Mesh Wi-Fi or other setup for home network?

Agree, but I thought
> All true, but there is also nothing wrong with knowing you are dealing with a Chinese CCP backed company
A Chinese company, not a CCP backed company.
and that TP-Link router is now made in Vietnam much like some USA router makers.
Don't get me wrong, I have no problem with people wanting to avoid Chinese products. I just hate politicians going on a baseless witch hunt admitting they have no evidence and the media jumping all over the story and then people in forums not even reading the stories and commenting on the headline.

I'm not a fan of China at all. Heck, I bought a TV made in Japan, but I'm not a hypocrite typing anti-China stuff on a computer made of China components, which also include almost any electric device in my life including my cars, without facts and evidence on one company. Actually I can go one step further, I have South Korean made appliances and I bet half the nation has China owned GE appliances. ;) Most all this stuff is connected to the internet too.
 
> All true, but there is also nothing wrong with knowing you are dealing with a Chinese CCP backed company.
The issue, as I've articulated in other threads, is more complicated than he's describing of course.

- Pretty much every single home and SMB router is based on busybox
- OEMs customize busybox, adding packages (like OpenVPN) to increase features/functionality
- Most home/SMB routers don't automatically update their firmware
- Most home/SMB router manufacturers don't address, in a timely fashion, vulnerabilities found in their firmware/busybox, if they address them at all
- Most home/SMB routers are abandonware after a period of time

This gives them a large attack surface, so it's unsurprising that many of them, since they are all based on the same software and use the same packages, end up vulnerable to the same attacks, and this gets exploited in the wild. The question on TP-Link is whether the dearth of vulnerabilities in their equipment is as a result of negligence/incompetence, or by design, to aid the CCP in gaining access to more devices within the borders of other nations. The attempt to conflate this quite legitimate concern with burning witches is beyond the pale, but then this "defence by whataboutism" is something I've come to expect.

What most of these bad actors are looking to do when gaining access to your device isn't to gather information about you (though that could potentially be a side benefit). The purpose is to use your home router/gateway as a proxy, as from within the target country, systems leveraging geoblocking as a protection mechanism can be accessed through these proxies. So a VPN tunnel is established between some hacking group in Beijing and your home router, and they use your home router to access domestic targets like your utility, the DOH, DOE, FBI...etc. You become the "useful idiot" in the equation; your router the tool to facilitate espionage.

As more and more "smart" devices enter the market, they become part of the attack surface, as many of them run busybox as well. And of course poor patching/updating happens here as well.

On the subject of buying equipment made in China by say Apple vs Huawei, the difference should be obvious: who wrote the software. And this is why there is concern about TP-Link (and why there was concern about Huawei). Yes, that Netgear router you bought 8 years ago may be vulnerable due to an unpatched flaw, but it's unlikely that its firmware contains code designed to facilitate nefarious actions by a foreign actor.

Since we know for a fact that one of the primary attack vectors for Chinese hacking groups is home and SMB routers used as proxies, the question is really whether this just happens to exist wholly by accident, due to lazy updating and security practices by OEMs, or whether it is in part being facilitated at the direction of the CCP by Chinese companies.
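
The proxy pattern described in the post above can be turned into a defender's check. This is an added example, not part of the thread: it looks for a long-lived inbound session terminating on the router itself while the router originates outbound connections that no LAN client asked for. The flow record format, addresses (documentation ranges) and thresholds are assumptions, and the records are taken to be pre-NAT tuples as seen on the router.

```python
import csv
import io
from ipaddress import ip_address, ip_network

WAN_IP = ip_address("203.0.113.10")   # assumed router WAN address
LAN = ip_network("192.168.1.0/24")    # assumed LAN subnet
EXPECTED_ROUTER_PORTS = {53, 123}     # DNS/NTP the router legitimately originates

# Constructed flow records (times in seconds), not real capture data.
SAMPLE = """\
start,end,src,dst,dport
100,160,192.168.1.20,198.51.100.7,443
120,121,203.0.113.10,198.51.100.53,53
200,4000,192.0.2.66,203.0.113.10,1194
260,300,203.0.113.10,198.51.100.80,443
900,960,203.0.113.10,198.51.100.81,22
5000,5010,203.0.113.10,198.51.100.82,443
"""

def load(text):
    """Parse the constructed CSV into typed flow dicts."""
    return [{"start": int(r["start"]), "end": int(r["end"]),
             "src": ip_address(r["src"]), "dst": ip_address(r["dst"]),
             "dport": int(r["dport"])}
            for r in csv.DictReader(io.StringIO(text))]

def find_relay(flows, min_tunnel_secs=600):
    """Return (tunnel, relayed_flows) pairs that match the proxy pattern."""
    # Long-lived sessions from outside the LAN that terminate on the router.
    tunnels = [f for f in flows
               if f["dst"] == WAN_IP and f["src"] not in LAN
               and f["end"] - f["start"] >= min_tunnel_secs]
    # Traffic the router itself originates (source is the WAN IP, so no LAN
    # client is behind it), ignoring its expected housekeeping ports.
    own = [f for f in flows
           if f["src"] == WAN_IP and f["dport"] not in EXPECTED_ROUTER_PORTS]
    findings = []
    for t in tunnels:
        relayed = [f for f in own if t["start"] <= f["start"] <= t["end"]]
        if relayed:
            findings.append((t, relayed))
    return findings

if __name__ == "__main__":
    for tunnel, relayed in find_relay(load(SAMPLE)):
        print("inbound tunnel from", tunnel["src"], "port", tunnel["dport"])
        for f in relayed:
            print("  router-originated flow to", f["dst"], "port", f["dport"])
```

A hit is a reason to inspect the router, not proof of compromise: a VPN server the owner configured on purpose, plus a firmware update check, produces the same shape.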
 

I don't think TP-Link is doing it on purpose - I think it's a matter of price. They are often the best value in networking... Cheap! When your margins are thin, in a competitive industry, you cut costs to make profit, and software engineering and security auditing are expensive!

It's the same reason HyunKia cars blow up engines left and right and Nissans lose CVTs here and there... you are buying a cheap product, and the compromise has to be somewhere. Yet, despite both those being considered common issues, by the numbers, most HyunKias and Nissans are still on the road at well over 150K miles and people have good experiences with them and continue to buy them.

I have installed oodles of TP-Link mesh systems in friends, family, etc. places. Personally, I wouldn't use it, as a mesh system doesn't meet my needs - we ran ethernet cable across the house and are using Aruba Instant On APs here, and that's really the best way to go IMO, but if you must use a mesh system, and you want something affordable that works well, TP-Link is a great deal.

And despite being significantly more expensive, Netgear, Asus, etc. have plenty of security issues as well. Just the same way that BMWs, despite being more expensive than Nissans, break down too sometimes.
 
A cheap Mesh (I use Google WiFi) with CAT6 cable runs for backhaul to main router will absolutely crush the best mesh network product in speeds that has a wireless backhaul. Nearby main router/mesh it will be great otherwise a slow pig.

Took a bunch of work to run those runs however no more WiFi complaints in home. Speeds up to 500 Mbps. I think I lose 100 Mbps due to older tech of my setup.
 
> I don't think TP-Link is doing it on purpose - I think it's a matter of price. They are often the best value in networking... Cheap! When your margins are thin, in a competitive industry, you cut costs to make profit, and software engineering and security auditing are expensive!
There is the RISK they are doing it on purpose, to facilitate what I've described. There is no concrete evidence (at least that's publicly available) that this isn't just incompetence/cost cutting, but they are currently being investigated.

> It's the same reason HyunKia cars blow up engines left and right and Nissans lose CVTs here and there... you are buying a cheap product, and the compromise has to be somewhere. Yet, despite both those being considered common issues, by the numbers, most HyunKias and Nissans are still on the road at well over 150K miles and people have good experiences with them and continue to buy them.
Except we aren't practicing cyber warfare with the South Koreans and the South Koreans aren't regularly hacking us, so it isn't quite the same thing from that perspective. Our relationship with China is far more like our relationship with the Soviet Union was during the Cold War.

> I have installed oodles of TP-Link mesh systems in friends, family, etc. places. Personally, I wouldn't use it, as a mesh system doesn't meet my needs - we ran ethernet cable across the house and are using Aruba Instant On APs here, and that's really the best way to go IMO, but if you must use a mesh system, and you want something affordable that works well, TP-Link is a great deal.
Yes, it's a great deal, that's why they are so prevalent. The current theory is that this is intentional, that this is a potentially subsidized low cost (through the state) to ensure high levels of uptake of these devices so that they can be used in the manner in which they are currently: as proxies for cyber warfare and espionage.

> And despite being significantly more expensive, Netgear, Asus, etc. have plenty of security issues as well. Just the same way that BMWs, despite being more expensive than Nissans, break down too sometimes.
Yes, though I don't consider them "significantly" more expensive. As I covered in my post, these are all devices that run busybox and use many of the same addons, so are all subject to many of the same vulnerabilities if not patched. While ASUS has historically been pretty good with providing firmware updates, you still have to install them, which most people don't and wouldn't even know how.

The difference is that security vulnerabilities aren't, generally, intentional. The concern with TP-Link is that they may be, at the direction of the CCP, so that their state-directed hacking groups have access to these botnets, from which they undertake their operations.

Ubiquiti's "Unifi" equipment is currently a pretty good option, being reasonably user friendly as long as you stay out of the advanced settings, while automatically being kept up-to-date with regular firmware updates. While more "Prosumer" oriented and more expensive than the Best Buy special, they aren't crazy expensive like stuff from Cisco, Juniper, SonicWall, CheckPoint...etc.
 
> Agree, but I thought
>
> A Chinese company, not a CCP backed company.
Same thing in my opinion. Chinese companies are pretty much under the thumb of the CCP and will do their bidding if pressed.
I also think manufactured in China is a lot different than engineered in China using Chinese components. A lot can be hidden using Chinese silicon.
 
Today's mesh works pretty well, especially in the "roaming" between APs and repeaters. In the old days I would run powerline over ethernet / Homeplug that includes MIMO, but I think the mesh these days has caught up and made it even better now.

I don't trust ANY router companies, just assume everything between computers is going to be hacked and needs encryption.
 
UPDATE- I installed the new mesh system mentioned above last night. I went to 6 locations around the house and notated the speed. The old system Meshforce set up averaged: 40 MBPS. Same locations in the home, new set up averaged: 320 MBPS...
 