skilledtothegillsJul 9, 2024

Linksys Velop routers send Wi-Fi passwords in plaintext to US servers

https://lemmy.world/post/17387425

Linksys Velop routers send Wi-Fi passwords in plaintext to US servers - Lemmy.World

During installation, the router sent several data packets to an Amazon server in the US. These packets contained the configured SSID name and password in clear text, as well as some identification tokens for this network within a broader database and an access token for a user session that could potentially enable a MITM attack. Linksys has refused to acknowledge/respond to the issue.

Show threadAvid AmoebaJul 9, 2024
What does this mean, that the use plain HTTP or some other protocol? I can’t see details.
Show threadmhague

From what I can find, by “These routers send your credentials in plaintext”, they actually meant to say, “The mobile app sends credentials in plaintext.”

If you use the web interface then your credentials are not sent in plaintext. The routers themselves also don’t send credentials in plaintext.

The people who found this out got that wrong, and a lot of people are confused because they didn’t expand on “in plaintext.” They could be a little more professional / thoughtful.

Jul 9, 2024 at 5:38pmWeb
Show threadAvid AmoebaJul 9, 2024
This is what I’m thinking too. The only likely scenario under which the plaintext and MITM words make sense together is HTTP. I wouldn’t put it past Linksys to have used an HTTP API endpoint but these days a lot of things scream if you use HTTP. Thanks for the work!