Would have been nice to know about 3 weeks ago before buying one.
US reportedly mulls TP-Link router ban over national security risk
The Feds may ban the sale of TP-Link routers in the US over ongoing national security concerns about Chinese-made devices being used in cyberattacks. Three federal departments — Commerce, Defense, and Justice — have opened investigations into the router manufacturer, according to a Wall Street Journal report, citing "people …
COMMENTS
-
Thursday 19th December 2024 01:15 GMT O'Reg Inalsin
Freedom awaits you
What model do you have? Many TP-Link models are supported with OpenWRT, which is open source Linux-based router software. [Open WRT table of hardware - https://openwrt.org/toh/start]
If your model is supported then you can load WRT into your EEPROM, reboot, and be running something even less unlikely to have backdoors than a router made in the USA oops no such thing manufactured in China and EEPROM-flashed with proprietary firmware in the USA.
If your router isn't supported, there are OpenWRT supporting new Wifi 5 802.11ac (one behind the newest Wifi6 802.11ax) routers for under $30, or used ones on eBay for even less than that.
About 7 or 8 years ago I loaded OpenWRT onto a router, and although it was fiddly setting it up and playing around with it for a month or two, I haven't touched it since then (*) and it has never failed. (* Haven't touched it since then except for a hard coded table of device-MAC-addresses to IP addresses, which I update whenever a new device is added or an old one removed. The default is not hard coded, but I opted for hard coded for added security).
-
Thursday 19th December 2024 03:52 GMT Number6
Re: Freedom awaits you
I second the OpenWRT route too. TP-Link routers tend to be cheap and reliable, although I've never used their software for longer than it takes to reflash it. My router currently says it's been up for 236 days, which is probably about when we last had a power outage longer than the UPS could handle. It's handling VLANs to keep some devices partitioned off from the rest of the network on their own subnet, took a bit of effort but figured it out in the end.
-
Friday 20th December 2024 22:06 GMT Yet Another Anonymous coward
Re: Freedom awaits you
>OpenWRT is a good plan.
Opensource is communism, please report to your nearest capitalism indoctrination center for reprogramming
(please note: it is up to you to ensure that your reprogramming center is in-network or you could be liable for any costs. Claims for reprogramming may be denied if deemed non-necessary or we feel like it)
-
Thursday 19th December 2024 02:15 GMT bombastic bob
Would have been nice to know about 3 weeks ago
Well, they have 2 things going for them: they're cheap, and they actually work.
I got a cheap TP-Link range extender that doubles as an AP. The reason was simple: a relative that lives with me likes using Nintendo gaming devices, but they tend to use B mode (even the newest ones) which KILLS network throughput during multiplayer games [let's say "Among Us"] when I'm trying to do development work on an embedded device across the wifi network. So editing files using X11 starts to SUCK because B mode screws the throughput for everything ELSE. Solution, a 2nd AP but with DHCP etc. turned OFF. Ethernet cable to a convenient place, and it works! (the thing looks like a wall-wart)
When I got it I was VERY disappointed at their docs and setup instructions, which said NOTHING about AP mode, so I gave it a one-star review and then hacked the solution. Turns out you need internet connectivity AND ethernet to the device simultaneously, THEN go to some remote web page, and it re-directs to a config page on the device itself where you can set it up, which is BS as far as I am concerned. And if you have "noscript" active it misleadingly tells you to UPGRADE YOUR BROWSER rather than "enable script".
So it's really "cheap crap but it works". No great loss if they get banned. That's My Bombastic Opinion at any rate...
-
Thursday 19th December 2024 07:49 GMT Dan 55
Re: Would have been nice to know about 3 weeks ago
>Solution, a 2nd AP but with DHCP etc. turned OFF.
I'm glad you had one which allowed DHCP to be turned off. I have two which have their own DHCP which allegedly only steps in when the link with the router goes down, but why would anyone even want that because when the link comes back that's your network screwed as the router's DHCP gives way to the one in the extender. And so when the power goes, 10 minutes of futzing around unplugging the extenders, starting the router, plugging in the extenders in when the router is live and connected to the Internet.
