Networking Security

Backdoor Found In TP-Link Routers

New submitter NuclearCat writes "Polish security researchers have found a backdoor in TP-Link routers, allowing an attacker to not only gain root access to the local network, but also to knock down the router via a CSRF attack remotely. (Further information; Google translation of the Russian original.) According to the researchers, TP-Link hasn't yet responded to give an answer about the issue. The good news: Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well."
  • Et tu, China? (Score:3, Insightful)

    by Anonymous Coward on Friday March 15, 2013 @07:52AM (#43181487)

    With every government in the world wanting their own backdoors to everything these days, designing firmware for modern routers must be akin to being a carpenter tasked with building a house to satisfy 300 different feuding owners.

    • Comment removed based on user account deletion
    • Re:Et tu, China? (Score:5, Insightful)

      by stevegee58 ( 1179505 ) on Friday March 15, 2013 @08:36AM (#43181827) Journal
      The last time I posted a comment about Chinese products containing malware I was voted down as flamebait and accused of being a racist.
      • by L4t3r4lu5 ( 1216702 ) on Friday March 15, 2013 @09:32AM (#43182255)
        That's nothing! I've tried, on numerNEVER BEFORE to post about bugs in produce coming from China, and every tiCHINESE GOODS ARE MADE TO HIGHEST QUALITYerent in some way. I tried to warn my boss away from buying that "too cheap" Cisco gear from eBay (the lettering was weird, too), but he wouHONOURABLE MANAGER MAKES SENSIBLE PURCHASING DECISION.
      • Been there, too.
      • Re:Et tu, China? (Score:4, Insightful)

        by AK Marc ( 707885 ) on Friday March 15, 2013 @02:14PM (#43185297)
        Sony has shipped backdoors. Cisco has shipped backdoors. HP, Microsoft, and probably everyone else (they just might not all get press - I know personally of the HP case because I worked there for that one, apparently someone let the imaging machine get infected to where the HP recovery media had a virus rootkit on them, burned and shipped). Everyone on the planet is looking at "China" closer than anyone else, and the discovery rate is lower than US rate, but one company, TP-Link, has one issue, and suddenly, it's a coordinated Chinese attack on us. It's that logical disconnect that earns you a racist tag.
      • That is the Chinese Water Army at work. The fascists that run that country are insanely sensitive to criticism....
  • English news article (Score:5, Informative)

    by hweimer ( 709734 ) on Friday March 15, 2013 @07:54AM (#43181501) Homepage
  • by fuzzyfuzzyfungus ( 1223518 ) on Friday March 15, 2013 @07:55AM (#43181509) Journal

    Given the relatively dismal reputation of vendor firmware on most routers, and the distinctly limited opportunities for software-differentiation in the 'well, it sits there and makes the internet wireless, right?' networking market, I honestly have to wonder why most vendor firmware isn't just thinly-skinned Open or DD WRT out of the box...

    • Re: (Score:2, Informative)

      by Anonymous Coward

      For a lot of routers the chipset manufacturers aren't as friendly towards open source as they could be (eg broadcom), which is largely the reason why many popular routers are unsupported or work-in-progress for openwrt/dd-wrt etc.

      • For a lot of routers the chipset manufacturers aren't as friendly towards open source as they could be (eg broadcom), which is largely the reason why many popular routers are unsupported or work-in-progress for openwrt/dd-wrt etc.

        Open Source is not too friendly to Broadcom chipsets keeping their software interfaces secret to prevent clone vendors from leveraging the effort Broadcom put into writing the drivers for its chips by just making chips that could work with the Broadcom drivers.

        Either you leave the Broadcom drivers out of Windows itself (disadvantaging Broadcom in the market place), or you include them, and if they use a documented interface, you disadvantage Broadcom in the marketplace, since they had to pay for the drivers.

        • by h4rr4r ( 612664 )

          Bullshit.

          Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers.

          Broadcom is trying to avoid the fact that they make a commodity product. If they would acknowledge that they do, they could benefit from drivers that were compatible with multiple vendors chipsets.

          • by LWATCDR ( 28044 )

            "Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers."
            Doesn't happen with complex devices; AMD proved that. AMD has released the documentation for their GPUs and the open source drivers lag the closed source, and AMD has to pay programmers to work on the open source drivers, same as Intel does for their GPUs. And the next statement will be that of course the closed source drivers are ahead of the FOSS drivers because they have had a head start and the

            • by h4rr4r ( 612664 )

              Wireless chips are not that complex.

              AMD can't even make their own decent driver, not even the closed one, maybe the hardware just sucks.

            • Bullshit; the b43 drivers were reverse-engineered by the community and are better than Broadcom's own drivers. Granted, WiFi drivers are a little more complex than a serial port driver, but they're nowhere near as hard as GPU drivers.

          • by tlambert ( 566799 ) on Friday March 15, 2013 @11:04AM (#43183143)

            Bullshit.

            Broadcom does not even need to pay to make drivers. Open source the documentation and let others make the drivers.

            Broadcom is trying to avoid the fact that they make a commodity product. If they would acknowledge that they do, they could benefit from drivers that were compatible with multiple vendors chipsets.

            CS students no longer take economics classes?

            Their product is NOT commodity; their functionality IS commodity. This is an INTENTIONAL line in the sand they are drawing to keep the products legal in the US, since you are not permitted to license an SDR in the US except as the aggregate of both the hardware for the SDR and the firmware which gets loaded into the hardware, and the driver which drives the hardware. This is an FCC regulation intended to keep people from easily eavesdropping or interfering with Military, Police, Fire, and other emergency services bands. It also makes it more difficult to turn a cheap SDR into a scanner by running it in receive-promiscuous mode, which would let you hear cell phone and other end-pointed transmissions, as well as allowing you to fake the IMEI for the device in order to clone other people's phones.

            They DO NOT WANT an open source driver that documents their hardware interfaces so someone can clone their chip registers, since documenting the operation and order of operations on their chip registers represents disclosure of Trade Secret information not protectable by patents.

            They would prefer that this never happen, since it means that if they have a large chunk of the market, they can keep other people from entering the market by making them work to get parity with their closed source drivers shipping in a third party OS, like Windows. Buy Windows? Broadcom just works, buy someone else's chips? Good luck, since you will have to fight to get your drivers signed, and fight Microsoft with getting them to ship your drivers with their OS so that your competing chipset also "just works".

            It's an intentional non-monopoly anticompetitive practice (and therefore this side of the legal line) which raises costs for your competitors to the same levels as your costs, since you already have sunk costs that you need to recover. Making it so some clone factory can take advantage of all your sunk costs, and no matter what you do, they will undercut your pricing in the market.

            This is EXACTLY the same reason the old Adaptec SCSI controllers went to the HIM architecture, and EXACTLY why the Diamond Viper video cards required a matched driver for the PAL coding matching the BIOS with the card, which made them a bitch to use without thunking down to INT 10. Both companies were preventing their cards being cheaply cloned and being used with the drivers they wrote. John Hamm, who made the decision on the HIM layer at Adaptec was later the CEO of one of the startups I worked at.

            Note that the video driver stuff is not the same; the 3D engine uses patented processes in software, so they can't Open Source those without granting the license to use their patents, royalty free, so long as the code is licensed under similar terms.

            Hardware accelerated decode for H.264 and MPEG would require licensing the Sorenson patents on a per chip basis. By pushing the cost of licensing off to the OS vendor as part of the licensing of the OS, they make it someone else's problem, which brings down the unit cost on the GPUs, so long as they are not used for that purpose, and you end up with bulk licensing applying across multiple GPUs when it comes from the OS vendor, which spreads the pain around to your competitors. So even though the decode could be fully done in hardware, there's always a software loopback part that requires the license, since the hardware won't do it on its own without the loopback.

            • by tibit ( 1762298 )

              Good luck, since you will have to fight to get your drivers signed

              Lolwut? Your "fight", then, is as follows: Forking over around $250 for a certificate, downloading a cross certificate and running signtool on the driver files.

              Wakeup call: you sign the drivers yourself. Having the drivers pass WHQL testing is another matter and fairly optional.

              All it'd take to get rid of this problem in the civilized world would be to make the PCI and USB VID/PID combination subject to trademark law. A knockoff product couldn't use the same PID/VID as the brand name, and brand name driver

        • by Hatta ( 162192 )

          Open Source is not to friendly to Broadcom chipsets keeping their software interfaces secret to prevent clone vendors from leveraging the effort Broadcom put into writing the drivers for its chips by just making chips that could work with the Broadcom drivers.

          Any vendor, Broadcom or competitor, that wants free drivers can just publish specs and the community will build the drivers. There's no competitive disadvantage if everyone gets free drivers.

          • Apparently there is, or nVidia, Broadcom, and a whole host of others would be doing just that.

            • by Hatta ( 162192 )

              Only if you assume businesses make rational decisions. In reality, they are as driven by fear as the people that comprise them.

        • by sjames ( 1099 )

          That's utter and complete crap. The fact is, most chips with similar function have a similar INTERFACE anyway. Knowing the details reveals little about the all-important internal implementation. A clone maker will happily shave the package off and find out every last detail of the chip using an electron microscope anyway.

          That's not to say that management paranoia coupled with the delusion that their product is totally unique and revolutionary doesn't convince them of that utter and complete crap.

          In some cas

      • by LWATCDR ( 28044 )

        Not as big of an issue as you would think for the manufacturers. The drivers would just be loadable and not statically linked to the kernel. The reason for not using OpenWRT is that the UI is terrible: LuCI is not great, but the standard out of box UI is just a command line. Oh yes, I use a TP-Link TR-3220 as a media extender. It is really cool that they have it and I will probably get a few more TP-Link routers for other projects, but OpenWRT is not friendly at all.
        DD and Tomato do not work on as many devices

        • Not as big of an issue as you would think for the manufacturers. The drivers would just be loadable and not statically linked to the kernel. The reason for not using OpenWRT is that the UI is terrible: LuCI is not great, but the standard out of box UI is just a command line. Oh yes, I use a TP-Link TR-3220 as a media extender. It is really cool that they have it and I will probably get a few more TP-Link routers for other projects, but OpenWRT is not friendly at all.
          DD and Tomato do not work on as many devices, so I have not had a chance to play with them.

          I have a TD8816 ADSL 2+ router running in modem mode (plain PPPoE stream that's terminated on a separate machine). I was initially impressed at the fairly extensive featureset, given that it was dirt cheap. Unfortunately, that's where my impressedness ended: when running in ADSL2+ mode it syncs to a nice high speed during the day... then at night the SNR on the line drops. Unfortunately, the modem doesn't ever bother to resync as the SNR gets worse - eventually *all* the packets are arriving as CRC error

      • by jimicus ( 737525 )

        The great majority of these routers are running Linux.

        It seems to be a dirty little secret of the router world: they're all running Linux (GPLv2), many have ADSL chips and support PPPoE and PPPoA.

        Yet the mainline kernel has practically zero support for ADSL chips - none of the drivers have been open-sourced. The documentation for the chips themselves is released to the router manufacturers under NDA, and quite often the manufacturers also get a reference driver (a Linux kernel module).

        This means the router

    • by neokushan ( 932374 ) on Friday March 15, 2013 @08:24AM (#43181731)

      As far as I know, that's more or less what Asus does. I have an RT-N66U and it's an absolute dream box. It's based on one of the open source firmwares (I can't remember which one though, DD-WRT, OpenWRT or Tomato), Asus releases the source code to the firmware and you don't have to do anything fancy to install a custom variant of it, just upgrade your firmware manually like you would on any other router except pick the custom firmware file.

      • Comment removed based on user account deletion
        • That's great, but the OP was asking about why most vendors don't do this. He wasn't talking about people in china.

      • I don't know about Asus, but my Buffalo WZR-HP-G300NH does exactly that. Buffalo makes their proprietary firmware, and also pays for having a custom DD-WRT build made. I ended up installing OpenWRT on it, though, due to some stability issues.
    • Comment removed based on user account deletion
      • by LWATCDR ( 28044 )

        ummm... You do realize that a lot of the routers already run Linux just with a different skin.

      • by fuzzyfuzzyfungus ( 1223518 ) on Friday March 15, 2013 @08:54AM (#43181987) Journal

        Because said vendors are the one that have to provide post sales support. I suppose they could fork Open or DDWRT (if even possible, I haven't checked) and go their own way. It's basically the same argument for why you don't see Linux desktops on the show room floor at your local B&M store.

        That's actually the weird thing: If you wanted to extend the router analogy to PCs, you would see Linux desktops on the show floor at the local store; but they would all be running deeply dysfunctional bespoke distros, mostly out of date and broken in various ways, some built from scratch, some based off an elderly version of Redhat, along with the low end machines all running FreeDOS with a bundled program designed to resemble a KDE desktop. You would be justified in asking 'Why the hell didn't they just install debian?'

        I'm not imagining that retail routers would be running open-wrt-SVN-Bleeding-edge-UNSTABLE, or ship without some drool-proof web interface that the support guys have a manual for. I just don't understand why(in the presence of free, solid, easily available 3rd party firmware) vendors keep spending on developing in-house or licenced firmware that has all kinds of nasty personality issues, time after time.

        • by Zalbik ( 308903 )

          I just don't understand why(in the presence of free, solid, easily available 3rd party firmware) vendors keep spending on developing in-house or licenced firmware that has all kinds of nasty personality issues, time after time.

          My guess? Cause most managers don't have a real firm grasp on software development, and the smart software developers convince their managers to keep development in-house (job security).

    • I honestly have to wonder why most vendor firmware isn't just thinly-skinned Open or DD WRT out of the box

      They think:
      1) we can save a nickel on RAM if we don't use linux
      2) we sell tens of millions of devices
      3) that's millions of dollars of savings

      and if they contract out the firmware to the lowest bidder and don't actually provide any support, maybe they're right. What I find surprising is that the linux-based routers didn't take over years ago at a $10 premium for their good reputation. Then again, I've

  • Cutest name (Score:2, Funny)

    by Anonymous Coward

    TP-Link is the cutest name. Toilet Paper Link... It wipes the competition, literally.

  • So, this is not important to me, I am not worried about intrusion from my users. Unless someone writes a Linux virus to set up a tftp server and send the request URL.
    • Can you trust your visitors?

      Including uninvited, secretive visitors?

      I'm sure a determined attacker will just social-engineer their way in, and after the visit there is a second backdoor but now one that's accessible from the outside as well.

      • by mjr167 ( 2477430 )
        If they have physical access you have bigger problems...
        • OK, those uninvited notwithstanding, it is normal for companies to have visitors.

          People coming for business discussions, people coming to do building maintenance (various contractors), etc. Getting through the door is pretty easy. Getting on their LAN (wireless) is pretty easy (may not even have to get through the door for that). Getting on their LAN (wired) is a little harder - but a little social engineering and say pretending to be a network maintenance guy will usually get you really far, especially in

          • by mjr167 ( 2477430 )
            That is why you need good escort policies... Don't let your visitors run around unattended.
            • Of course. But then there are policies, and then there is the real world.

              "Don't leave your visitor unattended!"

              "But I'm just fetching him a cup of coffee..."

              And when said "network maintenance" guy is there, even if someone is keeping a watchful eye on him, that someone likely doesn't know what the network maintenance guy is doing (or they could have done it by themselves).

  • by DaMattster ( 977781 ) on Friday March 15, 2013 @08:09AM (#43181621)
    So I guess the router is about worth toilet paper, huh?
  • by Anonymous Coward

    LAN side only, seems to be the firmware upgrade app since it requires the sending computer to be on the LAN, and providing a TFTP connection.

    "Update2: to works on WAN port if http admin is open WAN"

    Well there's a gaping hole, most of the routers I've owned, you can enable the admin on the LAN or the LAN+WIFI, I've never seen one you can open the admin page to the WAN.

    Still, not quite the hyperbole in the Slashdot summary though!

    • by ledow ( 319597 ) on Friday March 15, 2013 @08:30AM (#43181783) Homepage

      Should be fixed, yes. Critical to your network security? Not really.

      It requires someone to convince a local user to click a link which not only executes an HTTP request against the router but also somehow starts up a TFTP service on the machine that executes that request, with some crafted files served from it to compromise the router when it asks for them.

      It's a home router (and "routers" in the headline is accurate but misleading - precisely two are listed as vulnerable), so to be honest, I'm not at all surprised that this is possible. Hell, UPnP is more a security threat than this backdoor and that's enabled by default in a lot of places.

      However, if TP-Link (whose products I quite like, especially their wireless repeaters) had just issued an update that stopped this happening, I'd not have even cared about it one jot and it would disappear into the void of things that have been patched already. It's the non-response that gets me. Someone at TP-Link couldn't even be bothered to say "We're looking into it"?
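The chain ledow describes (a browser on the LAN makes an HTTP request to the router; the router then opens a TFTP read request back to the requesting host and runs whatever it fetches) has a distinctive shape on the wire, and a LAN sensor can correlate on it. The following is an added detection example, written for this page; it is not code from the thread, from TP-Link, or from the researchers' write-up. It joins TCP/80 flows into the router with UDP/69 flows the router opens toward the same host shortly afterwards. The log format, the router address 192.168.1.1, the 30-second window and every request path in the sample are constructed; the real backdoor path is not given on this page and is not reproduced here.

```python
import re
from datetime import datetime, timedelta

ROUTER_IP = "192.168.1.1"        # assumption: the router's LAN address
WINDOW = timedelta(seconds=30)   # assumption: how soon the TFTP callback follows the HTTP request

# One line per new flow, as a LAN sensor might log them. Constructed format:
#   <ISO timestamp> <TCP|UDP> <src>:<sport> -> <dst>:<dport> [free-text detail]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>TCP|UDP) (?P<src>[\d.]+):(?P<sport>\d+) -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+)(?: (?P<info>.*))?$"
)

def parse_line(line):
    """Return a dict for one flow line, or None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    ev["sport"], ev["dport"] = int(ev["sport"]), int(ev["dport"])
    ev["info"] = ev["info"] or ""
    return ev

def detect_tftp_callbacks(lines, router_ip=ROUTER_IP, window=WINDOW):
    """Flag every UDP/69 flow the router opens toward a host that sent it an HTTP
    request within `window` beforehand. Returns a list of alert dicts."""
    last_http = {}   # client IP -> most recent HTTP request event from that client to the router
    alerts = []
    for ev in filter(None, map(parse_line, lines)):
        if ev["proto"] == "TCP" and ev["dst"] == router_ip and ev["dport"] == 80:
            last_http[ev["src"]] = ev
        elif ev["proto"] == "UDP" and ev["src"] == router_ip and ev["dport"] == 69:
            prior = last_http.get(ev["dst"])
            if prior is not None and timedelta(0) <= ev["ts"] - prior["ts"] <= window:
                alerts.append({
                    "client": ev["dst"],
                    "http": prior["info"],
                    "tftp": ev["info"],
                    "delay_s": (ev["ts"] - prior["ts"]).total_seconds(),
                })
    return alerts

# Constructed sample: a normal admin page view, then the suspicious pair (HTTP request
# followed one second later by the router pulling a file from the requester over TFTP),
# then a TFTP flow far outside the window that should not be paired.
SAMPLE_LOG = """\
2013-03-15T08:30:00 TCP 192.168.1.20:50110 -> 192.168.1.1:80 GET /index.htm
2013-03-15T08:30:04 TCP 192.168.1.50:51234 -> 192.168.1.1:80 GET /example-unauthenticated-path
2013-03-15T08:30:05 UDP 192.168.1.1:34567 -> 192.168.1.50:69 RRQ payload.bin
2013-03-15T08:41:00 TCP 192.168.1.20:50111 -> 192.168.1.1:80 GET /index.htm
2013-03-15T08:45:00 UDP 192.168.1.1:34568 -> 192.168.1.20:69 RRQ x.bin
"""

if __name__ == "__main__":
    for alert in detect_tftp_callbacks(SAMPLE_LOG.splitlines()):
        print("router pulled a file over TFTP from %(client)s %(delay_s).0fs after "
              "it sent '%(http)s' (%(tftp)s)" % alert)
```

As the AC further up notes, the legitimate firmware-upgrade flow looks the same on the wire (the admin's PC makes the request and then serves the file), so this rule will fire on that too; the interesting hits are the ones where the serving host is not the admin workstation, or where the HTTP request came from a browser that was merely visiting some other web page.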

      • by Anonymous Coward

        Sloppy to hard code the request. But then again, suppose they forced you to enter the password for the router, you wouldn't be able to reconfigure it if you've forgotten the password. That 'easysetup app' of theirs would be worth anything.

        "I'd not have even cared about it one jot and it would disappear into the void of things that have been patched already. It's the non-response that gets me"

        I bet the TPLINK guy didn't even know why they would do that. He'll just be a PR guy who doesn't know squat and doesn

    • by ls671 ( 1122017 )

      "Update2: to works on WAN port if http admin is open WAN"

      Well there's a gaping hole, most of the routers I've owned, you can enable the admin on the LAN or the LAN+WIFI, I've never seen one you can open the admin page to the WAN.

      Still, not quite the hyperbole in the Slashdot summary though!

      I have seen many; here are two examples:

      TP-LINK:
      54M Wireless Router
      Model No. TL-WR340G/TL-WR340GD

      D-LINK:
      Product Page: DIR-615
      Hardware Version: E3 Firmware Version: 5.10

  • by ls671 ( 1122017 )

    This reminds me of the vonage PAP2 case where you could unlock the PAP2 device by intercepting the tftp connection the device made to vonage the first time it got plugged in after you bought it from the store. You would redirect the connection to your own tftp server and basically tell the device to unlock itself.

    The device was worth $70 and Vonage sold it for $10 locked.

    Some devices can easily be told to reconfigure themselves by simply telling them to download a configuration file through tftp, All you

    • This reminds me of the vonage PAP2 case where you could unlock the PAP2 device by intercepting the tftp connection the device made to vonage the first time it got plugged in after you bought it from the store. You would redirect the connection to your own tftp server and basically tell the device to unlock itself.

      Amusingly (to me) I'm working on that now. I'm currently stuck because I got the downgrade firmware on there but it's not requesting the XML file. It's getting an address via DHCP and then just sitting there like a turd.
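The provisioning pattern ls671 and the reply describe (the device fetches its configuration over TFTP from whoever answers, so pointing it at your own server "unlocks" it) comes down to the protocol having no authentication or integrity at all. The following is an added example written for this page, not code from the thread, from Vonage, or from the TP-Link researchers: a minimal RFC 1350 encoder/decoder with both sides of an RRQ/DATA/ACK exchange run in-process against a constructed set of server files. The filenames and file contents are made up, and the in-process "server" stands in for whichever host on the segment answers the device's read request first.

```python
import struct

OP_RRQ, OP_WRQ, OP_DATA, OP_ACK, OP_ERROR = 1, 2, 3, 4, 5
BLOCK = 512   # RFC 1350 data block size; a DATA packet shorter than this ends the transfer

def build_rrq(filename, mode="octet"):
    return struct.pack("!H", OP_RRQ) + filename.encode() + b"\0" + mode.encode() + b"\0"

def build_data(block, payload):
    return struct.pack("!HH", OP_DATA, block) + payload

def build_ack(block):
    return struct.pack("!HH", OP_ACK, block)

def build_error(code, msg):
    return struct.pack("!HH", OP_ERROR, code) + msg.encode() + b"\0"

def parse(pkt):
    """Decode one TFTP packet into a dict carrying the fields its opcode defines."""
    (op,) = struct.unpack("!H", pkt[:2])
    if op in (OP_RRQ, OP_WRQ):
        filename, mode, _rest = pkt[2:].split(b"\0", 2)
        return {"op": op, "filename": filename.decode(), "mode": mode.decode()}
    if op in (OP_DATA, OP_ACK):
        (block,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "block": block, "data": pkt[4:]} if op == OP_DATA else {"op": op, "block": block}
    if op == OP_ERROR:
        (code,) = struct.unpack("!H", pkt[2:4])
        return {"op": op, "code": code, "msg": pkt[4:].split(b"\0", 1)[0].decode()}
    raise ValueError("unknown opcode %d" % op)

def exchange(server_files, filename):
    """Run the device/server conversation in-process and return (content, transcript).
    content is None when the server answers with ERROR. Note what is absent from the
    device side: it takes whatever DATA arrives, from whoever sends it."""
    transcript = []

    def send(direction, pkt):
        transcript.append((direction, parse(pkt)))
        return pkt

    req = parse(send("device->server", build_rrq(filename)))
    data = server_files.get(req["filename"])
    if data is None:
        send("server->device", build_error(1, "File not found"))
        return None, transcript
    content, block = bytearray(), 1
    while True:
        chunk = data[(block - 1) * BLOCK: block * BLOCK]
        content += parse(send("server->device", build_data(block, chunk)))["data"]
        send("device->server", build_ack(block))
        if len(chunk) < BLOCK:          # short (possibly empty) block terminates the transfer
            return bytes(content), transcript
        block += 1

def data_packets(transcript):
    return sum(1 for _, p in transcript if p["op"] == OP_DATA)

# Constructed server contents. exact.bin is exactly one block long, which forces the
# server to send an empty second DATA packet so the device knows the file has ended.
FILES = {"config.xml": b"<cfg>" + b"A" * 1090 + b"</cfg>", "exact.bin": b"B" * 512}

if __name__ == "__main__":
    body, transcript = exchange(FILES, "config.xml")
    for direction, p in transcript:
        summary = {"op": p["op"], "block": p["block"], "len": len(p["data"])} if p["op"] == OP_DATA else p
        print(direction, summary)
    print("received %d bytes" % len(body))
```

The device never learns who it is talking to: the only identity in the conversation is the IP address it sent the RRQ to, which is exactly what DHCP or DNS redirection controls. That is why a device that provisions itself over TFTP is trivially reconfigurable by anyone on the path, and why a router that fetches a file over TFTP from whichever host just made an HTTP request to it is handing that host code execution.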

  • If I keep hearing Linux is no more inherently secure than OSX or Windows, then why should one presume that there's some reason that OpenDD or OpenWRT should inherently be any more secure than standard router firmware?
    • a) from whom are you hearing this no more secure...? b) in this very special case the mentioned Open/DD-WRT system doesn't have this security hole?
      • by mark-t ( 151149 )
        Right here on slashdot, actually. The argument typically given is that the *only* real reason Linux doesn't have any major problems with viruses is because its desktop share is too small, not because the operating system is somehow proofed against such types of attacks.
    • If I keep hearing Linux is no more inherently secure than OSX or Windows, then why should one presume that there's some reason that OpenDD or OpenWRT should inherently be any more secure than standard router firmware?

      I don't know how the comparison to Mac/Win applies here, but anyway, here's my theory... OpenWRT is developed by a larger, open community which also wants to offer long-term support for older devices. A manufacturer stock firmware of a router (even if Linux-based) can be slapped together quite sloppily and the manufacturer moves on to next projects, leaving security holes and router-crashing bugs behind.

    • TP-link deliberately introduced a backdoor. You can do that on OSX or Windows, too, and it's no harder.

      the real issue here is that if TP-link shipped Open-WRT with a TP-link skin and some kind of mostly-automatic updating, they'd be far better off. vendors don't seem to understand that open-source isn't just a shortcut, but a better way to support their systems.

  • I got my first TP-Link Router last night. Turns out I'm not going to use it because my ISP (Frontier) doesn't support configuring the crappy router they provided, into bridge mode, which would allow me to make use of it.
  • by Cajun Hell ( 725246 ) on Friday March 15, 2013 @09:21AM (#43182185) Homepage Journal

    ..gain root access to the local network..

    That's really troubling too, because after I read this, I went to change my network's root password and I couldn't find where to do that!

    After RTFA it's clear they mean root access to that router, which is the same thing that anyone would have inferred from the mere mention of "back door" anyway. So why add the confusing phrase about the network?

    The world is already stupid enough. There's no need to go to extra trouble to make it stupider. That's wasted effort.

  • by Anonymous Coward

    Today, we got some feedback from TP-Link Poland:

    1) Apologies for their earlier lack of contact
    2) Confirmation of the vulnerability on WAN side (ie. if you have your web admin put on WAN - you are affected).
    3) Info about imminent press release
    4) Offer to have some other models of the TP-Link devices - for security tests

    -- ms, sekurak.pl team

  • by slashmydots ( 2189826 ) on Friday March 15, 2013 @09:39AM (#43182319)
    I've used one TP-Link device ever and it was a DSL modem since AT&T's price was absurd. Also the responsiveness and hardware specs weren't bad for the price. If you want the mother of all routers for fairly cheap, the ASUS RT-N12 (B1) is the king. It uses all Realtek wireless chips. It intercepts initial webpage requests and logs in password-less for initial configuration via its control panel so no typing in IPs. It adapts its IP structure automatically (increments it to 2) around AT&T's modems that purposely use 192.168.1.1 to screw with people. It can be set as a repeater or an access point too so you can drop 4 wired ethernet ports wirelessly on the other side of your house without actual wires. If a machete severs your cable to the modem, it intercepts web requests and pops up and tells you specifically that the link cable between the modem and router was disconnected. I use it at my shop and I've never had to reboot it even after 100+ wireless and wired clients. And this router runs about $40. Take that, TP-Link.
    • If you want the mother of all routers for fairly cheap, the ASUS RT-N12 (B1) is the king.

      No way. The D-Link DOR-632 sells for $35 from Amazon.com (free shipping) right now. It's trivial to upgrade it to DD-WRT. Once you do that, it can act as a wireless bridge, wireless repeater, WDS, AP, etc. Hell, it can act as 10 different APs, if you want... make your own guest WiFi DMZ.

      Hardware-wise, it has a maximum-legal power 20dB radio. 8 ethernet switch ports. And a built-in USB port, which can be connecte

  • I just upgraded a WR841ND v7 from the official firmware to DD-WRT today. Seems to work fine, the configuration interface is friendly, and there's no more occasional lag when playing computer games online.
  • Yeah, where are these guys? Why aren't they printing out secure routers and other hardware? In fact, why isn't anybody? That will really scare the tyrants...

  • I'm having trouble wrapping my feeble mind around that one.

  • Users who replaced their TP-Link firmware with Open/DD-WRT firmware can sleep well.

    On what basis?

    On the basis of the security updates that occur, every single time a kernel or userland vulnerability is discovered?

    I have yet to see a security release for DD-WRT. I see updates, randomly, which have nothing to do with security issues. Certainly the stable branches of both projects release rarely.

    Note, I'm not faulting these guys -- these are nice firmwares. However, to think that they are somehow more secure, when they fall prey to the same problem -- THAT IS, NO UPDATES DUE TO SECURITY

  • I've got a TP Link router, and if I try to visit the backdoor URL, the router shuts off its wireless. An attacking webpage would just need to put that URL in an img tag for example to trigger my browser to open it.

    I'm currently in Shanghai and the router is a unique chinese model, so I have no idea if it's compatible with OpenWRT / DD-WRT.
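The observation above (visiting one URL turns off the wireless, and an attacking page only needs to put that URL in an img tag) is the textbook CSRF shape: a state-changing action reachable by an unauthenticated GET, which any page the user visits can trigger because the browser issues the request on the user's behalf. The following is an added example written for this page, not TP-Link's firmware or the researchers' code, showing a handler with that defect beside a hardened one that requires POST, a valid session, a same-origin Origin header and a per-session CSRF token. The path /example/disable-wireless, the origin http://192.168.1.1 and the attacker origin are placeholders; the real backdoor path is not given on this page and is not reproduced here.

```python
import hmac
import secrets

ROUTER_ORIGIN = "http://192.168.1.1"         # assumption: the router's web UI origin
ACTION_PATH = "/example/disable-wireless"    # placeholder path; the real one is not on this page

# Session store: session id -> per-session CSRF token (in-memory stand-in for the router's auth state).
SESSIONS = {}

def login():
    """Create a logged-in session and return (session_id, csrf_token)."""
    sid, token = secrets.token_hex(16), secrets.token_hex(16)
    SESSIONS[sid] = token
    return sid, token

def vulnerable_handler(req):
    """Any request to the path performs the action: no method, session, origin or token
    check, so an <img src="..."> on an unrelated page drives it through the victim's browser."""
    if req["path"] != ACTION_PATH:
        return 404, "not found"
    return 200, "wireless disabled"

def hardened_handler(req):
    """Same action, gated on POST, a valid session cookie, a same-origin Origin header
    and a CSRF token that matches the one issued to that session."""
    if req["path"] != ACTION_PATH:
        return 404, "not found"
    if req["method"] != "POST":
        return 405, "method not allowed"
    expected = SESSIONS.get(req.get("cookies", {}).get("session", ""))
    if expected is None:
        return 401, "login required"
    if req.get("headers", {}).get("Origin") != ROUTER_ORIGIN:
        return 403, "cross-site request rejected"
    token = req.get("form", {}).get("csrf_token", "")
    if not hmac.compare_digest(token, expected):   # constant-time compare of the token
        return 403, "bad csrf token"
    return 200, "wireless disabled"

def make_requests():
    """Three constructed requests. The browser attaches the router's cookie to all of them;
    only the legitimate one carries the per-session token and a same-origin Origin header."""
    sid, token = login()
    cookies = {"session": sid}
    img_get = {"method": "GET", "path": ACTION_PATH, "cookies": cookies,
               "headers": {"Referer": "http://attacker.example/page.html"}}
    cross_site_post = {"method": "POST", "path": ACTION_PATH, "cookies": cookies,
                       "headers": {"Origin": "http://attacker.example"}, "form": {}}
    legit_post = {"method": "POST", "path": ACTION_PATH, "cookies": cookies,
                  "headers": {"Origin": ROUTER_ORIGIN}, "form": {"csrf_token": token}}
    return img_get, cross_site_post, legit_post

def compare():
    """Status codes each handler returns for the img-tag GET, the cross-site POST and the legit POST."""
    reqs = make_requests()
    return {"vulnerable": [vulnerable_handler(r)[0] for r in reqs],
            "hardened": [hardened_handler(r)[0] for r in reqs]}

if __name__ == "__main__":
    print(compare())
```

The token is the control that actually matters: a cross-site page cannot read it, so it cannot forge a request that carries it. The Origin check is a second line that older browsers may not send on every request, which is why the handler does not rely on it alone. None of this helps with the other half of what the researchers describe, a maintenance path that needs no login at all; that has to be removed from the firmware, not wrapped in a check.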

  • TP-Link is really the cheapest of the most low end Chinese own-brand Junk. Hopefully open-source hardware will become more common making this kind of backdoor harder to go unnoticed for so long
  • by Anonymous Coward

    I've had a customer that used a TP-Link router, and their software required MSSQL port to be forwarded from the internet to their desktop (for motel software - updating reservations, etc).
    I wanted to firewall the Windows machine to only allow a subnet in from their supplier, who agreed all other incoming traffic on mssql port should be blocked. Unfortunately when I port forwarded it from the TP-Link router, the router also SNAT the traffic coming in so all requests on the mssql port were coming from the rou

    • I suspect you had the wrong product for your customer. These are cheap home grade devices - I've seen a few in people's homes. I would never use them in a business.
