Backdoor+Insider = Disaster For Some Users of TP-Link Routers

From the “What were they thinking?!” department…
“The expert says that when a browser sends an HTTP GET request to http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html, the contacted router will establish a connection back to the visitor’s IP and contact any TFTP server there.”

See Treacherous backdoor found in TP-Link routers.
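As an added example (not from the original post or the cited article), the behaviour described above has a simple defensive signature: an HTTP GET for the debug URL on the router, followed shortly by an outbound UDP/69 (TFTP) connection from the router back to the same client. The script below correlates the two over constructed sample log lines; the log formats, the router address 192.168.0.1 and the 30‑second window are assumptions.

```python
import re
from datetime import datetime, timedelta

# Constructed sample data: router HTTP access log and LAN flow records.
HTTP_LOG = """\
2013-03-12T10:01:02 192.168.0.37 GET /index.html 200
2013-03-12T10:01:09 192.168.0.37 GET /userRpmNatDebugRpm26525557/start_art.html 200
2013-03-12T10:05:40 192.168.0.52 GET /userRpmNatDebugRpm26525557/start_art.html 200
"""
FLOW_LOG = """\
2013-03-12T10:01:10 udp 192.168.0.1:40012 -> 192.168.0.37:69
2013-03-12T10:02:00 udp 192.168.0.1:40013 -> 192.168.0.9:53
2013-03-12T10:09:00 udp 192.168.0.1:40014 -> 192.168.0.52:69
"""

# Match the debug path quoted in the article; the numeric suffix may vary.
DEBUG_PATH = re.compile(r"/userRpmNatDebugRpm\d+/start_art\.html")
ROUTER_IP = "192.168.0.1"   # assumed LAN address of the router
TFTP_PORT = 69
WINDOW = timedelta(seconds=30)  # assumed correlation window

def parse_http(text):
    """Return (timestamp, client_ip) for every GET of the debug URL."""
    hits = []
    for line in text.splitlines():
        ts, client, method, path, _status = line.split()
        if method == "GET" and DEBUG_PATH.search(path):
            hits.append((datetime.fromisoformat(ts), client))
    return hits

def parse_flows(text):
    """Return (timestamp, dst_ip) for UDP flows from the router to port 69."""
    flows = []
    for line in text.splitlines():
        ts, proto, src, _arrow, dst = line.split()
        dst_ip, dst_port = dst.rsplit(":", 1)
        if proto == "udp" and src.rsplit(":", 1)[0] == ROUTER_IP \
                and int(dst_port) == TFTP_PORT:
            flows.append((datetime.fromisoformat(ts), dst_ip))
    return flows

def correlate(http_text, flow_text, window=WINDOW):
    """Alert on clients whose debug-URL request was followed, within
    `window`, by the router opening a TFTP connection back to them."""
    alerts = []
    tftp_flows = parse_flows(flow_text)
    for req_ts, client in parse_http(http_text):
        for flow_ts, dst in tftp_flows:
            if dst == client and timedelta(0) <= flow_ts - req_ts <= window:
                alerts.append((client, req_ts.isoformat(), flow_ts.isoformat()))
                break
    return alerts

if __name__ == "__main__":
    for client, req, flow in correlate(HTTP_LOG, FLOW_LOG):
        print(f"ALERT: {client} hit debug URL at {req}; router TFTP-out at {flow}")
```

The second client in the sample also requested the debug URL but the router’s TFTP connection came minutes later, so it falls outside the window and is not raised; widen the window or alert on the debug URL alone if a noisier but more sensitive rule is preferred.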

So, any organization using BYOD with such a router gives away the store. Wirelessly, too… I wonder if this is a stupid decision by TP-Link or some scammer got to someone in the organization. Heads should roll on this one. It’s potentially a financial/legal/brand killer of TP-Link and they did not even bother to respond to a private disclosure. Some people are smart to use GNU/Linux for obvious reasons but there’s no assurance they will be smart in how they use it. A backdoor to import random executables is not smart. Security by obscurity is no security at all. A router with no security should not be on the market.

About Robert Pogson

I am a retired teacher in Canada. I taught in the subject areas where I have worked for almost forty years: maths, physics, chemistry and computers. I love hunting, fishing, picking berries and mushrooms, too.

8 Responses to Backdoor+Insider = Disaster For Some Users of TP-Link Routers

  1. Der Balrog wrote, “This statement above shows that you are quite willing to blame users.

    Hypocrite.”

    Setting up routers on the web without RTFM is not smart. Every router whose manual I have read states, “change the password” usually in the “getting started” part and many tell users to disable access from the Internet. Driving a car without getting a licence or taking lessons is not smart. Same with any dangerous tool. On the Internet a computer is dangerous when loaded with malware.

    Fortunately that kind of stupidity is rare. On the whole planet the guy found only a few 100K such machines. There is hope for mankind. I don’t blame the users. Clearly most users of the many millions of routers out there do the right things.

    Manufacturers are between a rock and a hard place. If they tighten them up at the factory, they won’t work when plugged in and consumers would complain. They could come up with better passwords than “root” obviously, and they could disable access from the Internet by default. No doubt some consumers would interchange the red and green connections… Perhaps they could have routers that sensed the Internet connector with some probes and generate a random password placed on a sticker on the case…

    It’s just impossible to make a router foolproof but a decent manual can be written and read.

  2. oiaohm says:

    Der Balrog, please note that not migrating in time does not mean not taking security into account.

    Der Balrog, also read back: I also stated that for the long term people should go FOSS or have source code, as it is the only one you really have any control over.

    So I did blame the users a bit. Sorry, not a hypocrite. The ability to work out of problems once you are in them is one thing.

    My point of view on security has not changed.

    You are blaming the users alone for not migrating off in time.

    Note I said users have to accept some blame. I did not say users have to accept all blame.

    I denied you the right to shift all the blame to the users.

    Microsoft is partly to blame and the users are partly to blame with the migration issues.

    On security issues end users and vendors are to blame to a point.

    Der Balrog, get used to it: I am a shades-of-grey person, not a black-and-white one.

  3. Der Balrog says:

    “Der Balrog users do have to accept some of the blame for not demanding quality.”

    You denied me the right to blame users for not migrating in time from Windows XP to something else. You accused Microsoft instead. But here it’s suddenly so simple?

    You’re just the same hypocrite as Pogson.

  4. oiaohm says:

    ram, yep, best practice: only use audited code bases.

    Der Balrog, most Linux people believe users need to start being more picky on the hardware they accept due to the risks.

    Windows is very hard to have a proper audit report to read on it.

    Der Balrog users do have to accept some of the blame for not demanding quality.

  5. ram says:

    All routers, out of the box, are insecure and trivial to crack. TP-Link stuff sells to professionals because they remove the TP-Link installed software and install OpenWRT instead.

    OpenWRT is a version of Linux that gives FULL access to the router hardware. It can be made very secure.

    It also has a multitude of other uses.

  6. Der Balrog says:

    “Some people are smart to use GNU/Linux for obvious reasons but there’s no assurance they will be smart in how they use it.”

    Then why do you blame Microsoft when users “lock themselves in”? This statement above shows that you are quite willing to blame users.

    Hypocrite.

  7. oiaohm says:

    Ivan, the history of devices and security issues is long. I guess you missed the recent HP printer hack network.

    Reality is Linux outnumbers Windows in a lot of businesses. Problem is it is hiding in devices with very bad update and validation cycles.

    Ivan: “You’re using a version of linux with a privilege escalation vulnerability, would you classify your use of linux as smart?”
    Most OS’s have a privilege escalation vulnerability somewhere. Remote privilege escalation, that is another thing.

    Lots of people go around using Android devices with huge privilege escalation vulnerabilities. Video card drivers in some of them have reintroduced the /dev/mem device under a different device name, not secured. Great fun: can write anywhere in memory you like.

    There are other equally evil faults on MS Windows devices. Don’t trust hardware makers to always do the right thing by security.

    Ivan, in reality we are all idiots because we should not be using devices unless they are audited.

    The computer you are sitting at: are you sure the embedded controller on the motherboard of it cannot be turned into a key logger? Or the firmware on the south bridge be altered to transmit collected data to remote locations? Yes, infected southbridges will not be found by any anti-virus scan. This is infection of hardware, or what are commonly nicknamed forever viruses. Unless you replace the motherboard or know how to inspect the motherboard firmwares you are never getting rid of these infections.

    Let’s just say the router issue is the tip of very risky embedded hardware.

    Some of the most risky turn out to be some models of pacemakers. Yes, they control people’s hearts. Some of them transmit wirelessly unencrypted; even worse, some accept changes in settings without a password or encryption or anything else. So some people could go around playing kill a human due to our poor quality requirements on embedded devices.

  8. Ivan says:

    Define smart use of Linux. You’re using a version of linux with a privilege escalation vulnerability, would you classify your use of linux as smart?