I blamed the router for a couple of years until I found out that there was a later firmware update for the extenders that the auto update didn't find, the auto update claimed that it was at the latest version. So once both extenders were manually updated to the real latest version they finally allowed me to turn off the extenders' own DHCP.
Just really shit software all round.
-
Wednesday 18th December 2024 21:46 GMT DoContra
I wouldn't trust the software either...
... but their hardware (paired with OpenWRT) is very good for the price, and they have been trying on the security front; in particular, their OOB prompts on newish devices (AX23/WiFi 6) seemed to be a pretty good UX and really insisted on you changing the password. Secret services shenanigans notwithstanding, can't really say TP-Link is significantly worse than other consumer-grade brands.
That said, they seem to be complaining mostly about ISP-supplied equipment, which is typically not user-upgradeable (and in many cases, not even user-configurable). In my corner of the world, On-Premises equipment is only replaced on failure, on speed upgrade not supported by your current device, or when you change ISPs.
-
Thursday 19th December 2024 01:33 GMT O'Reg Inalsin
Re: I wouldn't trust the software either...
Your model Archer C3200 does appear to be hardware-locked-down by design [https://forum.archive.openwrt.org/viewtopic.php?id=62821&p=2]. :(
Obviously, it is better to check whether the hardware is supported before buying. Lots of hardware is supported by OpenWRT. I don't know much about DD-WRT - I thought they had merged.
-
Wednesday 18th December 2024 22:41 GMT Graham Cobb
Re: I wouldn't trust the software either...
I've not been running vendor-supplied software on any router pretty much since my employer pulled out of the router business in the 90's. Now that the LEDE spat is resolved, OpenWRT works well and TP-Link hardware seems to be a good choice for it nowadays.
Of course, I am only 98% certain that TP-Link firmware doesn't operate a clandestine capability for China to snoop or interfere with the operation of OpenWRT. So, how about, instead of taking potshots at banning TP-Link, how about the US government puts the effort into detailed security testing to convince itself (and us) that TP-Link is not interfering when the router is running OpenWRT.
At the same time, various other governments (including the Chinese) could do similar testing to make sure that Cisco isn't doing the same thing to allow the US to spy on us.
-
Wednesday 18th December 2024 23:14 GMT williamyf
Re: I wouldn't trust the software either...
I've had good experiences with DD-WRT. Haven't tried OpenWRT yet, as by the time I wanted to flash the only router in my stable that supports it (casually, a TP-Link), it fell prey to the 4/32 rule
https://openwrt.org/supported_devices/432_warning
Having said that, the only way to be sure that your router will have alternative firmware from the get go, is to buy it second hand, or buying one which already has it, or has a close derivative.
I went with a GL.inet GL-MT1600, which has a derivative of OpenWRT, but has plenty of vanilla builds available. Additional area coverage in my flat is provided by a pair of wired second hand Linksys E900s with DD-WRT acting as APs. So, no need for mesh, not that I believe in mesh in a harsh RF multidwelling environment where all the neighbors are morons, with red brick walls instead of gypsum planks.
I'll stick with stock for a while, and then change to Stock OpenWRT at some point in the future.
Wish me luck.
-
Wednesday 18th December 2024 22:34 GMT Tron
In the interests of national security...
...surely all Federal and State services should be disconnected from the net. The threat of anything from hacks to zero day vulns is possible due to this stuff being connected to the internet. So take it all offline. Fixed. Sorted. Overnight. The rest of us aren't worth hacking, so we can carry on surfing, buying stuff online and posting words of wisdom on El Reg. The US government will be completely secure - safe from being hacked by being entirely offline.
Government is just too important to risk, so turn all of those government routers off. All government services can switch back to a pre-networked model for day to day operation. Telephones, letters, newsletters. But nothing online.
-
Friday 20th December 2024 22:10 GMT Yet Another Anonymous coward
Re: In the interests of national security...
... surely all Federal and State services should be disbanded. Government is a form of communism, if you needed a service it would be provided more efficiently by the private sector.
This message brought to you by Omni Consumer Products. Your partner in total law enforcement
-
Wednesday 25th December 2024 13:16 GMT SparkE
Re: In the interests of national security...
