TP-Link critical authentication bypass - patch available

iOS 15.8.7 was released a couple weeks ago, with support going back to the iPhone 6S.

WatchOS 8 was just updated with new certificates, so that Series 3 and later watches can continue to function with Messages and FaceTime come 2027.

If such a device is just used for texting, it doesn't need to have any cell service at all, as long as it has a net connection.

Good luck getting such support out of a consumer grade router. A cynic would say that by the time the firmware is finally stable in the product's life cycle, it's time to push the next new widget. Rinse and repeat.
 
Duh. That's why I said it was "a related note". I understand it's not exactly the same. Also, some modems (AIO) do act as ethernet/wifi routers.
A modem is essentially wire as far as your router is concerned. The router modem combo things are really just separate pieces of gear with totally different functionalities combined into one enclosure.
 
An example of why TP-Link and other imported routers are getting the regulatory cold shoulder. Apparently the feds have shut down a Russian.gov hacking operation based on TP-Link router DNS hijacking exploits.

https://www.justice.gov/opa/pr/just...d-disruption-dns-hijacking-network-controlled

This is very important and directly addresses one of the things @alarmguy and I were discussing regarding his thoughts as to the lack of interest these actors would have in his (and people like him) traffic/activities. @wwillson and I were also talking about this the other night.

From the article:
Since at least 2024, GRU actors have exploited known vulnerabilities to steal credentials for thousands of TP-Link routers worldwide. The actors then accessed many of these compromised routers without authorization and manipulated their settings to redirect DNS requests to GRU-controlled servers - i.e., malicious DNS resolvers. GRU actors were indiscriminate in their initial targeting and manipulation of routers. The actors then implemented an automated filtering process to determine which DNS requests were of interest and warranted interception. For select targets, the GRU’s DNS resolvers provided fraudulent DNS records for specific domains that mimicked legitimate services – including Microsoft Outlook Web Access – to facilitate Actor-in-the-Middle attacks against encrypted victim network traffic. In doing so, the GRU actors harvested unencrypted passwords, authentication tokens, emails, and other sensitive information from devices on the same network as the compromised TP-Link routers.
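The release describes two things a defender can check for directly: the upstream resolvers a router has been configured to forward to, and whether the answers coming back for sensitive hostnames agree with a resolver you trust. The script below is an added example, not part of the DoJ release or of anything posted in this thread. It speaks raw DNS over UDP so it can ask a specific resolver rather than the OS stub resolver; the hostnames, the allow list and all addresses are constructed (RFC 5737 documentation ranges), and the helper names are assumptions.

```python
"""Detect the router-level DNS redirection pattern described in the DoJ release:
(1) is each upstream resolver the router forwards to one we actually chose, and
(2) do the answers it returns for sensitive hostnames agree with a trusted
reference resolver? Added example; every hostname and address here is constructed."""
import ipaddress
import random
import socket
import struct


def build_a_query(name: str, txid: int) -> bytes:
    """Encode a minimal DNS A/IN query in RFC 1035 wire format (RD=1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_a_answers(data: bytes, txid: int) -> set:
    """Collect the IPv4 strings from the A records of a response; other RR types are skipped."""
    rid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (unexpected or spoofed reply)")
    off = 12
    for _ in range(qd):  # step over the echoed question section
        off = _skip_name(data, off) + 4  # + QTYPE/QCLASS
    answers = set()
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            answers.add(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return answers


def query_a(name: str, resolver_ip: str, timeout: float = 3.0) -> set:
    """Ask one specific resolver (not the OS stub resolver) for the A records of `name`."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_a_query(name, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_answers(data, txid)


def upstream_is_expected(resolver_ip: str, allowlist) -> bool:
    """The upstream resolvers in the router's WAN/DHCP settings should only ever be
    the ones you or your ISP chose; any other address is the tell the release describes."""
    ip = ipaddress.ip_address(resolver_ip)
    return ip in {ipaddress.ip_address(a) for a in allowlist}


def compare_answers(local: dict, reference: dict) -> list:
    """Hostnames whose local answer set shares no address with the reference answer set."""
    return sorted(h for h in local if not (local[h] & reference.get(h, set())))


def audit(hostnames, router_upstreams, allowlist, reference_resolver) -> list:
    """Live audit: report unexpected upstreams and hostnames the two resolvers disagree on."""
    findings = [f"unexpected upstream resolver {ip}"
                for ip in router_upstreams if not upstream_is_expected(ip, allowlist)]
    local = {h: query_a(h, router_upstreams[0]) for h in hostnames}
    ref = {h: query_a(h, reference_resolver) for h in hostnames}
    findings += [f"{h}: local {sorted(local[h])} vs reference {sorted(ref[h])}"
                 for h in compare_answers(local, ref)]
    return findings


if __name__ == "__main__":
    # Constructed placeholders: substitute the upstream resolvers shown in your router's
    # admin page, the resolvers you actually configured, and a reference resolver you trust.
    for line in audit(["owa.example.test", "mail.example.test"],
                      router_upstreams=["203.0.113.53"],
                      allowlist={"198.51.100.53"},
                      reference_resolver="198.51.100.53"):
        print(line)
```

Two caveats when reading the output. Names served from a CDN can legitimately resolve to different addresses depending on which resolver asks, so seed the hostname list with names whose addresses you know to be stable, and treat a mismatch as something to follow up (does the returned address fall in the provider's published ranges, does the TLS certificate validate) rather than as proof of compromise. And the upstream check only sees what the router reports; a router whose admin interface has itself been compromised can lie, which is why the answer comparison is done independently of it.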
 
An example of why TP-Link and other imported routers are getting the regulatory cold shoulder. Apparently the feds have shut down a Russian.gov hacking operation based on TP-Link router DNS hijacking exploits.

https://www.justice.gov/opa/pr/just...d-disruption-dns-hijacking-network-controlled
The only router made in the USA is Starlink
Soon they all will be. It’s not going to stop hacking however but I guess there might be more control?
Who knows?
Router companies don’t conspire with Russian hackers, and they absolutely hack everything, not just TP-Link.
Google any router company with the word "hack" and you will see results, including the names of some of the most cherished routers in forums.

Of course some hackers choosing the most widely used router in the world for some purposes makes sense. Typically, I would suggest, unrelated to the user of that router.

But TP-Link routers are not in government offices and your health network that provide every American's social security number posted on the dark web by hackers.

Agree it was a big hack on unsecured, non-updated TP-Link routers … interesting article …
Not sure how manufacturing routers here will make a difference, though.
https://www.ibtimes.sg/russian-gru-...-home-routers-steal-passwords-worldwide-85135
 
The only router made in the USA is Starlink
It's less the hardware and more the software, and that's an issue for all Big Box equipment as we've discussed previously. This "abandonware" approach leaves vulnerable devices that can be used maliciously once compromised.
Soon they all will be. It’s not going to stop hacking however but I guess there might be more control?
Who knows?
Yeah, the focus on COO misses the mark, it needs to be on timely patching of security vulnerabilities, automatic firmware updates and something like a 10 year minimum support period.
Router companies don’t conspire with Russian hackers, and they absolutely hack everything, not just TP-Link.
Google any router company with the word "hack" and you will see results, including the names of some of the most cherished routers in forums.

Of course some hackers choosing the most widely used router in the world for some purposes makes sense.
Sure, but some of those companies, typically not the consumer ones, provide updated software for their products long after they are obsolete. Cisco is still shipping new firmware for 2960S switches that are >10 years old now.

Ubiquiti's Unifi gear is definitely one of the better options for home users if you want something that's got a good lifecycle and gets regular updates.
But TP-Link routers are not in government offices and your health network that provide every American's social security number posted on the dark web by hackers.
No, but they are used as proxies by malicious actors to circumvent geoblocking and COO restrictions that would otherwise prevent that traffic from reaching those organizations. It adds additional attack vectors.
 
It's less the hardware and more the software, and that's an issue for all Big Box equipment as we've discussed previously. This "abandonware" approach leaves vulnerable devices that can be used maliciously once compromised.

Yeah, the focus on COO misses the mark, it needs to be on timely patching of security vulnerabilities, automatic firmware updates and something like a 10 year minimum support period.

Sure, but some of those companies, typically not the consumer ones, provide updated software for their products long after they are obsolete. Cisco is still shipping new firmware for 2960S switches that are >10 years old now.

Ubiquiti's Unifi gear is definitely one of the better options for home users if you want something that's got a good lifecycle and gets regular updates.

No, but they are used as proxies by malicious actors to circumvent geoblocking and COO restrictions that would otherwise prevent that traffic from reaching those organizations. It adds additional attack vectors.
Agree!
 
It is also the manufacturing process that they are worried about. China or someone else could inject malware or a backdoor in by paying off someone in the factory. There have been cases of this with some devices.

I recently had my cheap wifi picture frame act weird and throw alarms on my Ubiquiti router security. Turns out it had become a part of a botnet. It was making a bunch of connections to Russian servers.
 
It is also the manufacturing process that they are worried about. China or someone else could inject malware or a backdoor in by paying off someone in the factory. There have been cases of this with some devices.

I recently had my cheap wifi picture frame act weird and throw alarms on my Ubiquiti router security. Turns out it had become a part of a botnet. It was making a bunch of connections to Russian servers.
That's predominantly a software problem however. The COO of the hardware is far less of an issue in that context. While most of these devices use open source-based firmware (almost all of them are based on BusyBox), the primary issue isn't nefarious vendors, but incompetent or lazy ones, who ship code with out-of-date libraries, or gaping security holes, and then rarely patch them because they are already onto the next model. This is inherent to the price point this stuff is shipped at. 10 years of support for a $70 Best Buy special, to the OEM, crushes that model, but that's really what's required to address this issue. If you ship a connected device, you need to be on the hook for a reasonable period (I think 10 years, minimum) to provide timely updates to address known CVEs.
 
Twisted Conspiracy Theory......

The threat was exaggerated. The US government wanted a backdoor to ALL US routers. The firmware "Patch/upgrade" gave the NSA, CIA and FBI direct access to your router. The real threat was not foreign in origin. :LOL:

 
That's predominantly a software problem however. The COO of the hardware is far less of an issue in that context. While most of these devices use open source-based firmware (almost all of them are based on BusyBox), the primary issue isn't nefarious vendors, but incompetent or lazy ones, who ship code with out-of-date libraries, or gaping security holes, and then rarely patch them because they are already onto the next model. This is inherent to the price point this stuff is shipped at. 10 years of support for a $70 Best Buy special, to the OEM, crushes that model, but that's really what's required to address this issue. If you ship a connected device, you need to be on the hook for a reasonable period (I think 10 years, minimum) to provide timely updates to address known CVEs.
It is software, but the CM has to assemble and program the devices. It could be a lot easier to inject or alter the software images in China vs. a US company, but I guess people can be bought anywhere.
 
It is software, but the CM has to assemble and program the devices. It could be a lot easier to inject or alter the software images in China vs. a US company, but I guess people can be bought anywhere.
Yeah, that's why I made sure to use the word "predominantly" there, as there are of course exceptions, but the overall theme here has been abandonware and incompetence, not malicious intent.
 
My TP-Link Deco XE75 mesh setup is akin to “Home Networking for Dummies” and that’s why I bought it. It replaced a Deco X20 setup used previously.

I considered Ubiquiti products for the safety and control aspects, but the learning curve seemed steep… and my networking knowledge is thin.
 
My TP-Link Deco XE75 mesh setup is akin to “Home Networking for Dummies” and that’s why I bought it. It replaced a Deco X20 setup used previously.

I considered Ubiquiti products for the safety and control aspects, but the learning curve seemed steep… and my networking knowledge is thin.

I’ve installed quite a bit of Deco stuff for friends and family. Works alright. And if you catch it on sale it’s an insane value! It’ll be a bummer not to have that as an option.

Every single person does joke the units look like rolls of TP and that’s why it’s called TP-Link…
 
My TP-Link Deco XE75 mesh setup is akin to “Home Networking for Dummies” and that’s why I bought it. It replaced a Deco X20 setup used previously.

I considered Ubiquiti products for the safety and control aspects, but the learning curve seemed steep… and my networking knowledge is thin.
Unifi stuff is pretty simple as far as prosumer gear goes, but I do think there's a market for quality equipment that gets regular updates and is inherently configured for security, where that setup can be achieved by a wizard geared toward Joe Average who doesn't want, or need, to know what IDS and IPS are.
 