
Backdoor Found In TP-Link Routers

Soulskill posted about a year and a half ago | from the control-of-your-router-hosted-in-the-cloud dept.


New submitter NuclearCat writes "Polish security researchers have found a backdoor in TP-Link routers, allowing an attacker to not only gain root access to the local network, but also to knock down the router via a CSRF attack remotely. (Further information; Google translation of the Russian original.) According to the researchers, TP-Link hasn't yet responded to give an answer about the issue. The good news: Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well."


Et tu, China? (3, Insightful)

Anonymous Coward | about a year and a half ago | (#43181487)

With every government in the world wanting their own backdoors to everything these days, designing firmware for modern routers must be akin to being a carpenter tasked with building a house to satisfy 300 different feuding owners.

Re:Et tu, China? (1)

DigiShaman (671371) | about a year and a half ago | (#43181729)

Actually, there are a lot of TP-Link routers in China. Which means that there could be a lot internal Chinese to Chinese hacking and DOS attacks going on. I think the local ISPs use ZTE branded devices, but again, TP-Link are the cheapies found all over the place and thus easy to get.

Re:Et tu, China? (5, Insightful)

stevegee58 (1179505) | about a year and a half ago | (#43181827)

The last time I posted a comment about Chinese products containing malware I was voted down as flamebait and accused of being a racist.

Re:Et tu, China? (0, Flamebait)

the_B0fh (208483) | about a year and a half ago | (#43182141)

That is because you are a fucking idiot.

The issue isn't whether some Chinese or some American branded piece of equipment, and thus whether Chinese are hackers or Americans are hackers.

You do realize even Microsoft had shipped CDs with a virus on them before. This is either a lack of QC/procedures, allowing something to get in to the image, or a malicious act.

Country of origin is irrelevant. If you still feel it is, remember, StuxNet came from the US government.

Re:Et tu, China? (2, Funny)

stevegee58 (1179505) | about a year and a half ago | (#43182435)

Good gracious! This place is getting as bad as 4chan.

Re:Et tu, China? (0)

Anonymous Coward | about a year and a half ago | (#43183659)

StuxNet came from Israel. One of their generals even admitted this to the press.

Country of origin is quite relevant - all Chinese telecom and networking gear can be safely assumed to be backdoored.

Re:Et tu, China? (1)

Jawnn (445279) | about a year and a half ago | (#43183769)

Country of origin is irrelevant. If you still feel it is, remember, StuxNet came from the US government.

Yes, it did, which rather proves that state-sponsored cyber attacks are very, very real. Given that, the notion that routers manufactured in the PRC might come with back doors as standard equipment (we're looking at you, Huawei) is hardly a stretch.

Re:Et tu, China? (4, Funny)

L4t3r4lu5 (1216702) | about a year and a half ago | (#43182255)

That's nothing! I've tried, on numerNEVER BEFORE to post about bugs in produce coming from China, and every tiCHINESE GOODS ARE MADE TO HIGHEST QUALITYerent in some way. I tried to warn my boss away from buying that "too cheap" Cisco gear from eBay (the lettering was weird, too), but he wouHONOURABLE MANAGER MAKES SENSIBLE PURCHASING DECISION.

Re:Et tu, China? (1)

carlhaagen (1021273) | about a year and a half ago | (#43183445)

Been there, too.

Re:Et tu, China? (0)

Anonymous Coward | about a year and a half ago | (#43182791)

But if all 300 owners are asking for the same door at the back of their home, what's the issue?

I have to wonder why they bother... (5, Interesting)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#43181509)

Given the relatively dismal reputation of vendor firmware on most routers, and the distinctly limited opportunities for software-differentiation in the 'well, it sits there and makes the internet wireless, right?' networking market, I honestly have to wonder why most vendor firmware isn't just thinly-skinned Open or DD WRT out of the box...

Re:I have to wonder why they bother... (-1)

Anonymous Coward | about a year and a half ago | (#43181567)

Yes, yes, yes. This! Eh. Pardon my enthusiasm :)

Re:I have to wonder why they bother... (2, Informative)

Anonymous Coward | about a year and a half ago | (#43181585)

For a lot of routers the chipset manufacturers aren't as friendly towards open source as they could be (eg broadcom), which is largely the reason why many popular routers are unsupported or work-in-progress for openwrt/dd-wrt etc.

Re:I have to wonder why they bother... (0)

tlambert (566799) | about a year and a half ago | (#43181685)

For a lot of routers the chipset manufacturers aren't as friendly towards open source as they could be (eg broadcom), which is largely the reason why many popular routers are unsupported or work-in-progress for openwrt/dd-wrt etc.

Open Source is not too friendly to Broadcom chipsets keeping their software interfaces secret to prevent clone vendors from leveraging the effort Broadcom put into writing the drivers for its chips by just making chips that could work with the Broadcom drivers.

Either you leave the Broadcom drivers out of Windows itself (disadvantaging Broadcom in the market place), or you include them, and if they use a documented interface, you disadvantage Broadcom in the marketplace, since they had to pay for the drivers to be developed, and then amortized those costs over their per unit prices, whereas the clone vendors don't have that cost.

Re:I have to wonder why they bother... (1)

h4rr4r (612664) | about a year and a half ago | (#43181727)

Bullshit.

Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers.

Broadcom is trying to avoid the fact that they make a commodity product. If they would acknowledge that they do, they could benefit from drivers that were compatible with multiple vendors chipsets.

Re:I have to wonder why they bother... (2)

LWATCDR (28044) | about a year and a half ago | (#43181853)

"Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers."

Doesn't happen with complex devices; AMD proved that. AMD has released the documentation for their GPUs and the OpenSource drivers lag the closed source, and AMD has to pay programmers to work on the OpenSource drivers same as Intel does for their GPUs. And the next statement will be that of course the closed source drivers are ahead of the FOSS drivers because they have had a head start, and then you will get to what most people in the FOSS community want. They want companies to open the driver source code and then maintain it.

The Broadcom chips may be simple enough that they will get support but the "open the specs and someone will write the drivers for free" just doesn't work once you get into complex devices.

Re:I have to wonder why they bother... (1)

h4rr4r (612664) | about a year and a half ago | (#43182421)

Wireless chips are not that complex.

AMD can't even make their own decent driver, not even the closed one, maybe the hardware just sucks.

Re:I have to wonder why they bother... (0)

Anonymous Coward | about a year and a half ago | (#43184527)

Maybe the hardware "just sucks"?

Maybe you're a fanboi troll with no electronics background.

CS students no longer take economics classes? (4, Informative)

tlambert (566799) | about a year and a half ago | (#43183143)

Bullshit.

Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers.

Broadcom is trying to avoid the fact that they make a commodity product. If they would acknowledge that they do, they could benefit from drivers that were compatible with multiple vendors chipsets.

CS students no longer take economics classes?

Their product is NOT commodity; their functionality IS commodity. This is an INTENTIONAL line in the sand they are drawing to keep the products legal in the US, since you are not permitted to license an SDR in the US except as the aggregate of both the hardware for the SDR and the firmware which gets loaded into the hardware, and the driver which drives the hardware. This is an FCC regulation intended to keep people from easily eavesdropping or interfering with Military, Police, Fire, and other emergency services bands. It also makes it more difficult to turn a cheap SDR into a scanner by running it in receive-promiscuous mode, which would let you hear cell phone and other end-pointed transmissions, as well as allowing you to fake the IMEI for the device in order to clone other people's phones.

They DO NOT WANT an open source driver that documents their hardware interfaces so someone can clone their chip registers, since documenting the operation and order of operations on their chip registers represents disclosure of Trade Secret information not protectable by patents.

They would prefer that this never happen, since it means that if they have a large chunk of the market, they can keep other people from entering the market by making them work to get parity with their closed source drivers shipping in a third party OS, like Windows. Buy Windows? Broadcom just works, buy someone else's chips? Good luck, since you will have to fight to get your drivers signed, and fight Microsoft with getting them to ship your drivers with their OS so that your competing chipset also "just works".

It's an intentional non-monopoly anticompetitive practice (and therefore this side of the legal line) which raises costs for your competitors to the same levels as your costs, since you already have sunk costs that you need to recover. Making it so some clone factory can take advantage of all your sunk costs, and no matter what you do, they will undercut your pricing in the market.

This is EXACTLY the same reason the old Adaptec SCSI controllers went to the HIM architecture, and EXACTLY why the Diamond Viper video cards required a matched driver for the PAL coding matching the BIOS with the card, which made them a bitch to use without thunking down to INT 10. Both companies were preventing their cards being cheaply cloned and being used with the drivers they wrote. John Hamm, who made the decision on the HIM layer at Adaptec was later the CEO of one of the startups I worked at.

Note that the video driver stuff is not the same; the 3D engine uses patented processes in software, so they can't Open Source those without granting the license to use their patents, royalty free, so long as the code is licensed under similar terms.

Hardware accelerated decode for H.264 and MPEG would require licensing the Sorenson patents on a per chip basis. By pushing the cost of licensing off to the OS vendor as part of the licensing of the OS, they make it someone else's problem, which brings down the unit cost on the GPUs, so long as they are not used for that purpose, and you end up with bulk licensing applying across multiple GPUs when it comes from the OS vendor, which spreads the pain around to your competitors. So even though the decode could be fully done in hardware, there's always a software loopback part that requires the license, since the hardware won't do it on its own without the loopback.

Re:I have to wonder why they bother... (1)

Hatta (162192) | about a year and a half ago | (#43181757)

Open Source is not to friendly to Broadcom chipsets keeping their software interfaces secret to prevent clone vendors from leveraging the effort Broadcom put into writing the drivers for its chips by just making chips that could work with the Broadcom drivers.

Any vendor, Broadcom or competitor, that wants free drivers can just publish specs and the community will build the drivers. There's no competitive disadvantage if everyone gets free drivers.

Re:I have to wonder why they bother... (1)

LordLimecat (1103839) | about a year and a half ago | (#43182587)

Apparently there is, or nVidia, Broadcom, and a whole host of others would be doing just that.

Re:I have to wonder why they bother... (1)

Hatta (162192) | about a year and a half ago | (#43182653)

Only if you assume businesses make rational decisions. In reality, they are as driven by fear as the people that comprise them.

Re:I have to wonder why they bother... (2)

LWATCDR (28044) | about a year and a half ago | (#43181927)

Not as big of an issue as you would think for the manufacturers. The drivers would just be loadable and not statically linked to the kernel. The reason for not using OpenWRT is that the UI is terrible; Luci is not great, but the standard out of box UI is just a command line. Oh yes, I use a TP-Link TR-3220 as a media extender. It is really cool that they have it and I will probably get a few more TP-Link routers for other projects, but OpenWRT is not friendly at all.
DD and Tomato do not work on as many devices so I have not had a chance to play with them.

Re:I have to wonder why they bother... (1)

FireFury03 (653718) | about a year and a half ago | (#43184467)

Not as big of an issue as you would think for the manufacturers. The drivers would just be loadable and not statically linked to the kernel. The reason for not using OpenWRT is that the UI is terrible; Luci is not great, but the standard out of box UI is just a command line. Oh yes, I use a TP-Link TR-3220 as a media extender. It is really cool that they have it and I will probably get a few more TP-Link routers for other projects, but OpenWRT is not friendly at all.
DD and Tomato do not work on as many devices so I have not had a chance to play with them.

I have a TD8816 ADSL 2+ router running in modem mode (plain PPPoE stream that's terminated on a separate machine). I was initially impressed at the fairly extensive featureset, given that it was dirt cheap. Unfortunately, that's where my impressedness ended: when running in ADSL2+ mode it syncs to a nice high speed during the day... then at night the SNR on the line drops. Unfortunately, the modem doesn't ever bother to resync as the SNR gets worse - eventually *all* the packets are arriving as CRC errors and it still keeps trying to run at the speed it originally synced at. Rebooting it causes it to sync at a lower speed due to the lower SNR.

Obviously I thought this was a bug, so I contacted TP-Link... they got back to me and said it was the "expected behaviour"... It seems that their firmware doesn't resync unless the router's PPP daemon has to restart the connection, and of course with a PPPoE configuration, the router's PPP daemon isn't ever running so it never has to restart the connection so the router never resyncs...

It's running ok in ADSL1 mode for now... at some point I'll get around to binning it and installing an FTTC connection.

Re:I have to wonder why they bother... (1)

jimicus (737525) | about a year and a half ago | (#43182505)

The great majority of these routers are running Linux.

It seems to be a dirty little secret of the router world: they're all running Linux (GPLv2), many have ADSL chips and support PPPoE and PPPoA.

Yet the mainline kernel has practically zero support for ADSL chips - none of the drivers have been open-sourced. The documentation for the chips themselves is released to the router manufacturers under NDA, and quite often the manufacturers also get a reference driver (a Linux kernel module).

This means the router manufacturer cannot comply with both the NDA and the GPL. Usually they comply with the NDA and either ignore the GPL or release source that's missing ADSL drivers. So we have the mildly absurd case that OpenWRT and DD-WRT have abysmal ADSL support.

Re:I have to wonder why they bother... (5, Informative)

neokushan (932374) | about a year and a half ago | (#43181731)

As far as I know, that's more or less what Asus does. I have an RT-N66U and it's an absolute dream box. It's based on one of the open source firmwares (I can't remember which one though, DD-WRT, OpenWRT or Tomato), Asus releases the source code to the firmware and you don't have to do anything fancy to install a custom variant of it, just upgrade your firmware manually like you would on any other router except pick the custom firmware file.

Re:I have to wonder why they bother... (1)

DigiShaman (671371) | about a year and a half ago | (#43181829)

For most Chinese, that's an expensive router! $160 bucks vs a TP-Link cheapie going for 20$ these days? If there's one thing I've learned about people in general: There's what you ought to do vs. what's the cheapest damn thing I can buy to get me up and running.

Re:I have to wonder why they bother... (1)

neokushan (932374) | about a year and a half ago | (#43181871)

That's great, but the OP was asking about why most vendors don't do this. He wasn't talking about people in China.

Re:I have to wonder why they bother... (1)

macieklen (1104105) | about a year and a half ago | (#43181861)

I don't know about Asus, but my Buffalo WZR-HP-G300NH does exactly that. Buffalo makes their proprietary firmware, and also pays for having a custom DD-WRT build made. I ended up installing OpenWRT on it, though, due to some stability issues.

Re:I have to wonder why they bother... (0)

Anonymous Coward | about a year and a half ago | (#43181891)

Asus uses a customized version of OpenWRT.

I have an rtn53, it has a a few known issues that Asus refuse to fix. Alternative firmware is hard to find and the few that do exist break neat features like dual band.

Re:I have to wonder why they bother... (1)

neokushan (932374) | about a year and a half ago | (#43181951)

From some googling, this seems to be an issue specific to the RT-N53, lots of people having issues even on the stock firmware. Some have had success, though - http://www.thedartboard.net/forum/showthread.php?t=957 [thedartboard.net]
I'm not really sure where the blame lies for this, though. Is it Asus? Their own firmware seems fine. Is it the 3rd party firmwares? They're the ones with the issue but then again is it due to what they have to work with?

I can't speak for the 53, but my own 66 has had no issues at all and there's more than a few firmwares out there. I'm guessing it's just a more popular router in general.

Re:I have to wonder why they bother... (0)

Anonymous Coward | about a year and a half ago | (#43183631)

RT-N66U is indeed a dream box.
Comes with 256MB of RAM and even includes a microSD card slot on its motherboard.

As for alternative firmwares - asuswrt-merlin and Tomato Shibi are available

Re:I have to wonder why they bother... (1)

DigiShaman (671371) | about a year and a half ago | (#43181775)

Because said vendors are the one that have to provide post sales support. I suppose they could fork Open or DDWRT (if even possible, I haven't checked) and go their own way. It's basically the same argument for why you don't see Linux desktops on the show room floor at your local B&M store.

Re:I have to wonder why they bother... (1)

LWATCDR (28044) | about a year and a half ago | (#43181879)

ummm... You do realize that a lot of the routers already run Linux just with a different skin.

Re:I have to wonder why they bother... (3, Interesting)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#43181987)

Because said vendors are the one that have to provide post sales support. I suppose they could fork Open or DDWRT (if even possible, I haven't checked) and go their own way. It's basically the same argument for why you don't see Linux desktops on the show room floor at your local B&M store.

That's actually the weird thing: If you wanted to extend the router analogy to PCs, you would see Linux desktops on the show floor at the local store; but they would all be running deeply dysfunctional bespoke distros, mostly out of date and broken in various ways, some built from scratch, some based off an elderly version of Redhat, along with the low end machines all running FreeDOS with a bundled program designed to resemble a KDE desktop. You would be justified in asking 'Why the hell didn't they just install debian?'

I'm not imagining that retail routers would be running open-wrt-SVN-Bleeding-edge-UNSTABLE, or ship without some drool-proof web interface that the support guys have a manual for. I just don't understand why(in the presence of free, solid, easily available 3rd party firmware) vendors keep spending on developing in-house or licenced firmware that has all kinds of nasty personality issues, time after time.

Re:I have to wonder why they bother... (1)

Zalbik (308903) | about a year and a half ago | (#43182677)

I just don't understand why(in the presence of free, solid, easily available 3rd party firmware) vendors keep spending on developing in-house or licenced firmware that has all kinds of nasty personality issues, time after time.

My guess? Cause most managers don't have a real firm grasp on software development, and the smart software developers convince their managers to keep development in-house (job security).

Re:I have to wonder why they bother... (1)

bill_mcgonigle (4333) | about a year and a half ago | (#43183707)

I honestly have to wonder why most vendor firmware isn't just thinly-skinned Open or DD WRT out of the box

They think:
1) we can save a nickel on RAM if we don't use linux
2) we sell tens of millions of devices
3) that's millions of dollars of savings

and if they contract out the firmware to the lowest bidder and don't actually provide any support, maybe they're right. What I find surprising is that the linux-based routers didn't take over years ago at a $10 premium for their good reputation. Then again, I've never seen any marketing for any of these devices other than Cisco's rebranded Linksys stuff.

Cutest name (2, Funny)

Anonymous Coward | about a year and a half ago | (#43181511)

TP-Link is the cutest name. Toilet Paper Link... It wipes the competition, literally.

Re:Cutest name (4, Funny)

hack slash (1064002) | about a year and a half ago | (#43181655)

And "bunghole" could be a euphemism for "internet", which would explain why Beavis said "I need teepee for my bunghole", he just wanted to go online...

Re:Cutest name (1)

poofmeisterp (650750) | about a year and a half ago | (#43184093)

TP-Link is the cutest name. Toilet Paper Link... It wipes the competition, literally.

Link.. TP.. Legend of Zelda Toilet Paper... I like where this is going.

A company of the PRC does it again (0)

Anonymous Coward | about a year and a half ago | (#43181515)

Color me surprised!

What about OpenWRT? :) (0)

pntkl (2187764) | about a year and a half ago | (#43181517)

Re:What about OpenWRT? :) (2, Informative)

Anonymous Coward | about a year and a half ago | (#43181571)

From the summary:

The good news: Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well."

(emphasis mine)

Re:What about OpenWRT? :) (1)

pntkl (2187764) | about a year and a half ago | (#43181725)

At least one person wasn't simply glancing at the article... Thank you.

Re:What about OpenWRT? :) (1)

Down_in_the_Park (721993) | about a year and a half ago | (#43182347)

Yeah great, first thing to do when you get a new router. But you do realize that you are on slashdot and neither my father nor my kids or any of my friends know slashdot or would dare to flash a new router... In other words 99% of the population do know everything about facebook and angry birds, but nothing about router systems, security, backdoors or anything closely related that isn't an icon they can click or touch...

Hardware check yet? (0)

Anonymous Coward | about a year and a half ago | (#43181527)

Found the software leak? For programming the chips there should be a hardware door; anyone checked for those unknown entry routes there yet?

Only worked from LAN side (2)

indy_bob_twobears (771882) | about a year and a half ago | (#43181589)

So, this is not important to me, I am not worried about intrusion from my users. Unless someone writes a Linux virus to set up a tftp server and send the request URL.

Re:Only worked from LAN side (2)

wvmarle (1070040) | about a year and a half ago | (#43181975)

Can you trust your visitors?

Including uninvited, secretive visitors?

I'm sure a determined attacker will just social-engineer their way in, and after the visit there is a second backdoor but now one that's accessible from the outside as well.

Re:Only worked from LAN side (1)

mjr167 (2477430) | about a year and a half ago | (#43183153)

If they have physical access you have bigger problems...

Re:Only worked from LAN side (1)

wvmarle (1070040) | about a year and a half ago | (#43184315)

OK, those uninvited notwithstanding, it is normal for companies to have visitors.

People coming for business discussions, people coming to do building maintenance (various contractors), etc. Getting through the door is pretty easy. Getting on their LAN (wireless) is pretty easy (may not even have to get through the door for that). Getting on their LAN (wired) is a little harder - but a little social engineering and say pretending to be a network maintenance guy will usually get you really far, especially in larger companies where not everybody knows everybody.

Re:Only worked from LAN side (1)

mjr167 (2477430) | about a year and a half ago | (#43184567)

That is why you need good escort policies... Don't let your visitors run around unattended.

"gain root access to the local network" (0)

Anonymous Coward | about a year and a half ago | (#43181617)

WTF is that? Editors, you all windows using lusers or something? Please.

Re:"gain root access to the local network" (0)

Anonymous Coward | about a year and a half ago | (#43181671)

I can not give answer about issue.

TP (2)

DaMattster (977781) | about a year and a half ago | (#43181621)

So I guess the router is about worth toilet paper, huh?

Re:TP (2)

jones_supa (887896) | about a year and a half ago | (#43182569)

Well, toilet paper works every time.

Re:TP (0)

Anonymous Coward | about a year and a half ago | (#43183373)

Well, toilet paper works every time.

Sure it does, but some varieties leave a lot of dingle, or cause friction burns, or result in poo-finger, or end up clogging the pipes so bad that your business ends up all over the floor.

In Soviet Russia... (0)

Anonymous Coward | about a year and a half ago | (#43181663)

...each morning TP found on backdoor of you.

Looks like the firmware upgrade (1)

Anonymous Coward | about a year and a half ago | (#43181743)

LAN side only, seems to be the firmware upgrade app since it requires the sending computer to be on the LAN, and providing a TFTP connection.

"Update2: to works on WAN port if http admin is open WAN"

Well there's a gaping hole, most of the routers I've owned, you can enable the admin on the LAN or the LAN+WIFI, I've never seen one you can open the admin page to the WAN.

Still, not quite the hyperbole in the Slashdot summary though!

Re:Looks like the firmware upgrade (5, Informative)

ledow (319597) | about a year and a half ago | (#43181783)

Should be fixed, yes. Critical to your network security? Not really.

It requires someone to convince a local user to click a link which not only executes an HTTP request against the router but also somehow starts up a TFTP service on the machine that executes that request, with some crafted files served from it to compromise the router when it asks for them.

It's a home router (and "routers" in the headline is accurate but misleading - precisely two are listed as vulnerable), so to be honest, I'm not at all surprised that this is possible. Hell, UPnP is more a security threat than this backdoor and that's enabled by default in a lot of places.

However, if TP-Link (whose products I quite like, especially their wireless repeaters) had just issued an update that stopped this happening, I'd not have even cared about it one jot and it would disappear into the void of things that have been patched already. It's the non-response that gets me. Someone at TP-Link couldn't even be bothered to say "We're looking into it"?

It is kinda sloppy of them (1)

Anonymous Coward | about a year and a half ago | (#43182111)

Sloppy to hard code the request. But then again, suppose they forced you to enter the password for the router, you wouldn't be able to reconfigure it if you've forgotten the password. That 'easysetup app' of theirs would be worth anything.

"I'd not have even cared about it one jot and it would disappear into the void of things that have been patched already. It's the non-response that gets me"

I bet the TPLINK guy didn't even know why they would do that. He'll just be a PR guy who doesn't know squat and doesn't want to say anything that might get him into trouble. So the non-answer doesn't bother me.

The Polish guys' other bug looks more interesting, since that is something that should never have been. Now I can imagine wanting to share files from a drive across the WAN using FTP, so an FTP share open to WAN is a likely situation. Yet they haven't checked for path traversal on the FTP directory and it can access everything (even writable). Now that is sloppy without a redeeming feature.

Yep, it's the Easy Setup Assistant (0)

Anonymous Coward | about a year and a half ago | (#43181905)

Yep, a quick check: they have an 'EASYSETUP Assistant' you run LAN side from your computer and it creates a UDP port which I assume is for TFTP. I think that's what this interface is for, but I don't have a TP-Link router to hand.

Look for the app TL-WDR4300_V1.0_EasySetupAssistant

Re:Looks like the firmware upgrade (1)

ls671 (1122017) | about a year and a half ago | (#43181997)

"Update2: to works on WAN port if http admin is open WAN"

Well there's a gaping hole, most of the routers I've owned, you can enable the admin on the LAN or the LAN+WIFI, I've never seen one you can open the admin page to the WAN.

Still, not quite the hyperbole in the Slashdot summary though!

I have seen many, here are 2 examples

TP-LINK:
54M Wireless Router
Model No. TL-WR340G/TL-WR340GD

D-LINK:
Product Page: DIR-615
Hardware Version: E3 Firmware Version: 5.10

A deliberate action? (0)

Anonymous Coward | about a year and a half ago | (#43181761)

TP-Link headquarters are in China, so one wonders if the backdoor was installed deliberately in the first place...

Re:A deliberate action? (1)

MightyYar (622222) | about a year and a half ago | (#43182045)

Yes, then TP-Link sends a Chinese hacker/technician to your house to exploit this LAN-only security problem.

Re:A deliberate action? (0)

Anonymous Coward | about a year and a half ago | (#43182109)

"From the article:

After the following HTTP request is sent:

http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html

the router downloads a file (nart.out) from the host which has issued the http request and executes it as root"

How is that a LAN-only problem?
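The two-stage behaviour the quoted article describes (an HTTP GET for the debug URL, followed by the router pulling nart.out over TFTP from whichever host sent the request) gives a defender something concrete to look for. The following detection logic is an added example, not code from the article or the thread: it correlates the trigger request with the TFTP fetch in constructed flow-log lines (the log format, the sample addresses and the 30-second window are assumptions), and flags a trigger arriving from a non-RFC1918 source, which is the "http admin open on WAN" case discussed further down the thread.

```python
import ipaddress
from collections import namedtuple

Event = namedtuple("Event", "ts src dst proto dport detail")

# Constructed sample log (not real traffic). Assumed line format:
#   <epoch> <src_ip> <dst_ip> <proto> <dst_port> <detail>
# where <detail> is the request path for HTTP and the requested file for TFTP.
SAMPLE_LOG = """\
1000 192.168.0.23 192.168.0.1 tcp 80 /userRpm/StatusRpm.htm
1005 192.168.0.23 192.168.0.1 tcp 80 /userRpmNatDebugRpm26525557/start_art.html
1006 192.168.0.1 192.168.0.23 udp 69 nart.out
1050 203.0.113.7 192.0.2.10 tcp 80 /userRpmNatDebugRpm26525557/start_art.html
1200 192.168.0.42 192.168.0.1 tcp 80 /userRpm/LoginRpm.htm
"""

# Indicators taken from the quoted article: the trigger path and the payload name.
BACKDOOR_PATH = "/userRpmNatDebugRpm26525557/start_art.html"
PAYLOAD_NAME = "nart.out"
TFTP_WINDOW = 30  # seconds after the trigger in which a TFTP fetch is correlated (assumption)

# RFC 1918 ranges only; ipaddress.is_private also covers documentation nets, which we
# deliberately want to treat as "outside".
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_log(text):
    """Turn the constructed log text into a list of Event tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, proto, dport, detail = line.split(maxsplit=5)
        events.append(Event(int(ts), src, dst, proto, int(dport), detail))
    return events


def is_rfc1918(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def is_trigger(ev):
    """HTTP request whose path (query string stripped) is the debug URL."""
    return ev.proto == "tcp" and ev.dport == 80 and ev.detail.split("?", 1)[0] == BACKDOOR_PATH


def detect(events):
    """Return one alert per trigger request, noting whether the payload fetch followed."""
    alerts = []
    for i, ev in enumerate(events):
        if not is_trigger(ev):
            continue
        # Stage 2: the router (ev.dst) reads nart.out over TFTP back from the requester (ev.src).
        fetched = any(
            later.proto == "udp" and later.dport == 69
            and later.src == ev.dst and later.dst == ev.src
            and later.detail == PAYLOAD_NAME
            and ev.ts <= later.ts <= ev.ts + TFTP_WINDOW
            for later in events[i + 1:]
        )
        alerts.append({
            "ts": ev.ts,
            "requester": ev.src,
            "router": ev.dst,
            "stage": "trigger+payload" if fetched else "trigger-only",
            # A trigger from outside RFC 1918 space means the admin UI is reachable from the WAN.
            "from_wan": not is_rfc1918(ev.src),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(alert)
```

A "trigger-only" alert still matters: it shows the request reached the router, and in the CSRF case the requester is a LAN host whose browser was steered to the URL.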

Re:A deliberate action? (1)

MightyYar (622222) | about a year and a half ago | (#43182209)

192.168.xxx.xxx is LAN-only.

Re:A deliberate action? (1)

Skiron (735617) | about a year and a half ago | (#43182247)

I have TP-Link - I wondered why the laundry man kept turning up...

TFTP (1)

ls671 (1122017) | about a year and a half ago | (#43181851)

This reminds me of the Vonage PAP2 case where you could unlock the PAP2 device by intercepting the TFTP connection the device made to Vonage the first time it got plugged in after you bought it from the store. You would redirect the connection to your own TFTP server and basically tell the device to unlock itself.

The device was worth $70 and Vonage sold it for $10 locked.

Some devices can easily be told to reconfigure themselves by simply telling them to download a configuration file through TFTP. All you need is a running TFTP server and sometimes IP/port redirection and/or fake DNS entries, really...

Re:TFTP (1)

drinkypoo (153816) | about a year and a half ago | (#43182071)

This reminds me of the vonage PAP2 case where you could unlock the PAP2 device by intercepting the tftp connection the device made to vonage the first time it got plugged in after you bought it from the store. You would redirect the connection to your own tftp server and basically tell the device to unlock itself.

Amusingly (to me) I'm working on that now. I'm currently stuck because I got the downgrade firmware on there but it's not requesting the XML file. It's getting an address via DHCP and then just sitting there like a turd.

delete submission (0)

Anonymous Coward | about a year and a half ago | (#43181865)

Hi everyone! Do you know how to delete a submission? I've found the answer nowhere, so I'm asking here. Anyone? Please help!

Re:delete submission (1)

philip.paradis (2580427) | about a year and a half ago | (#43181943)

You can't.

Re:delete submission (1)

MightyYar (622222) | about a year and a half ago | (#43182061)

You are off to a good start by using the <tt> tag. Now post this question on every article for a week and your submission will go away.

"sleep well"? Really? (1)

mark-t (151149) | about a year and a half ago | (#43182065)

If I keep hearing Linux is no more inherently secure than OSX or Windows, then why should one presume that there's some reason that OpenDD or OpenWRT should inherently be any more secure than standard router firmware?

Re:"sleep well"? Really? (1)

Down_in_the_Park (721993) | about a year and a half ago | (#43182417)

a) from whom are you hearing this no more secure...? b) in this very special case the mentioned Open/DD-WRT system doesn't have this security hole?

Re:"sleep well"? Really? (1)

jones_supa (887896) | about a year and a half ago | (#43182675)

If I keep hearing Linux is no more inherently secure than OSX or Windows, then why should one presume that there's some reason that OpenDD or OpenWRT should inherently be any more secure than standard router firmware?

I don't know how the comparison to Mac/Win applies here, but anyway, here's my theory... OpenWRT is developed by a larger, open community which also wants to offer long-term support for older devices. A manufacturer's stock firmware for a router (even if Linux-based) can be slapped together quite sloppily, and the manufacturer moves on to the next projects, leaving security holes and router-crashing bugs behind.

Re:"sleep well"? Really? (1)

markhahn (122033) | about a year and a half ago | (#43184681)

TP-Link deliberately introduced a backdoor. You can do that on OSX or Windows, too, and it's no harder.

The real issue here is that if TP-Link shipped OpenWRT with a TP-Link skin and some kind of mostly-automatic updating, they'd be far better off. Vendors don't seem to understand that open source isn't just a shortcut, but a better way to support their systems.

I got my first TP-Link Router last night (1)

jader3rd (2222716) | about a year and a half ago | (#43182067)

I got my first TP-Link router last night. Turns out I'm not going to use it, because my ISP (Frontier) doesn't support configuring the crappy router they provided into bridge mode, which would allow me to make use of it.

Re:I got my first TP-Link Router last night (0)

Anonymous Coward | about a year and a half ago | (#43182179)

Configuring a router is not dependent on the ISP

Re:I got my first TP-Link Router last night (1)

dugancent (2616577) | about a year and a half ago | (#43182703)

It is when they (Frontier) require you to rent their modem/router combo device.

Re:I got my first TP-Link Router last night (0)

Anonymous Coward | about a year and a half ago | (#43182713)

but configuring theirs is...

My friend has the same problem. They will not bridge their router at all to his (he even offered them cash to do it). Major ISPs do not dink around with this sort of thing. But I have noticed some of the smaller ones want to control 'the whole value chain'. They will not let you on the network unless it is on their terms. They want to make sure they can upsell you to a much more expensive tier (think 500+ per month) to have an unlocked router.

So whereas with someone like TW or Comcast you can just punch a hole in your firewall if you want to, say, run a torrent or a game, you cannot do it with these sorts of networks. They are meant for Web and Email only, no 'servers'.

Re:I got my first TP-Link Router last night (1)

jader3rd (2222716) | about a year and a half ago | (#43182879)

Configuring a router is not dependent on the ISP

I can configure the router, and I don't need the help of the ISP to do it. What happened was I followed the existing instructions on how to configure that particular router to be in bridge mode, and then I lost my internet connection. I called up the ISP and asked for help on how to fix it, and the support person said that they don't support customers with routers in bridge mode. So the "suggested" way to use my new router would be to have it be a client of the ISP-supported router, which defeats the purpose of why I got the newer router. Again, not supported, but works mostly; even though it's a horrible network design to have the double hop of routers plugged together like that.

In the end it doesn't matter if I configure my router to how I want it to be, if when I do my ISP doesn't assign me an IP Address. I kind of need my end to be configured in a way that ISP will support/honor.

Re:I got my first TP-Link Router last night (0)

Anonymous Coward | about a year and a half ago | (#43182941)

I have frontier DSL and the way I got around that was purchase my own DSL modem. I still have to pay to rent their shitty modem/router deal but at least I can control my connection.

TP-Link hasn't yet responded (0)

Anonymous Coward | about a year and a half ago | (#43182081)

"TP-Link hasn't yet responded" - maybe that's because someone knocked their network down using this attack? :-)

Re:TP-Link hasn't yet responded (1)

jones_supa (887896) | about a year and a half ago | (#43182723)

Man, it would be so refreshing if more often the case was "${company_name} responded immediately and is working on a security fix"...

Where's the pride behind the products?

"root access to the local network" (2)

Cajun Hell (725246) | about a year and a half ago | (#43182185)

...gain root access to the local network...

That's really troubling too, because after I read this, I went to change my network's root password and I couldn't find where to do that!

After RTFA it's clear they mean root access to that router, which is the same thing that anyone would have inferred from the mere mention of "back door" anyway. So why add the confusing phrase about the network?

The world is already stupid enough. There's no need to go to extra trouble to make it stupider. That's wasted effort.

Re:"root access to the local network" (0)

Anonymous Coward | about a year and a half ago | (#43182669)

Hanlon's razor. And thus utter failure by submitter AND editors.

update (1)

Anonymous Coward | about a year and a half ago | (#43182237)

Today, we got some feedback from TP-Link Poland:

1) Apologies for their earlier lack of contact
2) Confirmation of the vulnerability on WAN side (i.e. if you have your web admin put on WAN - you are affected).
3) Info about imminent press release
4) Offer to have some other models of the TP-Link devices - for security tests

-- ms, sekurak.pl team

Who uses that? (2)

slashmydots (2189826) | about a year and a half ago | (#43182319)

I've used one TP-Link device ever and it was a DSL modem since AT&T's price was absurd. Also the responsiveness and hardware specs weren't bad for the price. If you want the mother of all routers for fairly cheap, the ASUS RT-N12 (B1) is the king. It uses all Realtek wireless chips. It intercepts initial webpage requests and logs in password-less for initial configuration via its control panel so no typing in IPs. It adapts its IP structure automatically (increments it to 2) around AT&T's modems that purposely use 192.168.1.1 to screw with people. It can be set as a repeater or an access point too so you can drop 4 wired ethernet ports wirelessly on the other side of your house without actual wires. If a machete severs your cable to the modem, it intercepts web requests and pops up and tells you specifically that the link cable between the modem and router was disconnected. I use it at my shop and I've never had to reboot it even after 100+ wireless and wired clients. And this router runs about $40. Take that, TP-Link.

Re:Who uses that? (0)

Anonymous Coward | about a year and a half ago | (#43182635)

Gigabit? Nope.

Re:Who uses that? (0)

Anonymous Coward | about a year and a half ago | (#43183703)

Umm http://wikidevi.com/wiki/ASUS_RT-N12_rev_B1. It uses a broadcom chipset.

Use DD-WRT (1)

andreyv (2754067) | about a year and a half ago | (#43182609)

I just upgraded a WR841ND v7 from the official firmware to DD-WRT today. Seems to work fine, the configuration interface is friendly, and there's no more occasional lag when playing computer games online.

Defense Distributed (1)

fustakrakich (1673220) | about a year and a half ago | (#43182695)

Yeah, where are these guys? Why aren't they printing out secure routers and other hardware? In fact, why isn't anybody? That will really scare the tyrants...

What is "root access to a network?" (2)

EmagGeek (574360) | about a year and a half ago | (#43182755)

I'm having trouble wrapping my feeble mind around that one.

useful tool (0)

Anonymous Coward | about a year and a half ago | (#43182845)

at last. proper tplink root level access. thanks.

Local network only (0)

FuzzNugget (2840687) | about a year and a half ago | (#43182917)

If you actually read TFA (and, seriously, this should have been in TFS), you'll find that this is possible on a local network only, not "zomgs!! chaneeeze haxors r gonna sploit ma router!!!"

They can maybe knock it offline, but that's the maximum potency of a remote attack.

openwrt? dd-wrt? More secure?! (1)

Blymie (231220) | about a year and a half ago | (#43182971)

Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well.

On what basis?

On the basis of the security updates that occur, every single time a kernel or userland vulnerability is discovered?

I have yet to see a security release for DD-WRT. I see updates, randomly, which have nothing to do with security issues. Certainly the stable branches of both projects release rarely.

Note, I'm not faulting these guys -- these are nice firmwares. However, to think that they are somehow more secure, when they fall prey to the same problem -- THAT IS, NO UPDATES DUE TO SECURITY ISSUES, is strange. These firmwares are just as insecure as stock firmwares.... in fact, likely MORE insecure, because what stock firmware has SSH exposed? Or other userland tools exposed?

Stock firmwares seldom have fluff modz, whereas one of the strengths of DD-WRT and others is to expose these services on user request.

If I look at .. say, Debian, and compare the number of security updates to the kernel, to tools like ssh, or dropbear, or apache, or whatever userland tools these routers are using.. I see *no updates*. None. Nada. Hell, the last month has seen likely 40 updates to the kernel for security issues, some of them serious remote DDoS. I've seen lots of updates to tools that DD-WRT incorporates in its userland, too. Again, severe security updates.

Where were the automatic, day-of-announcement updates for DD-WRT? OpenWRT? Until these tools incorporate Debian (or other copycat distros) updates with tools like apt-get, these things are WORSE than standard router firmwares.

What we need is to standardize these router firmwares on something like Debian.

Vulnerable even if no admin access on WAN side (1)

Anonymous Coward | about a year and a half ago | (#43183363)

I've got a TP Link router, and if I try to visit the backdoor URL, the router shuts off its wireless. An attacking webpage would just need to put that URL in an img tag for example to trigger my browser to open it.

I'm currently in Shanghai and the router is a unique Chinese model, so I have no idea if it's compatible with OpenWRT / DD-WRT.
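As an added example (not from the thread, TP-Link or the sekurak.pl write-up), a small log scanner that flags requests for the debug path quoted from the article earlier in the thread, whether they come straight from a LAN host or via a browser tricked into fetching the URL as this post describes. It assumes combined-log-format lines (the sample lines are constructed) and treats the directory prefix as the stable part of the path.

```python
import re
from urllib.parse import urlparse

# Path quoted in the thread: a GET here makes the router fetch a file from the
# requester and run it as root. The directory prefix is treated as the stable
# part (assumption), so variants of the final page name are caught too.
BACKDOOR_PREFIX = "/userRpmNatDebugRpm26525557/"

# Combined-log-format line: client ident user [timestamp] "METHOD target HTTP/x" status
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) '
    r'(?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def request_path(target: str) -> str:
    """Return the URL path whether the log holds a bare path or a full URL
    (a proxy logs the absolute URL a browser was made to fetch)."""
    if target.startswith(("http://", "https://")):
        return urlparse(target).path
    return target.split("?", 1)[0]


def is_backdoor_request(line: str) -> bool:
    """True if the line is a parseable request for the debug path."""
    m = LOG_RE.match(line)
    return bool(m) and request_path(m.group("target")).startswith(BACKDOOR_PREFIX)


def find_backdoor_requests(lines):
    """Yield (source_ip, timestamp, path) for every matching line."""
    for line in lines:
        if is_backdoor_request(line):
            m = LOG_RE.match(line)
            yield m.group("src"), m.group("ts"), request_path(m.group("target"))


# Constructed sample log: two ordinary admin-page requests and two hits, the
# second recorded by a proxy with the absolute URL (what a CSRF-triggered
# browser fetch would look like from the victim's own machine).
SAMPLE_LOG = [
    '192.168.0.10 - - [12/Mar/2013:21:04:11 +0100] "GET /userRpm/StatusRpm.htm HTTP/1.1" 200 4120',
    '192.168.0.23 - - [12/Mar/2013:21:04:19 +0100] "GET /userRpmNatDebugRpm26525557/start_art.html HTTP/1.1" 200 53',
    '192.168.0.10 - - [12/Mar/2013:21:05:02 +0100] "POST /userRpm/LoginRpm.htm?Save=Save HTTP/1.1" 302 0',
    '10.0.0.5 - - [12/Mar/2013:21:06:40 +0100] "GET http://192.168.0.1/userRpmNatDebugRpm26525557/start_art.html HTTP/1.1" 200 53',
]

if __name__ == "__main__":
    for src, ts, path in find_backdoor_requests(SAMPLE_LOG):
        print(f"ALERT {ts} {src} requested {path}")
```

A hit from an ordinary workstation's address is the CSRF case: the user never typed the URL, their browser was made to fetch it.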

I think this is not such a big issue after all (0)

Anonymous Coward | about a year and a half ago | (#43183779)

If I understand correctly, this is a SW issue and not HW.
Easily correctable via alternative firmware (WRT based).

Or you can disable http admin that is opened to the WAN:
http admin to WAN is a bad practice anyway, regardless of the router model, in my opinion
minimum is https if you must open admin to WAN
better still is that there is nothing opened to WAN, or only SSH (secured by a digital certificate)
you can always get to http admin via VPN and then access it via LAN

Andrej

No surprise (1)

ickleberry (864871) | about a year and a half ago | (#43184497)

TP-Link is really the cheapest of the most low-end Chinese own-brand junk. Hopefully open-source hardware will become more common, making this kind of backdoor harder to go unnoticed for so long.