Linksys Velop routers send Wi-Fi passwords in plaintext to US servers

According to Testaankoop, the Belgian equivalent of the Consumers’ Association, two types of Linksys routers are sending Wi-Fi login details in plaintext to Amazon (AWS) servers.

This discovery involves the Linksys Velop Pro 6E and Velop Pro 7 mesh routers.

During routine installation checks, Testaankoop detected several data packets being transmitted to an AWS server in the US. These packets included the configured SSID name and password in clear text, identification tokens for the network within a broader database, and an access token for a user session, potentially paving the way for a man-in-the-middle (MITM) attack.

The consumer organization conducted these tests using the latest firmware available at the time. Despite warning Linksys in November, no effective measures have been taken.