

Backdoor Found In TP-Link Routers

New submitter NuclearCat writes "Polish security researchers have found a backdoor in TP-Link routers, allowing an attacker to not only gain root access to the local network, but also to knock down the router via a CSRF attack remotely. (Further information; Google translation of the Russian original.) According to the researchers, TP-Link hasn't yet responded to give an answer about the issue. The good news: Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well."


  1. Et tu, China? by Anonymous Coward · · Score: 3, Insightful

    With every government in the world wanting their own backdoors to everything these days, designing firmware for modern routers must be akin to being a carpenter tasked with building a house to satisfy 300 different feuding owners.

    1. Re:Et tu, China? by stevegee58 · · Score: 5, Insightful

      The last time I posted a comment about Chinese products containing malware I was voted down as flamebait and accused of being a racist.

    2. Re:Et tu, China? by L4t3r4lu5 · · Score: 4, Funny

      That's nothing! I've tried, on numerNEVER BEFORE to post about bugs in produce coming from China, and every tiCHINESE GOODS ARE MADE TO HIGHEST QUALITYerent in some way. I tried to warn my boss away from buying that "too cheap" Cisco gear from eBay (the lettering was weird, too), but he wouHONOURABLE MANAGER MAKES SENSIBLE PURCHASING DECISION.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Et tu, China? by stevegee58 · · Score: 2, Funny

      Good gracious! This place is getting as bad as 4chan.

    4. Re:Et tu, China? by AK+Marc · · Score: 3, Insightful

      Sony has shipped backdoors. Cisco has shipped backdoors. HP, Microsoft, and probably everyone else (they just might not all get press - I know personally of the HP case because I worked there for that one, apparently someone let the imaging machine get infected to where the HP recovery media had a virus rootkit on them, burned and shipped). Everyone on the planet is looking at "China" closer than anyone else, and the discovery rate is lower than US rate, but one company, TP-Link, has one issue, and suddenly, it's a coordinated Chinese attack on us. It's that logical disconnect that earns you a racist tag.

  2. English news article by hweimer · · Score: 5, Informative
    --
    OS Reviews: Free and Open Source Software
  3. I have to wonder why they bother... by fuzzyfuzzyfungus · · Score: 5, Interesting

    Given the relatively dismal reputation of vendor firmware on most routers, and the distinctly limited opportunities for software-differentiation in the 'well, it sits there and makes the internet wireless, right?' networking market, I honestly have to wonder why most vendor firmware isn't just thinly-skinned Open or DD WRT out of the box...

    1. Re:I have to wonder why they bother... by Anonymous Coward · · Score: 2, Informative

      For a lot of routers the chipset manufacturers aren't as friendly towards open source as they could be (e.g. Broadcom), which is largely the reason why many popular routers are unsupported or work-in-progress for OpenWrt/DD-WRT etc.

    2. Re:I have to wonder why they bother... by neokushan · · Score: 5, Informative

      As far as I know, that's more or less what Asus does. I have an RT-N66U and it's an absolute dream box. It's based on one of the open source firmwares (I can't remember which one though, DD-WRT, OpenWRT or Tomato), Asus releases the source code to the firmware and you don't have to do anything fancy to install a custom variant of it, just upgrade your firmware manually like you would on any other router except pick the custom firmware file.

      --
      +1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
    3. Re:I have to wonder why they bother... by LWATCDR · · Score: 2

      "Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers."
      Doesn't happen with complex devices; AMD proved that. AMD has released the documentation for their GPUs, and their open source drivers lag the closed source ones, and AMD has to pay programmers to work on the open source drivers, same as Intel does for their GPUs. And the next statement will be that of course the closed source drivers are ahead of the FOSS drivers because they have had a head start, and then you will get to what most people in the FOSS community want. They want companies to open the driver source code and then maintain it.

