Linksys Velop Routers Caught Sending WiFi Creds in the Clear [Hackaday]

View Article on Hackaday

A troubling report from the Belgian consumer protection group Testaankoop: several models of Velop Pro routers from Linksys were found to be sending WiFi configuration data out to a remote server during the setup process. That would be bad enough, but not only are these routers reporting private information to the mothership, they are doing it in clear text for anyone to listen in on.

Testaankoop says that while testing out the Pro WiFi 6E and Pro 7 versions of Velop routers, they discovered that unencrypted packets were being sent to a server hosted by Amazon Web Services (AWS). In these packets, they discovered not only the SSID of the user’s wireless network, but the encryption key necessary to join it. There were also various tokens included that could be used to identify network and user.

While the report doesn’t go into too much detail, it seems this information is being sent as part of the configuration process when using the official Linksys mobile application. If you want to avoid having your information bounced around the Internet, you can still use the router’s built-in web configuration menus from a browser on the local network — just like in the good old days.

The real kicker here is the response from Linksys, or more accurately, the lack thereof. Testaankoop says they notified them of their discovery back in November of 2023, and got no response. There’s even been firmware updates for the affected routers since then, but the issue is still unresolved.

Testaankoop ends the review by strongly recommending users avoid these particular models of Linksys Velop routers, which given the facts, sounds like solid advice to us. They also express their disappointment in how the brand, a fixture in the consumer router space for decades, has handled the situation. If you ask us, things started going downhill once they stopped running Linux on their hardware.