Ugh! My company sells aerospace and industrial hardware. Pretty much ordinary nuts and bolts that are used on everything from aircraft to holding together backyard swing-sets. Nothing remotely secret, military, proprietary or ITAR or DFAR related. Many US government agencies buy hardware from us and whenever they do, we have to sign a Form 889 to say that our company does not use any networking or communications equipment made by Huawei or they can’t do business with us. Not too big a deal because I’ve never seen anything made by Huawei. However, TP-Link is EVERYWHERE. I hope they don’t start the same nonsense with TP-Link without any concrete evidence. Just because an IT guy doesn’t change the default username and password from admin/admin to something unique, I’m not going to label the manufacturer of that equipment a security risk.
-
Saturday 28th December 2024 04:19 GMT An_Old_Dog
Re: In the interests of national security...
1. Yup.
2. I think the government would be sufficiently-secure using a network which uses government-proprietary protocols and equipment which do not interoperate with the civilian networks. Also, it must use physically separate communications channels (think super-high-speed leased lines, dedicated satellite links, etc.).
3. The safety gained by item 2, above, goes right out the window the moment the first VIP demands their government-networked computer also be connected to the civilian network. (Hacking beachhead established!) Sadly, even having such VIPs publicly hanged for treason would not prevent this behaviour.
4. It isn't just the government. It's also banking, stock, futures, and (monetary) security exchanges, medical institutions, energy infrastructure, transport (trucking, trains, buses, aircraft, and ships), and food distribution chains/retailers. (There is enough food in the retail stores in most modern cities to last three days without replenishment.)
-
Saturday 28th December 2024 04:30 GMT An_Old_Dog
"The Rest of Us Aren't Worth Hacking"
Tell that to all those pig-slaughterers (or whatever the Interpol-approved term is).
Even single, minimum-wage earners (not afflicted with a mindset which causes them to live beyond their means) will have multiple ten-thousands of pounds in their accounts.
The criminals will simply attack computers in volume to make up for the smaller per-victim swag.
-
Thursday 19th December 2024 01:46 GMT O'Reg Inalsin
If the ban goes through, I bet that CCP manufactured TP-link-a-like hardware will still be available, just with a name change and USDA Approved Patented Secure Firmware © on the EEPROM. (And of course a 2x higher price tag for the extra minute of labor + stock dividends + CEO bonus). Although I would be happy to be proven wrong and see it manufactured elsewhere.
-
Thursday 19th December 2024 02:00 GMT TheMaskedMan
Haven't done any for a while, but when I used to do broadband setups on a regular basis I always found TP-Link kit to be inexpensive yet reliable - more so than many of the more expensive alternatives.
Being widespread Chinese kit, it wouldn't surprise me if they were compromised. Some actual evidence would be nice, though.
If they have 65% of the market, it's not massively surprising that the said attacks consisted of largely TP-Link kit, is it? Still, I can understand the concern - just because you're paranoid it doesn't mean they're not out to get you!
-
Thursday 19th December 2024 07:32 GMT Paul Crawford
>Being widespread Chinese kit, it wouldn't surprise me if they were compromised. Some actual evidence would be nice, though.
More likely is simply piss-poor software with developer code left in and crap from marketing inserted in a hurry. But that is hardly unique to TP-Link.
MS, how are your multiple vulnerabilities getting on?
-
Thursday 19th December 2024 05:27 GMT Lil Endian
Due Diligence
So these security warriors installed all of these devices before ascertaining whether or not they posed a security risk. Shirley they'd not be so:
[ ] Remiss; [ ] Incompetent; [ ] Amateurish - (TLAs please tick each box you're now acknowledging.)
No problem, don't worry, we've all got to learn. But now that you've obviously learnt your lesson, to save us going through this every 5 years, could you please let us know which kit you can compromise approve.
-
Thursday 19th December 2024 09:26 GMT GNU Enjoyer
There's no need to ban the routers
All the USA needs to do is require that the only TP-Link routers that can be sold are ones that run only free software and include full source code and installation installation when delivered.
Any Chinese backdoors and the like will be easily fixed then, same as any exploits.
