devices. Personally I use a small Linux box with two NICs and a handful of iptables commands as my "router".

While I'm a fan of Hanlon ... sometimes can't help but half jokingly think these companies must be getting paid off by spooks or something to do this level of stupid shit.

Re:

[ZorinLynx]

Fellow linux router user here... It just blows my mind the level of incompetence here. Local network configuration data should never leave the local network.

Folks Still Buying Cisco Products?

[zenlessyank]

Or anything owned by them? Doesn't anyone know how to roll your own? Just gotta buy that pre-built back-doored shit because of laziness?

Real nerds know better.

Why are passwords transmitted AT ALL?!

[ZorinLynx]

The ONLY reason a consumer router should be talking to the Internet at all is for firmware updates. Period.

Stuff like WiFi passwords and configuration data should NEVER leave the local network. Why is it being sent at all? What kind of shenanigans are afoot?

As if I needed more of a reason to distrust consumer networking equipment. My continued usage of a hand-configured Linux-based router is once again vindicated. Friends have called me needlessly paranoid about this stuff in the past; I should send them th