US may ban the sale of TP-Link routers

I think the point being made was that if the US really cared about dealing with spyware, etc. on this level then they would be targeting all brands of networking hardware. Foreign and domestic. Especially those with a past history of problems in this regard.

But they aren't, they are only targeting specific foreign interests, something they have a history of doing, despite being aware of vulnerabilities in other companies' kit. This does sound like protectionism.

It doesn't mean that foreign networking kit doesn't contain vulnerabilities. Both things can be true.

The difference is that while all these routers are susceptible to hacking from all and sundry, TP-Link being Chinese means that they may be suborned at a nation-state level.
 
> I think the point being made was that if the US really cared about dealing with spyware, etc. on this level then they would be targeting all brands of networking hardware. Foreign and domestic. Especially those with a past history of problems in this regard.
>
> But they aren't, they are only targeting specific foreign interests, something they have a history of doing, despite being aware of vulnerabilities in other companies' kit. This does sound like protectionism.
>
> It doesn't mean that foreign networking kit doesn't contain vulnerabilities. Both things can be true.

True enough. It's hypocritical, since hundreds of American companies make a living out of stealing and selling people's data.
 
> The difference is that while all these routers are susceptible to hacking from all and sundry, TP-Link being Chinese means that they may be suborned at a nation-state level.

If the US wants to pre-emptively ban all devices made in China/by a Chinese company that have the ability to execute code and are connected to the internet then coming out and saying that would make a lot more sense than landing on TP-Link alone being an issue. If they want to claim it's about security then some basic product standards would be helpful to make that case, but I don't get the impression that additional regulation of consumer goods is particularly high up the agenda.
 
> If the US wants to pre-emptively ban all devices made in China/by a Chinese company that have the ability to execute code and are connected to the internet then coming out and saying that would make a lot more sense than landing on TP-Link alone being an issue. If they want to claim it's about security then some basic product standards would be helpful to make that case, but I don't get the impression that additional regulation of consumer goods is particularly high up the agenda.

The challenge comes with proving the security. Unless you've got fully open firmware for the entire device, and fully open source chips (and... some way to prove that the chips in this given router are the same as the engineering samples which were proven?), you have no way to prove any guarantees or assurances made by the manufacturer about security, lack of backdoors etc. All you've really got is "Trust me, bro".
 
Sure but that's the case for all these types of regulations, including PSTI. What it does is set out in law a process by which breaches can be punished rather than having to try and use existing laws.
 
> The difference is that while all these routers are susceptible to hacking from all and sundry, TP-Link being Chinese means that they may be suborned at a nation-state level.

Stealing my data, in order of caring...

1. Amazon.
Because they pester me with adverts.

2. The UK government.
I'm not doing anything wrong so I don't care, but having said that, they will probably lose my data to hackers.

3. The Chinese government.
I can't think of anyone that my data is less useful to....other than maybe "Ladies Underwear Dot Com".
 
And suppose you are working from home on a new product? Say Rolls Royce’s new aero engine. Don’t you think China would be interested in that? How about cargo shipping costs?
 
> And suppose you are working from home on a new product? Say Rolls Royce’s new aero engine. Don’t you think China would be interested in that? How about cargo shipping costs?

What is the attack that you see happening here, broadly speaking? How is your particular router being identified as one to target, and what does the attack look like?
 
I opened this forum because I was just about to buy a TP-Link ethernet adaptor and wanted to do a quick check on the brand's reputation. This thread is the first thing I see! :D

But honestly, it's a long way to go and a lot of hassle for Chinese agents to hassle me about something I've done they don't like. Whereas PC Plod is just down the road if I make an illegal tweet. So as long as the product works fine I'd rather Chinese Spyware than Whitehall and Washington.
 
> What is the attack that you see happening here, broadly speaking?

Sorry I missed this, but they attack everyone and see what crops up. If they find something interesting they then focus. In the early 2000s I was working in the defence sector and logged all attempts to hack me and the drive-bys were relentless.
 
> The difference is that while all these routers are susceptible to hacking from all and sundry, TP-Link being Chinese means that they may be suborned at a nation-state level.

You said that like the US (NSA, CIA) haven't subverted everything from SuperMicro to Cisco in the past, and even outright run cryptography companies and leveraged NIST to add backdoors, persistent RATs and all sorts. What you meant to say, I think, is they don't want *someone else* to do what they're doing. :p If they really cared, they'd pass a bill to enforce minimum security standards and long lifetimes for any networking equipment being sold. Want to sell a router? It needs x responsiveness to CVEs, transparent security publishing and a minimum of 10 years' software support. Easy. But that's not what this is really about - it's 'I don't want you to have fingers in the pie, that's for me not for thee!'.
 
> Sorry I missed this, but they attack everyone and see what crops up. If they find something interesting they then focus. In the early 2000s I was working in the defence sector and logged all attempts to hack me and the drive-bys were relentless.

I'm sort of familiar with the broad context, I'm just wondering what the attack looks like against what is presumably a well managed endpoint. Any attempt to redirect traffic would surely fail if the client was using Entra Internet Access/Cloudflare Warp/Zscaler/Cisco whatever, the device wouldn't be configured in a way that can bypass TLS errors caused by trying to intercept the traffic etc. All I can really come up with is denying service to try and prompt a call to a support team that you manage to intercept by already having access into the mobile network to try and social engineer an MFA token out of the victim. A work laptop should be able to exist on a network with compromised devices trying to attack it, and if the data is incredibly sensitive then it needs to be handled in a way that it can't be obtained by kidnapping someone off the street and threatening them in the back of a van until they unlock their laptop by e.g. only existing at a facility with guards present.

I'm not saying router exploits don't exist, bad coding is everywhere, but I'm struggling to see how you burn a 0day on a router firmware bug and then pivot to getting access to a system connected to it. Dropping spyware onto a phone via a WhatsApp bug would appear to be more fruitful.
 
> You said that like the US (NSA, CIA) haven't subverted everything from SuperMicro to Cisco in the past,

And so what? Two wrongs don't make a right.

> I'm just wondering what the attack looks like against what is presumably a well managed endpoint.

I'm sorry but it was 20 years ago and I don't recall the details, but I just set things up so that attempts would get logged and silently dropped. I'm sure attacks these days can be much more sophisticated but the basics remain. Car thieves still look for unlocked cars.
 
I'm not trying to interrogate you on the details of something 20 years ago, I'm trying to understand the threat model that a compromised router is deemed to pose. I am not aware of compromised routers being used to try and attack targets on the LAN side of the network, they commonly appear as botnet members to be deployed in DDoS attacks.

All I can really come up with is a compromised router redirecting some common web requests to a compromised site and the user clicking through the TLS warnings and loading malware on their device, or calling a fake technical support number listed on the fake site and opening up a path for remote access, but no managed endpoint from a competent organisation should permit any of that to happen.

I'm not saying that it's fine to have a router with a bunch of malware running on it sat on your internet connection DDoSing other hosts, but no consumer router should ever be considered part of the security posture of their PC.
 
> I'm trying to understand the threat model that a compromised router is deemed to pose.

If someone compromises your router they can divert your traffic or read all the data that goes through it. For instance they might learn that you are into midget porn or whatever and try to blackmail you. Or they might learn of health issues and offer to help, for a price - that's more of a problem in the USA with healthcare being so expensive. Or... If you have a more sophisticated router then they might try to gain root access and try to run programs on it to probe your LAN.

But you should really talk to someone with much more recent expertise.
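The two posts above describe the same scenario from opposite sides: a router that diverts DNS or traffic so that a public site lands on an attacker's host, versus an endpoint that should notice. Below is an added example (not code posted by anyone in this thread) of the detection logic a practitioner would run on a managed endpoint or a home-lab monitor. It checks two things: whether the resolvers handed out by the gateway via DHCP are on an allowlist, and whether the gateway's DNS answers for public names either disagree with a trusted reference resolver or point at LAN/loopback space, where an interception host would sit. The resolver allowlist, the reference answers, the gateway answers and the DHCP lease are all constructed sample data, so it runs offline.

```python
"""Detection logic for the 'compromised router diverts your traffic' scenario.

Added example, not from the thread. All inputs below are constructed samples:
in practice the reference answers would come from a resolver you trust (for
example DoH to a known provider) and the gateway answers from the LAN
forwarder the router pushed to you over DHCP.
"""
import ipaddress
from typing import Dict, List, Set, Tuple

# Assumed allowlist: the gateway itself plus two public resolvers. Anything
# else pushed via DHCP is treated as suspicious.
EXPECTED_RESOLVERS: Set[str] = {"192.168.1.1", "1.1.1.1", "9.9.9.9"}

# Ranges no public hostname should legitimately resolve to from a home LAN:
# RFC 1918, loopback, link-local and CGNAT space.
NON_PUBLIC_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "100.64.0.0/10",
)]

# Names under these suffixes are expected to resolve to private addresses.
INTERNAL_SUFFIXES = (".home.lan", ".lan", ".local")

# Constructed reference answers from a trusted resolver.
REFERENCE_ANSWERS: Dict[str, Set[str]] = {
    "login.example.com":   {"93.184.216.34"},
    "updates.example.com": {"151.101.1.67", "151.101.65.67"},
}

# Constructed answers from the gateway's DNS forwarder: one name has been
# diverted to the router itself, one is untouched, one is a genuine LAN host.
GATEWAY_ANSWERS: Dict[str, Set[str]] = {
    "login.example.com":   {"192.168.1.1"},
    "updates.example.com": {"151.101.1.67", "151.101.65.67"},
    "nas.home.lan":        {"192.168.1.20"},
}

# Constructed DHCP lease: the gateway plus an unexpected off-LAN resolver.
DHCP_DNS_SERVERS: List[str] = ["192.168.1.1", "203.0.113.53"]


def is_non_public(addr: str) -> bool:
    """True if addr falls in RFC 1918 / loopback / link-local / CGNAT space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in NON_PUBLIC_NETS)


def check_resolvers(dhcp_servers: List[str], expected: Set[str]) -> List[str]:
    """Return the DHCP-supplied resolvers that are not on the allowlist."""
    return [server for server in dhcp_servers if server not in expected]


def compare_answers(reference: Dict[str, Set[str]],
                    gateway: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """Return (name, reason) findings for gateway answers that look diverted.

    Two signals: a public name resolving into non-public space (strong), and
    a gateway answer that differs from the reference (weaker on its own, since
    CDNs legitimately return different addresses by region).
    """
    findings: List[Tuple[str, str]] = []
    for name, addrs in gateway.items():
        internal_name = name.endswith(INTERNAL_SUFFIXES)
        bad = sorted(a for a in addrs if is_non_public(a))
        if bad and not internal_name:
            findings.append((name, f"public name resolves to non-public address(es) {bad}"))
        if name in reference and addrs != reference[name]:
            findings.append((name, f"gateway answer {sorted(addrs)} differs from "
                                   f"reference {sorted(reference[name])}"))
    return findings


def run_checks() -> Dict[str, list]:
    """Run both checks over the constructed sample data."""
    return {
        "rogue_resolvers": check_resolvers(DHCP_DNS_SERVERS, EXPECTED_RESOLVERS),
        "diverted_answers": compare_answers(REFERENCE_ANSWERS, GATEWAY_ANSWERS),
    }


if __name__ == "__main__":
    for check, result in run_checks().items():
        print(check, result)
```

On the sample data this flags the off-LAN resolver and reports login.example.com twice (it resolves into private space and disagrees with the reference) while leaving the untouched update host and the genuine NAS name alone. The "differs from reference" signal alone is not proof of tampering, which is why the non-public check is the one worth alerting on; and, as the thread notes, a diverted connection still has to get past certificate validation on the client, so this is a detection aid, not a substitute for a properly managed endpoint.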
 