TP-Link 'smart' router proves to be anything but smart – just like its maker: Zero-day vuln dropped after silence

TP-Link's all-in-one SR20 Smart Home Router allows arbitrary command execution from a local network connection, according to a Google security researcher. On Wednesday, 90 days after he informed TP-Link of the issue and received no response, Matthew Garrett, a well-known Google security engineer and open-source contributor, …

  1. GnuTzu

    No Trust

    I tend not to trust products with the word "smart" in the product name. Or at least, my first question will be "what makes it 'smart'". See today's article on the Huawei router with the UPnP flaw.

    "Smart" usually means that the device automates things in a way that inherently creates vulnerabilities--and way too many of them.

    1. phuzz Silver badge

      Re: No Trust

      S.M.A.R.T. on the other hand, is pretty useful.

      1. GnuTzu

        Re: No Trust

        True, but that's more a standard, and it's for technical people; it's not a "product" marketed to general consumers, just to clarify.

  2. Rajesh Kanungo Bronze badge

    I doubt if TP-Link is organizationally capable of handling security issues. When a guy from Google sends me an email I respond right away. Whoever at TP-Link decided to ignore this request is deliberately hiding his head in the sand.

    1. shovelDriver

      When A Guy from . . .

      Funny! When I receive email from "a guy from Google" or "a guy from Microsoft", I automatically treat it as spam and delete it without viewing it.

      Unless of course I have a case open with either. Which, as I recall, has not occurred for the last 10 years or more. Why? Because spending hours on a paid call with people who fail to listen when I detail the steps I've already taken and then ask me to take those same expensive time-consuming steps again was and is a waste of time.

      Besides, everyone knows that Microsoft requires a credit card before going past "Hello", and that Google makes it so difficult to contact them, for any reason, that it's often cheaper to spend hours - or days - doing it yourself.

      1. big_D Silver badge

        Re: When A Guy from . . .

        Given that, when a Google server DOSed us, Google's response to all "normal" (abuse@, webmaster@ etc.) email accounts was "we receive so many emails on this account that we don't read any," and phoning them just landed in an automated system that jumped back and forth for 10 minutes before cutting the line, I wouldn't bother responding to them either.

        They also didn't respond on Twitter either.

        In the end, we contacted our ISP, got the Google server blocked at their perimeter for a month and changed our external IP address.

      2. This post has been deleted by its author

    2. Anonymous Coward

      TP-Link security - oxymoron

      My experience with TP-link is that the hardware specs look alright but are let down by the software which I felt was just thrown together and then forgotten.

      Similar IMHO as to why the Raspberry Pi is still the best hobbyist SBC even though its hardware is generations behind its rivals.

  3. Stuart Halliday

    Obviously TP-Link don't want to sell any more Routers then. Gee....

  4. Will Godfrey Silver badge

    I'd have some sympathy if at least made an effort

    But silence? Fingers in ears and lalala. They deserve to sink without trace.

    1. big_D Silver badge

      Re: I'd have some sympathy if at least made an effort

      Agreed, but on the other hand, Google shouldn't throw the innocent users under a bus!

      If Google had just publicly reported a zero-day and warned users to switch routers or shame TP-Link into responding, I'd be right behind them, but releasing a zero-day script against all those users is irresponsible.

      1. chuBb. Bronze badge

        Re: I'd have some sympathy if at least made an effort

        "If Google had just publicly reported a zero-day and warned users to switch routers or shame TP-Link into responding, I'd be right behind them"

        Ummmm that's exactly what they have done though, 90 day response period, vendor did nothing, not even acknowledge the issue in 3 months, so it's fair game to publish, without the 90 day chance to respond it would be irresponsible, but all the google employee did here was follow the industry best practices. If anyone here is irresponsible then it's tp-link, as it's not like google sec research doesn't have a track record of following through on disclosure just ask apple, or MS.... As for not releasing the script how would you deliver a proof of concept with non functional code, nope gotta disclose the how as well and the where and why

