Two types of Linksys routers send Wi-Fi network login information in plaintext to U.S. Amazon servers, according to
Testaankoop. The devices in question are the Linksys Velop Pro 6E and Velop Pro 7, two mesh routers.
"During installation, the router sent several data packets to an Amazon server in the US. These packets contained the configured SSID name and password in plain text, and also some identification tokens for this network within a broader database as well as an access token for a user session that could potentially enable a man-in-the-middle (MITM) attack," according to Testaankoop.
The consumer organization reports that the routers had the latest firmware at the time of the test. Test-Aankoop warned Linksys last November, but, it says, without success. A firmware update did appear in the months following the warning, only it did not appear to solve the problem.
Testaankoop suspects that the security problem is caused by third-party software that the Linksys firmware uses. "But that does not justify it," the consumer organization further informed. Which "strongly advises against" buying the Linksys routers. "Because there is a serious risk of network intrusion and data loss. We regret the lack of response from Linkys and would have expected more from such a reputable brand."
People who already own the routers in question are advised to change the wifi network name and associated password via the web interface rather than using the app. "This will prevent your wifi network name and password from being shared in readable text," Testaankoop said.
