Newer TP-Link Routers send large volumes of requests to Avira servers (reddit.com)
345 points by decrypt on March 12, 2022 | hide | past | favorite | 113 comments



From the comments

Nothing in your analysis shows this. Moreover, unless you explicitly deployed a root certificate on your clients (or an app on the client did it), the router can't decode TLS traffic (deep inspection) without you getting certificate warnings on the client. In that case, the only thing the router can see is the DNS request, the IP and the TLS SNI. In short, your title is misleading.


I agree they couldn't be inspecting the contents of your traffic over TLS, but they could easily view destinations. I also agree there's nothing in my analysis that proves that all the requests are related to network traffic. However, if you look at the wording of the reply (directly from TP-Link) to XDA in their review, I don't see how it could be interpreted any other way. Regardless, I probably should have made my title "appears that it may send traffic-related data". I'll be happy if that isn't the case, but the lack of a clear explanation from TP-Link when I've contacted support leads me to assume the worst.

I think it's best not to write something that damaging without proof, especially when most people only read titles. Saying they're sending metadata and violating your privacy is all you'd need to hear.


... and I don't get your point in this useless pedantry? Sure, the data in and of itself is not sent, but you seemed to imply that DNS queries don't reveal anything. In practice, you can build a good enough picture to decode what their interests are, what type of places they visit, etc., which is worrying in itself. It's like saying not to worry because they didn't know you ordered a Big Mac, while the fact that you went to McDonald's being known is already creepy to a lot of people.


I think the point is the original author did not prove anything was sent to Avira in this case. All they have is speculation that "the router is making DNS queries about an Avira safe-things domain and the DNS query QPS is correlated to the amount of traffic in the network".

I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing an Avira subscription check whenever something arrives at the router, and they do that without a cache for negative answers, and even if the feature is turned off".

So we need more evidence.


> I agree this is tremendously bad code, but what they observed could also be perfectly explained with "some stupid code doing an Avira subscription check whenever something arrives at the router, and they do that without a cache for negative answers, and even if the feature is turned off".

I do wish that it is at least Google-like (https://developers.google.com/safe-browsing/v4/update-api) and I hope that it's simply just bad code, but the simplest method to check if a domain is blacklisted is to simply send the domain; there's no hashing and canonicalisation to deal with. And before counterarguing, this already happened with Avast (https://www.howtogeek.com/199829/avast-antivirus-was-spying-...), so while I agree that stronger evidence is needed, at the same time I can definitely consider it a smoking gun.
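The difference the comment above draws, between a lookup that sends the bare hostname and one that sends only a hash prefix, is easy to make concrete. The following is an added example, not code from the original post, from Avira, or from Google's Safe Browsing client: it sketches the shape of the Update API design (canonicalise the host, SHA-256 it, keep a local list of 4-byte prefixes, and only on a local prefix hit ask the server for the full hashes behind that prefix) next to the naive design that ships the hostname in the clear. The blocklist, the server classes and the request log are constructed for the demonstration; the real API's URL canonicalisation and prefix length rules are more involved than what is shown here.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed sample blocklist for the demo; not Avira's or Google's data.
SAMPLE_BLOCKLIST = {"malware.example", "phish.example"}
PREFIX_LEN = 4  # the Safe Browsing Update API also commonly uses 4-byte prefixes


def canonicalize_host(url: str) -> str:
    """Reduce a URL (or bare host) to a lowercase hostname without a trailing dot."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").lower().rstrip(".")


def full_hash(host: str) -> bytes:
    return hashlib.sha256(host.encode("idna")).digest()


class PlaintextServer:
    """Naive design: the server is told the exact hostname and can log it."""

    def __init__(self, blocked):
        self.blocked = set(blocked)
        self.requests = []  # what the operator could retain about the client

    def lookup(self, host: str) -> bool:
        self.requests.append(host)
        return host in self.blocked


class HashPrefixServer:
    """Privacy-preserving design: the server only ever receives a short hash prefix."""

    def __init__(self, blocked):
        self.full_hashes = {full_hash(h) for h in blocked}
        self.prefixes = {h[:PREFIX_LEN] for h in self.full_hashes}
        self.requests = []  # only prefixes ever land here

    def lookup_prefix(self, prefix: bytes):
        self.requests.append(prefix)
        return [h for h in self.full_hashes if h.startswith(prefix)]


class HashPrefixClient:
    """Client that downloaded the prefix list once and asks the server only on a local hit."""

    def __init__(self, server: HashPrefixServer):
        self.server = server
        self.local_prefixes = set(server.prefixes)  # stand-in for the downloaded list

    def is_blocked(self, url: str) -> bool:
        digest = full_hash(canonicalize_host(url))
        if digest[:PREFIX_LEN] not in self.local_prefixes:
            return False  # no round trip at all: the server learns nothing about this visit
        # A prefix hit is ambiguous (other hosts share it); fetch the full hashes and compare locally.
        return digest in self.server.lookup_prefix(digest[:PREFIX_LEN])


if __name__ == "__main__":
    hp_server = HashPrefixServer(SAMPLE_BLOCKLIST)
    client = HashPrefixClient(hp_server)
    print(client.is_blocked("https://malware.example/a?b=1"), client.is_blocked("https://example.org/"))
    print("hash server saw:", [p.hex() for p in hp_server.requests])
    plain = PlaintextServer(SAMPLE_BLOCKLIST)
    plain.lookup(canonicalize_host("https://example.org/"))
    print("plaintext server saw:", plain.requests)
```

Run stand-alone, the hash-prefix server's request log contains only 4-byte prefixes, and the unblocked host never reaches it at all, while the plaintext server's log is a browsing history. That gap is exactly what the poster's "simplest method" concern is about: a vendor that sends the hostname has chosen the design that produces a log.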


There's a huge difference between sending metadata and sending everything. Most notably in the bandwidth required.

If I’m reading this correctly, it’s not sending every password and username it discovers.

It’s invasive but not to the point of being a complete set of malware.


There is really no excuse for any network equipment to be sending anything at all to external parties, unless you've specifically subscribed to some service where it becomes necessary. Which the OP said they don't.

Let's be careful to not normalize this type of data exfiltration from equipment that's supposed to be yours.


This case is not that, but for instance update services and time servers are defensible reasons to connect to external parties.


I remember reading in the UK government's security assessment of Huawei that one of the issues is not necessarily data being sent to bad places or backdoors in the software, it's that the engineering processes behind these devices/software are completely unable to protect against any sort of supply chain attacks.

The sorts of things they highlighted were: no version control, no code review, production builds happening on arbitrary machines, no automated testing, poor access control on code, no audit trail on code changes, the list goes on, and that's just for the software side. The conclusion was that Huawei were about a decade away from being able to even claim they had no backdoors. And that's a major telecoms hardware provider, trying to sell into governments and major infrastructure projects.

I'm not in the least bit surprised that TP-Link are doing this, and also not at all surprised that when questioned on it they are (so far) unable to actually describe why it's happening or really seem to know anything about it.

I think this sort of product is built in a very different environment to what most HN users would expect.


I had/have a Gemini (Android) from Planet Computers. I disabled wifi and forced its network connections through an ethernet adapter that I connected to a mirror port->wireshark and through a proxy after putting in my own root certificates.

My goal was to silence its network activity when I wasn't using it. One by one I removed APKs and blackholed IPs and domains, starting with everything from Google. I was disturbed to discover that, even having nothing installed and everything ripped out that I could, once every week or two while sitting untouched it would phone home to an IP address in China that I failed to connect to any software on the phone and whose IP WHOIS made no sense. I asked Planet Computers about it and they had no idea.


Would like to see this writeup somewhere, both for the results and for the methodology.


The UK has been indecisive about trusting Huawei [0 (sorry for the Daily Mail link),1,2,3]; I don't know why and find it very interesting. I am used to reading about nation states having an unwavering opinion, not flipping back and forth (unless because of political lines). They claim that their hand has been forced by the USA [4].

[0] https://www.dailymail.co.uk/news/article-7935905/MI5-MI6-GCH...

[1] https://www.cnbc.com/2019/10/09/former-uk-spymaster-john-saw...

[2] https://www.reuters.com/article/us-britain-huawei-tech-five-...

[3] https://www.ft.com/content/90c07bbe-38ce-11e9-b856-5404d3811...

[4] https://www.euractiv.com/section/politics/short_news/uk-bann...


Vince Cable is not part of the government and has no more information on the situation than you or I.

The government was resistant to the US' position until the CCP's crackdown on Hong Kong, at which point they reversed their position.


Yeah the actual position of the government is all over the place and it's all tied up in the politics of US/China relations.

I think the findings in the report are still a concrete assessment of Huawei's abilities that we can draw conclusions from about their product security.


A perfect situation for Hanlon's razor...

Is this stuff not par for the course? Everything hardware/embedded in my experience is like a decade or two behind the current norms for C/C++ programming. What I never understood from that audit was: was this code quality unusual? I didn't get the sense they audit European and American companies, so sure, they looked at the source and said "lol your code sucks", but there was no baseline for comparison.

But it sounds like you know the situation better; maybe you have better context. I've been curious to know from someone more familiar with the subject.


> A perfect situation for Hanlon's razor...

I'm not at all suggesting that Huawei (or TP-Link, or anyone else) are actively attempting to subvert security systems or intentionally adding backdoors. In that sense it's probably right to conclude this is ignorance.

The problem is that an attacker, especially those with the backing of a nation state, can trivially attack those insecure supply chains and install backdoors or data exfiltration.

As for whether others are as bad, I think the sort of audit that was done on Huawei is done for other companies attempting to sell into that level. These audits are not really about looking at the code – sometimes they do, but you're never going to get a useful security audit of 10s-100s of millions of lines of code. They're more about the security posture of these companies, and in that way, Huawei failed.

I do expect that Cisco, HP, other network hardware vendors are better at this. Do they still have crap code? Sure. Do they still have security vulnerabilities? Of course. Could a nation state still get a backdoor in? Probably. But would it be significantly harder to do, easier to detect, and easier to resolve? Yes, and that makes them better suited to critical infrastructure.


"But would it be significantly harder to do, easier to detect, and easier to resolve? Yes, and that makes them better suited to critical infrastructure. "

But like what is that conclusion based on?

I'm not saying you're wrong - just curious why you hold HP and Cisco in high esteem.

At least in terms of engineering talent I'd expect them to be much worse. Huawei is probably the Google of China, paying huge salaries and getting the country's top engineers (along with Alibaba). When I lived in Santa Barbara, Cisco didn't have a good rep and they didn't pay well. A typical bureaucratic, Office Space-esque soul sucker. I don't know about HP but I don't get the sense it's a prestigious place to work either.

Again, these are very shaky, ill-informed judgments on my part, I admit :) hence why I'm curious if you're talking from a position of knowledge on the subject.


> But like what is that conclusion based on?

It's based on a few assumptions, but ones I feel are reasonable to make. The fact these companies will have been audited in the same way, but that the concerns have not been raised (by government, industry, security consultants) suggests that these processes are very different.

Version control, code auditing, code review, reproducible builds, etc, those will all contribute to being able to protect against attackers.

You're right that there's a huge talent pool in China, and there is good engineering happening in China, but there are also cultural barriers to it in some places. The 9/9/6 working culture in Chinese tech companies optimises for throughput not quality, and the general impression I have from reading about internal engineering cultures at other Chinese tech companies aligns with the Huawei report.

I'm not speaking from a position of expertise, I am judging this and drawing my own conclusions, but I don't feel they are ill informed (nor do I think yours are). I'm confident in the facts I know, have evidence for my opinions, and have reason to believe my suspicions.


"The fact these companies will have been audited in the same way .."

Have they? Are you sure? The Huawei audit was not a routine audit. According to Wired it was done by the special British "Huawei Cyber Security Evaluation Centre". I can't find any evidence the UK National Cyber Security Centre has done the same with Cisco or HP.

> am judging this and drawing my own conclusions, but I don't feel they are ill informed (nor do I think yours are)

The difference between us is that I definitely think MY conclusions are ill informed. Hope someone who knows what they're talking about can chime in.


It all sounds very reasonable until you remember that multiple backdoors and hardcoded hidden admin accounts have been found in Cisco products. I have yet to see any proof that Huawei are worse (or better) than Cisco. IMO absolutely nothing has been proven in terms of quality versus other manufacturers outside of political standpoints in all this. As far as I can tell this audit has not been done (or at least not published) for any other manufacturer than Huawei. It's 100% politics and zero evidence of quality when only one side gets tested and published.


Also a perfect environment to slip in back doors that look like mistakes.


Exactly, that was their point. I suspect there are a lot of software supply chains that are actually compromised, because it's just too easy when this is the standard of software engineering.

It's easy to forget that git for example is not just a big "undo" button, it's a cryptographically secure audit log of all changes made, that allows you to know exactly what software you're actually shipping.


> cryptographically secure audit log of all changes made, that allows you to know exactly what software you're actually shipping.

To be pedantic: not quite.

Git is certainly a cryptographically secure audit log[ß] but it only tells you what the source code was that went _into_ the build at the time of checkout. You can subvert the process through malice (e.g. SolarWinds), through incompetence (e.g. off-tree "magic" patching as a build step), or through sheer negligence.

Reproducible and auditable builds are a much harder problem than source code provenance.

ß: from my previous job: once auditors understood what git is, they loved it. They, by their profession, love immutability. Failing that, they consider tamper-evidence a really good second best.
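The "cryptographically secure audit log" in the two comments above is just SHA-1 over a header plus content, chained blob to tree to commit. The following added example (written for this page, not code from git itself or from any of the commenters) reimplements enough of git's object hashing to show both halves of the point: any change to a tracked file changes the commit id, which is the tamper-evidence the auditors liked; and the commit id covers nothing but the checked-in bytes, so an off-tree patch applied at build time leaves it untouched. The file contents and author string are constructed; the hashing rules (`"<type> <len>\0" + payload`, tree entries as `"<mode> <name>\0" + raw 20-byte id`, sorted by name for plain files) are git's own and the two known ids asserted on are git's well-known empty-tree and `hello\n` blob hashes.

```python
import hashlib


def git_object_id(obj_type: str, payload: bytes) -> str:
    """git's object id: SHA-1 over "<type> <len>\\0" followed by the payload."""
    header = f"{obj_type} {len(payload)}\0".encode()
    return hashlib.sha1(header + payload).hexdigest()


def blob_id(content: bytes) -> str:
    return git_object_id("blob", content)


def tree_id(entries) -> str:
    """entries: iterable of (mode, name, hex_oid) for plain files in one directory.

    git stores entries sorted by name (directories sort as name + "/", omitted here
    because the example only uses regular files) with the raw 20-byte object id.
    """
    data = b""
    for mode, name, oid in sorted(entries, key=lambda e: e[1]):
        data += f"{mode} {name}".encode() + b"\0" + bytes.fromhex(oid)
    return git_object_id("tree", data)


def commit_id(tree: str, parents, author: str, message: str) -> str:
    lines = [f"tree {tree}"]
    lines += [f"parent {p}" for p in parents]
    lines += [f"author {author}", f"committer {author}", "", message]
    return git_object_id("commit", "\n".join(lines).encode())


# Constructed sample repository state: one file, one root commit.
SAMPLE_AUTHOR = "Example Dev <dev@example.invalid> 1647043200 +0000"


def commit_for(files) -> str:
    """Commit id for a flat dict {filename: bytes}; parents and author fixed for the demo."""
    entries = [("100644", name, blob_id(content)) for name, content in files.items()]
    return commit_id(tree_id(entries), [], SAMPLE_AUTHOR, "add hello")


def demo():
    """Return (commit id of the honest tree, commit id after one byte of tampering)."""
    honest = {"hello.txt": b"hello\n"}
    tampered = {"hello.txt": b"hellO\n"}  # a single byte changed in a tracked file
    return commit_for(honest), commit_for(tampered)


if __name__ == "__main__":
    good, bad = demo()
    print("commit over honest tree:  ", good)
    print("commit after tampering:   ", bad)
    # An off-tree patch applied by the build script touches nothing git hashed,
    # so this id stays identical; that is the gap the reply above describes.
    print("unchanged by a build-time patch:", good == commit_for({"hello.txt": b"hello\n"}))
```

The last line is the practical caveat: the commit id proves what was checked out, not what was compiled. Closing that gap needs the build itself to be reproducible and its inputs recorded, which is a separate problem from source provenance.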


Of course, I was simplifying this somewhat to make a point. I think git can be a significant part of the solution, but there's a lot more that goes into it.


With enough mistakes, why would anyone bother to install a back door? That costs money, and reduces deniability.


Yes, it has happened multiple times at Cisco.


I find it hard to believe that Huawei does not use version control. No company is perfect, but surely software developers (at a multinational company) with advanced degrees in CS and ECE are using version control.


This is why for home and small office use, I usually get AVM Fritz [1] network devices. They have been around since forever, provide regular updates for their devices and over a long period. Their web interface allows for a lot of fine-grained configuration and their devices have been rock solid for me. They are a German company and as far as I know software development is also done in Germany, so I expect that they operate within the relatively strict privacy regulations of the EU.

[1] https://en.avm.de


- 8< - I was wrong - 8< -


Would you mind providing a source for this claim, please?


That's before installing OpenWRT!

This kind of shenanigans makes (once again) the case for third-party aftermarket FLOSS firmware to be installed on every device I own. Sure, I spend some extra time researching which router/AP/phone/ereader/smart appliance will be compatible with OpenWRT/LineageOS/KOReader/Tasmota/ESPHome/etc., but I feel more comfortable this way. I have more trust in a bunch of people doing this for owning their devices than some corporation whose goals clearly don't align with mine.


Newer TP-Links use Broadcom chips which have no drivers on Linux, so it makes using OpenWRT basically impossible.


The only reasonable choice here is to vote with our wallet and go with another company.


OpenWRT is not possible to use on a lot of new hardware; it's also not possible to use new versions on older hardware, as they started to require more minimum RAM/flash. DSL or GPON is off the table.


> it's also not possible to use new versions on older hardware, as they started to require more minimum RAM/flash.

You shouldn't imply that OpenWRT is in any way bloated.

The kind of hardware that doesn't have enough RAM or storage for OpenWRT is truly pathetic. Those devices don't have enough CPU power to route traffic at reasonable speeds, their WiFi radios are so outdated that operating them in a crowded 2.4GHz band is an obscene waste of airtime, and even with the manufacturer's firmware those devices usually can't support features like IPv6. A router that old is usually only worth using as a managed Ethernet switch, if it even supports gigE.


Is that the same Broadcom that makes the closed GPU on the Raspberry Pi? Why, oh why, can't they just play nice and document their hardware. Maybe they want to get bought by Nvidia!


You could also buy an SBC with a few network ports and use that as your router.


IME small ARM SBCs generally have a miserably slow bus arrangement for this sort of thing (and no hardware switch chip, of course). People have had some success with routers built on x86 mini-PCs[1], but these lean towards the “flexible and performant” side, not the cheap side.

[1] https://arstechnica.com/gadgets/2016/04/the-ars-guide-to-bui...


I just built a relatively decked out router from eBay and Amazon parts for less than $300.

- used HP EliteDesk 800 G3 SFF (4-core i5-6500, 8GB RAM, 240GB SSD, 4x PCIe slots), $170 shipped

- 2x new dual 2.5GbE PCIe cards, $40 each

- 1x used quad-port Intel gigabit card, $30 shipped

So for $280 I have a machine that will route at 2.5GbE for a few machines and gigabit for the rest of my network while using about 25 watts. If you don't need that many ports you can cut the cost down considerably with a smaller machine like a ProDesk 400 or 600.

I'm using VyOS but OpenWRT, Untangle, OPNsense or Sophos Home would also be perfectly fine choices.


I am very much interested in building my own router in a similar way, but 25W is still about 5x as much power as something like a mikrotik


I am using an older Intel NUC with a Coffee Lake U CPU, together with 4 USB Ethernet adapters, to increase the number of Ethernet ports to 5.

The measured average power over 24 hours is around 12 to 13 W. The idle power is under 10 W and the maximum power consumption can be up to 60 W, but even a large number of active network services, e.g. firewall, e-mail server, Web server and Web proxy, DNS server and DNS proxy, NTP server and so on, require just a power consumption not much above the idle level.

I assume that a NUC-like computer with a Jasper Lake CPU should have an average power consumption under 10 W. At least with Intel or AMD CPUs and associated peripherals you do not have to worry about software compatibility.


Sure. There are plenty of platforms you can start with that use less power. For the record I haven't actually measured it, that's just a guess. I'll throw it on a power monitor sometime and check.


A Raspberry Pi 4 can route at gigabit speeds, even with a USB3 nic.[1]

There is also a router board for a CM4 module that adds a second nic through PCIe.[2] The nics still aren't super nice but they are more than good enough for a home router.

The problem is that you can't actually buy a Raspberry Pi right now due to supply chain issues, and that may not change for a while.

[1] https://forum.openwrt.org/t/rpi4-routing-performance-numbers...

[2] https://www.dfrobot.com/product-2242.html


I just installed the x86 version on a used (ebay) Dell Optiplex 790 with a quad 1gbe ethernet card, total was about $80. It's far faster than any off-the-shelf wifi router, and will let me easily upgrade to 10gbit when Frontier FIOS rolls that out (it's in their roadmap). I still use my same wifi routers but now only for wifi. Also, total power consumption is about 18 watts at idle, so it's not going to cost me much more on my electric bill.


I repurposed an old HP thin client for this. It's basically an x86 laptop thrown in a case with a single x8 PCIe slot that I threw a dual 10GbE network card in (entirely because it was basically the same price used as a multiport 1GbE card and I already had a spare 10G port on my switch). It still cost more overall with adding an external AP to it, but it's been rock solid when I'm not trying to abuse its eMMC storage.


I was just wondering about this the other day. Are there still no options other than to buy/build a grossly overpowered x86 machine?


I use a Qotom. They are cheap and low powered. Runs opnSense.


Thanks, I saw them mentioned elsewhere here as well. How was the setup experience? Is it something I can set up if I'm not a BSD or networking expert? Do you use a wireless AP with it?


It’s quite easy to set up if you use opnSense. I do not use it as a wireless AP; I have a separate Nest mesh for home wifi behind the Qotom.


Before you say anything about this feature (which is apparently called HomeCare, https://www.tp-link.com/homecare/), you should probably know that Asus also has an AiProtection feature powered by Trend Micro (https://www.asus.com/content/aiprotection/) and D-Link has the McAfee Secure Home Platform built in (https://www.dlink.com/en/latest-news/d-link-introduces-new-e...). Definitely not vindicating TP-Link here (especially the alleged continuous querying despite the feature being off), just noting that this is not exclusive to TP-Link.


Damn. Seems like they have all "discovered" a new revenue model - harvest and sell user data to third-parties / data brokers.


These are all premium features you have to sign up for.


So why does the first line of their marketing material say "lifetime subscription for the life of the device" and not a monthly fee? Also, I have an Asus router with AiProtection and it didn't upsell me, and definitely no monthly dues (I wouldn't be shocked if the data collected is resold, however).


Yes but the feature is optional, and tells you how it works if you turn it on.

And realistically, most of the extended features on consumer routers are ineffective at best and network-destroying in typical cases.

For example, I've never used a router where turning on QoS did anything but trash network performance.

I use and recommend Asus routers because in spite of them being shitpiles when you turn on anything but the basic functionality, the industry standard is that low that consistently good basic functionality is a stand out success.

The router industry makes printer companies look like Apple.


I came here to say the same. I even purchased a LAN Throwing Star to look to see if my Asus router was sending anything to Trend Micro but never did get around to it.

But I will now for sure.


So how do we get routers that support open source firmware? It seems these things are getting more difficult to find.


You have some makers like Turris and GL.iNet that ship their devices with some customised flavor of OpenWRT. I just wander through OpenWRT's table of hardware, looking what devices fulfill my needs and are available in my country.

In the forums [0](Discourse alert) you have many threads with suggestions, too!

[0] https://forum.openwrt.org/c/hardware-questions-and-recommend...


The WRT1200AC family (WRT3200ACM etc) support it out of the box as a first-class feature.

https://www.linksys.com/nz/wireless-routers/wrt-wireless-rou...


The WRT1200AC family is not well supported. The Ethernet part should work fine, but the Wifi has been unsupported for some years now; see the repository here: https://github.com/kaloz/mwlwifi The vendors are not interested in this hardware any more, but they have very good marketing and sales. Linksys and Marvell also did not really support the OpenWrt community; they just had good marketing. If your WRT1200AC device does not work well with OpenWrt, do not complain to OpenWrt, but complain to Linksys support.

The WRT1200AC family for example does not support WPA3, because the closed source Wifi firmware does not support it. The 15 years old WRT54G supports WPA3, it is just very slow. ;-)

Currently I would suggest the Linksys E8450 / Belkin RT3200 (same hardware) or some other device using the current Mediatek platform with MT7622 + MT7915 + MT7531 (2x Cortex-A53, Wifi 6). All chips are supported in the recent upstream Linux kernel, including Wifi. The Mediatek router team is currently doing pretty good upstream open source work for their chips.


Neat! Looks like that just became my new front-runner.

I'm still happy with OpenWRT on my WNDR3800 for now either way.


The Turris routers are quite good these days.

I own an Omnia and despite it having been a bit rough a few years ago, it's now nearly flawless. The MOX is modular and could be more interesting for your use-case but it can also get pretty expensive.

https://www.turris.com/


Ah, a Czech product. I know some engineers from Turris. Very proud of them. This is what a good router should look like.


It’s a lost cause. The router should be treated as hostile and shouldn’t be allowed to know anything if possible. DNS over HTTPS and that SNI encryption stuff should be used.


How do you plan on blocking ad servers with DoH?


With ublock origin. DNS level ad blocking is rubbish and mostly circumvented by providers now.


I heard that ads were able to circumvent DNS by using canonical names.

But uBlock origin and PiHole both do CNAME inspection to block this.

Are there other ways that ads are circumventing DNS ad-blockers such as PiHole?
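The CNAME inspection the comment above credits to uBlock Origin and Pi-hole comes down to one loop: follow the answer's CNAME chain from the name the client asked for and block if any name along the chain (or one of its parent domains) is on the list, rather than checking only the queried name. The block below is an added example for this page, not code from either project, and it operates on an already-parsed answer section represented as (name, type, rdata) tuples; the blocklist and the answer records are constructed for the demonstration, including a deliberate CNAME loop so the loop guard is exercised.

```python
# Constructed blocklist and DNS answer records for the demo; not real tracker domains.
SAMPLE_BLOCKLIST = {"tracker.example", "ads.example"}

SAMPLE_ANSWERS = [
    # A first-party-looking name that is really an alias for a tracker ("CNAME cloaking").
    ("metrics.publisher.example", "CNAME", "cdn.tracker.example"),
    ("cdn.tracker.example", "A", "203.0.113.5"),
    # An honest first-party record.
    ("www.publisher.example", "A", "203.0.113.10"),
    # A malformed chain that points back at itself; a naive follower would spin forever.
    ("loop.publisher.example", "CNAME", "loop2.publisher.example"),
    ("loop2.publisher.example", "CNAME", "loop.publisher.example"),
]


def name_is_blocked(name: str, blocklist) -> bool:
    """True if the name or any parent domain of it appears in the blocklist."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def cname_target(name: str, answers):
    for owner, rtype, rdata in answers:
        if rtype == "CNAME" and owner.lower().rstrip(".") == name.lower().rstrip("."):
            return rdata.lower().rstrip(".")
    return None


def blocked_by_cname_chain(qname: str, answers, blocklist):
    """Walk qname's CNAME chain in the answer section.

    Returns (blocked, chain): blocked is True if any name in the chain matches the
    blocklist; chain lists the names examined, which is what a resolver would log.
    """
    name = qname.lower().rstrip(".")
    chain = [name]
    seen = {name}
    while True:
        if name_is_blocked(name, blocklist):
            return True, chain
        target = cname_target(name, answers)
        if target is None or target in seen:  # end of chain, or a loop
            return False, chain
        seen.add(target)
        chain.append(target)
        name = target


if __name__ == "__main__":
    for q in ("metrics.publisher.example", "www.publisher.example", "loop.publisher.example"):
        blocked, chain = blocked_by_cname_chain(q, SAMPLE_ANSWERS, SAMPLE_BLOCKLIST)
        print(f"{q}: blocked={blocked} via {' -> '.join(chain)}")
```

Checking the whole chain is also why this defence lives at the resolver or in the browser: a router-level blocklist that only compares the queried name against the list is the one that "canonical names" sidestep.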


I have found that rather than finding a way to sneak ads in, most non browser apps will just detect that the ads are missing and throw up an error refusing to display the content.


My go-to home router is the PC Engines apu2. I run OpenBSD on them (not for security but because I really enjoy using OpenBSD), but just about any OS will work well. They have open source firmware.

https://pcengines.github.io/

Full disclosure, I have never built the firmware but I take great comfort that it is developed in an open source manner, and that I could build it if I wanted to.


One alternative could be, instead of buying a router, getting a single-board computer designed to run whichever routing software you like. Banana Pi is an example that comes to my mind. You'd need to get a case, and it won't be as neat as a commercial router.


I would love to replace these "routers" with a normal computer. The thing is these computers would need special ports for either phone lines or fiber optic connections, as well as built-in modems. I've never seen a computer with this sort of hardware built into it. Even on dedicated network cards I only ever see ethernet ports, nothing compatible with whatever it is my ISP is using (SFP?). Decades ago in the dial up days I used to be able to buy modems separately but not anymore, and I'm not even sure what sort of hardware components are needed for a fiber connection...


My ISP gives me a box that terminates the fiber and has Ethernet on the other side. They also rent and sell routers that are configured to handle the PPPoE and VLAN settings needed for the WAN interface to this box. Plenty of routers can do this, and a dedicated Linux box like you are proposing should work, or you can throw a cheap managed switch in between if not. The hardest part is knowing what settings are needed (e.g. I had to call my ISP to ask for the PPPoE password).

DSL standalone termination is still widely available, as are standalone DOCSIS cable modems.


If you're on DSL, the D-Link DM200 has an integrated ADSL/VDSL modem that's supported by OpenWRT, and the platform is quite powerful. You'll need a second device for wifi, though, but that suits my use case.

If you want a dedicated OpenWRT device Mikrotik would be my suggestion.


TP-Link became a big no-go for me as soon as AX came out and I saw that they required account registration[0] for managing a personal, local router. Probably has to do with the fact that they're not western-owned and are 'legally required' to have such a system in order to be covered for 'borrowing' your data. I expect other vendors (Huawei, etc.) to do the same, and it's insane that people don't revolt against such practices, especially considering we still have such vendors being installed by default in people's homes by the ISPs. And whilst a router is replaceable by the end user, something like an ONT is harder to find in most places, and the ISP doesn't usually give config details for an ONT.

[0] Edit: An online account for the mobile application, not the web interface of the router itself.


This was alarming since I use a TP-Link router, so I tried figuring out to what extent it's able to inspect and record regular (encrypted) traffic.

My TP-Link Archer AX50, running software version "1.0.11 Build 20210730 rel.54485(4A50)" is doing at least some sort of DPI on outgoing connections. I found a page in its settings (Advanced -> Security -> Antivirus -> History) that contains a log of connections I've made to "suspicious" domains, which include quite a few that I would consider innocuous.

After clearing that log, I loaded a few domains I'd seen in it, and verified that new entries were created. Wireshark shows that no DNS requests were made, and the DNS-over-HTTPS used by Chrome didn't leak that traffic. I believe the router must be inspecting TLS headers for the ServerName field.

Didn't try to verify whether that data is being sent to a third party, but given that this thing is collecting data that it has no business looking at, it wouldn't surprise me if it's shipping it somewhere.

edit: the URL I tested with is <https://api.mangadex.org/docs.html>.


It could be doing reverse lookup on the IP you connected to? That's what a lot of network monitoring tools do.


That's not as common any more, due to the broad adoption of TLS-capable CDNs (Cloudflare, Fastly, etc) over the past ~10 years.

In this case the site I tested with had a few different subdomains backed by the same IP, which I verified from a remote VPS. Using `curl` locally, with the `--resolve` flag to bypass DNS resolution, caused the router's log to contain entries for the specific subdomains requested.


Looking at DNS traffic isn't generally considered DPI.


ALL routers send my web traffic to a 3rd-party server, I would hope. I don't have a router to access all the websites on my home network, after all.

Joking ofc, this is pretty bad. Terrible coding in the best case, outright spying in the worst. Neither instills a lot of confidence in TP-link.


The software answer would be easy: use OpenWRT or any other *BSD based alternative, but what about the hardware? A quick search for WAN interfaces for PCs returned nothing.


You can get a minimalist ADSL modem such as:

https://www.draytek.co.uk/products/business/vigor-130

“The DrayTek Vigor 130 is a VDSL2 and ADSL modem with an Ethernet connection; it is not a router but a true ADSL/VDSL Ethernet Modem (bridge).”


Interface most of the time is going to be a dedicated modem for whatever uplink you have, unless you already get Ethernet directly. Depending on your specific situation, you might have to use whatever the ISP gives you and set it to play as dumb as possible.


I would agree that it can be difficult to find quality hardware that supports the open source software stack.

For example, what wireless access points are compatible with an openbsd router/firewall? I’ll admit that my initial searches were short but only finding results about wireless chipsets to use in the router were frustrating (I guess if I wanted to build my own access points that information would be valuable).


What does it even mean for an access point to be "compatible" with a specific OS on the router?


Like the ability for the AP to understand how the VLANs the router set up work. I'm still quite the network novice, but it seems like if I wanted a BSD firewall -> managed switch -> wireless AP I would need to confirm some level of interoperability for decent performance?


That kind of interoperability has nothing to do with the OSes though if you straight-up configure things. VLANs are VLANs, regardless if it's Linux, Windows, BSD, Cisco, ... on the other end of the cable. (And if you expect some kind of automatic configuration sync etc the answer is in reverse "doesn't work unless you buy everything from one vendor", for that part there is little standardization)


That is good to know. Far too many guides I have read for home networks are for single-vendor network stacks, despite that never being the case at any of my jobs.


Qotom and protectli make some cool options. I’ve used both with *nix.


That's because there is no single "WAN interface". The WAN port on the router is often just a differently labelled Ethernet port.


Sorry, used the wrong term. By WAN I meant the broadband telephone line. Modem cards for dial-up connections were common back in the day, but since ADSL and beyond I don't recall any commonly available products, USB winmodems aside. VDSL/fiber-capable cards would be very handy to build 100% FOSS broadband routers, but they seem next to unobtainium.


Netgear DM200 or one of the Fritz!Box devices if you want VDSL/DSL support.


Configure the box your ISP gives you in bridge mode.

I do this and use an apu2d4 as hardware.


I never rued the day when I switched off the last "appliance" router after switching to a virtual router - OpenWRT running in a container on a Proxmox-managed host. I use a number of repurposed "appliance" routers (also running OpenWRT) as access points, some of them connected to additional "dumb" PoE switches for IP cameras. Those cameras run over their own VLAN and never get to touch the 'net; the same goes for "IoT" things (heat pump, PV inverter etc.). Xi and friends will be disappointed: even if they built backdoors into their equipment, these only lead to a dead-end street.


I was annoyed by the Deco app too. It provides remote management, and I believe all its data is forwarded through TP-Link's server.

My solution is running those devices as a Wi-Fi to LAN bridge and setting up my own NAT gateway (bare-metal Linux, OpenWrt, etc.), then blocking those devices from accessing the Internet at the gateway.

If I have more IoT devices at home, I will apply such a policy to all of them.


Hasn't avira been just generally for a lack of better words completely fucking awful over the past year or two? The last I remember hearing about them was installing crypto miners along with their AV, which I can only imagine being bottom quality at this rate of insanely bad behaviour...




I personally prefer the regular mobile view.


I setup cloudflare zero trust and started pointing my AC4000 to it, let's see what happens.


I've had it on for 2 days now, no requests to Avira, I have HomeGuard completely turned off.
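Added example, not the commenter's and not Cloudflare's, TP-Link's or Avira's code: a way to check for yourself what a DNS filter in front of the router is actually catching, rather than relying on the absence of complaints. It runs over a constructed dnsmasq-style query log (the router at 192.168.1.1, the client at 192.168.1.20 and the `security-vendor.example` / `news.example` names are placeholders I made up, not real hostnames), ranks which client is hammering which domain, and counts what a suffix blocklist would have stopped. All function names are my own.

```python
import re
from collections import Counter

# Constructed dnsmasq-style query log (not real data). 192.168.1.1 stands in
# for the router's own lookups; 192.168.1.20 is an ordinary LAN client. The
# domain names are placeholders, not Avira's or TP-Link's real hostnames.
SAMPLE_LOG = """\
Mar 12 10:00:01 dnsmasq[1234]: query[A] telemetry.security-vendor.example from 192.168.1.1
Mar 12 10:00:02 dnsmasq[1234]: query[AAAA] telemetry.security-vendor.example from 192.168.1.1
Mar 12 10:00:04 dnsmasq[1234]: query[A] api.security-vendor.example from 192.168.1.1
Mar 12 10:00:05 dnsmasq[1234]: query[A] news.example from 192.168.1.20
Mar 12 10:00:07 dnsmasq[1234]: query[A] telemetry.security-vendor.example from 192.168.1.1
Mar 12 10:00:08 dnsmasq[1234]: query[A] cdn.news.example from 192.168.1.20
Mar 12 10:00:10 dnsmasq[1234]: query[A] api.security-vendor.example from 192.168.1.1
Mar 12 10:00:12 dnsmasq[1234]: query[A] telemetry.security-vendor.example from 192.168.1.1
Mar 12 10:00:13 dnsmasq[1234]: reply news.example is 203.0.113.10
"""

# Matches only "query[...]" lines; replies, cache hits and forwards are ignored.
QUERY_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ query\[(?P<qtype>\w+)\] "
    r"(?P<name>\S+) from (?P<client>\S+)$"
)


def parse_queries(log_text):
    """Yield one dict per query line; non-query lines are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if m:
            d = m.groupdict()
            d["name"] = d["name"].rstrip(".").lower()
            yield d


def base_domain(name):
    """Collapse a hostname to its last two labels. Simplification: wrong for
    multi-label public suffixes such as co.uk; use the Public Suffix List
    if you do this on real data."""
    return ".".join(name.split(".")[-2:])


def flag_chatty(log_text, threshold):
    """Return [(client, base_domain, count)] for pairs at or above threshold,
    most frequent first. A router querying one vendor domain far more often
    than any client queries anything is the pattern worth a second look."""
    counts = Counter(
        (q["client"], base_domain(q["name"])) for q in parse_queries(log_text)
    )
    flagged = [(c, d, n) for (c, d), n in counts.items() if n >= threshold]
    return sorted(flagged, key=lambda t: -t[2])


def would_block(name, blocklist):
    """Suffix match the way a DNS filtering policy does: blocking a zone
    also blocks every name beneath it."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def blocked_count(log_text, blocklist):
    """How many of the logged queries a given blocklist would have stopped."""
    return sum(1 for q in parse_queries(log_text) if would_block(q["name"], blocklist))


if __name__ == "__main__":
    for client, domain, n in flag_chatty(SAMPLE_LOG, threshold=5):
        print(f"{client} -> {domain}: {n} queries")
    print("would be blocked:", blocked_count(SAMPLE_LOG, {"security-vendor.example"}))
```

On a real setup, `log-queries` in dnsmasq's configuration produces lines of this shape (on OpenWrt they land in `logread`), so the same parser applies. One caveat the blocklist check makes visible: a resolver-based filter only sees lookups that go through it, so a device that hard-codes its own resolver IPs or uses DNS over HTTPS never appears in this log, and the quiet two days above only prove the router honoured the DHCP-assigned resolver.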


If you want to see TP-Link routers' track record, and if you have an existing TP-Link router, check the updates page on their support website. The same kinds of vulnerabilities are fixed often across devices, as if they are not learning from their mistakes.

When it comes to budget routers I still turn to TP-Link when I can easily find a decent model on the market that is supported by OpenWrt.


Senior people at tp-link should go to jail for this.


GDPR fine & class-action lawsuit in 3...2...1


pwned


TP Link is a Chinese company. I won't trust them personally.

In China's current political status, it is impossible for Chinese companies to reject the autocratic government's requests for surveillance. You may end up in jail or even get killed.




Only partially: Rejecting the request won't get you killed. You also have the option to close your company to avoid jail, see https://en.m.wikipedia.org/wiki/Lavabit as a good case study.

Thus, I would prefer the US to China in this regard.


As a purchaser of equipment, the risk is basically the same though. It's just about which government you want to trust with your data.


So hypothetically as a western activist at risk of govt coercion you'd trust Cisco more?

Statistically, you very likely own a Chinese manufactured router while using it to tell others here not to do the same.


This is a good point. Probably most people are not aware of the country of origin of most tech products (resp. for a given product, how many important, modular subparts come from Chinese companies).

It would be highly interesting if there were a website where you could type in the name of a product (e.g. some Cisco router) and it would give you a detailed decomposition of where and by whom its parts were made. Something like (highly simplified):

- CPU design: Company X
- CPU manufacturing: Company
- RAM design and manufacturing: Company Z
- Overall remaining logic: Cisco


Many US companies publish lists of suppliers. These examples do not show individual components, but may shine some light on things:

https://www.apple.com/supplier-responsibility/pdf/Apple-Supp...

https://www.cisco.com/c/dam/en_us/about/supply-chain/cisco-s...


I mean, I get it, but Avira is a German company.


Avira’s bosses get their marching orders from NortonLifelock bosses, which seems to have pretty American leadership:

https://www.nortonlifelock.com/us/en/corporate-profile/manag...


Anecdotally, I've seen that TP-Link routers are ubiquitous in Chinese households. I don't draw any conclusions from that, but I did stop buying TP-Link devices.

It would be nice if the US took import controls as seriously as export controls.



