Affordable and reliable routers have long been the cornerstone for connecting consumers and businesses to the internet. However as we move deeper into an age of hyperconnectivity, these unassuming devices have taken on a pivotal role in a world increasingly defined by geopolitical tensions, trade wars, corporate espionage and cyber threats.
This editorial examines the recent controversy surrounding TP-Link, exploring potential mitigation strategies and alternative solutions for securing networks.
The news
In some very fresh news, TP-Link, the leading provider of Wi-Fi devices with distribution in over 170 countries, has found itself in the crosshairs of the US government. If ongoing investigations find that the use of TP-Link routers in cyberattacks poses a national security risk, a US ban of their routers could be enacted as early as 2025. This is significant when TP-Link’s market share has grown to approximately 65% of the US SOHO market.
A brief history lesson
TP-Link’s dominance in the global SOHO router market is no accident. Their competitive pricing and accessibility have made their products a staple for home users, gamers, and businesses alike. Additionally, many Internet Service Providers (ISPs) bundle TP-Link routers as part of their onboarding packages, further cementing their market position.
However, TP-Link’s security track record has been a recurring concern. While no vendor is immune to vulnerabilities, what sets companies apart is their response to these issues. Over the years, TP-Link has faced criticism for:
Backdoor Access: Researchers have uncovered backdoors in some TP-Link routers, allowing attackers to gain unauthorised access. This often stems from hardcoded credentials or poorly secured remote management features.
Firmware Issues: TP-Link routers have been found to contain outdated or unpatched firmware, making them susceptible to exploits such as command injection, buffer overflows, and arbitrary code execution.
Default Passwords: Many TP-Link devices ship with default administrative credentials that users often neglect to change. This creates an easy entry point for attackers.
Weak Encryption: Some TP-Link models use outdated encryption standards for Wi-Fi networks or management interfaces, increasing vulnerability to interception and eavesdropping.
Notable Incidents
There have been a few, particularly in 2024.
CVE-2024-21833: This critical vulnerability affects multiple TP-Link router models, including the Archer and Deco series. It allows unauthenticated attackers to execute arbitrary OS commands through insufficient input validation in the router’s web management interface.
Similar vulnerabilities, such as incorrect access controls, weak default credentials for administrator accounts, and network-adjacent unauthenticated attackers being able to execute arbitrary OS commands, are listed in multiple CVEs in 2024.
Botnet Exploitation: TP-Link routers have frequently been targeted by botnets like Mirai and its derivatives. These botnets exploit known vulnerabilities to compromise devices, which are then used for Distributed Denial of Service (DDoS) attacks or other malicious activities.
Exploitation by Nation-States: TP-Link routers have reportedly been targeted by advanced persistent threat (APT) groups for espionage and cyber warfare purposes, raising alarms about their use in critical infrastructure.
Some Potential Reasons for the Security Challenges
Cost-Cutting Measures: TP-Link’s focus on affordability often comes at the expense of advanced security measures, leaving devices vulnerable to modern threats.
Lack of Timely Updates: Firmware updates, which are critical for patching vulnerabilities, are often delayed or unavailable for older TP-Link models.
User Negligence: Many users fail to change default passwords, update firmware, or disable risky features, exacerbating security risks.
Oversight: Who is leading the charge to implement a security first approach to routers?
Broader Fears About Chinese Technology
The concerns surrounding TP-Link routers are part of a larger narrative about the security risks of Chinese-made technology. As a Chinese company, TP-Link operates in a context where geopolitical tensions and allegations of state influence amplify scrutiny. These fears are rooted in several key issues. In this editorial we will focus on national security risks, which are what the US Government is basing its concerns on.
State-Mandated Cooperation: Chinese laws, such as the National Intelligence Law of 2017, require companies to cooperate with state intelligence efforts. This raises fears that Chinese technology firms could be compelled to create backdoors or share data with the Chinese government.
Espionage Allegations: Numerous allegations have been made against Chinese technology companies, including Huawei and ZTE, accusing them of enabling espionage. These accusations have created a general mistrust of Chinese-made networking equipment.
Critical Infrastructure Vulnerabilities: The presence of Chinese technology in critical infrastructure, such as telecommunications and energy, has raised concerns about potential sabotage or disruption in times of conflict.
The implications of TP-Link router vulnerabilities include:
For consumers
Privacy Breaches: Vulnerable routers can be exploited to access personal data, including browsing histories, passwords, and sensitive documents shared over the network.
Device Hijacking: Attackers can take control of compromised routers to redirect traffic, inject malicious content, or disrupt internet access.
Financial Losses: Cybercriminals can exploit routers to steal banking credentials or facilitate fraud, leading to direct monetary losses for individuals.
For organisations
Data Security Risks: Businesses using TP-Link routers are at risk of data breaches, which can compromise sensitive customer or proprietary information.
Network Downtime: Router exploitation can lead to network outages, affecting productivity and customer service.
Regulatory Consequences: Organisations may face penalties for failing to secure their networks adequately, especially in industries governed by strict data protection laws.
Greater ramifications
Botnet Expansion: The exploitation of TP-Link routers contributes to the growth of botnets, which are used for large-scale attacks on governments, corporations, and critical infrastructure.
Cyberwarfare Potential: Nation-states targeting insecure routers can use them as entry points for espionage or to disrupt essential services.
Mitigation Strategies
There are a few simple steps to improve your router’s security posture. These include:
- update your router firmware regularly;
- change all default passwords to strong, unique ones;
- disable remote management features; and
- my favourite topic to harp on about, segregate your networks to isolate IoT devices.
Of course, most of that is useless if the vendor is slow to provide updates, or provides none at all, during the lifecycle of a product. A cheap entry-level product is unlikely to get any love from a vendor in terms of ongoing support.
It comes down to this: unless vulnerabilities are patched by the vendor, no amount of good security practice by a user is worth anything. That is assuming your standard end user even has an idea of where to start.
Alternatives
Where do we start?
Personally the first thing I would do is to throw out the garbage that is bundled from your ISP. Brutal but fair advice. No ISP gives away anything good for free and you will thank me for this tip because pretty much anything would be better.
Unless you are with TPG and use their VoIP. Don’t get me started, but anyone who BAKES their config into special firmware and locks you into their devices should not be allowed to conduct business.
Secondly, identify vendors that have a track record of providing ongoing support for their products, even when those products are getting on in age.
Thirdly, relying on someone to manually check for firmware updates and then apply them is a recipe for failure. People are forgetful, people are lazy. If an end user has to learn to do a technical task, it is certainly going to end up in the too-hard basket.
Granted, many routers have the ability to schedule an update time and automatically apply it. That only works if the vendor will provide security updates. Commodity routers are just that: cheap, cheerful (maybe) and quickly forgotten in terms of support.
The importance of robust cybersecurity practices
The TP-Link router security issue underscores the critical importance of robust cybersecurity practices in consumer networking devices. While TP-Link’s vulnerabilities have exposed significant risks, they also highlight the broader fears associated with Chinese technology in a global context. By adopting best practices, investing in secure technologies, and fostering a culture of awareness, users and organisations can mitigate risks and build more resilient networks.
There are many alternatives out there such as Synology, D-Link, eero, Netduma, Zyxel. They have different strengths and weaknesses.
Take Synology as an example. Although they are better known as a NAS (Network Attached Storage) company, in reality the company has been pivoting to an application and cloud solution provider for years, making their hugely popular DiskStations essentially an entry point. As part of that strategy, the company has a small line-up of routers which has been extremely well received in the market.
A spotlight on Synology
Good security is not by luck; it is by careful design and by continuously fostering that focus. The industry calls it a zero trust framework, but it is much more than that: it requires a security mindset. Synology has a dedicated Product Security Incident Response Team (PSIRT) with a four-phase software development process.
Design phase: When a new Synology product or feature is put in place, the Product Security Assurance (PSA) Program is initiated. The PSIRT team then collaborates with the development team in reviewing the security infrastructure and design, offering constructive suggestions for improvement.
For instance, the root privilege was removed in DSM 7.0 to adhere to the least privilege principle, granting users only the minimum necessary permissions to reduce security risks. This proactive approach establishes a strong security framework from the outset, avoiding future security-related complications.
Development phase: The development phase will officially commence after the product specifications have been confirmed. To ensure the quality of the code from the start, Synology implements Static Application Security Testing (SAST) with automatic tools to screen out potential vulnerabilities and defects. This helps prevent the use of insecure or forbidden source code from the get go.
As the development progresses and reaches completion, Dynamic Analysis Security Testing (DAST) will be performed on an ongoing basis to detect changes in the code and ensure that all functionality is thoroughly tested on the application, reducing potential security threats.
Verification phase: In early 2022, Synology formed the Synology Red Team, a talented group of in-house hackers with extensive professional experience, dedicated to examining their products from an attacker’s perspective to identify and exploit any vulnerabilities. In just six months, the Red Team had already made a significant impact, identifying over 21% of system bugs before the official release.
Further, Synology offers a bounty program that takes a proactive approach and actively engages with the hacker community through various initiatives. Since 2017, they have invited external researchers to help identify security vulnerabilities. To date, over 200 researchers have participated in their bug bounty program and have been rewarded more than US$270,000 for their efforts.
Release phase: The Red Team actively seeks out vulnerabilities while the Synology Blue Team vigilantly monitors for security threats. Upon report of a vulnerability, the Blue Team promptly initiates a preliminary assessment to determine the impact within eight hours. Once identified as a critical issue, the vulnerability will be promptly remediated within 24 hours, significantly outpacing the industry average of 60 days mean time to remediate (MTTR).
Securing your home network with SRM
The Synology routers run SRM (Synology Router Manager), which is a reimagination of how a router OS should run. The concept and execution are loosely based on their DSM (DiskStation Manager) pedigree: a friendly, visual interface with a shallow learning curve. And in the same vein as DSM, SRM functionality can be extended with packages from the Package Center.
I reviewed the very first Synology router, the RT1900AC all the way back in 2016 and that stayed in my network for a long time. SRM made it easy for me to maintain network security by gatekeeping traffic at the network perimeter. Sime also reviewed the RT2600AC in 2017. And more recently in 2023, Paul reviewed the WRX560.
Safe to say Synology are not punching routers out like arcade tickets, but each iteration has been a solid release.
Where I talked about mitigation strategies earlier, SRM has these built in by design.
Home network: The primary network where core devices that tend to receive consistent security updates can reside.
Safe Access: SRM’s package for web filtering. It integrates Google Safe Browsing and other external databases to identify and block domains that contain unwanted content such as malware, social engineering, potentially harmful applications, and phishing.
Parental Control: With Safe Access, you can already implement Albo’s social media ban at home (provided the device is on your WiFi network).
Isolated Networks: SRM allows up to 15 SSIDs, with the ability to isolate networks or allow only one-way communication to minimise attack surfaces.
Last Thoughts
Synology’s commitment to security is evident: there are no existing exploits on Synology products according to the KEV (Known Exploited Vulnerabilities) Catalog by the Cybersecurity & Infrastructure Security Agency (CISA) since it was introduced in 2021.
Conversely, TP-Link has two, one dating back to 2015 and the second to 2023, both relating to Archer devices. To be fair, a few other names from what I mentioned earlier also have KEV entries (not me, I’m a totally different vulnerability!) listed.
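If you want to check the KEV figures for your own vendor, the following is an added example (not code from the article, CISA or Synology) that parses the CISA KEV catalog’s published JSON shape and counts entries per vendor; the embedded catalog is a constructed sample with placeholder CVE ids and dates, so the numbers it prints are not the real figures.

```python
"""Count CISA KEV catalog entries per vendor (added example, not from the
article). Uses the real KEV JSON shape: a top-level "vulnerabilities" list
whose entries carry "cveID", "vendorProject", "product" and "dateAdded".
The embedded catalog is a constructed sample with placeholder CVE ids."""
import json
from collections import defaultdict

# Constructed sample in KEV shape; ids and dates are placeholders.
SAMPLE_KEV_JSON = """{"title": "constructed sample", "vulnerabilities": [
  {"cveID": "CVE-0000-0001", "vendorProject": "TP-Link", "product": "Archer",
   "dateAdded": "2022-01-10"},
  {"cveID": "CVE-0000-0002", "vendorProject": "TP-LINK", "product": "Archer",
   "dateAdded": "2023-05-01"},
  {"cveID": "CVE-0000-0003", "vendorProject": "Zyxel", "product": "Firewall",
   "dateAdded": "2023-06-05"}]}"""

# Vendors named in the article. KEV capitalises vendor names inconsistently,
# so matching is case-insensitive on the vendorProject field.
VENDORS = ["TP-Link", "Synology", "D-Link", "Zyxel", "eero", "Netduma"]


def load_catalog(text=SAMPLE_KEV_JSON):
    """Parse a KEV catalog document and return its vulnerability entries."""
    return json.loads(text)["vulnerabilities"]


def kev_summary(entries, vendors=VENDORS):
    """Return {vendor: (count, first_added, last_added)}; dates are None if no hits."""
    hits = defaultdict(list)
    for entry in entries:
        name = entry.get("vendorProject", "").lower()
        for vendor in vendors:
            if name == vendor.lower():
                hits[vendor].append(entry["dateAdded"])
    summary = {}
    for vendor in vendors:
        dates = sorted(hits[vendor])
        summary[vendor] = (len(dates), dates[0] if dates else None,
                           dates[-1] if dates else None)
    return summary


if __name__ == "__main__":
    # Replace SAMPLE_KEV_JSON with the text of CISA's downloaded catalog file.
    for vendor, (n, first, last) in kev_summary(load_catalog()).items():
        print(f"{vendor:9s} {n} KEV entries" + (f" ({first} .. {last})" if n else ""))
```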
I have been a very long time user of Synology products. My first experience with DSM was right at the very tail end of DSM 3, about a week before DSM 4 was officially launched. Carbon dating puts that around March 2012. In the time since, I have had constant and regular DSM updates for security, bugfixes and features on many DSM units I have had running on my network.
In more recent times, Synology has emailed Security Advisories warning of new vulnerabilities and that an update is ready for me to apply. Synology commits to fixing critical vulnerabilities within twenty-four hours of notification. The industry average is sixty days for a zero-day attack.
Over the dozen years of running DSM, and for a shorter time SRM, I have watched lots of attempts at probing my Synology units and none has been successful. Over time my network security posture has also evolved, but my standing recommendation of DSM to family and friends has not changed.
Don’t settle for the cheapest or the bundled option, why take unnecessary risks? The full Synology range of routers can be viewed here.