July 9th, 2024

Linksys Velop routers send Wi-Fi passwords in plaintext to US servers

Linksys Velop routers, including Velop Pro 6E and 7 models, transmit Wi-Fi login details to Amazon servers in plaintext, risking man-in-the-middle attacks. Linksys has not effectively addressed the issue despite alerts. Testaankoop advises against purchasing affected routers.


Linksys Velop routers, specifically the Velop Pro 6E and Velop Pro 7 models, have been found by Testaankoop, the Belgian consumers' association, to send Wi-Fi login details in plaintext to Amazon servers in the United States. The transmitted data includes the SSID, the Wi-Fi password, identification tokens and access tokens, potentially exposing users to man-in-the-middle attacks. Despite being alerted in November, Linksys has not effectively addressed the issue, and a firmware update failed to resolve it. Testaankoop suspects third-party software in the firmware may be the root cause but stresses that this does not excuse the vulnerability. Users are advised to change their Wi-Fi network name and password through the router's web interface, which avoids the plaintext transmission. Because the lapse persists in the latest Velop Pro 7 models, Testaankoop strongly advises against purchasing these routers, citing the risk of network intrusion and data loss. Despite repeated attempts to contact Linksys, no acknowledgment or solution has been received, which makes this a critical, unresolved security concern.

34 comments
By @jonplackett - 3 months
Just reading these comments - is everyone OK with them sending your password to a server, but not with the lack of encryption?

I would not expect my password to be sent to the server in the first place.

By @jasonjayr - 3 months
Via the TR-69 mechanism, Verizon FiOS routers send your local wifi password to their central management system. The excuse I've heard for this is to "allow support agents to assist users who forgot their passwords"

:-/

By @blackeyeblitzar - 3 months
I’ve really disliked the change in the router industry where the routers have become ‘smart devices’ instead of reliable local networking hardware. This has turned into the same abuse of customers we see from others. For example TP Link uses the same dark patterns in their routers as companies like Roku, where they make updates to the terms of service and force you to accept it in a pop up if you want to use the app. And the app is the ONLY way to access most of the router configuration features, as compared to the old method where routers would let you navigate to a password protected website to configure them. So if you don’t accept the new terms, you can’t control your router that you were able to control all this time. Additionally their app constantly pushes trials of their useless and unwanted services through nudges within the app like red circular badges next to menu items and user interface elements. It wouldn’t surprise me if their terms also let them abuse my privacy and security in the same way as Linksys.

But who else do we go to? Every company is doing this. Maybe they just cannot survive without it. It’s probably why we need regulation here (consequences for security breaches, limitations on terms of service abuse, etc).

By @abadpoli - 3 months
Is this actually plaintext, or is this plaintext-inside-HTTPS? The article and source material don’t say.

It’s pretty normal for passwords to be “plaintext” inside an HTTPS request. That’s how practically every login to a web app works. If it’s not HTTPS, there’s a whole slew of other issues along with putting a plaintext password in the request.

If it is HTTPS, then the issue really is just that the password gets sent anywhere rather than staying local. This is a lot more debatable as a practice, but unfortunately is also common for a lot of routers to support their cloud/app management functionalities.
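The distinction raised in this comment can be checked on a capture of the router's WAN traffic: a TLS flow is opaque, while a cleartext flow can be searched for your own SSID and passphrase. The following audit script is an added example, not code from the article or from any commenter; the hosts, payloads and credentials are constructed for the demo.

```python
# Added example (not from the article or any commenter): audit a router's captured
# outbound TCP payloads for Wi-Fi credentials visible in cleartext, so "plaintext"
# and "plaintext inside TLS" can be told apart. Hosts and payloads are constructed.
from dataclasses import dataclass
from urllib.parse import quote

@dataclass
class Flow:
    dst_host: str   # destination name as recorded by the capture tool
    dst_port: int
    payload: bytes  # first application-layer bytes the router sent

def is_tls(payload: bytes) -> bool:
    # A TLS record starts with content type 0x16 (handshake) and major version 0x03.
    return len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03

def visible_secrets(payload: bytes, secrets: dict) -> list:
    """Names of secrets that appear verbatim or percent-encoded in a cleartext payload."""
    text = payload.decode("utf-8", errors="replace")
    return [name for name, value in secrets.items()
            if value and (value in text or quote(value, safe="") in text)]

def audit(flows: list, secrets: dict) -> list:
    """Label each flow: encrypted, cleartext-clean, or leak (with the secrets seen)."""
    report = []
    for f in flows:
        dst = f"{f.dst_host}:{f.dst_port}"
        if is_tls(f.payload):
            report.append((dst, "encrypted", []))   # contents not inspectable here
            continue
        hits = visible_secrets(f.payload, secrets)
        report.append((dst, "leak" if hits else "cleartext-clean", hits))
    return report

# Constructed sample: the router's own SSID/PSK and three outbound flows.
SECRETS = {"ssid": "HomeNet", "psk": "correct horse battery"}
FLOWS = [
    Flow("cloud.vendor.example", 80,
         b"POST /register HTTP/1.1\r\nHost: cloud.vendor.example\r\n"
         b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"
         b"ssid=HomeNet&psk=correct%20horse%20battery"),
    Flow("api.vendor.example", 443, bytes([0x16, 0x03, 0x01, 0x00, 0xC8]) + b"\x01" * 10),
    Flow("pool.ntp.example", 80, b"GET /time HTTP/1.1\r\nHost: pool.ntp.example\r\n\r\n"),
]

if __name__ == "__main__":
    for dst, verdict, hits in audit(FLOWS, SECRETS):
        print(f"{dst:26} {verdict:16} {','.join(hits)}")
```

A "leak" verdict means the credentials were readable on the wire; an "encrypted" verdict only says the capture cannot tell, which is the second, separate question of whether the password should leave the router at all.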

By @hyperman1 - 3 months
I'm impressed a consumer test organisation has the technical expertise to detect this. You don't find this by using it as a consumer would. They had to make the effort to hunt for security bugs to notice this.
By @HumblyTossed - 3 months
I really wish wifi router OEMs would use OpenWRT. They could skin it (à la GL.iNet) if they wish, but at least use it. It's open. It works. You can still differentiate your product by making it have MOAR ANTENNAS! and continue to add up all the speed numbers to make it look REALLY FAST!!!!
By @c420 - 3 months
This isn't limited to their Velop line. While converting my EA7500 to openWRT, I noticed this exact same information being sent as it tried to force me to log in via the mylinksys web portal and tried to establish a link with the home server.
By @TheCraiggers - 3 months
> Despite warning Linksys in November, no effective measures have been taken.

November? November?! OK, sure, there are a lot of holidays around then. But I would have expected public disclosure on something like this by end of January at the latest, unless the vendor is actively working / communicating about it.

By @lovethevoid - 3 months
Embarrassing. Not responding for months is actively malicious and should be punished as such, towards the entire company too, not just one throwaway developer to shift blame on to.
By @meling - 3 months
I wish Apple would get back into the WiFi router business again. I trust their privacy/security posture more than most other brands. Sadly they sell Linksys routers as the go-to replacement for their previous products.
By @caconym_ - 3 months
Consumers deserve far better than what they're getting from network gear manufacturers—crap, and grossly overpriced crap. I wish Apple would get back into the game and at least offer some grossly overpriced non-crap.
By @bastien2 - 3 months
We've been here before. OE firmware needs to be assumed hostile and either replaced with open source aftermarket firmware, or the device sequestered in a subnet with no internet access.
By @rasengan - 3 months
Taking a step back and thinking about this, this vulnerability/bad decision was a result of systemic disorganization.

It's not just the developer who wrote said code, as well as the backend developers who receive these outputs, but further, the organization did not have any kind of test/check and balance/security mechanism in place.

It's terrible given the router, especially in a world of IoT, may be the device on your network that should be the most secure.

Finally, now that it's public how bad the organization at Linksys is, it is trivial for a criminal to pay an employee to purposefully include backdoors.

The consumer router scene needs a security focused disruption.

By @megous - 3 months
Very happy with my own router with my own software (just regular Arch Linux ARM). :) The thing that guards access to and from my internal networks really deserves to not be so turdish. I'd hate to pay $350 for such a betrayal.

Some things can apparently only be bought with your own time, when it comes to "but you had to spend cumulative 3 days setting up your custom thing, so it didn't really cost $100" equation that people will throw at you if you tell them that you have built something yourself from relatively cheap components.

By @TheRealDunkirk - 3 months
Does anyone think that Netgear isn't doing the exact same thing with Orbi? (It's a given that Google is doing it with Eero.) Anyone taking odds on Ubiquiti?
By @jedisct1 - 3 months
First thing to check before buying a router: if the firmware can be replaced with OpenWRT.
By @gwbas1c - 3 months
Years ago, I caught some overseas contractors writing passwords to a log file. It wasn't malicious on their part, it was ignorance. (But, that kind of mistake is highly unprofessional and shows a lack of insight from someone who should know better.)

I suspect that someone has some debugging flags that do this, and accidentally shipped with the flags set the wrong way.

By @pkaye - 3 months
> Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware.

What third-party software does Linksys use on that router?

By @ftrobro - 3 months
Don't most websites send passwords in plaintext for login and rely on the connection being HTTPS for having any security at all? I don't like that, but seems to be very common, so I'm not surprised about the plaintext part of this article. But that the passwords are at all sent to a server, that did surprise me, good to know.
By @bootbloopers - 3 months
This seems like something that would be fairly easy to show proof for using ghidra/binary ninja/ida pro.

I wonder why they didn’t provide any disassembly/decompiler output, or other information on the offending binary.

By @idunnoman1222 - 3 months
This is pretty light on details, but my guess would be there’s some app that you can use to reconfigure all your Wi-Fi repeaters at once and if you use the app, it erroneously transmits the password, which it needs, in plain text.

It’s not clear to me that the router sends the password rather than the app on your phone.

By @micahdeath - 3 months
So, we should use common (hacked) passwords for our wifi routers. So, my password of 'mickeymouse' is probably compromised. (Password chosen because my young children can spell it from the disney show.)
By @staplers - 3 months
When you start digging into outbound dns traffic from consumer routers you can find a baffling amount of data sent. On the order of 50,000-100,000 dns requests a month to their company servers (sometimes hosted in china).
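One way to put a number on the call-home volume this comment describes is to count the router's queries in the resolver's own log and scale the observed window up to a month. This script is an added example, not code from any commenter; it assumes dnsmasq-style "query[A] name from client" log lines, and every hostname and address in the sample is constructed.

```python
# Added example (not from any commenter): measure how often a consumer router
# "calls home" by grouping a resolver's query log by client and domain and
# projecting the observed count onto a 30-day month. Lines follow dnsmasq's
# "query[A] name from client" log format; all names and addresses are constructed.
import re
from collections import Counter

LINE = re.compile(r"^\w{3}\s+\d+ \d\d:\d\d:\d\d \S+ dnsmasq\[\d+\]: "
                  r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)$")
MONTH_SECONDS = 30 * 24 * 3600

def parent_domain(name: str, labels: int = 2) -> str:
    """Coarse grouping key: the last `labels` DNS labels (a public-suffix list does better)."""
    return ".".join(name.rstrip(".").split(".")[-labels:])

def queries_by_client(lines) -> dict:
    """{client_ip: Counter({parent_domain: query_count})} from dnsmasq query lines."""
    result = {}
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue   # replies, cached answers and other dnsmasq lines are skipped
        result.setdefault(m["client"], Counter())[parent_domain(m["name"])] += 1
    return result

def monthly_projection(lines, client: str, window_seconds: int) -> dict:
    """Project each domain's count for `client` from an observation window to 30 days."""
    counts = queries_by_client(lines).get(client, Counter())
    scale = MONTH_SECONDS / window_seconds
    return {domain: round(n * scale) for domain, n in counts.most_common()}

# Constructed 6-minute sample: the router (192.168.1.1) resolves a vendor cloud
# host once a minute, plus one NTP lookup; a phone on the LAN resolves a news site.
SAMPLE_LOG = [
    f"Jul  9 10:0{i}:00 gw dnsmasq[812]: query[A] cloud.vendor.example from 192.168.1.1"
    for i in range(6)
] + [
    "Jul  9 10:02:30 gw dnsmasq[812]: query[A] pool.ntp.example from 192.168.1.1",
    "Jul  9 10:03:10 gw dnsmasq[812]: query[AAAA] news.media.example from 192.168.1.42",
    "Jul  9 10:03:10 gw dnsmasq[812]: reply news.media.example is 2001:db8::1",
]

if __name__ == "__main__":
    for domain, per_month in monthly_projection(SAMPLE_LOG, "192.168.1.1", 360).items():
        print(f"{domain:20} ~{per_month:>7,} queries/month")
```

A once-a-minute beacon alone projects to about 43,000 queries a month, the lower end of the range the comment quotes, before any of the router's other lookups are counted.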
By @ddggdd - 3 months
I never use a phone app for my router, and I always block the router calling back home through AdGuard Home; Linksys does 2 every minute, some other brands do it every 2 seconds.
By @fifteen1506 - 3 months
Don't worry, as long as it's not a Chinese company we are fine.
By @hsnewman - 3 months
Security key <> passwords
By @rasengan - 3 months
I also want to mention that Linksys is owned by Cisco whose hardware probably touches the majority of the internet directly.
By @bundie - 3 months
This is very bad.
By @jhdifdhsak - 3 months
so just like UniFi circa 2017?

it was over ssl, but still.

By @0cf8612b2e1e - 3 months
No need to worry about Huawei backdoors when domestic infrastructure does such a bang up job on their own.

I am sick of reading about these embarrassing security holes in Cisco/Juniper/etc. The internet is an adversarial place. Stop cowboy coding.

By @dan-allen - 3 months
Of fucking course
By @hpen - 3 months
Only the hacker news crowd is arrogant enough to call them out for checking if that password was sent over HTTPS but not for actually giving a fuck about the lack of privacy. SMH hacker news