TP-link is reportedly being investigated over national security concerns linked to vulnerabilities in its very popular routers.

  • Dark Arc@social.packetloss.gg
    link
    fedilink
    English
    arrow-up
    28
    arrow-down
    4
    ·
    edit-2
    5 days ago

    It’s a good idea, but there’s going to be firmware at lower levels (roughly the BIOS) that could still be compromised. It’s best to just not buy Chinese hardware designed and manufactured by a Chinese company with no western involvement when you can avoid it.

    • DominusOfMegadeus@sh.itjust.works
      link
      fedilink
      English
      arrow-up
      7
      ·
      4 days ago

      This didn’t even occur to me when I bought my new router recently. I just went with one of the best-reviewed models that had all the features and speed I needed.

        • LifeInMultipleChoice@lemmy.world
          link
          fedilink
          English
          arrow-up
          1
          ·
          4 days ago

          Out of curiosity, what would happen with older models. Also other devices, like I don’t have a TPlink router but I do have a TPlink Ethernet to power to Ethernet I bought when I lived in an appartment and didn’t want to drill holes in the walls. (Wifi ran from center of house, but outed it to a 110 in the wall and hardwired to a PC into a RAP for work in bedroom at the time.

          • paraphrand@lemmy.world
            link
            fedilink
            English
            arrow-up
            3
            ·
            edit-2
            4 days ago

            Older devices stop getting software/firmware updates.

            But usually simpler things like USB to Ethernet adapters and switches don’t have much going on update wise. If anything at all. Switches often do, adapters rarely do.

            The best you can do is keep an eye on updates for the devices, if any. Keep an ear out for reported vulnerabilities, and then retire devices when they are no longer maintained.

            But all of that is quite a burden for a device most people set up and forget about. At some scale, and in some senses, there is no good answer. New vulnerabilities are found all the time in hardware/software.

            If you just mean “will old devices stop working”? No. This would just impact new sales.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            2
            ·
            4 days ago

            Eh, something like a dumb switch or PoE injector shouldn’t cause any problems since they don’t really have any exploitable logic, and they’re behind a router anyway.

            • LifeInMultipleChoice@lemmy.world
              link
              fedilink
              English
              arrow-up
              2
              ·
              4 days ago

              Really not sure how much tech they have in them. I’m more familiar with PoE and switches. The Ethernet to 110 to Ethernet I guess is just pulses being sent to transmit the data over power lines within the residence, but yeah I agree it is behind the router. That doesn’t say someone couldnt hack say a smart fridge and pick data off the same power and then transmit that data back through a backdoor. But then again that fridge would be behind the router as well. Idk, havent spent much time looking at any of it. It would have to mimic the sync signal used by the receiver though, not sure what security protocols are there.

              • sugar_in_your_tea@sh.itjust.works
                link
                fedilink
                English
                arrow-up
                2
                ·
                4 days ago

                Unless you’re operating a military base or something, you’ll be fine with anything that’s not “smart.” I don’t trust most “smart” devices unless I can self-host them (e.g. block them from phoning home).

                • LifeInMultipleChoice@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  4 days ago

                  Probably wise, thankfully I don’t have to many smart devices… Even my microwave/air fryer combo started shooting sparks out of another outlet on the breaker. Unplugged it and decided to use it as a cat treat holder for now. He can’t open that… Cabinets though…

    • frankgrimeszz@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      4 days ago

      I’m not sure, but with routers, I think OpenWRT installs/flashes at the firmware level. There could be hardware level vulnerabilities I suppose.

      In the case of Lenovo laptops used in Iraq (2004), China had additional hardware chips snooping and sending data back via Ethernet cable.

    • Avid Amoeba@lemmy.ca
      link
      fedilink
      English
      arrow-up
      1
      arrow-down
      1
      ·
      4 days ago

      An even better way is to leave vulnerable pieces in all parts of the firmware / software stack. E.g. old version of SSH with a known vulnerability or two, old web server, etc. Then just exploit as needed.

      • Dark Arc@social.packetloss.gg
        link
        fedilink
        English
        arrow-up
        5
        arrow-down
        2
        ·
        4 days ago

        The examples you gave are all at the OS level and installing OpenWRT would fix them. The firmware/BIOS level is much more custom and can be susceptible to attacks the OS is completely unaware of (effectively pre-installed rootkits). Hence why I mentioned it may not be enough to install OpenWRT.

        • richmondez@lemdro.id
          link
          fedilink
          English
          arrow-up
          3
          arrow-down
          1
          ·
          4 days ago

          You are talking about the boot loader, but even that is pretty standard. There could be hardware exploits in place, sure, but we are mostly talking about a very low margin product and the volume of data that you’d need to retrieve and process to sift out anything useful would be massive and obvious so in general I think this is mostly conspiracy level thinking. Any shenanigans is going to be done in small targeted batches if it’s done at all to try to infiltrate specific targets and reduce risk of some curious researcher or enthusiast accidentally stumbling across it and ruining it.

          • Dark Arc@social.packetloss.gg
            link
            fedilink
            English
            arrow-up
            2
            arrow-down
            1
            ·
            4 days ago

            but we are mostly talking about a very low margin product and the volume of data that you’d need to retrieve and process to sift out anything useful would be massive and obvious so in general I think this is mostly conspiracy level thinking

            Bold of you to assume they actually need to make money on these.

            They also don’t need to sort through data to be problematic; they just need to be able to be remotely disabled or remotely given the order to start sniffing if they are one of the higher end systems that would be used in major infrastructure (that could process at volume).

            Sure a researcher could stumble upon something… But closed source, embedded deep in the hardware, etc the number of researchers working at that level is not all that high AFAIK. The research is also from my understanding very very difficult at that level. It would be borderline equivalent to reverse engineering the Intel remote management engine or something.

        • Avid Amoeba@lemmy.ca
          link
          fedilink
          English
          arrow-up
          2
          arrow-down
          1
          ·
          4 days ago

          Yes of course, you’re right. The point I’m making is that wherever you’re putting in backdoors, instead of backdoors, you can just leave unlatched vulnerabilities. Gives you solid plausible deniability.