        I suspect though that tp-link are unable to respond on a technical level though, as they are just rebadgers of cheap reference boards coming out of whichever factory city has entertained the purchasers the best, not that this snafu would cause them a jot of discomfort, their market is for cheap and bundled consumer networking kit, and i very much doubt anyone outside of the networking/security echo chambers would give a toss about this, i.e. imagine the response of joe blogs when told his crappy router sent to him by his cheapest on the market ISP, could be commandeered to launch a DDoS or (doubt it has the computational chops) mine crypto currency, as long as access to farcebook or youtube isn't affected then shits given would be 0

        1. big_D Silver badge

          Re: I'd have some sympathy if at least made an effort

          As I said, I have nothing against Google reporting it after 90 days. What I do disagree with is Google providing malware writers with a zero-day kit to work with.

          You don't need to publicly issue a proof of concept on day zero. They could privately disclose that to other security researchers to get them to validate their findings, for example. Releasing a script a week or 2 after the initial report would also be, in my opinion, "responsible".

          1. Crypto Monad

            Re: I'd have some sympathy if at least made an effort

            It's not "zero-day": it's day 90. That's the whole point. Read the definition:


            1. Crypto Monad

              Re: I'd have some sympathy if at least made an effort

              Day zero is the day the vulnerability was disclosed to the vendor - by definition.

              If the exploit had been publicly available on that day, then it would be a zero-day exploit.

  5. Richard Appleby

    Re: Nearshore?

    They make reasonably spec'd, well-priced hardware though. Just the thing on which to deploy OpenWRT...

    1. DropBear

      Re: Nearshore?

      Exactly. I have no intention of going the "it's your fault for not reflashing it immediately with OpenWRT" route, but I know it's without question what I'd do with any router I'd buy...

    2. Mage Silver badge

      Re: Nearshore?

      Yes, Eir & Vodafone supply semi-locked down Huawei models. It's not Chinese Gov that worries me on those, but BOTH are only remote Firmware update (but DSL / VDSL security is not like Cablelabs DOCSIS 2.x and 3.x), both are rubbish for blocking URLs or IPs and Eir remotely enables "public" WiFi sharing for Eir customers. Without telling you, by default. Can only be turned off by Eir, no setting on user settings of modem on LAN.

      My experience over the last 15 years is that all the makers are rubbish to deal with. Even if you are the ISP buying them!

    3. Captain Badmouth

      Re: Nearshore?

      Quite, although TP-Link seem to recommend DD-WRT.

      But, no warranty!

      "To Use Third Party Firmware In TP-Link Products

      Some official firmware of TP-Link products can be replaced by the third party firmware such as DD-WRT. TP-Link is not obligated to provide any maintenance or support for it, and does not guarantee the performance and stability of third party firmware. Damage to the product as a result of using third party firmware will void the product's warranty."

  6. ProbablyUnknown

    I've tried contacting TP-Link and they seem to abandon hardware in favour of consumer purchasing the next model. That doesn't work for me and really disappointed with most residential router manufacturers. This nonsense needs to change or bring in legislation requiring retailers to plant a big sticker on these things saying not secure and no longer updated by manufacturer.

    1. Anonymous Coward

      As a TPL Fan

      I have to agree that I don't like their very Chinese way of dropping support 10 minutes after the product has left the factory.

      They haven't issued updates for several severe issues discovered over 2 years ago that affect my current router.

      As much as I am a fan, I will probably jump ship the next time my router needs replacing.

      Are Xiaomi routers any good??

  7. Anonymous South African Coward Silver badge

    Will bridged mode override the router's backdoors?

    1. Mage Silver badge

      Bridged Mode?

      No idea. Probably not. Some ISPs now supply modem / routers with no bridge mode. No idea if this includes TP-Link.

  8. Anonymous Coward

    My national ISP supplies TP-Link routers as standard.

    There is little choice, due to an unusual VLAN setting requirement

    1. Anonymous Coward

      Sky / Option 61?!
