TP-Link Routers - Is there a security risk?

[OMB]

I am starting this thread to highlight a debate that has started in a different thread that may otherwise go unnoticed by other members. I know there are a lot of TP-link users out there so thought it might be of interest to bring it out into its own thread and hopefully receive further input form some of the networking boffs out there.

The debate centres around the following posts and responses:

Anyone that has a TP Link ADSL router burn it. It shows your ADSL account and password in clear text when you telnet to it.

If you dont understand what I am saying here let me put it like this.

A TP Link by default has TCP port 23(Telnet) and TCP port 80 (HTTP) open and the default username and password is admin and admin.... or some dumb people use admin and 1234.... thus to hijack hundreds of ADSL accounts its very easy when people are usinge TP Link chipset ADSL routers. When you log in via telnet you go to the pppoe username details and just below it is the password. I am studying for my CEH and did some self study and found more than 50 accounts in 1 day. Please throw your ADSL TP Link router away and go buy a nice Netgear.

I understand where you’re trying to go with this but what you’ve posted isn’t quite accurate, you’ve omitted fairly key points!

Yes, a TP-LINK by default has port 23 and port 80 open on the LAN port but by default its not open to access from the WAN port, this can be enabled as it can be on most ADSL routers including Netgear and yes if the default username and password were left unchanged with remote access enabled it would pose a serious security risk, a risk exclusive to TP-LINK? No, not at all, ANY mainstream ADSL router that has remote access or remote support enabled with default username and password would be vulnerable and you would be able to access all of the information on the router regardless of brand!

Yes, default username and password is admin:admin but don’t 99% of networking products on the market have this default username / password? It’s common knowledge that you'll get a list of default username / passwords off the internet in a matter of minutes, a clever guy like you studying your CEH would then probably be able to write a pretty nifty script that scan's the ADSL subnet attempting to log into ADSL routers with these default credentials logging successful attempts to a log file for later manipulation, I honestly believe that what you’d find from something like this would not be a particular brand standing out as being most vulnerable but rather poorly secured or configured devices across a multitude of vendor platforms as a result of a poorly configured device.

By default, TP-LINK devices as well as Netgear, SMC, D-LINK, Billion etc… will have most security settings disabled out of the box, the reason is so that initial configuration is not complicated, I agree to leave any network device on a public network with this default configuration is a bit silly and would most likely see your device and possibly your network compromised but its unfair to blame the manufacturer for this, its probably fair in a case like this to blame the individual who configured the unit no?

There’s no such thing as a TP-LINK chipset, their ADSL routers (like most ADSL routers) use either Broadcom or Trendchip chipsets.

.. the chipset used by TP-LINK adsl routers is insecure is the same as some edimax adsl routers. Below accounts proves my point. I have added an (X) so that the accounts cant be used. Also if you can telnet to 196.210.228.181 and see for yourself.

lll050@wadsl
ipeyir(X)31

[email protected]
bhf(x)svnl

arishworth@axxesslite
k(X)aevz25

[email protected]
4zk(x)5cn2

I have hundreds more. You are missing the bloody point bud. ADSL ACCOUNT INFO IN CLEAR TEXT xD Its not the broadcom chip sets There are a number of ways gaining access to a home network. but yeah if you dont mind a router that keeps passwords in clear text go for it.

What does the chipset have to do with the device security? Surely this is decided by the O/S or Firmware and not the chipset!

I still fail to see how this "proves" your point, if remote access is enabled then yes I agree with you the device is vulnerable but once again this is not vendor specific and any device regardless of who manufactured it would be vulnerable if this was enabled all of which I said in my previous post!!!!!

I'd like comments from other forum members on this because I really don't agree with your comments and think that maybe you're the one talking from the wrong end.

Other responses?

 

[eCliPSe]

Please Note I have no vendetta against TP-LINK. I like some of their products and used it in high profile clients homes. I was personally surprised to find clear text passwords that cant be seen when connecting via http but can be seen when connected via telnet.

PS the command is "show all" forgot to mention it

 

[PsyWulf]

Most routers show PPPoE passwords in the page source in browsers,this is commonly exploited to steal accounts. While telnet displaying this same information makes automated harvesting sligthly easier it doesn't make the users of these routers any less responsible if they don't change their router passwords

The fact that WAN access to telnet and the router management pages is blocked by default these days negates this risk by far

 

[eCliPSe]

Indeed Users needs to take responsibility to ensure they secure their ADSL routers then it become much harder gaining access to your info or your home network if you change the default username and password. The other problem is that its not just home users but even some companies that doesnt secure their ADSL routers ( SMB's ).

 

[RoganDawes]

OK, there are a couple of things here.

1. Most routers do not expose their admin interfaces (http/telnet) to the WAN, but only on the LAN interface. So, in order to compromise the router, you have to be on the LAN already.

2. Any router that needs to authenticate to a PPPoE server will need to store the credentials in clear, or in a recoverable format. That is because the PPPoE server expects cleartext passwords to be provided. If you store them hashed on the router, how do you get clear text passwords to send to the PPPoE server? And if you store them encrypted, there is not much benefit, as the algorithm and the key must be available on the router in order to decrypt them again.

3. Actually displaying the credentials is probably not a great idea. As mentioned, some routers used to include the original password in a password input field when showing the config page. Just View Source, and look, and you'll see the actual password. This is not good practice, as often enough, pages like that may be cached by the user's browser, and anyone with access to the browser will be able to extract those credentials. This is obviously less of an issue when interacting via telnet, as there is no caching of telnet traffic.

4. It is obviously good practice to change passwords from defaults. No argument there.

 

[DrJohnZoidberg]

@eCliPSe - I think out of courtesy you should mask the IP address you posted earlier, that router is now accessible to everybody that reads this post (unless of course it's your own router hehe).

 

[syntax]

I have answered this in the other thread, but agree with posters here and there.
Unless the admin specifically allows management on the outside / wan interface, then the only risk is having a weak Wireless password or encryption standard.

It is incredibly rubbish the device stores the passwords in plaintext, but it is equally dumb allowing management on the wan with default usernames and passwords

 

[StonerStuart]

Serious network-noob here.

Is the above mentions issues the same with the 3G Router?
Can you "telnet" into this router or is that only a feature of the ADSL routers?

And please be gentle as i have stated i have no idea when it comes to networking but i own a TP-Link 3G router and as far as i know i am secure.

 

[syntax]

Serious network-noob here.

Is the above mentions issues the same with the 3G Router?
Can you "telnet" into this router or is that only a feature of the ADSL routers?

And please be gentle as i have stated i have no idea when it comes to networking but i own a TP-Link 3G router and as far as i know i am secure.

Im not sure if your device supports telnet to it. But if you have not enabled management on the wan interface, then you are very likely safe.
Just ensure you use strong wireless passwords and a decent encryption scheme

 

[StonerStuart]

As you can most probably tell from my username i am most likely paranoid...

I do not use the WAN port. I use WPA-2 PSK or something like that and my password is 32 digits long.
I have set my 'auto IP thing' to only allow 3 connections at the same time.

 

[Brandon.click]

Ok I just want to get a few thigns straight as a noob. If you disable remote access on a TP-link ADSL router it should be safeish provided you've done things like use a strong encryption/ password and hide AP etc...?