But if their actual headquarters are in Shenzhen, then they are part of China.
2 Likes
That could be why my AT&T Orb went to factory settings.
1 Like
It is not w/out risk of those types of issues, which is why experienced users often disable auto-update if it's possible.
Also Hubitat's reasoning.
I do remember that folks that worked on independent firmware with the Asus, Buffalo, and Linksys routers were always improving security. There was:
- Merlin for Asus
- Tomato for various broadcom routers (Buffalo, etc)
I went back and verified that Merlin is still alive and kicking and he even calls out security improvements in the release notes:
1 Like
Thought some of you guys might find this video interesting:
2 Likes
For people who say things like "I'm not the Pentagon, there's no reason I would be a hacking target "... here's an example of leveraging a low security network to get to an unrelated high-value target:
I actually said that above re: my house and the pentagon.
That sounds like an extremely sophisticated and apparently novel attack that had nothing to do with built-in back doors by a manufacturer?
It does seem like an interesting story.
But not relevant to whether TP-Link does a generally poor job of patching security flaws in their products? Does a poor job of communicating with security researchers? Are they really just a Manchurian candidate?
Rumors fly quickly on the internet.
ETA: I’m not trying to be dismissive. I’m realistic too about whether I’m a hacking target. I have a public facing webserver 
.
yes i use merlin on all my asus routers now 5 in 3 locations
3 Likes
Before I changed to a unifi router and switches/APs, I had several asus routers. Loved the Merlin firmware.
Yep. 
Tangential to TP-Link specifically, I was trying to illustrate the more general issue -- that security flaws in devices that don't seem to be targets worth a lot of effort are being used in the real world by hackers to access much more valuable targets.
Owners of those low-end consumer devices, such as TP-Link routers, Hubitat, etc. may not be feel urgency to secure their network. (Let's shelve all the huge issues about the availability of patches, vendor outreach to notify owners, and the ability of owners to maintain secure environments.)
Your house might not have Pentagon secrets, but the work-from-home office in the neighboring house may, elevating the risk that you will be hacked to access them...hacking your equipment to get to them may be less obvious than a hacker parking a panel van parked on your cul-de-sac for hours in order to get into your neighbor's network directly.
Most consumers definitely won’t, as @danabw already pointed out.
I’m not advocating for lazy security vulnerability patching practices by consumer or enterprise level router manufacturers. Those should be discovered and then publicized responsibly by journalists, if a company has a habit of not dealing with the information responsibly themselves.
But fact remains I can choose to put a Hikvision camera on my property (which admittedly doesn’t have much going on) regardless of what a commercial enterprise or government agency around me thinks about Hikvision Inc. or any IoT device that could conceivably be used in a particularly sophisticated attack.
I have a different risk perception and threat tolerance for my house.
3 Likes
This topic was automatically closed 365 days after the last reply. New replies are no longer allowed.
