this post was submitted on 09 Jul 2024
642 points (99.7% liked)

Technology

59667 readers
3766 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
 

During installation, the router sent several data packets to an Amazon server in the US. These packets contained the configured SSID name and password in clear text, as well as some identification tokens for this network within a broader database and an access token for a user session that could potentially enable a MITM attack.

Linksys has refused to acknowledge/respond to the issue.

you are viewing a single comment's thread
view the rest of the comments
[โ€“] mhague 23 points 4 months ago* (last edited 4 months ago) (1 children)

From what I can find, by "These routers send your credentials in plaintext", they actually meant to say, "The mobile app sends credentials in plaintext."

If you use the web interface then your credentials are not sent in plaintext. The routers themselves also don't send credentials in plaintext.

The people who found this out got that wrong, and a lot of people are confused because they didn't expand on "in plaintext." They could be a little more professional / thoughtful.

Edit: I'm also thinking about the "may expose you to a MITM" bit. I think if it was https then a MITM (assuming all they can do is examine your packets) wouldn't work because the data can only be unlocked by the private key. It sounds like it was an http connection?

[โ€“] [email protected] 5 points 4 months ago

This is what I'm thinking too. The only likely scenario under which the plaintext and MITM words make sense together is HTTP. I wouldn't put it past Linksys to have used an HTTP API endpoint but these days a lot of things scream if you use HTTP. Thanks for the work!