Owners of the Linksys Velop Pro 6E and Pro 7 mesh routers, which are used by several broadband ISPs and consumers in the UK, are being advised to change the router’s passwords and Wi-Fi network names through an external web browser. The requirement comes after it was revealed that the models could transmit passwords in cleartext during the initial setup.
The issue was first discovered by a Belgian consumer organization, Testaankoop, which found that, during initial setup, both the Velop Pro 6E and 7 were transmitting the end-user’s SSID (WiFi network name) and passwords in cleartext (unencrypted) to an Amazon-hosted server in the USA (we don’t know if they mean the admin or WiFi password, but it could be both). User session access tokens and database identification tokens were also transmitted.
The issue was discovered in firmware version 1.0.8 (MX6200_1.0.8.215731) for the Wi-Fi 6E router and 1.0.10.215314 for the Wi-Fi 7 device. But exploiting this would admittedly require a man-in-the-middle (MITM) style attack, one with good timing.
Since then there has been an additional patch, but there’s no mention in the release notes of whether this includes a fix for the problem and Techspot claims that Linksys still hasn’t publicly acknowledged the issue. Testaankoop says they reported the vulnerability to Linksys in November 2023 but got no response, which doesn’t exactly inspire confidence in the company’s approach to device security.
In the meantime, the best course of action, if you have one of these routers, is to change your passwords (WiFi and router admin) and WiFi network names. But you should do this using a web browser on a PC / Mac or mobile device and NOT via the accompanying Linksys app, to prevent the changes from being sent unencrypted.