Linksys Velop routers send Wi-Fi passwords in plaintext to US servers

It’s as if the routers themselves forgot the first rule of cybersecurity: don’t write your secrets on a postcard.

According to Testaankoop, the Belgian equivalent of the Consumers’ Association, two types of Linksys routers are sending Wi-Fi login details in plaintext to Amazon (AWS) servers.

This discovery involves the Linksys Velop Pro 6E and Velop Pro 7 mesh routers.

During routine installation checks, Testaankoop detected several data packets being transmitted to an AWS server in the US. These packets included the configured SSID name and password in clear text, identification tokens for the network within a broader database, and an access token for a user session, potentially paving the way for a man-in-the-middle (MITM) attack.

An MITM attack is a security breach in which an attacker intercepts the communication between your Linksys router and the Amazon server without either party’s knowledge. In this context, it means the attacker could capture your Wi-Fi network name (SSID) and password as they are transmitted in plaintext, allowing them to read or alter these sensitive details and potentially gain unauthorized access to your network.

The consumer organization conducted these tests using the latest firmware available at the time. Although it warned Linksys in November, no effective measures have been taken.

“The Velop 6E and 7 we tested had the most recent firmware. The Velop 6E was tested several times, the last time with firmware V 1.0.8 MX6200_1.0.8.215731 and the new Velop Pro 7 was tested with firmware 1.0.10.215314,” Testaankoop said.

Linksys released a firmware update after the initial warning, but it did not address the concerns raised. “We regret the lack of response from Linksys and expected more from such a renowned brand,” Testaankoop said.

Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware. However, they emphasize that this does not excuse the vulnerability. For those who already own the affected routers, they have recommended changing the Wi-Fi network name and password via the web interface instead of the app. This precaution prevents the SSID name and password from being transmitted in readable text.
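Owners who can capture and decode their own router's outbound traffic could confirm whether a configuration change still exposes the credentials by searching the request bodies for the SSID and password in readable forms. The sketch below is an added example, not Testaankoop's tooling or Linksys code; the hostnames, field names and credentials are constructed, and it assumes the payloads have already been extracted from a capture as bytes.

```python
import base64
import json
from urllib.parse import quote, quote_plus


def readable_forms(secret):
    """Map each byte form in which `secret` is trivially readable to a label."""
    raw = secret.encode("utf-8")
    candidates = [
        ("plaintext", raw),
        ("json-escaped", json.dumps(secret)[1:-1].encode("utf-8")),
        ("url-encoded", quote(secret, safe="").encode("ascii")),
        ("form-encoded", quote_plus(secret).encode("ascii")),
        # Matches only when the secret was base64-encoded on its own,
        # not as part of a larger encoded blob.
        ("base64", base64.b64encode(raw)),
    ]
    forms = {}
    for label, needle in candidates:
        forms.setdefault(needle, label)  # identical forms keep the first label
    return forms


def find_leaks(payloads, secrets):
    """Return sorted (destination, secret name, form) for every readable hit."""
    hits = set()
    for destination, body in payloads:
        for name, value in secrets.items():
            for needle, label in readable_forms(value).items():
                if needle in body:
                    hits.add((destination, name, label))
    return sorted(hits)


# Constructed sample data: credentials, hostnames and field names are made up.
SECRETS = {"ssid": "Home Mesh", "passphrase": 'c0rrect "horse"&battery'}
SAMPLE_PAYLOADS = [
    ("cloud.example.invalid",
     b'{"ssid":"Home Mesh","passphrase":"c0rrect \\"horse\\"&battery"}'),
    ("api.example.invalid",
     b"ssid=Home+Mesh&key=c0rrect+%22horse%22%26battery"),
    ("time.example.invalid", b"\x1b\x00\x00\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_PAYLOADS, SECRETS):
        print(*hit)
```

An empty result only shows that none of these readable forms appeared in the payloads that were inspected.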

Mesh routers like the Velop series are designed to improve Wi-Fi distribution in large or multi-story homes by creating a wireless network through multiple connected nodes. These nodes communicate either wirelessly or through cables to ensure better Wi-Fi coverage. However, the Velop Pro WiFi 6E and Pro 7’s data transmission practices undermine the security benefits they should provide.

Testaankoop contacted Linksys again just days before today’s publication in response to the ongoing issue, giving them a brief window to respond. However, they have not received any acknowledgment or solution from the manufacturer.

The vulnerability persists even in the latest Linksys 7 Pro, highlighting a critical security lapse. “After our long and intensive tests, we strongly advise against buying the Linksys Velop Pro WiFi 6E and Pro 7 because there is a serious risk of network intrusion and data loss,” the researchers concluded.

While breaching a network requires effort and technical skill (Linksys has done a lot of the heavy lifting here!), the attacker can cause extensive damage once inside. Linksys themselves recommend the Velop product line for small offices, making this issue particularly concerning for both personal and professional environments.

Stack Diary reached out to Linksys on July 9 to see if they plan on responding; as of July 14, we have yet to hear from them.

Posted by Alex Ivanovs
