TP-LINK Loses Control of Two Device Configuration Domains (helpnetsecurity.com) 86
Reader Orome1 writes: Security researcher Amitay Dan warns that tplinklogin.net, a domain through which TP-LINK router owners can configure their devices, is no longer owned by the company, and that this fact could be misused by malware peddlers. TP-LINK has confirmed that they no longer own the domain in question, and will not be trying to buy it from the unknown seller for now. Instead, they intend to change the domain in the manuals to a newer one that's already in use. ComputerWorld has more details.
Re:Who gives a shit? (Score:5, Informative)
Re:Who gives a shit? (Score:5, Funny)
There are other people in the world besides yourself.
You mean out in the big blue room with the bright light? This is Slashdot. We don't mention those people.
Re: (Score:1)
DNS was one of the first things we put in the cloud.
Re: (Score:3)
I use TP-LINK network bridges. There are other people in the world besides yourself.
Well maybe you should reconsider since, apparently, the company must not be solvent enough to afford a $10 per year domain registration.
Re: (Score:3)
I use TP-LINK network bridges. There are other people in the world besides yourself.
Well maybe you should reconsider since, apparently, the company must not be solvent enough to afford a $10 per year domain registration.
Much like Google [businessinsider.com] couldn't afford $12 last year...
Re: (Score:2)
I use TP-LINK network bridges. There are other people in the world besides yourself.
Well maybe you should reconsider since, apparently, the company must not be solvent enough to afford a $10 per year domain registration.
Much like Google [businessinsider.com] couldn't afford $12 last year...
If I recall correctly, that was actually due to a software bug in Google's own domain registration service that allowed him to register the google domain. If I recall correctly, the software reverted the registration almost immediately, too.
You didn't actually read that article. (Score:1)
You didn't actually read the article, it wasn't that they didn't pay for their domain, it was that there was a bug in their own registrar software that allowed someone else to register their domain even though the domain was already registered.
Re: Who gives a shit? (Score:2)
I use one of their wireless routers.
I think I paid $30 for it over 3 years ago when my $120 Netgear router crapped out.
I chose this one specifically because I could install DD-WRT on it. While I would have preferred Tomato Firmware, I needed something cheap and fast at the time.
No issues with it since I installed DD-WRT on it. Someone maintains an up-to-date firmware for this specific device (I don't have the model number with me), with regular updates every 2-3 months.
Re: (Score:2)
Because this is commodity hardware that's available in almost any IT-related shop, even the dumbest:
http://www.pcworld.co.uk/gbuk/... [pcworld.co.uk]
Lots of people have bought that router, and they could now all be compromised. Besides that, this is an IT site. If it was Cisco, you'd be up in arms.
Re: (Score:1)
Why does a router need "a domain through which to configure it"? Don't you just connect to a 192.168 address with a browser?
Re:Who gives a shit? (Score:4, Insightful)
That was what you did PRE-CLOUD. Now all the vendors want you to go through their website.
That way, later, when they discontinue the product --- they can require you purchase an upgrade, next time you want to make changes.... Or even better, they can bill you a monthly fee, and turn your network off if you forget to renew the license; e.g. Meraki.
Re: (Score:1)
And they can upgrade the firmware of your router to add a backdoor when needed...
Re: (Score:2)
Well, I for one think this is important. How else can the government ensure we are safe from terror, tax evasion, and political subversion if they aren't allowed to install backdoors in our network hardware?
Re: (Score:2)
I'm curious.
If your router's settings are fubar and won't let you go online, how do you connect to the cloud to change the router's settings so you can go online?
Re: (Score:2)
Phone, 3G.
Re: (Score:2)
It has nothing to do with 'the CLOUD' or any such nonsense. The internal name server in the router resolves that name to ITSELF.
Re: (Score:2)
If your router's settings are fubar and won't let you go online, how do you connect to the cloud to change the router's settings so you can go online?
You call customer support. Usually they have a 'factory reset' button which will revert the device to grabbing its configuration from DHCP, so it can get back online.
They may have one of those 'diagnostic acoustic interfaces', where you do a button sequence, then hold your phone up to the device, and new settings are loaded onto it.
They may d
Re:Who gives a shit? (Score:5, Insightful)
The router resolves that domain to the 192.168 address of the router. It has nothing to do with 'the evilz CLOUD'. Only on /. does idiocy like this get modded 'insightful'.
Re: (Score:2)
Network vendors are doing this. So I get the update that this is not what TP-LINK is doing here. That does not invalidate my point though..... Be VERY careful about other vendors requiring you to use an external link to configure local equipment or making calls out to home.
I would check really thoroughly, and if there's not a way to turn it off, return the product to merchant before the return period runs out.
Re: (Score:2)
you can't get the new firmware, which means if there is a vulnerability in your version, you're screwed.
Cisco has a Free security updates policy for their equipment. You don't need a support contract --- you just will not be able to download it directly without calling in TAC on the phone.
As long as the model is not end of life, you can call in TAC support for a free security update, and you'll get the version with security bugs patched.
You will not get other upgrades, bugfixes, or enhancements. The
Re: (Score:2)
Why does a router need "a domain through which to configure it"?
Corporate networks typically have domain servers.
Don't you just connect to a 192.168 address with a browser?
Most corporate networks are set to 10.0.0.0 for addresses. When I did a PC refresh project at a Fortune 500 company, the engineers wanted to keep their old workstation but the IT department wouldn't open more ports and/or provide switches. The engineers brought old routers from home to use the switch portion but didn't turn off the DHCP server for the router. Nearby workstations picked up the 192.168.0.0 addresses, unable to access the corporate network, and
Re: (Score:2)
If they don't have dedicated switches, they probably aren't very good engineers. They are like 10 bucks for a 5 port switch and no network issues.
These engineers were trained computer scientists. From my experience with computer scientists, they don't know squat about hardware. They just pulled hardware out of their junk boxes, put it into service and whined to help desk when the network goes FUBAR.
Re: (Score:2)
Took all morning? Really?
The single IT tech had to search multiple floors in an office building to find the half-dozen rogue routers hidden behind multiple workstations underneath the desks.
I would hope a Fortune 500 would do things better than have such an open network in this day and age.
This particular company had an open network where anything plugged in could get on the network. I've worked at other Fortune 500 companies that required a help desk ticket to open a port on the switch. If you have a rogue wireless access point at Cisco, security will immediately show up to confiscate the AP and investigate you for criminal intent
Re: (Score:2)
It IS always resolved locally via the router. The issue is NOT for people with these routers, it is for anyone else who goes to that domain.
Re: (Score:2)
Because a sequence of random numbers, 'dots', and so on are too complicated for most users. Everything they type in the address bar has to start with "dubbayu, dubbayu, dubbayu" anyway, doesn't it?
Re: (Score:1)
See where you went wrong there is, you thought anyone would give a fuck what you think. I racked one for a customer today because he's a cheap bastard. So they get used. And this is a gigantic bollock to drop as a tech company, hence, newsworthy.
Re: (Score:2)
TP-Link stuff is generally pretty OK, but with OpenWRT (for the models and versions which are capable) is very nice.
Summary makes it sound worse than it is (Score:5, Informative)
The CW article says the router intercepts that domain name and redirects to an internally hosted web page.
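A check for the behaviour described in the comment above, as an added example that is not part of the original thread: it resolves the configuration hostname and reports whether the answers point at the local network (the router answered for itself) or at a public address (the query reached Internet DNS, i.e. whoever now holds the domain). The function names and the sample addresses in the comments are constructed for illustration.

```python
import ipaddress
import socket

CONFIG_HOST = "tplinklogin.net"  # domain named in the story

# Ranges that can only be reached on the local host or LAN.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "::1/128", "fc00::/7", "fe80::/10",                # IPv6 equivalents
)]

def is_local(addr):
    """True if addr falls in a loopback, link-local or private range."""
    ip = ipaddress.ip_address(addr.split("%")[0])  # drop IPv6 scope id
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by its embedded IPv4 address.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip in net for net in LOCAL_NETS)

def classify(addresses):
    """Classify the resolver's answers for the config hostname.

    intercepted: every answer is local (router resolved the name to itself)
    external:    every answer is public (name was resolved on the Internet)
    mixed:       both kinds returned, worth investigating
    unresolved:  no answer at all
    """
    if not addresses:
        return "unresolved"
    local = [is_local(a) for a in addresses]
    if all(local):
        return "intercepted"
    return "mixed" if any(local) else "external"

def resolve(host):
    """Return the distinct addresses the system resolver gives for host."""
    try:
        infos = socket.getaddrinfo(host, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})

if __name__ == "__main__":
    answers = resolve(CONFIG_HOST)
    print(CONFIG_HOST, answers, classify(answers))
```

Run from a machine behind the router, an `external` result means the browser would be sent to the Internet-hosted site rather than the device's own admin page.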
Re: (Score:1)
I confess, I've used lots of home routers over the years, and have set up friends' and neighbors' routers, and I've never heard of using a domain name that the router intercepts. I've always just used IP addresses. If 192.168.1.1 or 192.168.0.0 wasn't it, I just googled the defaults for that router.
Re: (Score:3)
But, imagine Joe User. Let us say that there are 150,000,000 Joe user routers out there. Let us say Joe User needs to access his router 1.5 times per year. Let us say that after accounting for everything, .5% of the time Joe user remembers the bad tplink address, but no longer uses a tplink router. That is 750,000 chances to redirect Joe User to a password phishing page, or.. download this critical TP-Link update!
Don't buy shit that calls home! (Score:2)
If it needs to call home to function, this shit will happen.
Cisco does this shit too.
Sure they still own the DNS address but it sets YOU up for a DNS-based attack, an oops-we-bricked-your-shit, or Spooks need access to your network.
Re: (Score:2)
I don't care.. As long as I can put Tomato/DDWrt/OpenWRT on a router, getting rid of the universally crappy f/w that comes with these commodity routers, I'll use em... My customers are cheap, but they keep food on my table...
OpenWRT on DIR-645 (Score:3)
I couldn't agree more. Just replaced my old WRT54GL router with a dirt-cheap D-Link DIR-645 that was on clearance sale. Just checked that it could run OpenWRT before I bought it. Works like a dream with my USB 3G dongle, have had it for 3 months now. The original firmware would not even support modems, forcing you up to more expensive models despite the hardware being more than capable.
You can easily flash back the original firmware if you need to return it for warranty purposes. Most routers run U-Boot the
Re: (Score:2)
TP-Link is not known for smart decisions. They were the first to interpret the new FCC regs as a big F-U to the open source community:
http://arstechnica.com/informa... [arstechnica.com]
It's a shame - I have one of their devices serving my guest network pretty much flawlessly (using openwrt, of course). Never again.
Re: (Score:2)
most geeks that are within 2 gens of The Elders have typed that so many times it's not even conscious behavior.
However script kiddies won't have this habit
random geek test for you
1 The next 2 lines of the following are?
He died at the console,
Of hunger and thirst.
2 what is this a reference to?
3 the main difference between a 56K modem handshake and a 33.6 handshake is what sound pattern??
4 what is the difference between a PS/2 connection and an S-Video connection??
5 how is a 568A connection wired? (and what ha
Re: (Score:2)
These days, routers seem determined to pick random IP addresses to try and force you to use their configuration tools. My home router is .1.254. Thankfully route still works to tell me where the router is.
Chrome used to do a pretty fancy thing where it would autocomplete your router's IP address (and say that this is your router's address). It doesn't seem to do that anymore.
Are you fucking kidding me? (Score:2)
They screwed up in a breathtaking way by losing their domain, and they aren't even going to fix it, putting countless people at risk of unknown bad actors?
I've never used these autoconfig domains myself, and I recently stopped using a TP-Link router I had because I just happened to buy an Asus instead. But with this news, I will *never* buy another TP-Link router again.
Decent network security is hard enough to maintain as it is, without having this sort of gross incompetence happen on top of it. Between th
Because $15/year is worth more than... (Score:2)
...the security of thousands of customers. Way to go, TP-Link.
Re: (Score:2)
You're a poor reader if that's how you interpreted my statement.
It's a company's responsibility to renew their domains *before* they expire.
Isn't there a trademark issue? (Score:2)
Please protect me (Score:1)