Just reading these comments - is everyone OK with them sending your password to a server, but not with the lack of encryption?
I would not expect my password to be sent to the server in the first place.
Via the TR-69 mechanism, Verizon FiOS routers send your local wifi password to their central management system. The excuse I've heard for this is to "allow support agents to assist users who forgot their passwords"
:-/
To be honest, this makes a lot of sense. The time saved in support is probably worth way more than the costs of dealing with any security fallout.
For that I think having a remote "reset password" option is more sensible. It would avoid issues coming from password reuse.
…and help the customer reconnect all devices on the WiFi?
Yes. It would be the same as resetting your email password and needing to login again on your devices.
If a password is so precious that you share it plaintext with third parties it is a bad usecase for a password.
The level of effort and obviousness of an email reset is nothing compared to helping someone figure out how to reconfigure every smart device ever made.
So it's a bad usecase for a password, then. Perhaps every router should ship with a preconfigured VLAN for shitty smart home stuff that is a lot more open, or maybe we should stop trying to stick internet into everything ever created.
Why should it be just the IoT devices that get the insecure network? Why not just stop trusting the LAN altogether and instead use technologies like HTTPS and DoH to ensure privacy on the important devices? That seems to be the way the tide is turning anyway.
Personally I'm all for that but people & packages seem to be pretty promiscuous about listen address defaults and assuming everything behind a router's NAT is trusted.
Treating the network as untrusted is good but as long as some people are paying for service, traffic and bandwidth there are reasons to not allow anything to use your network. And there is also a legal question of liability if someone is not quite above board from your IP.
Tell me you've never done help desk work without telling me you've never done help desk work.
I've actually worked help desk for about 3 years.
I've had calls lasting over an hour helping customers configure their email on their phone and computer.
I learned not to laugh when people called "the internet" either "that e-thingy", "mozarella foxfire" or "googlé charome".
I dealt with explaining to people why IE6 did not understand SNI when we decided to give all our customers websites HTTPS.
Just saying that I've been in that and seen that.
They can change it back after logging in if they insist.
they forgot the password, so they can't
There's always the reset to factory defaults button. The vast majority of WiFi users have never adjusted any of the settings anyways.
Right, good point. There is of course the option to see saved wifi passwords on most devices... but I can see how an engineer decided to bypass all this bikeshedding and just send the damn password haha.
Verizon does not get to decide what's an appropriate tradeoff for other people's security.
For Verizon owned routers? For company owned and supported equipment, I can understand it. I might not like it, but I can understand it. Especially if they are on the hook for support.
But, that’s why I run my own router for internet access. It’s my router and I can control what it does. If it goes down, then that’s on me. And I’m okay with that. Would I necessarily want the same setup for my parents? Probably not…
Do they own the rest of the equipment on the network that they're putting at risk?
I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it." They do have that choice still, it must be some leftover regulation (from back when the US did that) in the case of cable companies, but I have zero problem with the ISP making those tradeoffs. The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.
Those who are security conscious enough to have concerns about their LAN security do not buy "internet + routers + desktop support as a service" by renting the endpoint equipment -- they buy just the internet connectivity and furnish equipment they can control and trust.
I'm not concerned with this question as it implies that people haven't got a choice between "rent modem, ez for noobs" and "buy own equipment, fully control it."
If you buy the equipment from Verizon, I will bet you a significant amount of money that it still sends your passwords to them [on edit: with exactly zero disclosure that's detectable to 99.99 percent of users]. In fact, I'll bet you Verizon treats customer-owned equipment exactly like rented equipment except in billing. But anyway.
The people who would trust the ISP-owned device likely have already typed that wi-fi password into things like $99 smart TVs which probably transmit their wifi password, location, and microphone data directly to China. Verizon having the wifi password is not cause for concern here.
You park your car in bad neighborhoods. Had I not stolen your car, somebody else would have done it.
A good argument why the fines for this kind of behavior need to be orders of magnitude higher.
Couldn't a security conscious user just use their own APs/Router?
Sure, it’s what I do as a Verizon->Frontier->Ziply FiOS user. But most users are not going to go out and procure a bunch of Ubiquiti equipment or whatever, they’re going to take the defaults.
Also, with services like Xfinity, the monthly cost is substantially lower if you are using their router. This is because they scan the traffic for ad targeting, but most people don't care and don't want to buy their own router and then have to pay more per month to use it.
Really? How much lower? I have had my own modem so long I never knew this. Not that I would switch to theirs.
This must be new. It's been about 8 years since I've had Xfinity but I always had my own modem and router and got a discount (i.e. didn't have to "rent" the modem).
Iirc it was something small like $5 or $15 a month... I really only did it for the better hardware and software.
This was earlier in the year, we had started hitting the monthly data caps on our plan and getting penalized.
I went in and the unlimited plan was about $15 less per month using their modem/router than my own (which I already had), plus the router was free (I'm not paying a monthly equipment "rental" fee).
One annoyance was that their router didn't allow spaces in the WiFi password, so I had to reconfigure all my devices.
I could set up the router in bridge mode where it acts like a dumb modem and continue to use my own router, but I have not bothered with that.
I thought it was more using their router, especially over time. They charge $15/month for the router/modem which doesn’t sound too bad, but is $180/year on a device that retails for $180 or so. And they’ll happily keep charging that, forever - long past when their costs and a reasonable profit have been made.
They also force you to share your cable/wifi connection with other Xfinity users who are near you. Buying your own router and modem is a much better deal.
I've never been offered a better deal with Comcast/Xfinity for using their modems or hardware. Renting their stuff is $10/mo and a modem is $100, last I bought something like 5 years ago now, for a higher end one that supports gigabit service.
So, $100 or pay $10/mo forever, and over the past 5 years that $10 would be $600, or $500 saved by buying my own modem.
I use my own modem and router with XFinity, and I don't pay any more for doing it. In fact, I pay a little bit less because I'm not paying the monthly equipment rental fee.
That is, as long as I stay on top of it. Every 3 months like clockwork, they "forget" that I'm not renting their equipment and start billing me for it. I have to call them up and remind them.
Large scale wire fraud that will never be prosecuted.
I have heard that in some markets the only way to get unlimited service from Comcast (with no monthly cap) is to use their hardware.
Most of the CPE from various ISPs I've seen are barely powered enough to keep track of enough NAT connections. They're handing out devices capable of DPI on 100mb/s+ connections now?
Sure, but then a forgotten password is your problem.
Honestly it would never even occur to me to call my ISP to help if I'd forgotten my wifi password.
Also I feel like if you are concerned about forgetting your wifi password you'd probably just keep the one that's written on the device (and which is probably quite a bit more secure than the password you'd come up with yourself).
Xfinity these days will have the tech set up your WiFi with your password. It's an integrated device so he'll set up the cable internet and then your WiFi. Monkeybrains is all "you're set up!" and then you add your own WiFi router. Sonic has you set up your own WiFi. AT&T has the WiFi password printed on the device along with the admin password.
That's my experience with ISPs in SF. It's clear that many people don't buy Internet access. They buy "WiFi" which is that Xfinity integrated service. The components don't matter.
I'm certain that nearly most, if not all users on hacker news have a pretty solid mental model of the basics of how internet connection works, and the responsibilities between the computer or device, wifi, home router, ISP, and internet web sites or other services.
But I've assisted people whose mental model is simply "Verizon put this box in my home and now I have internet". Who panic when a site doesn't load, and will call the first person they think is responsible for the problem. (typically, the company that gave them internet). Or more commonly nowadays, "my phone is my internet connection" -- and the only thing they think they have the power to do is to wave the phone in the air to find 'more bars'.
I suppose it makes sense from Verizon's (or any ISP's) perspective, and honestly, if you understand how all this works, then you understand how to trivially eliminate the issue, and then of course, you know when and when not to call Verizon with problems. (Of course, it'd be awful nice if they offered 'Shibboleet' [1] service for folks who do understand when the problem is between the site and the router.) HOWEVER, it'd be nice if they were more upfront with the disclosure of this password sharing ...
Not only. Probably all ISPs around the world who provide their customers a modem with an embedded (or not) WiFi router do the same.
EDIT: also, if your ISP has a mobile app from which you can change any password on ISP provided devices, then most likely it goes around in plain text (inside TCP/TLS packets, at least).
Every WiFi router I've ever owned, you hold the reset button for so many seconds to perform a hard reset, and the WiFi goes back to some default password. From there, you can login to the router and set a new password.
I thought WPS would have been the solution to the inconvenience of wifi passwords. If I were an ISP receiving too many support cases relating to the wifi password, perhaps WPS should be used more?
That's utterly insane.
It makes me feel happy about my longstanding habit of not using routers supplied by ISPs, though.
I really wish wifi router OEMs would use OpenWRT. They could skin it (ala gli.net) if they wish, but at least use it. It's open. It works. You can still differentiate your product by making it have MOAR ANTENNAS! and continue to add up all the speed numbers to make it look REALLY FAST!!!!
Or if they're worried about GPL stuff from Linux, there's also OpnSense, which works fine and I think is well respected.
I'm nerdy enough to have built my own router with OpnSense a few years ago, and it worked like a champ. The only reason I stopped was there was an issue with BSD and a specific Broadcom 10Gbe card that I couldn't work around, so I ended up hacking something together with ClearOS and eventually NixOS.
Are any parts of your nixos router config available publicly? I also rolled my own and am always on the lookout for inspiration
My router largely just implemented this tutorial: https://github.com/ghostbuster91/blogposts/blob/a2374f0039f8...
ChatGPT was used whenever something I didn't understand came up.
Thanks! I've also used parts of it when building mine
Yeah, I'm hesitant to share any of my configs directly since I might have done something wrong and I want at least a very cursory "security by obscurity".
That's a perfectly valid position to have IMO. Same reason I post only parts of my config publicly, the rest is hidden in a flake hosted on a private forge.
I'm really glad OpenWRT does not share a similar fate to Android.
The point being that if one has the technical ability, they could just flash stock.
I learned a few hours ago, for unrelated reasons, that there is at least one which does. GL.iNet ship routers running their in-house build of OpenWRT:
https://www.gl-inet.com/support/firmware-versions/
https://github.com/gl-inet/openwrt
And it's straightforward to install stock OpenWRT using OpenWRT's sysupgrade method:
A whole bunch of GLI.NET devices use SOCs where Linux mainline kernel support was never upstreamed. So buying GLI.NET is not a surefire way to obtain hardware that runs 'Proper OpenWrt'; you still have to check the HCL, or better/up2date, the list of DTS files in the current git master of openwrt.
A lot of them already are running OpenWRT.
It's just not the upstream OpenWRT. Instead, it would be an ancient version of OpenWRT with an ancient Linux kernel (hint hint).
Guessed why? Yeah, the same story as Android. Hardware vendors (those actually designing wireless chips, like Qualcomm and Mediatek) based their official SDK on an ancient version of OpenWRT and piled on tons of non-upstream-able patches to implement drivers.
I've never bothered to install a theme for it, but https://openwrt.org/docs/guide-user/luci/luci.themes they do exist. There's really no good reason they couldn't.
My old Araknis AP was just a reskinned OpenWRT, trudat.
That and Apple should bring back AirPorts. They were easy to set up, performed well, had some advanced features, and got security updates for many years.
Two years ago or so, my office mate and I pulled out an old AirPort Extreme when our Fritz!Box broke. Not only did it still work very well, it was still pretty competitive as an 802.11ac router.
Is this actually plaintext, or is this plaintext-inside-HTTPS? The article and source material don’t say.
It’s pretty normal for passwords to be “plaintext” inside an HTTPS request. That’s how practically every login to a web app works. If it’s not HTTPS, there’s a whole slew of other issues along with putting a plaintext password in the request.
If it is HTTPS, then the issue really is just that the password gets sent anywhere rather than staying local. This is a lot more debatable as a practice, but unfortunately is also common for a lot of routers to support their cloud/app management functionalities.
is also common for a lot of routers to support their cloud/app management functionalities
Why does the cloud need to know the wifi password to support mgmt functionalities? The only reasons I can think of right now are for more "automatic" setup of a second unit for meshing or if you want a factory reset to have the same password. Both of those cases have better solutions.
If it's for setting a new password I don't see why they need the old one, if it's for remote management access using the wifi password as the access credential then that seems both bad (access to my network should not mean access to manage it) and like it can be done a lot better if actually needed (send just a well salted and hashed password).
This appears to be a cloud password first setup feature. As in you type your new password into the app, the app sends your password to a cloud API, and then the cloud API instructs the router to change to the new password over a management API.
So the password is sent for a specific feature that legitimately wants it.
You could have the app connect to a special WiFi network and then communicate directly with an API exposed by the router. That's what my router does. But the experience of using a special-purpose WiFi network is janky on many common devices so I understand not taking that choice.
But the experience of using a special-purpose WiFi network is janky on many common devices so I understand not taking that choice.
Yea, this is my hunch as well as to why this works this way. Consumers are easily confused, and asking them to disconnect from their currently working internet connection and connect to a router that hasn’t yet been set up (and might not be able to provide an internet connection) can get confusing. I know I’ve been in this situation before where I’ve been connected to a special-purpose network without an internet connection, need to look up some instructions online, but then remember I can’t because I’m not connected to the internet…
and might not be able to provide an internet connection
But this router has to have an internet connection for this flow to work, right? Otherwise how can the router get the password from the cloud service?
What is needed is the device-to-router connection to work securely but by sending the wifi credentials plaintext that is not secure, so not sure what is won here.
The router itself has an internet connection but that doesn’t necessarily mean that all of the other stuff required to actually route traffic or connect other devices is configured (like DHCP).
It’d be possible to have some sane defaults in there to make it work, but I wouldn’t count on them to be 100% out in the field of who-knows-what-crazy-settings-this-consumer-has.
sending the wifi credentials plaintext that is not secure
If the connection between the app, router, and cloud server are all HTTPS, then it’s probably more secure to do it that way than it would be to send it over an unconfigured, insecure WiFi network (which typically uses HTTP or unsigned certificates for the management interface).
It occurs to me now that the whole recent stuff that Apple has been pushing, where apps are banned from making HTTP requests (HTTPS only) may have been the impetus for this. Their "setup app" can't connect to http://192.168.1.1/ (or if it can, does so only after popping up dire warnings in scare dialogs) -- but it can connect to the "cloud" server so just send it up to the cloud and back down the WAN port. I can see how they arrived here. Still this is why "apps" suck for this purpose, but I bet they moved to apps because there are probably plenty of households without a working computer, who need wi-fi for their phones and Rokus, and this proved to be the friendliest way to do it.
Even if all that is true why would you not use a temporary password to then directly set the real password? It seems to me like they have not treated the password as an actual secret in this transaction.
The velop uses bluetooth for setup... you use an application on your phone, that sets up the router. Yes, it's janky too.
Couldn't they then use a random password for the setup process and switch to the selected one when app and the router have connected? I'm pretty sure both android and iOS have APIs for apps to connect to wifi networks.
I'm just trying to ask: What is the scenario where the best (in both security and user-friendliness) solution is to send the wifi password in plaintext?
That API was introduced in Android 10. That's currently supported by only around 60% of Android devices globally and that number would have been lower when they decided how to implement this project.
My phone did have that API, and I subjectively still found the experience janky. But that's just my opinion.
You could send the password through the cloud server pre-hashed, or even better the cloud server could be used to establish an end-to-end encrypted connection from the app to the router.
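The two ideas in the comment above, sketched as an added example that is not part of the original thread and is not Linksys code: the app derives the WPA2 pre-shared key locally and seals it to the router's public key, so a cloud relay forwards only an opaque envelope. It assumes the router holds an X25519 key pair whose public half reaches the app out of band (for instance a QR code on the device label); the function names, the HKDF label, the passphrase and the SSID are constructed for illustration.

```javascript
const crypto = require("node:crypto");

const HKDF_INFO = "wifi-psk-provisioning-v1"; // hypothetical context label

// WPA2-Personal key derivation (IEEE 802.11i): PBKDF2-HMAC-SHA1 over the
// passphrase, salted with the SSID, 4096 iterations, 256-bit output.
function deriveWpa2Psk(passphrase, ssid) {
  if (passphrase.length < 8 || passphrase.length > 63) {
    throw new RangeError("WPA2 passphrase must be 8..63 characters");
  }
  return crypto.pbkdf2Sync(passphrase, ssid, 4096, 32, "sha1");
}

// Derive the AES key from an ECDH shared secret, bound to the ephemeral key.
function envelopeKey(shared, ephPubDer) {
  return Buffer.from(crypto.hkdfSync("sha256", shared, ephPubDer, HKDF_INFO, 32));
}

// App side: ephemeral-static X25519, then AES-256-GCM with the SSID as
// associated data so the envelope cannot be replayed for another network name.
function sealForRouter(routerPubDer, ssid, psk) {
  const routerPub = crypto.createPublicKey({ key: routerPubDer, format: "der", type: "spki" });
  const eph = crypto.generateKeyPairSync("x25519");
  const ephPubDer = eph.publicKey.export({ type: "spki", format: "der" });
  const shared = crypto.diffieHellman({ privateKey: eph.privateKey, publicKey: routerPub });
  const iv = crypto.randomBytes(12);
  const cipher = crypto.createCipheriv("aes-256-gcm", envelopeKey(shared, ephPubDer), iv);
  cipher.setAAD(Buffer.from(ssid, "utf8"));
  const ct = Buffer.concat([cipher.update(psk), cipher.final()]);
  return {
    ssid,
    ephPub: ephPubDer.toString("base64"),
    iv: iv.toString("base64"),
    ct: ct.toString("base64"),
    tag: cipher.getAuthTag().toString("base64"),
  };
}

// Router side: recompute the shared secret with the device private key and
// decrypt; final() throws if any field of the envelope was altered in transit.
function openOnRouter(routerPrivateKey, msg) {
  const ephPubDer = Buffer.from(msg.ephPub, "base64");
  const ephPub = crypto.createPublicKey({ key: ephPubDer, format: "der", type: "spki" });
  const shared = crypto.diffieHellman({ privateKey: routerPrivateKey, publicKey: ephPub });
  const decipher = crypto.createDecipheriv(
    "aes-256-gcm", envelopeKey(shared, ephPubDer), Buffer.from(msg.iv, "base64"));
  decipher.setAAD(Buffer.from(msg.ssid, "utf8"));
  decipher.setAuthTag(Buffer.from(msg.tag, "base64"));
  return Buffer.concat([decipher.update(Buffer.from(msg.ct, "base64")), decipher.final()]);
}

// End-to-end run with constructed sample values.
function demo() {
  const router = crypto.generateKeyPairSync("x25519"); // stands in for the factory key
  const routerPubDer = router.publicKey.export({ type: "spki", format: "der" });
  const passphrase = "correct horse battery"; // constructed sample
  const ssid = "HomeNet-Example";             // constructed sample
  const psk = deriveWpa2Psk(passphrase, ssid);
  const msg = sealForRouter(routerPubDer, ssid, psk);
  const seenByCloud = JSON.stringify(msg);    // everything the relay can log
  const installed = openOnRouter(router.privateKey, JSON.parse(seenByCloud));
  return { psk, msg, seenByCloud, installed, routerPrivateKey: router.privateKey };
}

const result = demo();
console.log("router recovered the PSK:", result.installed.equals(result.psk));
console.log("relay payload:", result.seenByCloud);
```

Pre-hashing only limits the damage of password reuse: the derived key is still a working credential for that SSID, which is why the envelope matters if the relay is not trusted.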
If they intercepted it, then one must assume it was truly plaintext. Because if they were able to get access to the private key for Linksys's server certificate, that would be even bigger news.
No need to worry about Huawei backdoors when domestic infrastructure does such a bang up job on their own.
I am sick of reading about these embarrassing security holes in Cisco/Juniper/etc. The internet is an adversarial place. Stop cowboy coding
Stop cowboy coding
Why are you giving this company benefit of the doubt - just because it’s western? They haven’t even bothered to comment on the issue, they made no promise to fix it, for all you know they are selling your data to the highest bidder. And to anyone from China too.
If a Chinese company does it we are quick to label it stealing, but here we have the authority to regulate, and we go soft, oh no, it’s disorganisation, poor them, they’ve only been in this business for like 40 years or whatever.
Maybe we should assume malevolence, just like we do with China.
Why are you giving this company benefit of the doubt - just because it’s western?
What does “western” mean? Linksys has been owned by Foxconn since 2018, which is based in Taiwan.
Maybe we should assume malevolence, just like we do with China.
I'm fine with assuming ignorance for a brief window. But when the vendor doesn't reply after multiple repeated attempts, and no fix is in sight, it should quickly evolve from ignorance to willful malpractice at the very least.
Where did I give them the benefit of the doubt? I am furious at the network providers ongoing negligence/incompetence. Either they are in bed with the NSA or they just suck at their job. Regardless of the root cause, we all suffer.
The mention of Huawei was to point out the humor that the government has banned a company on the potential for subtle back doors. Something like the xz exploit. Yet the domestic vendors put out trivially broken crap on the regular. How many Cisco devices have shipped with hardcoded passwords in the past decade.
Making this about foreign vs domestic is bullshit. There is no such thing as a friendly vulnerability.
Just quit allowing corporations to bake up pointlessly unique proprietary firmware blobs for every single device, and we won't have this problem! It's redundant work anyway.
"There is no such thing as a friendly vulnerability." is going right up there with "You can't trust code that you did not totally create yourself." in my list of favorite infosec quotes. Thank you!
Stop cowboy coding.
Look, I'm a cowboy coder, through and through; but I still know better than to close the barn door after the horse bolted.
Information security and software processes aren't that closely related. You can be secure and yolo in production. You can run an extensive change management system and a) push mostly unnecessary cloud services, b) not use reasonable precautions to protect information in transit (and at rest) when sending to cloud services.
I picked up some of the Linksys Velop wifi 6 routers recently, because OpenWRT works on them, but I figured I'd try the factory firmware first... Woof, it's bad (but I only used the web interface... I wasn't willing to install the app), I lasted a day.
Forming a mesh involves the central node using the default password when accessing the other nodes. I guess that's effective, but felt pretty gross to me.
Linksys is owned by a foreign company (Foxconn).
Does anyone think that Netgear isn't doing the exact same thing with Orbi? (It's a given that Google is doing it with Eero.) Anyone taking odds on Ubiquiti?
My access point is still Ubiquiti, since I haven't found a solution to get WiFi access across my house that works directly with my homebuilt router that I'm sufficiently happy with. I'm sure Ubiquiti is doing the same stuff, behind the scenes.
I'm open to suggestions if anyone has them on the best way to avoid this.
In case you know -- is there a way to get into Ubiquiti without having a drop where I need the secondary AP? Today I use an Eero at the cable modem and a second Eero just mounted on the ceiling upstairs with . I'd like to move to something that isn't locked down the way Eero is (and which has a web UI), but I like the whole 'mesh with a dedicated backhaul on a separate channel' thing. My house is constructed in a way that would make running ethernet upstairs not convenient.
Yes, Ubiquiti has AP mesh hardware that uses a dedicated backhaul radio, so you can extend the mesh without needing wired backhaul for mesh points.
It's slow as shit though. I had 5x U6-Mesh after ditching the Google/Nest Wi-Fi garbage. Now, I have U6-Enterprise running on PoE on dedicated copper. There's no substitute for the bandwidth afforded by physical media.
FS: U6-Mesh for cheap! ;)
I have Ubiquiti APs that run off a local UniFi VM. The APs don't have internet access and the UniFi box has only limited access to grab firmware updates. No need to trust when you can enforce limits on a separate router running a FOSS OS like opnsense.
Eero is Amazon.
Don't most websites send passwords in plaintext for login and rely on the connection being HTTPS for having any security at all? I don't like that, but seems to be very common, so I'm not surprised about the plaintext part of this article. But that the passwords are at all sent to a server, that did surprise me, good to know.
Plaintext can mean a few things - encrypted in transit using an HTTPS connection means it's no longer plaintext.
The article and source material are light on details here. My guess is that it is using HTTPS, but the researchers saw the plaintext password in the request and assumed “password in plaintext always bad”.
If the app isn’t using HTTPS, then the story would be much bigger than just the password being plaintext.
How would they have been able to see the content of a request from the router to AWS if it was HTTPS?
You can MITM HTTPS, the device just needs to trust the cert (which isn't hard to do)
First thing to check before buying a router: if the firmware can be replaced with OpenWRT.
And who built the OpenWRT firmware? I bought a gl.inet that comes with OpenWRT but since it's made in China (like every other router) I looked at the OpenWRT blobs and for all I know they're built in China too.
Replaced with.
You can install it yourself, not buy something with it pre-installed
This is pretty light on details, but my guess would be there’s some app that you can use to reconfigure all your Wi-Fi repeaters at once and if you use the app, it erroneously transmits the password which it needs in plain text.
It’s not clear to me that the router sends the password rather than the app on your phone.
which it needs in plain text
Perhaps this is a typo on your part, in which case, please excuse my strong words here. But passwords should never be transmitted in clear text. Encryption is cheap these days.
Sorry I missed a,
Erroneously? It's a US company. They do it because it's cheaper :)
If they were Chinese they would do it because they're spying of course.
I wish Apple would get back into the WiFi router business again. I trust their privacy/security posture more than most other brands. Sadly they sell Linksys routers as the go to replacement for their previous products.
As long as
* source is available for the boot-loaders, all onboard devices.
* Firmware source available for all NPUs, 'offload engines', and other devices in Ethernet data path.
* mainline linux kernel supports a fully blob-free bootup (except Wifi/RF)
* a jumper enables trustzone access, with complete key management available to the enduser
* populated serial UART port header on the inside. (optional)
... Then I don't care who builds it. But I can't imagine Apple would build such a user-friendly device, that I could just easily install OpenWrt on 5 minutes out the box. Plus they'd probably fleece you.
Sorry, no one is interested in a device subscription business model. People like to own their hardware.
Consumers deserve far better than what they're getting from network gear manufacturers—crap, and grossly overpriced crap. I wish Apple would get back into the game and at least offer some grossly overpriced non-crap.
You don’t need Apple as your saviour, there are expensive non crap brands out there. I’ve liked Ruckus for example.
I certainly don't need Apple. My primary home router is a virtual machine running on a Proxmox cluster, and my house is serviced by three sub-$30 Netgear wifi 5 access points running OpenWRT with 802.11r fast transition on a wired backhaul.
I can't recommend any of that to my non-techy friends or family. I can't recommend Ruckus, either, as it's about an order of magnitude too expensive. Ditto for the other "prosumer" vendors.
We've been here before. OE firmware needs to be assumed hostile and either replaced with open source aftermarket firmware, or the device sequestered in a subnet with no internet access.
Nobody got time for that.
Unified online DB for devices and brands regarding nuisances.
Add ads, micropayments and Flattr-like mechanisms for sustainability.
Maybe you'd also like a cloud service that ties your shoes? God forbid you should move a muscle.
Taking a step back and thinking about this, this vulnerability/bad decision was a result of systemic disorganization.
It's not just the developer who wrote said code, as well as the backend developers who receive these outputs, but further, the organization did not have any kind of test/check and balance/security mechanism in place.
It's terrible given the router, especially in a world of IoT, may be the device on your network that should be the most secure.
Finally, now that it's public how bad the organization at Linksys is, it is trivial for a criminal to pay an employee to purposefully include backdoors.
The consumer router scene needs a security focused disruption.
There is vendor-side infrastructure to receive the information. This wasn't a lapse in planning/testing. This was intentional.
Stop giving corporations the benefit of the doubt.
I also want to mention that Linksys is owned by Cisco whose hardware probably touches the majority of the internet directly.
Linksys has not been Cisco since 2013. Right now, Foxconn owns it. Belkin owned it before that.
Cisco sells Meraki, which they bought in Dec 2012.
Years ago, I caught some overseas contractors writing passwords to a log file. It wasn't malicious on their part, it was ignorance. (But, that kind of mistake is highly unprofessional and shows a lack of insight from someone who should know better.)
I suspect that someone has some debugging flags that do this, and accidentally shipped with the flags set the wrong way.
Heck, Apple did that once (CVE-2012-0652).
When you start digging into outbound dns traffic from consumer routers you can find a baffling amount of data sent. On the order of 50,000-100,000 dns requests a month to their company servers (sometimes hosted in china).
Testaankoop suspects the security issue might stem from third-party software used in the Linksys firmware.
What third-party software does Linksys use on that router?
Very happy with my own router with my own software (just regular Arch Linux ARM). :) The thing that guards access to and from my internal networks really deserves to not be so turdish. I'd hate to pay $350 for such a betrayal.
Some things can apparently only be bought with your own time, when it comes to "but you had to spend cumulative 3 days setting up your custom thing, so it didn't really cost $100" equation that people will throw at you if you tell them that you have built something yourself from relatively cheap components.
Embarrassing. Not responding for months is actively malicious and should be punished as such, towards the entire company too, not just one throwaway developer to shift blame on to.
so just like unify circa 2017?
it was over ssl, but still.
I'm impressed a consumer test organisation has the technical expertise to detect this. You don't find this by using it as a consumer would. They had to do the effort to hunt for security bugs to notice this.
Security key <> passwords
Only the Hacker News crowd is arrogant enough to call them out for checking if that password was HTTPS but not for actually giving a fuck about the lack of privacy. SMH Hacker News
Don't worry, as long as it's not a Chinese company we are fine.
Of fucking course
This isn't limited to their Velop line. While converting my EA7500 to OpenWrt, I noticed this exact same information being sent as it tried to force me to log in via the mylinksys web portal and tried to establish a link with the home server.
This is very bad.
I’ve really disliked the change in the router industry where the routers have become ‘smart devices’ instead of reliable local networking hardware. This has turned into the same abuse of customers we see from others. For example TP Link uses the same dark patterns in their routers as companies like Roku, where they make updates to the terms of service and force you to accept it in a pop up if you want to use the app. And the app is the ONLY way to access most of the router configuration features, as compared to the old method where routers would let you navigate to a password protected website to configure them. So if you don’t accept the new terms, you can’t control your router that you were able to control all this time. Additionally their app constantly pushes trials of their useless and unwanted services through nudges within the app like red circular badges next to menu items and user interface elements. It wouldn’t surprise me if their terms also let them abuse my privacy and security in the same way as Linksys.
But who else do we go to? Every company is doing this. Maybe they just cannot survive without it. It’s probably why we need regulation here (consequences for security breaches, limitations on terms of service abuse, etc).
Despite warning Linksys in November, no effective measures have been taken.
November? November?! OK, sure, there are a lot of holidays around then. But I would have expected public disclosure on something like this by end of January at the latest, unless the vendor is actively working / communicating about it.
I'm certainly not OK with that. I'm not OK with a router sending anything whatsoever off to a mystery server somewhere (sending data somewhere when the user overtly sets it up to do so is OK), and any router that does that is not fit for purpose in my view.
That said, I haven't considered Linksys routers to be fit for purpose at all for years now anyway.
Wait till you find out what TVs do... Which is far from ok
What does my smart tv that has never been connected to wifi do?
Ethernet was added to the HDMI standard since version 1.4 and most cables today support that. If your TV is connected to an already networked box via an HDMI cable, chances are that it won't need a WiFi connection to go online.
Also, it could connect to an open WiFi without telling the user since it wouldn't need any input to enter credentials. It is becoming a lot harder to remain offline, at least with TVs.
I’m skeptical of this. Why would my Apple TV cheerfully proxy my TV’s request to send packets to the Internet?
Why wouldn't it? Apple has a whole network of devices that relay data from other devices. It's not like you can even check the software running on their products.
Because it's an extra expense to support it with basically no value. The reason to give a TV a network connection would be to use the applications built into the TV... ones that you don't need if you're using an Apple TV.
And hell, I can't even find any evidence that there are TVs that support HEC.
Rumor has it that some devices will connect to other networks. I'm not sure this has been proven but it seems a bit hard to catch and it seems like a thing that could be done in the name of accessibility. I'd be interested if anyone has dumped firmware and looked to see if it does or doesn't happen.
Either way, not connecting your TV to wifi isn't an excuse for the behavior. Good for you, but that doesn't justify their actions or make anybody who is not up to date with what kind of spying happens any less of a victim. It shouldn't happen even if you are able to get around them. You should be able to use wifi AND not be spied on. Full stop.
https://web.archive.org/web/20210912135232/https://forum.dev...
I have seen it. I like to run an open wifi AP. The way I have it set up it sort of sucks, throttled about as low as I can get it, you could read HN on it but most websites are very unpleasant to use. Anyway, the point is, for the most part my only customer is my neighbor's Samsung TV sending some sort of click and navigation updates back to the mothership. Now I don't "know" that it wasn't attached to intentionally, but I suspect the TV was just happy to attach to anything it could find.
You ever think about asking your neighbor? Could also make an interesting blog post as I think there are a lot of people interested in this subject. It's also not that easy of a topic to Google. The results all focus on how to connect your TV to wifi rather than trying to find the specific issue. There's definitely HN interest in it.
So you are knowingly helping Samsung spy on your neighbor. Have you thought about the ethics of what you are doing?
Anyway, while I would not call the original accusation of the TV using any open WIFI automatically out of the question, this experiment provides little evidence of that. It's hardly unthinkable that your neighbor or someone using their TV just clicked OK on some prompts to make them go away and thereby selecting the first network in the list. It's also not unthinkable that your neighbor wanted to use some functionality that requires an internet connection to set up and just didn't pay attention to the WIFI network selection.
I think Fire TVs may connect over Amazon Sidewalk to someone walking by your house. Samsung was caught sending screenshots of people's smart TVs, which could be being used as desktop monitors.
It’s called ACR, Samsung is very proud of it and sells it to whoever will buy it. They can tell what you’re watching even if it’s from a divx file on your SD card.
I understand your concerns and feel exactly the same. But I think at a certain point you can only care so much and dedicate so much time to it. With a home network you can obfuscate so much with little know-how, and further you ultimately are "aware" of all packets being sent via examining your own traffic.
The real problem is cars, IoT Devices. Do you drive a vehicle newer than model year ~2015? That thing is sending all kinds of telemetry to OEM manufacturer and their entire supply line of OEM suppliers. That data is firstly used to audit and evaluate functions in the vehicle for future iterations....but then that data is sold as many times as they can to research firms, advertisers, gov't planning boards etc.
Taking ownership of the vehicle is you signing away any investigation or litigation rights, or even access to those data/data systems.
I think THIS is where data privacy awareness needs to be pivoted to, Geolocating "iot" devices like vehicle CPU that no one, not even service techs can ever access.
No, I don't, for that exact reason. Some things are important enough for me to go to the effort to find a way to mitigate the security threat they pose. Other things, like relatively modern cars and IoT devices that I can't control, aren't important enough to do that. Instead, I just don't use them.
I applaud your dedication. 2015 is almost ten years ago, this won’t work forever and at some point all used vehicles that are in a dependable condition will be 2015 or newer. What then, if telemetry can’t be disabled by the user?
I'm old enough that I seriously doubt the world will run out of suitable used cars within my lifetime. My current car is from 2005 and still runs like new.
But if that day comes, I'll figure out how to disable the radio. If that's not possible, then I'll stop owning a car.
I hope you’re right :)
That is most likely what _Linksys_ did.
Please! Let's not just accept this poor state of security and somehow try to be apologetic for this issue. The BAR IS SO LOW .. Do not send unencrypted PII over the internet. And bonus points for not sharing someone's WiFi password with a third party. A third party in the US. We can probably assume that some three letter US government agency has intercepted all these requests.
The bar is really low. This is basic stuff. Zero need to be nice to Linksys.
I'm waiting for more of the post-2015 models to hit the secondary markets before the legal system sorts this out. When someone buys a used car for cash from an independent dealership, I seriously doubt they have sufficiently signed off on such data collection.
While I do still encourage people to do this as any security is better than no security, it is worth noting that you can entirely bypass things like a DNS block (i.e. pihole). For example, your browser probably does. Idk where it is in Chrome, but in Firefox you can go to Settings > Privacy & Security[0] and down at the bottom is "Enable DNS over HTTPS using:". Which, in general, I'd also encourage people to use. Cloudflare suggests this feature is available in Brave, Chrome, Edge, and Firefox[1].
So I'm saying there's an extra step to be aware of because if you rely on only DNS to perform the blocking, then it may not catch everything because there might just be a host file with the IPs manually specified. Which isn't unlikely.
I think the bigger problem is the complexity of all of this and how we're all being spied on unknowingly and in unexpected ways (you might know that you're being spied on in some ways but I'm willing to bet there's also ways you don't know). It's pervasive, invasive, and quite difficult to escape for even technologically adept people. And we shouldn't have a society where people are victims of things just because they do not have domain expertise in that subject matter. No one is a domain expert in all domains and it would be ludicrous to suggest one could be in even several of the critical ones.
[0] or about:preferences#privacy
[1] https://developers.cloudflare.com/1.1.1.1/encryption/dns-ove...
I think the most a router should be doing is occasionally hitting an NTP endpoint, and that behaviour should be possible to disable/customize.
Somewhat relevant (from 2013, Google knows every WiFi password in the world): https://www.computerworld.com/article/1496628/android-google...
HN discussion at the time (503 points, 302 comments):
https://news.ycombinator.com/item?id=6379439
That discussion is fascinating just for how dramatically the tone on Google has shifted in the past 11 years. Top comment is a defense of Google, top reply to them is more concerned with US laws than with Google's voluntary behavior.
And this was after Steve Jobs started the war on Google and mentioned privacy as a concern during his era. It took the world 15 years and nearly 10 years after his death to understand this.
I remember asking people who supported Google before or after their IPO how they make money with your Data. No one cares. I remember pushing for Firefox instead of Chrome in 2009, no one cares. Not even on HN.
The sad thing is that those who stood up for privacy got bashed down for so many years and never received an apology. Those who defended Big Tech like Google is safe to use our data never apologised.
People do care, they are just sort of powerless to do anything.
Try the following exercises:
- try not to use google docs at work
- try to block google sites from your phone
- try to pay for things on the internet without accessing google/recaptcha/etc
it is both too big and too small of a problem for most people to deal with.
I know most technical people have done these sorts of things, but it is sort of like being your own sysadmin/security researcher. It's probably easier to run your own mail server in comparison.
I know. It is crazy to me as well. Google went from “Do No Evil” to “Do Profit From Evil” and everyone seems okay with the transition.
Just like they, and Microsoft, and many hardware manufacturers, also know every banking password/legal document/medical data in the world. Closed operating systems, applications, drivers, can all be used to exfiltrate data unbeknownst to users, including administrators. We're forced to give them some trust, otherwise the only choice would be to use only systems, software, hardware that is completely open down to the last bit, which sadly don't exist as a whole.
I don't disagree in principle but let's not conflate the trust required for proprietary software with the trust required for a service that is known to exfiltrate your data.
I may have read too much science fiction, but the mere fact that someone has full access to all my data worries me, if not because we don't know anything about which form of government we would have in, say, 10 years, and how easily a corrupt government could force those businesses to surrender that data in order to find their "enemies".
BTW, I don't live under a rock, I do online banking from the PC and have pretty much given up telling my lawyer and doctor not to use Whatsapp to send and receive sensitive documents, then keep them in their unencrypted phones, but that doesn't prevent me from being worried by how easy it has become to obtain personal data about someone for those who can.
This sort of ideological take is lacking necessary nuance and is ultimately thought-terminating. There’s a difference between trust and concrete proof that something is happening, and there are degrees of both. Information security is somehow a justified field despite the fact that only a very small handful of shops own the full stack. It’s all about understanding and mitigating risk.
Gosh, if only there was a device vendor who didn’t do that, and offered the option for encrypted cloud backups and e2e encryption for all your inter-device traffic, and designed their privacy-sensitive services to work on anonymized tokens instead of device identifiers or user accounts…
… but Apple sells ads too therefore every option is equally bad!
It’s funny to see people admit with the AI stuff that Apple is getting it right, introducing privacy-protecting approaches and services, etc, yet refuse to admit that the same perspective and approaches have informed all their services for a long time. In the day to day, there is no legitimate debate that Apple Maps is vastly more privacy preserving than Google Maps, etc. People use some weird purity test where because App Store ads exist suddenly Apple is the same as a literal adtech company.
If Apple still made a router I would buy it. But they don’t…
A new AirPort Extreme with an M Series I would be all over that though.
Yes.
It also doesn't help that said device vendor has been trying to destroy computing freedom while sabotaging open standards left and right.
It's funny that different people on the Internet express different and sometimes conflicting opinions?
I suspect this is internal sabotage from devs not agreeing with it - plaintext is easily observable and people can figure it out, causing PR damage; encrypted passwords are basically untraceable.
Bold of you to assume that the development wasn't farmed out to the cheapest subcontractor in a developing country that doesn't even know how to spell IoT.
That's kind of hate speech. Do you really think people can develop software for a wifi router and cannot spell?
You must live in an unbelievably beautiful world to consider that comment to be "hate speech".
I wonder what term you would use to refer to actual vile racist speech? And how you would differentiate between them when you use the term so freely?
I regularly review PRs from developers with English as a first language with various spelling mistakes in variable names, code comments, commit messages, etc.
Not Wi-Fi routers, but I don’t see why those developers wouldn’t be able to slowly churn through Jira tickets for a router software.
Meanwhile, in reality, the offshore development firm being paid per line of code from Linksys farmed the work out to juniors who haven’t graduated and couldn’t care less if something is encrypted or not.
Even if they have graduated, why would they care? I log an objection once at work. I've covered my butt.
After that point, the outcomes are not my problem. It is less work to do it this way.
Sure, log your objection between the choice of Tailwind and Bootstrap. In professions more serious than software, people generally use their spines and say "no" when they see problems to the degree of passwords sent in the clear.
The most you can expect from PR damage like this is that maybe an update goes out faster that fixes the problem (or at least hides it better). Nobody is afraid of bad PR. The most hated companies in the US are also massively wealthy and successful. If people refused to buy routers from companies that pulled shit like this, nobody could buy a router. You can enter pretty much any major brand of wireless router into Google next to words like "hardcoded" "backdoor" and "plaintext" and get results going back decades.
Next step is trawling procurement records for public purchasers of their products, and prompting their return.
No, it's probably devs not even caring about it (or not caring enough to push back on deadlines). It's surprising what people will do if they aren't forced to do the right thing (passwords checked in to version control, proprietary code pasted in Stack Overflow) and so on.
Asking this question since the first password manager
Password managers are very different. The details get encrypted using a passphrase, and only the encrypted data gets sent to the password manager. You don't have to trust the backend unless the frontend is changed to send non-encrypted data and/or your passphrase.
You have to trust the frontend though. And where did you get that from?
And even if you audited its code, would you re-audit it if that code changed?
Contrary to what crypto fanatics might have you believe, software ecosystems are always built on trust.
Audits are but a means to try champion that trust. And, indeed by no means a silver bullet at that.
Yes but, depending on how the ecosystem is built, the amount of trust needed can be smaller or greater. Reality isn't black or white, we also have shades and colors.
I use KeepassXC and synchronize the encrypted database across my devices using my own Nextcloud instance. But even if I used a mainstream cloud provider, that wouldn't matter since the db is encrypted and decrypted locally. Regarding trusting the frontend, in my case I just need to check that KeepassXC itself isn't sending data around. Which I admit I didn't do so far, but in my view the alternative of reusing passwords is much more likely to get you in trouble compared to the likelihood of KeepassXC sending your data to a third party without anyone noticing.
You might consider 1Password. They don’t have the key so they effectively only see all of the data in encrypted form, not even revealing the site, if I recall.
They have some fascinating papers about it, if I recall.
Yet they are the same org who develop and release the client software, which obviously has access to plain text values.
That's standard for all password managers IIRC. If they can get into your vault without your master secret then it is a bad password manager.
What has happened to some password managers though is that they don't store the metadata encrypted (like username, website name, etc.) so that leaks have revealed which sites you use but I don't think any decent password manager has leaked passwords without a client being hacked, right?
First cloud-based* password manager.
There’s no useful attack that can be waged against your devices with knowledge of your wifi password.
The idea that your LAN is a security boundary is out of date by decades.
You should be able to figure out how many users are connected, i.e. if you are at home.
Third party activity on your LAN is a legal liability.
Famous last words.
I'm sure there are plenty of device and software vendors that haven't gotten the news. And exploits exist - no reason to carelessly discard a defensive layer just because it isn't 100% perfect.
Android needs a "Backup My Data to My Own Cloud/Device" option. Unfortunately that's gotten much harder to do over the years (as they've neutered the relevant APIs).
https://github.com/seedvault-app/seedvault
It's included in GrapheneOS, so you can backup things like WiFi passwords to a local NextCloud server.
Seedvault has limitations, and last I heard GrapheneOS is trying to divorce itself of it.
Yeah. tbh we are lucky on the Apple side that iTunes existed and had a backup facility (Presumably because WAN speeds were so slow for many people in 2007). You can bet if the iOS platform were created today, local backup would have never been a thing there either. "Just trust the cloud!"
Not me. I'm not even okay with being expected to use a cell phone app to configure the router.
that's definitely the worst thing. There's nothing like being on my computer doing something, thinking "oh let me go update a setting or check some status on my router" then remembering "oh that's right, I bought Eero, let me go try to use the crappy iPhone app where I can't even multitask, instead of the full computer right in front of me."
This article goes on about the Man In The Middle vulnerability, but doesn't bother to explain why there is a Middle to begin with, or why Amazon gets to put a Man at the End!
This exactly. Eeros, Nest/Google Wifi, and other cloud based mesh devices all likely have access to the password as they send it down to the app.
I work on SPR @ https://www.supernetworks.org/, we keep data self hosted, instead of a database in someone else's cloud.
Take a poll and see how many iPhone users are here. Now realize the remainder are on some OEM Android! 50/50 I am the only one to reply to you running GrapheneOS. People WANT it to be this way, because any other way is too much work. It's how oligarchy arises!
I am not being hyperbolic, y'alls bitlocker codes are going to Microsoft soon if not already with 24H2.
Being into technology on a tech hacking [orange] subreddit does not put one into the same group as the tradecraft-savvy.
an hypothetically interesting wifi situation
SSID = [google] agrees to the following ToS.
psword = use of this password confers in perpetuity, unlimited use of any and all google products and services with no cost or liability, as the owner of the password sees fit
This is a big reason I despise the fact that so many ISPs just bundle routers into their modems.
At least with Comcast it seems like they have the ability to modify and (I assume) see this stuff in plain text. Who thought that was acceptable from a security standpoint I will never understand.
Of course. As long as they are not _Chinese_ servers. You see, US is our friend. /s
No, and all it does is prove, once again, that big tech companies cannot be trusted to sustain even common sense privacy concerns.
We need a privacy bill of rights. It’s time! The GDPR shows the way, and we can even improve on it with hindsight.
We’ll never get ahead of the data harvesting and exploitation of that data without it and all of this becomes quite an acute problem when we add low cost cognitive digital intelligences to the equation.