TP-LINK Loses Control of Two Device Configuration Domains (helpnetsecurity.com)
Reader Orome1 writes: Security researcher Amitay Dan warns that tplinklogin.net, a domain through which TP-LINK router owners can configure their devices, is no longer owned by the company, and that this fact could be misused by malware peddlers. TP-LINK has confirmed that they no longer own the domain in question, and will not be trying to buy it from the unknown seller for now. Instead, they intend to change the domain in the manuals to a newer one that's already in use. ComputerWorld has more details.
I use TP-LINK network bridges. There are other people in the world besides yourself.
Seven puppies were harmed during the making of this post.
Because this is commodity hardware that's available in almost any IT-related shop, even the dumbest:
http://www.pcworld.co.uk/gbuk/...
Lots of people have bought that router, and they could now all be compromised. Besides that, this is an IT site. If it was Cisco, you'd be up in arms.
The CW article says the router intercepts that domain name and redirects to an internally hosted web page.
When you use products like this, you get what you deserve. When you use Facebook, you put yourself at risk. This is no different...
See where you went wrong there is, you thought anyone would give a fuck what you think. I racked one for a customer today because he's a cheap bastard. So they get used. And this is a gigantic bollock to drop as a tech company, hence, newsworthy.
I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
Why does a router need "a domain through which to configure it"? Don't you just connect to a 192.168 address with a browser?
All your bases are belong to us!
Fucking Chinese just don't know jack about nothing security.
TP-Link, despite being a no-name router manufacturer to many, actually makes great equipment for about 1/2 the price of other brands, often performing better. Don't believe me? Check out reviews anywhere. Not sure the domain control thing matters, as most people just use the LAN address.
Website Just Down For Me? Find out
There are other people in the world besides yourself.
You mean out in the big blue room with the bright light? This is Slashdot. We don't mention those people.
That was what you did PRE-CLOUD. Now all the vendors want you to go through their website.
That way, later, when they discontinue the product --- they can require you purchase an upgrade, next time you want to make changes.... Or even better, they can bill you a monthly fee, and turn your network off if you forget to renew the license; e.g. Meraki.
Think about such issues the next time a device manufacturer wants to restrict what you can do with the hardware you purchased. Such as examining and changing behavior, including security issues like this.
Shipping devices using patched-up software stacks put together god knows where... leaving customers exposed and vulnerable.
Not everyone is like you! Here's how it can happen!
Sent as ripples into the electromagnetic field. No single photon has been harmed in the process.
"Who gives a shit?"
Well, that is what the "TP" is for silly! It's for yer bunghole after you insert these products where they belong.
And they can upgrade the firmware of your router to add a backdoor when needed...
I use TP-LINK network bridges. There are other people in the world besides yourself.
Well maybe you should reconsider since, apparently, the company must not be solvent enough to afford a $10 per year domain registration.
Why does a router need "a domain through which to configure it"?
Corporate networks typically have domain servers.
Don't you just connect to a 192.168 address with a browser?
Most corporate networks are set to 10.0.0.0 for addresses. When I did a PC refresh project at a Fortune 500 company, the engineers wanted to keep their old workstation but the IT department wouldn't open more ports and/or provide switches. The engineers brought old routers from home to use the switch portion but didn't turn off the DHCP server for the router. Nearby workstations picked up the 192.168.0.0 addresses, unable to access the corporate network, and users complained to help desk. Took the IT department all morning to track down the half-dozen rogue routers.
I use them by the ton. I haven't bought a non TP-LINK router in over 5 years.
If it needs to call home to function, this shit will happen.
Cisco does this shit too.
Sure they still own the DNS address but it sets YOU up for a DNS-based attack, an oops-we-bricked-your-shit, or Spooks need access to your network.
Obama's legacy: (N)othing (S)ecure (A)nywhere and (T)error (S)imulation (A)dministration
I use one of their wireless routers.
I think I paid $30 for it over 3 years ago when my $120 Netgear router crapped out.
I chose this one specifically because I could install DD-WRT on it. While I would have preferred Tomato Firmware, I needed something cheap and fast at the time.
No issues with it since I installed DD-WRT on it. Someone maintains an up to date firmware for this specific device (I don't have the model number with me), with regular updates every 2-3 months.
Can you give less of a fuck about security than that? Granted, TP-Link isn't particularly known for great or backdoor-less firmware, but still, such a public failure to secure your products should put a real dent in your sales.
I'm curious.
If your router's settings are fubar and won't let you go online, how do you connect to the cloud to change the router's settings so you can go online?
-=This sig has nothing to do with my comment. Move along now=-
TP-Link stuff is generally pretty OK, but with OpenWRT (for the models and versions which are capable) is very nice.
Red to red, black to black. Switch it on, but stand well back.
I use TP-LINK network bridges. There are other people in the world besides yourself.
Well maybe you should reconsider since, apparently, the company must not be solvent enough to afford a $10 per year domain registration.
Much like Google couldn't afford $12 last year...
Why not use local IP address to access configuration page? I think typing 192.168.0.1 is simpler, faster and error-proof than typing tplinklogin.net
You don't have to go to the web to configure the router. It's a hard-coded DNS entry that points to the router address. Netgear does it as well. This could be an issue if you've changed the DNS you are using from the router to something else. But I'd bet if you've done that, you are managing the router through the IP address and not this tplinklogin.net.
Well, I for one think this is important. How else can the government ensure we are safe from terror, tax evasion, and political subversion if they aren't allowed to install backdoors in our network hardware?
Phone, 3G.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
It redirects based on the settings of the router. Even if you're not online, if you're able to get to the wireless login page, kind of like the captive portal logins that show up before you log into the internet.
It has nothing to do with 'the CLOUD' or any such nonsense. The internal name server in the router resolves that name to ITSELF.
If they don't have dedicated switches, they probably aren't very good engineers. They are like 10 bucks for a 5 port switch and no network issues.
the $5 a year was too much to maintain the security of its customers.
very sad
Presumably because home users are afraid of the scary computer language address they'd have to type in, so they used those domains. I would be OK with that if the domain always resolved locally via the router, but why the fuck would I ever want to go on the internet to configure my LAN?
I use TP-LINK network bridges. There are other people in the world besides yourself.
Well maybe you should reconsider since, apparently, the company must not be solvent enough to afford a $10 per year domain registration.
Much like Google couldn't afford $12 last year...
If I recall correctly, that was actually due to a software bug in Google's own domain registration service that allowed him to register the google domain. If I recall correctly, the software reverted the registration almost immediately, too.
It IS always resolved locally via the router. The issue is NOT for people with these routers, it is for anyone else who goes to that domain.
... that domain management is a little more involved than just registering it.
Had they used something like myrouter.tplink.com, they'd've still been in full control.
Bottom line: You do have to sit down and think, and come up with a strategy for this sort of thing. Something you can stick with for a couple decades. And to do it properly, you need to actually have some DNS clue. Why this is entirely too hard for manufacturers of networking equipment is a mystery to me.
You didn't actually read the article, it wasn't that they didn't pay for their domain, it was that there was a bug in their own registrar software that allowed someone else to register their domain even though the domain was already registered.
If they don't have dedicated switches, they probably aren't very good engineers. They are like 10 bucks for a 5 port switch and no network issues.
These engineers were trained computer scientists. From my experience with computer scientists, they don't know squat about hardware. They just pulled hardware out of their junk boxes, put it into service and whined to help desk when the network goes FUBAR.
The router resolves that domain to the 192.168 address of the router. It has nothing to do with 'the evilz CLOUD'. Only on /. does idiocy like this get modded 'insightful'.
While I would have preferred Tomato Firmware, I needed something cheap and fast at the time.
Better Tomato Firmware than the Asparagus Firmware, anytime data leaves the port there is a real pungent smell.
It's only resolved by the router if it's the only router on the network. If you're configuring a new AP on an existing network then you will already have DNS set up and so the external thing will resolve.
I am TheRaven on Soylent News
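The distinction drawn in the comments above (the router's own resolver answering tplinklogin.net with a LAN address, versus an upstream resolver returning whatever the domain's current owner publishes) can be checked from a client before typing credentials into the page. This is an added example, not part of the thread; the function names and the sample LAN range are assumptions.

```python
import ipaddress
import socket
import sys

CONFIG_HOST = "tplinklogin.net"  # configuration domain named in the story


def resolve(host):
    """Return the sorted set of addresses the system resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    # Drop any IPv6 scope id ("fe80::1%eth0") so ipaddress can parse it.
    return sorted({info[4][0].split("%")[0] for info in infos})


def classify_answers(addresses, lan_cidr):
    """Classify DNS answers for a router-configuration hostname.

    'local'      every answer is inside the client's LAN range, i.e. the
                 router (or another LAN resolver) answered for itself
    'external'   at least one answer is outside the LAN range: the query
                 reached a resolver that returned the public record
    'unresolved' no answers at all
    """
    if not addresses:
        return "unresolved"
    lan = ipaddress.ip_network(lan_cidr, strict=False)
    for text in addresses:
        ip = ipaddress.ip_address(text)
        if ip.version != lan.version or ip not in lan:
            return "external"
    return "local"


def check(host, lan_cidr, resolver=resolve):
    """Resolve host and return (verdict, answers)."""
    answers = resolver(host)
    return classify_answers(answers, lan_cidr), answers


if __name__ == "__main__":
    # Usage: python check_config_host.py 192.168.0.0/24
    # (the LAN range is an assumption; pass your own)
    lan_range = sys.argv[1] if len(sys.argv) > 1 else "192.168.0.0/24"
    verdict, answers = check(CONFIG_HOST, lan_range)
    print(f"{CONFIG_HOST} -> {answers or 'no answer'}: {verdict}")
    if verdict == "external":
        print("Name resolved outside the LAN; use the router's IP instead.")
```

An `external` verdict is what a client sees when it uses a DNS server other than the router, or sits behind a different router, which are the cases described in the comments.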
Why are the experts from Help Net Security just copy-pasting text from other sources and then spamming slashdot? Two-thirds of that article is copy-paste.
Because a sequence of random numbers, 'dots', and so on are too complicated for most users. Everything they type in the address bar has to start with "dubbayu, dubbayu, dubbayu" anyway, doesn't it ?
Put it all in "the cloud". What could go wrong?
I won't. They happen to fix my wifi coverage problem nicely and are on my side of the network, so good luck to anyone who wants to "hack" in. I won't invite them to my house anymore.
Seven puppies were harmed during the making of this post.
I couldn't agree more. Just replaced my old WRT54GL router with a dirt-cheap D-Link DIR-645 that was on clearance sale. Just checked that it could run OpenWRT before I bought it. Works like a dream with my USB 3G dongle, have had it for 3 months now. The original firmware would not even support modems, forcing you up to more expensive models despite the hardware being more than capable.
You can easily flash back the original firmware if you need to return it for warranty purposes. Most routers run U-Boot these days, it has never been easier to get a top-notch router for pennies. This is why we need the freedom to tinker!
Took all morning? Really?
I work for a very small company and the one time someone tried something similar (bringing in an old router from home because they "needed more ports" in a particular office) it took seconds for my network monitoring to alert me to an unauthorised device on the network and even less time for the switch port to automatically disable because of an unrecognised MAC on the port. I would hope a Fortune 500 would do things better than have such an open network in this day and age.
Took all morning? Really?
The single IT tech had to search multiple floors in an office building to find the half-dozen rogue routers hidden behind multiple workstations underneath the desks.
I would hope a Fortune 500 would do things better than have such an open network in this day and age.
This particular company had an open network where anything plugged in could get on the network. I've worked at other Fortune 500 companies that required a help desk ticket to open a port on the switch. If you have a rogue wireless access point at Cisco, security will immediately show up to confiscate the AP and investigate you for criminal intent.
Not if you are behind a firewall that blocks the connection. Then flash away to OpenWRT or DD-WRT. To get around "blocked" flashing, pop the cover and connect to the async port. You can use Ethernet to pull in the files. Or just X-, Y-, or Z-modem (slow but workable) to copy in.
So to base poster of thread question is correct, "Who gives...?"
They screwed up in a breathtaking way by losing their domain, and they aren't even going to fix it, putting countless people at risk of unknown bad actors?
I've never used these autoconfig domains myself, and I recently stopped using a TP-Link router I had because I just happened to buy an Asus instead. But with this news, I will *never* buy another TP-Link router again.
Decent network security is hard enough to maintain as it is, without having this sort of gross incompetence happen on top of it. Between this and TP-Link announcing that they will no longer permit 3rd party firmware on their devices, TP-Link is now a non-starter for me.
How does TP-LINK affect me or anyone I know?
The reason why nobody will be able to explain this to you in a way you can understand is that you are - demonstrably - simply too stupid.
...the security of thousands of customers. Way to go, TP-Link.
" From my experience with computer scientists, they don't know squat about hardware."
This was a huge reason I switched away from a CompSci degree, I like hardware too much. I was SHOCKED when I ended up doing a ton of upgrades and repairs for my classmates. They had the worst, low-power, el-cheapo machines.
Why the fuck can't people get this through their heads? It's bad enough that nearly every "IT person" is too fucking stupid/lazy to use a domain that will never resolve to a public server for the internal network. It's EVEN FUCKING WORSE that the networking equipment manufacturers are using PUBLIC DOMAINS BY DEFAULT. Seriously, WHAT THE FUCK?
Networking 101: DO NOT USE PUBLIC DOMAINS FOR INTERNAL NETWORK RESOURCES
DNS was one of the first things we put in the cloud.
Sleep your way to a whiter smile...date a dentist!
But this new way allows NSA Cybersecurity to reconfigure the router when necessary.
Or they can be like Cisco where they require you to have a support contract just to get access to the firmware updates. If you don't pay for the support contract, you can't get the new firmware, which means if there is a vulnerability in your version, you're screwed.
Lots of companies do this stupid ritual of registering lots of domains for different projects, and then when renewal comes along the company forgets about it and it lapses, and then it causes them to run around screaming and shouting at people saying "Why did you not renew?" Why don't these firms just have one main domain like tp-link.com and then use sub-domains for each project? That way they don't have to worry about hundreds of silly registered domain names.
It would get modded insightful elsewhere, except most other sites don't have "insightful" as a moderation option.
Actually it is depressing to see it modded insightful, this is supposed to be a community of geeks and nerds who should have some awareness of this shit, not surprising though, /. isn't what it once was.
If the new owner of the domain puts anything up at tplinklogin.net, especially a fake login/phishing page, couldn't they be sued by TP-Link for trademark infringement?
If I can be modded down for being a troll, can I be modded up for being an orc, or a balrog?
Network vendors are doing this. So I get the update that this is not what TP-LINK is doing here. That does not invalidate my point though..... Be VERY careful about other vendors requiring you to use an external link to configure local equipment or making calls out to home.
I would check really thoroughly, and if there's not a way to turn it off, return the product to merchant before the return period runs out.
If your router's settings are fubar and won't let you go online, how do you connect to the cloud to change the router's settings so you can go online?
You call customer support. Usually they have a 'factory reset' button which will revert the device to grabbing its configuration from DHCP, so it can get back online.
They may have one of those 'diagnostic acoustic interfaces', where you do a button sequence, then hold your phone up to the device, and new settings are loaded onto it.
They may direct you to send it back, receive a replacement, Or get the software CD out, or plug a USB cable into the device which loads software on your PC to re-configure the WAN interface settings.
They may also direct you through a "technical support console" which requires connecting with telnet and then entering the response to a challenge code support will provide you.
Some of them may have a stripped-down webui available on the local LAN after factory reset, which will provide just enough configuration to connect to the cloud.
Yeah, shortly afterwards you know what happened?
Eternal September, that's what happened. I blame you!
you can't get the new firmware, which means if there is a vulnerability in your version, you're screwed.
Cisco has a Free security updates policy for their equipment. You don't need a support contract --- you just will not be able to download it directly without calling in TAC on the phone.
As long as the model is not end of life, you can call in TAC support for a free security update, and you'll get the version with security bugs patched.
You will not get other upgrades, bugfixes, or enhancements. They'll provide you the code based on your current version with only the security patches applied to it.
It has everything to do with the cloud, because it's cloud thinking. Keeping your configuration or files or services on somebody else's computer is the core concept of what cloud infrastructure is.
I just want a router that I buy and goes in my home, but protects me from going to all the bad sites, disturbing content that offends me and can be turned off if terrorists break into my home and try to use it to access hate material. Do they sell that?