Daily Archives: July 16, 2024

Linksys Velop Routers Caught Sending WiFi Creds In The Clear – alerted in November 2023 still not fixed

Posted on by

A troubling report from the Belgian consumer protection group Testaankoop: several models of Velop Pro routers from Linksys were found to be sending WiFi configuration data out to a remote server during the setup process. That would be bad enough, but not only are these routers reporting private information to the mothership, they are doing it in clear text for anyone to listen in on.

Testaankoop says that while testing out the Pro WiFi 6E and Pro 7 versions of Velop routers, they discovered that unencrypted packets were being sent to a server hosted by Amazon Web Services (AWS). In these packets, they discovered not only the SSID of the user’s wireless network, but the encryption key necessary to join it. There were also various tokens included that could be used to identify network and user.

While the report doesn’t go into too much detail, it seems this information is being sent as part of the configuration process when using the official Linksys mobile application. If you want to avoid having your information bounced around the Internet, you can still use the router’s built-in web configuration menus from a browser on the local network — just like in the good old days.

The real kicker here is the response from Linksys, or more accurately, the lack thereof. Testaankoop says they notified them of their discovery back in November of 2023, and got no response. There’s even been firmware updates for the affected routers since then, but the issue is still unresolved.

Testaankoop ends the review by strongly recommending users avoid these particular models of Linksys Velop routers, which given the facts, sounds like solid advice to us. They also express their disappointment in how the brand, a fixture in the consumer router space for decades, has handled the situation. If you ask us, things started going downhill once they stopped running Linux on their hardware.

Source: Linksys Velop Routers Caught Sending WiFi Creds In The Clear | Hackaday

Dutch DPA gets off its’ ass, Fine of 600,000 euros for tracking cookies on Kruidvat.nl – detected in 2020

Posted on by

The Dutch Data Protection Authority (AP) has imposed a fine of 600,000 euros on the company behind the Kruidvat drugstore. Kruidvat.nl followed consumers with tracking cookies, without their knowledge or permission. AS Watson collected and used sensitive personal data from millions of website visitors against the rules.

The company behind Kruidvat collected data from website visitors and was able to create personal profiles. In addition to visitors’ location data, this included which pages they visited, which products they added to the shopping cart and purchased and which recommendations they clicked on.

That is very sensitive information, AP points out, due to the specific nature of drugstore products. Such as pregnancy tests, contraceptives or medication for all kinds of ailments. That sensitive information, linked to the location (which may be traceable via the IP address) of the unique visitor, can sketch a very specific and invasive profile of the people who visit Kruidvat.nl.

Kruidvat.nl should have asked permission to place tracking cookies on visitors’ computers. The GDPR privacy law sets a number of requirements for valid consent. These requirements are that consent must be given freely, for specific processing of personal data, on the basis of sufficient information and that there must be no doubt that consent has been given.

In the cookie banner on Kruidvat.nl, the boxes to agree to the installation of tracking software were checked by default. That’s not allowed. Visitors who still wanted to refuse the cookies had to go through many steps to achieve this. The AP has found that personal data of website visitors to Kruidvat.nl have been processed unlawfully.

At the end of 2019, the AP started an investigation into various websites, including Kruidvat.nl. The AP tested whether these websites met the requirements for placing (tracking) cookies. The AP checked whether permission for tracking cookies was asked from website visitors and, if so, how exactly this happened.

Kruidvat.nl was found not to comply in April 2020, after which the AP sent the company a letter. In 2020, the AP found that Kruidvat.nl was still not in order. The AP then started investigating this website further. This violation ended in October 2020.

There is increasing social irritation about cookies and cookie notifications, ranging from annoying and misleading banners to concerns about the secret tracking of internet users. In 2024, the AP will check more often whether websites correctly request permission for tracking cookies or other tracking software.

Source: Boete van 600.000 euro voor tracking cookies op Kruidvat.nl – Emerce