Most TP-Link routers use u-boot, run BusyBox/Linux and implement most functionality with free software, thus doing so will be quite easy for TP-Link (they may not want their customers to have freedom, but it's either that, or they can't sell the product, you know what choice they're going to make).
Currently TP-Link is one of the few manufacturers that actually partially supplies the source code of the GPLv2/GPLv3/LGPLv2.1/LGPLv3 software they use (too bad the source code is often incomplete (it usually does not include "all modules it contains", for example the derivative work of Linux that runs on the Wi-Fi card processor), or of the wrong version, but as typically there is a UART header and u-boot usually isn't handcuffed, such partial source code is usually enough to port "Open"WRT and rarely is enough to port LibreCMC).
-
Friday 20th December 2024 22:13 GMT Yet Another Anonymous coward
Re: There's no need to ban the routers
And that would benefit CISCO how? The point of this is to force local councils / schools / libraries / etc to buy $30K government-approved CISCO routers
-
Monday 23rd December 2024 03:31 GMT GNU Enjoyer
Re: There's no need to ban the routers
Ah yes, gotta love corruption and kickbacks and using an absolutely proprietary $30,000 router when a cheap 1000BASE-T switch with enough ports, or the cheapest computer you can find, with GNU/Linux installed and a 1000BASE-T card added would do.
That reminds me that CISCO needed to be sued before they would comply with the GPLv2 and LGPLv2.1; https://en.wikipedia.org/wiki/Free_Software_Foundation,_Inc._v._Cisco_Systems,_Inc.?useskin=monobook
CISCO nowadays appears to be mostly continuing with their infringing activities, except for some products they'll give you a useless dump of incomplete source code if you manage to ask (that requires an expert level of understanding as to why it is incomplete) and they like breaking their GPLvX request inboxes at random, so you often can't even manage to ask for source code.
Let me guess, the $30,000 routers run BusyBox/Linux and don't even have a written offer (I guess CISCO figures that suckers that big would never ask even if they knew)?
-
Thursday 19th December 2024 09:28 GMT Anonymous Coward
Routers spying on you shouldn't be a problem at all. Because ISPs and TLAs have that capability "on the wire" and therefore all your traffic should be encrypted and disguised anyway.
Yes, there's scope for determining whether you're at home or not based on traffic and MAC address tracking, but that is only useful if they know who you are and where you live and if they have that they can determine that information anyway.
This just sounds like more Trumpist nationalism scare tactics.
-
Thursday 19th December 2024 16:06 GMT Wellyboot
Adding your own open source software removes greatly reduces the chance that you're compromised at the OS level which will help keep non nation state level snoopers away BUT...
As was shown recently with Hezbollah pagers & walkie-talkies all going bang, compromising hardware is just as relevant and there's nothing you can do if 'special' additions have been made to any of the chip designs before they hit the FAB.
-
Thursday 19th December 2024 14:04 GMT Doctor Syntax
>TP-Link has about 65 percent of the US router market for homes and small businesses.
>In late October, Microsoft warned that Chinese government-backed threat actors had compromised thousands of internet-connected devices for password-spray attacks against its customers, and noted "routers manufactured by TP-Link make up most of this network."
So what would constitute "most"? About 65%?
-
Friday 20th December 2024 13:19 GMT Evilgoat76
First they came for Huawei
We do a LOT of large event networki
Years ago, before it all kicked off we purchased a number of Huawei SmartAX MA5612 DSLAMs, Vectoring CCUEs. VDSL2 line cards and POTs card. These were neither cheap nor easy to find.
We chose them on the simple basis that they were the best technology available, they weren't horrifically expensive, the support was excellent as was availability of parts. Nothing US manufactured came close and the Versa's we evaluated against them were garbage. Definitely a market leading product...
US and later UK : "Can't use them because..."
We firewalled them off anyway but upped the security a little but no one ever provided actual proof. We still use them and there is still nothing better.
Rather than drink Ubiquiti Kool-Aid and get reamed by licencing we went TP-Link Omada and went as far as to bake the management into our own build network controllers. The whole thing *just* works bar a few false starts and it's a good, solid, reliable and powerful system. I personally favour it over Ubiquiti for a number of reasons. Like the Huawei DSLAMs we can make the Omada kit sing and dance and we favour the ISP routers we purchase from them for DSL customers (Which we DON'T lock down from the customer). When up against expensive kit like Draytek that B2B providers favour, it's light years ahead in capability and configuration.
