US Ban on TP-Link Routers More About Politics Than Exploitation Risk
While a number of threat groups have used TP-Link bugs to infiltrate networks, a proposed ban of the company’s popular routers is more about geopolitics than actual cybersecurity — and that may not be a bad thing.
With US government agencies and lawmakers reportedly considering a ban on TP-Link’s products in the United States, one might think the company would rank high on the list of networking vendors with the most vulnerabilities currently being exploited by cyberattackers.
Not by a long shot.
The Chinese firm, whose products are popular among consumers and small businesses, currently has two security issues gracing the Known Exploited Vulnerabilities (KEV) list curated by the Cybersecurity and Infrastructure Security Agency (CISA), compared with 74 for Cisco Systems, 23 for Ivanti, and 20 for D-Link.
Yet US government officials’ concern is less about known vulnerabilities, and more about unknown risks, including its routers’ popularity in the United States — where it accounts for about two-thirds of the market — and the degree to which the company is beholden to China’s government.
While no researcher has called out a specific backdoor or zero-day vulnerability in TP-Link routers, restricting products from a country that is a political and economic rival is not unreasonable, says Thomas Pace, CEO of extended Internet of Things (IoT) security firm NetRise and a former head of cybersecurity for the US Department of Energy.
“The value to me [of a ban] is almost more around economic policy value than pure technical cybersecurity value,” he says. “To me, there is value in saying you shouldn’t buy these things because of X, Y, and Z reasons [and to make it] more difficult for small businesses, or whoever, to get their hands on devices from these companies.”
TP-Link — Not a Vulnerability Stand-Out
In April 2024, one of two TP-Link vulnerabilities attracted the most vulnerability scanning by threat actors, according to an analysis by cloud and application-security firm F5. The issue, a command injection vulnerability for TP-Link’s Archer AX21 router (CVE-2023-1389), allows an unauthenticated attacker to easily compromise a device via a simple POST request.
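As an added example, not from the article or from TP-Link's firmware, here is a hypothetical C handler that shows the bug class behind CVE-2023-1389 (a request field reaching popen() unsanitized) beside a hardened version that allowlists the value and keeps it out of any shell; the function names and the uci command are assumptions.

```c
/* Added example, not TP-Link's firmware code: a hypothetical handler for the
 * "country" field of a locale request, showing the command-injection pattern
 * behind CVE-2023-1389 next to a hardened version. All names are assumptions. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

/* VULNERABLE pattern: the request field is pasted into a command string that
 * popen() would hand to /bin/sh. Shell metacharacters in 'country' are then
 * parsed as commands, running with the web daemon's (root) privileges. */
const char *build_cmd_unsafe(const char *country) {
    static char cmd[256];
    snprintf(cmd, sizeof cmd, "uci set system.country=%s", country);
    return cmd;   /* a real handler would call popen(cmd, "r") here */
}

/* Hardened step 1: strict allowlist. A country code is exactly two ASCII
 * uppercase letters; empty, overlong, or metacharacter-bearing input is
 * rejected before it reaches any command. */
int is_valid_country(const char *country) {
    if (country == NULL || strlen(country) != 2) return 0;
    return isupper((unsigned char)country[0]) && isupper((unsigned char)country[1]);
}

/* Hardened step 2: never let a shell parse the value. Produce the single
 * argument that would be handed to execv() as its own argv element.
 * Returns NULL when the input is rejected. */
const char *locale_arg(const char *country) {
    static char arg[64];
    if (!is_valid_country(country)) return NULL;
    snprintf(arg, sizeof arg, "system.country=%s", country);
    return arg;
}

int main(void) {
    /* Constructed inputs: a legitimate code and one carrying shell metacharacters. */
    const char *inputs[] = { "US", "US;echo injected" };
    for (int i = 0; i < 2; i++) {
        const char *a = locale_arg(inputs[i]);
        printf("input %-18s unsafe cmd: \"%s\" -> hardened: %s\n",
               inputs[i], build_cmd_unsafe(inputs[i]), a ? a : "REJECTED");
    }
    return 0;
}
```

The unsafe builder shows the injected text landing verbatim in the shell line, while the hardened path rejects it before any process is spawned.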
TP-Link ranks low on the list of networking vendors with known exploited vulnerabilities. Source: Author from CISA data
In another incident, security firm Check Point Software Technologies discovered that TP-Link devices were also compromised with an implant known as Camaro Dragon. The implanted components were discovered in modified TP-Link firmware images, and not the original software shipped by the company, says Itay Cohen, research lead at Check Point Research.
Yet Cohen stresses that the implants were written in a firmware-agnostic manner and not specific to any particular product or vendor.
“It is worth noting that this kind of attack is not aimed specifically at sensitive networks, but rather at regular residential and home networks,” he says. “Therefore, infecting a home router does not necessarily mean that the homeowner was a specific target, but rather that their device was merely a means to an end for the attackers.”
The threat posed by such vulnerabilities and implants is real, but the data from the KEV catalog shows that other manufacturers are just as likely to have their vulnerabilities exploited — and there are more of them. The lesson is that vulnerabilities in embedded devices are not unique to any one manufacturer or country of origin, says Sonu Shankar, chief product officer at Phosphorus Cybersecurity, an extended IoT cybersecurity provider.
“Nation-state actors frequently exploit weaknesses in devices from companies worldwide, including those sold by American manufacturers,” he says. “Devices lacking basic security hygiene — such as the use of strong passwords, timely firmware patching, or proper configurations — can become easy targets for cyberattacks.”
TP-Link stressed this fact in a statement sent to Dark Reading.
“Many brands of consumer electronics are targeted by hackers, and we support government efforts to hold all producers to the same standard,” a company spokesperson said. “We welcome opportunities to engage with the federal government to demonstrate that our security practices are fully in line with industry security standards, and to demonstrate our ongoing commitment to the American market, American consumers, and addressing US national security risks.”
China’s Government Oversight Is Pervasive
But those assertions may be minimizing the influence of the Chinese government on the company’s operations: Most Western companies do not understand the degree to which Chinese officials monitor China’s business sectors — and cybersecurity firms — as a component of government policy and national strategy, NetRise’s Pace says.
“It’s a totally different business culture,” he says. “There is a member of the PRC in every company — that’s not even like an opinion, it’s just how it is. And if you think they’re not there to exert their influence, then you’re just an unbelievably naive person, because that’s exactly what they do, [including] for the purposes of intelligence gathering.”
Threat intelligence analysts have flagged Chinese government national strategy documents and evidence showing the country’s increasing efforts to compromise rival nations’ infrastructure — such as the attacks by Volt Typhoon and Salt Typhoon.
“In recent years we see Chinese threat actors’ increasing interest in compromising edge devices, aiming to both build resilient and more anonymous C2 infrastructures, and to gain a foothold in certain targeted networks,” Check Point stated in its analysis, but added that the “discovery of the firmware-agnostic nature of the implanted components indicates that a wide range of devices and vendors may be at risk.”
China’s networking products are not alone in being targeted by the US government, which also banned the products of antivirus firm Kaspersky because of national security concerns, given that it’s a Russian company.
The Global Cyber Reality of Home Routers: Buyer Beware
Companies and consumers should do their due diligence, keep their devices up to date with the latest security patches, and consider whether the manufacturer of their critical hardware may have secondary motives, says Phosphorus Cybersecurity’s Shankar.
“The vast majority of successful attacks on IoT are enabled by preventable issues like static, unchanged default passwords, or unpatched firmware, leaving systems exposed,” he says. “For business operators and consumer end-users, the key takeaway is clear: adopting basic security hygiene is a critical defense against both opportunistic and sophisticated attacks. Don’t leave the front door open.”
For companies worried about the origin of their networking devices or the security of their supply chain, finding a trusted third party to manage the devices is a reasonable option. In reality, though, almost every device should be monitored and not trusted, says NetRise’s Pace.
“It’s a crazy world that exists when it comes to device security,” he says. “You’re accepting this device that you know nothing about — and that you really can’t know anything about — unlike Windows [or another operating system] … where you can also install three agents and a firewall in front of it to mitigate the risk of the software.”
About the Author
Veteran technology journalist of more than 20 years. Former research engineer. Written for more than two dozen publications, including CNET News.com, Dark Reading, MIT’s Technology Review, Popular Science, and Wired News. Five awards for journalism, including Best Deadline Journalism (Online) in 2003 for coverage of the Blaster worm. Crunches numbers on various trends using Python and R. Recent reports include analyses of the shortage in cybersecurity workers and annual vulnerability trends.
TP-Link Archer AX21 (AX1800) firmware versions before 1.1.4 Build 20230219 contained a command injection vulnerability in the country form of the /cgi-bin/luci;stok=/locale endpoint on the web management interface. Specifically, the country parameter of the write operation was not sanitized before being used in a call to popen(), allowing an unauthenticated attacker to inject commands, which would be run as root, with a simple POST request.