      The Broadcom chips may be simple enough that they will get support but the "open the specs and someone will write the drivers for free" just doesn't work once you get into complex devices.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    4. Re:I have to wonder why they bother... by LWATCDR · · Score: 2

      Not as big of an issue as you would think for the manufacturers. The drivers would just be loadable and not statically linked to the kernel. The reason for not using OpenWrt is that the UI is terrible; LuCI is not great, but the standard out-of-box UI is just a command line. Oh yes, I use a TP-Link TR-3220 as a media extender. It is really cool that they have it and I will probably get a few more TP-Link routers for other projects, but OpenWrt is not friendly at all.
      DD and Tomato do not work on as many devices so I have not had a chance to play with them.

      --
      See my blog http://ilovecookes.blogspot.com/ for light hearted technical information.
    5. Re:I have to wonder why they bother... by fuzzyfuzzyfungus · · Score: 3, Interesting

      Because said vendors are the one that have to provide post sales support. I suppose they could fork Open or DDWRT (if even possible, I haven't checked) and go their own way. It's basically the same argument for why you don't see Linux desktops on the show room floor at your local B&M store.

      That's actually the weird thing: If you wanted to extend the router analogy to PCs, you would see Linux desktops on the show floor at the local store; but they would all be running deeply dysfunctional bespoke distros, mostly out of date and broken in various ways, some built from scratch, some based off an elderly version of Redhat, along with the low end machines all running FreeDOS with a bundled program designed to resemble a KDE desktop. You would be justified in asking 'Why the hell didn't they just install debian?'

      I'm not imagining that retail routers would be running open-wrt-SVN-Bleeding-edge-UNSTABLE, or ship without some drool-proof web interface that the support guys have a manual for. I just don't understand why(in the presence of free, solid, easily available 3rd party firmware) vendors keep spending on developing in-house or licenced firmware that has all kinds of nasty personality issues, time after time.

  4. Cutest name by Anonymous Coward · · Score: 2, Funny

    TP-Link is the cutest name. Toilet Paper Link... It wipes the competition, literally.

    1. Re:Cutest name by hack++slash · · Score: 4, Funny

      And "bunghole" could be a euphemism for "internet", which would explain why Beavis said "I need teepee for my bunghole", he just wanted to go online...

      --
      To do something right, you often have to roll up your sleeves and get busy.
  5. Re:What about OpenWRT? :) by Anonymous Coward · · Score: 2, Informative

    From the summary:

    The good news: Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well.

    (emphasis mine)

  6. Only worked from LAN side by indy_bob_twobears · · Score: 2

    So, this is not important to me, I am not worried about intrusion from my users. Unless someone writes a Linux virus to set up a tftp server and send the request URL.

    1. Re:Only worked from LAN side by wvmarle · · Score: 2

      Can you trust your visitors?

      Including uninvited, secretive visitors?

      I'm sure a determined attacker will just social-engineer their way in, and after the visit there is a second backdoor but now one that's accessible from the outside as well.

  7. TP by DaMattster · · Score: 2

    So I guess the router is about worth toilet paper, huh?

    1. Re:TP by jones_supa · · Score: 2

      Well, toilet paper works every time.

  8. Re:Looks like the firmware upgrade by ledow · · Score: 5, Informative

    Should be fixed, yes. Critical to your network security? Not really.

    It requires someone to convince a local user to click a link which not only executes an HTTP request against the router but also somehow starts up a TFTP service on the machine that executes that request, with some crafted files served from it to compromise the router when it asks for them.

    It's a home router (and "routers" in the headline is accurate but misleading - precisely two are listed as vulnerable), so to be honest, I'm not at all surprised that this is possible. Hell, UPnP is more a security threat than this backdoor and that's enabled by default in a lot of places.

    However, if TP-Link (whose products I quite like, especially their wireless repeaters) had just issued an update that stopped this happening, I'd not have even cared about it one jot and it would disappear into the void of things that have been patched already. It's the non-response that gets me. Someone at TP-Link couldn't even be bothered to say "We're looking into it"?

  9. "root access to the local network" by Cajun+Hell · · Score: 2

    "...gain root access to the local network..."

    That's really troubling too, because after I read this, I went to change my network's root password and I couldn't find where to do that!

    After RTFA it's clear they mean root access to that router, which is the same thing that anyone would have inferred from the mere mention of "back door" anyway. So why add the confusing phrase about the network?

    The world is already stupid enough. There's no need to go to extra trouble to make it stupider. That's wasted effort.

