Linksys Velop routers send Wi-Fi passwords in plaintext to US servers

Domestic vs foreign trust & motives

  • Many see irony that policymakers fear Chinese “backdoors” (e.g., Huawei) while US‑market gear ships with obvious flaws.
  • Some argue this should be treated as intentional or at least willful malpractice, not “oops” disorganization, especially given months of silence from the vendor.
  • Others stress this isn’t about “foreign vs domestic” at all; vulnerabilities are never friendly and Linksys is now owned by a Taiwanese company (Foxconn) anyway.

Cloud‑managed routers & data exfiltration

  • Several report consumer routers sending large volumes of outbound DNS/telemetry to vendor servers, sometimes in China.
  • People dislike the trend of app‑only, cloud‑linked, “smart” routers versus simple local web UIs.
  • Many are not only upset about the lack of encryption but about any transmission of Wi‑Fi passwords or configuration data to vendor servers.

ISP practices and password handling

  • Example given: Verizon FiOS routers send Wi‑Fi passwords via TR‑069 so support can help customers who forget them.
  • Some defend this as a pragmatic support tradeoff; others say ISPs have no right to make that tradeoff for users.
  • Workarounds like factory reset, WPS, or separate insecure VLANs for IoT are debated as better patterns.

Security culture: negligence vs malice

  • One camp attributes this to systemic incompetence, weak internal checks, and outsourced development.
  • Another insists the existence of backend infrastructure to receive passwords indicates intentional collection, not mere oversight.
  • Not responding for months is widely seen as crossing the line into malicious disregard.

User workarounds and alternatives

  • Many run their own routers/firewalls (OpenWrt, OPNsense, NixOS, custom Linux) or isolate ISP/consumer gear on untrusted subnets.
  • OpenWrt is repeatedly recommended; some note many OEMs already use heavily modified, outdated OpenWrt internally.
  • There is nostalgic praise for Apple’s AirPort line and calls for Apple or others to offer “secure but simple” consumer gear.

Technical details & open questions

  • It’s unclear from the thread whether the password is sent in true plaintext or plaintext inside HTTPS; some argue the real issue is any cloud transmission at all.
  • Several call for deeper reverse‑engineering proof and note similar patterns likely exist across other mesh/router brands.