I wanted to keep my TP-Link router but security pros roasted me


Like most Americans, I have a TP-Link router at home and am contemplating what to do with it. The company is under scrutiny for potential backdoors, and authorities are considering it as the next potential target for a ban. Is replacing the TP-Link router really the only option?

The short answer is yes, according to the three cyber pros Cybernews talked to. I thought I could add a firewall or install custom firmware to limit exposure. All the other alternatives are worse security-wise.

Even if you firewalled your home network and installed custom firmware, you can’t be sure that the router isn’t phoning back to China.


However, a replacement is not feasible for everybody, and some things can be done to improve security.

A lock made by burglars?

If you own a TP-Link router and you’re worried about Chinese hackers, you've already answered your own question, says Terry Dunlap, senior vice president of corporate strategy and development at NetRise.

“I don't buy hardware from vendors with ties to authoritarian regimes that have a habit of cyber espionage. You wouldn't install a lock made by burglars – why would you trust your network to companies with a track record of security failures?” Dunlap said.

Chris Sherwood, a networking expert who runs the YouTube channel Crosstalk Solutions, explains that most TP-Link products have features that can block source or destination traffic to global locations.

“But if a customer already believes that TP-Link is sending data back to China, then they're not likely to trust that blocking traffic to/from China at the router level is going to work,” Sherwood said. “If you're concerned about the possibility of a backdoor to China in TP-Link products, then yes – the only real recourse is to replace your router.”

Mithilesh Ramaswamy, a senior engineer at Microsoft, destroyed the remaining hopes of keeping the device.

“While workarounds and stopgap measures are respectable band-aids, I encourage users to think about this problem long-term. It's common for users to misconfigure firewall rules and stay in tune with various applications and their interactions,” Ramaswamy said.


He compared the internet to a highway – you don’t want any safety issues with your car’s seatbelt.

Option 1: adding a separate firewall

It would seem that adding a separate router and firewall could be a good approach to protect the home network. This way, the TP-Link device could still function as the wireless access point. You can find some cheap firewalls on Amazon for a few dozen bucks.

This way, even if attackers know how to exploit the router, their requests from the internet would not reach it. Alternatively, a firewall can be used to block part of the outgoing traffic, say, connections to China.

But cyber pros are somewhat skeptical.

“You could likely do the same geographic blocking of traffic to prevent the access point from phoning home. However, keep in mind that this is not a bulletproof solution. TP-Link could theoretically spin up some servers in AWS, or in any US-based VPS provider and still gather the same data on US soil,” Sherwood explains.

He also noted that cheap firewall devices are often also made in China and could have many of the same backdoor issues.

“US-based companies such as Netgear still manufacture their equipment in China and Taiwan.”

The cheapest off-the-shelf consumer routers/firewalls are deliberately kept simple and lack much of the visibility, control, and other security functionality of better gear. That may not prevent bad actors from getting into your network, or third-party devices from phoning home.

According to Dunlap, spending $30 on a refurbished “firewall” is an invitation to hackers and users should never cheap out on security.


Prosumer gear, such as Ubiquiti's UniFi line, pfSense developed by Netgate, and similar, would be preferred for visibility and control. These devices are more expensive, so users might as well change the whole router.

“Adding a firewall is always a good move, but think of it like putting a deadbolt on a house where the back door is wide open. Suppose the TP-Link router is compromised or has a supply chain backdoor. In that case, it's already a risk before traffic even hits your firewall,” Dunlap added.

“Running it in access point mode might reduce some attack surface, but you're still dealing with firmware and hardware that could be calling home to places you don't want.”

Yet another downside is the learning curve. The more advanced the equipment, the more complicated it is for home users.

“Most non-tech people just want their Netflix to work and don't want to spend time becoming experts in cybersecurity,” Sherwood said.

Both experts agree that second-hand enterprise gear can be a good addition to the network, but there is a risk that it no longer receives updates or that the box has already been tampered with.

Option 2: flashing the firmware

If you flash custom firmware, the router no longer runs TP-Link's software. Open-source projects such as OpenWRT or DD-WRT also let you significantly extend the router's functionality.

“OpenWRT is a great option since it's open-source and the code can be checked – but it's not possible to install on every router,” Sherwood said.

The OpenWRT community supports only certain devices; its hardware database includes dozens of TP-Link models, mostly older and cheaper ones.


“The main issue with OpenWRT is that you're now getting into a pretty deep learning curve of figuring out how to re-flash the firmware of a consumer device, and then learning how to configure OpenWRT itself. It's a project for network nerds – not something that the general consumer would likely want to attempt,” Sherwood warns.

He recalled that some of the most popular YouTube videos on his channel were those in which viewers were “spoon-fed the complete setup of a device.”

“People don't want the learning curve - they just want instructions to ‘make it work.’”

Dunlap agrees – if you think that setting up a PlayStation is complicated, you’ll have a bad time and no internet connection while tinkering with the device.

“Flashing OpenWRT can sometimes be a way to neuter vendor backdoors, but it's not a silver bullet. Suppose the hardware itself is compromised. Hello, supply chain attacks. In that case, you're just putting a fresh coat of paint on a potentially rotten foundation,” Dunlap explains.

“Plus, if you don't know what you're doing, you can brick the device or introduce new vulnerabilities. If security is the goal, just buy a router that isn't shady in the first place.”

If you’re still keeping it: things to do

If you insist on keeping your TP-Link router, Dunlap suggests at least doing the following:

  • Disable remote management (because why would you ever need that?).
  • Change default credentials (seriously, stop using “admin/admin”).
  • Turn off UPnP (Universal Plug and Play, a set of networking protocols for device discovery and communication), unless you like devices opening ports without your permission.
  • Segment your network (IoT devices should never be on the same network as your work laptop).
  • Monitor DNS traffic (if your router starts resolving weird domains, that's your cue to burn it).
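The last point, watching what the router itself resolves, can be automated. The script below is an added example, not something from the article or any of the experts quoted: it parses dnsmasq-style query log lines (the sample lines are constructed, not captured from a real device), builds a per-client list of domains as a baseline, and flags any lookup made by the router's own address that is not on an allowlist of domains the router is expected to resolve. The router address and the allowlist are assumptions for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in dnsmasq "log-queries" format; not captured from a real router.
SAMPLE_LOG = """\
Jan 12 10:00:01 dnsmasq[1234]: query[A] www.netflix.com from 192.168.1.20
Jan 12 10:00:02 dnsmasq[1234]: query[A] time.cloudflare.com from 192.168.1.1
Jan 12 10:00:03 dnsmasq[1234]: query[A] fw.update.example-vendor.net from 192.168.1.1
Jan 12 10:00:04 dnsmasq[1234]: query[AAAA] telemetry.example-unknown.cn from 192.168.1.1
Jan 12 10:00:05 dnsmasq[1234]: query[A] www.netflix.com from 192.168.1.20
Jan 12 10:00:06 dnsmasq[1234]: query[A] cdn.example-iot.com from 192.168.2.15
"""

# Assumptions for this example: the router's own LAN address, and the only domains
# the router is expected to resolve by itself (NTP and a firmware update host).
ROUTER_IP = "192.168.1.1"
EXPECTED_ROUTER_DOMAINS = {"time.cloudflare.com", "update.example-vendor.net"}

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<name>\S+) from (?P<src>\S+)")


def parse_queries(log_text):
    """Yield (source_ip, domain) for each query line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("src"), m.group("name").lower().rstrip(".")


def is_expected(name, expected):
    """True if name equals an allowlisted domain or is a subdomain of one."""
    return any(name == d or name.endswith("." + d) for d in expected)


def analyse(log_text, router_ip=ROUTER_IP, expected=EXPECTED_ROUTER_DOMAINS):
    """Return (router_alerts, baseline): domains the router resolved outside the
    allowlist, in log order, and a dict of client -> set of domains seen."""
    baseline = defaultdict(set)
    router_alerts = []
    for src, name in parse_queries(log_text):
        baseline[src].add(name)
        if src == router_ip and not is_expected(name, expected):
            router_alerts.append(name)
    return router_alerts, dict(baseline)


if __name__ == "__main__":
    alerts, baseline = analyse(SAMPLE_LOG)
    for name in alerts:
        print(f"ALERT: router {ROUTER_IP} resolved unexpected domain {name}")
    for client, names in sorted(baseline.items()):
        print(f"{client}: {', '.join(sorted(names))}")
```

On a real network the same parser can be pointed at the log of a DNS resolver that the router is forced to use, since the router's own resolver would not log its own lookups.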

Sherwood would add VPN to the list.

“It's also a great idea for users to have access to a VPN proxy service such as Private Internet Access or NordVPN. These services are easy to use, and especially important when connecting your devices to public WiFi hotspots at airports, restaurants, and hotels.”

He reminded us of the importance of standard cybersecurity best practices, such as using a password manager, using multi-factor authentication everywhere, keeping everything up to date, and avoiding clicking on unsolicited links.

“For my own home network (which is also my work network), I use all of the best practice cyber security tips, plus I take it a bit further,” Sherwood assured.

“I use VLAN segmentation to separate out my 'secure' devices such as my Windows PC from IoT devices like my robot vacuum and smart light switches. The IoT network is blocked from seeing anything in the secure network.”

He also uses a Fing Agent device in the IoT network, running on a Raspberry Pi, which is configured to block any new connection until he explicitly allows it. The guest network is separate and isolated from the other network subnets.

Ernestas Naprys Gintaras Radauskas Paulina Okunyte justinasv

On Amazon, TP-Link dominates the networking products segment despite national security concerns: seven out of ten top-selling networking products in the US are from TP-Link. TP-Link also holds four out of ten best-selling WiFi router positions, including the top one.

Previously, the Wall Street Journal reported that TP-Link has roughly 65% of the US market for routers.


However, most of the publicly discoverable routers in the US are from Asus (22%), MikroTik (20%), Cradlepoint (Ericsson, 11%) and Ubiquiti (9%), according to Shadowserver Foundation data. Publicly discoverable TP-Link routers had only a 1.7% share in the US.

Worldwide, there are almost 300,000 publicly discoverable TP-Link routers, which is 3.1% of all discoverable routers. Most consumer devices, however, will not respond to scans as they have all ports closed.

“Sure, you can try firmware updates, segment your network, and throw in all sorts of compensating controls, but at the end of the day, you're still trusting hardware and software built by a company with… let's say questionable oversight. What is the best way to eliminate risk? Stop using tech from vendors that consistently show up in security advisories for all the wrong reasons,” Dunlap concluded.