    --
    "Believe me!" -- Donald Trump
  10. Who uses that? by slashmydots · · Score: 2

    I've used one TP-Link device ever and it was a DSL modem since AT&T's price was absurd. Also the responsiveness and hardware specs weren't bad for the price. If you want the mother of all routers for fairly cheap, the ASUS RT-N12 (B1) is the king. It uses all Realtek wireless chips. It intercepts initial webpage requests and logs in password-less for initial configuration via its control panel so no typing in IPs. It adapts its IP structure automatically (increments it to 2) around AT&T's modems that purposely use 192.168.1.1 to screw with people. It can be set as a repeater or an access point too so you can drop 4 wired ethernet ports wirelessly on the other side of your house without actual wires. If a machete severs your cable to the modem, it intercepts web requests and pops up and tells you specifically that the link cable between the modem and router was disconnected. I use it at my shop and I've never had to reboot it even after 100+ wireless and wired clients. And this router runs about $40. Take that, TP-Link.

  11. What is "root access to a network?" by EmagGeek · · Score: 2

    I'm having trouble wrapping my feeble mind around that one.

  12. CS students no longer take economics classes? by tlambert · · Score: 4, Informative

    Bullshit.

    Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers.

    Broadcom is trying to avoid the fact that they make a commodity product. If they would acknowledge that they do, they could benefit from drivers that were compatible with multiple vendors chipsets.

    CS students no longer take economics classes?

    Their product is NOT commodity; their functionality IS commodity. This is an INTENTIONAL line in the sand they are drawing to keep the products legal in the US, since you are not permitted to license an SDR in the US except as the aggregate of both the hardware for the SDR and the firmware which gets loaded into the hardware, and the driver which drives the hardware. This is an FCC regulation intended to keep people from easily eavesdropping or interfering with Military, Police, Fire, and other emergency services bands. It also makes it more difficult to turn a cheap SDR into a scanner by running it in receive-promiscuous mode, which would let you hear cell phone and other end-pointed transmissions, as well as allowing you to fake the IMEI for the device in order to clone other people's phones.

    They DO NOT WANT an open source driver that documents their hardware interfaces so someone can clone their chip registers, since documenting the operation and order of operations on their chip registers represents disclosure of Trade Secret information not protectable by patents.

    They would prefer that this never happen, since it means that if they have a large chunk of the market, they can keep other people from entering the market by making them work to get parity with their closed source drivers shipping in a third party OS, like Windows. Buy Windows? Broadcom just works, buy someone else's chips? Good luck, since you will have to fight to get your drivers signed, and fight Microsoft with getting them to ship your drivers with their OS so that your competing chipset also "just works".

    It's an intentional non-monopoly anticompetitive practice (and therefore this side of the legal line) which raises costs for your competitors to the same levels as your costs, since you already have sunk costs that you need to recover. Making it so some clone factory can take advantage of all your sunk costs, and no matter what you do, they will undercut your pricing in the market.

    This is EXACTLY the same reason the old Adaptec SCSI controllers went to the HIM architecture, and EXACTLY why the Diamond Viper video cards required a matched driver for the PAL coding matching the BIOS with the card, which made them a bitch to use without thunking down to INT 10. Both companies were preventing their cards being cheaply cloned and being used with the drivers they wrote. John Hamm, who made the decision on the HIM layer at Adaptec was later the CEO of one of the startups I worked at.

    Note that the video driver stuff is not the same; the 3D engine uses patented processes in software, so they can't Open Source those without granting the license to use their patents, royalty free, so long as the code is licensed under similar terms.

    Hardware accelerated decode for H.264 and MPEG would require licensing the Sorenson patents on a per chip basis. By pushing the cost of licensing off to the OS vendor as part of the licensing of the OS, they make it someone else's problem, which brings down the unit cost on the GPUs, so long as they are not used for that purpose, and you end up with bulk licensing applying across multiple GPUs when it comes from the OS vendor, which spreads the pain around to your competitors. So even though the decode could be fully done in hardware, there's always a software loopback part that requires the license, since the hardware won't do it on its own without the loopback.