US: "Can't use them because..." No doubt the UK will follow suit.
Once again some wishy, washy excuse that seems to boil down to "It's better than our stuff"
It's getting boring now and is starting to reek of protectionism when the home grown options are like swiss cheese and mostly running UIs from the netscape era or built IN CHINA by the lowest bidder.
TP-Link did try a brand shift a few years ago with Mercusys. It's mostly hugely cost reduced TP-Link hardware with an absolute garbage firmware intended to do battle with the Tenda crap.
* I don't doubt Ubiquiti stuff is probably mostly good, but I'm not playing their licencing game for every single product. I buy stuff, it's mine, I don't pay to use it after. I certainly don't pay over the top for old technology and then pay again.
-
Friday 20th December 2024 17:23 GMT Groo The Wanderer - A Canuck
I think it's important to realize that US authorities have just as much access to the American public's information from the ISPs and big tech providers and sites as they do foreign accounts. ALL that information is up for grabs iff you follow the right legal procedures for the law enforcement branch in question.
The same applies here in Canada.
Anyone with cross border accounts is exposed to EVERY nation's authorities where the websites reside should they prove to be of concern.
What exactly is everyone so afraid of China having the same information access through channels that everyone else seems to have?
-
Friday 20th December 2024 22:30 GMT Groo The Wanderer - A Canuck
Furthermore, does anyone really know what back doors might be baked into pieces of proprietary hardware and software?
How much monitoring and inspection is really done for the source code to ensure it hasn't been compromised? For the hardware boot sequence hardware? For the encryption technology in use?
Personally I suspect that the capabilities of the largest of networked clustered systems are already capable of cracking encryption on behalf of our most technologically advanced nations. And the US is not alone on that list, as much as it galls them. Nor are human individuals above being tricked into clicking an abusive link, responding to a questionable post, or otherwise triggering the trap of some scammer, which may or may not involve a code injection on your system.
Many systems do little to prevent that. Most of us with moderate knowledge of technology trust anybody but RedHat to provide reasonable monitoring and access options for the source code that is used to build the systems; they, alas, have decided to do their best to obfuscate the changes that they make and make them as difficult to replicate and access as possible, completely missing the point and nature of the GPL licenses on which their products depend. IBM's coffers are dwindling; sooner or later someone with a bigger legal team and budget is going to take them on over the issue.
The days of the proprietary silo are dwindling. People expect and demand that the code be open for inspection so that its security and quality can be monitored and enhanced. It's in the best interests of everyone who uses open source.
-
Friday 20th December 2024 17:51 GMT Anonymous Coward
How about requiring better security at the ISP?
For instance, prohibiting the ISP from allowing anyone in the world to connect to the ISP-supplied modem/router's TP-069 port? (Looking at you, CenturyLink!) There's no excuse for that kind of failure. With security holes like that, it's only a matter of time before an ISP's entire network gets pwned in one operation.
(Yes, when I had CenturyLink, the TP-069 port, 4567, was open for anyone in the world to connect to, though it did require authentication. As discovered by a port scan I requested through a non-CenturyLink-connected service.)
-
Monday 23rd December 2024 17:36 GMT martinusher
What's a router?
Or, specifically, a "TP-Link" router? Not such a silly question. For many -- including our government officials -- it is obviously a sinister black box with mysterious properties that allow China to monitor our every thought. For the rest of us, the people who actually know how the damn things work, it's a small computer with network connections that runs software that may or may not have bugs and may or may not be easily hackable.
At least the Open-WRT crew understand this. You'd think the Federal government with all its resources and its huge budget would also have a bit of a clue but obviously they don't. It's way easier to just concoct press releases full of innuendo. If they were really worried about these devices they could have easily identified any problems and fixed them by now. But that's not the kind of expertise that runs our society these days, instead we're driven entirely by lawyers and 'financial' engineers. (Who likely see business opportunities in 'rip and replace' -- millions upon millions of units.)