An exploit has been found that affects various TP-Link routers. The exploit tries to change the router's upstream DNS server to an IP address under the attacker's control. Because every DNS lookup from the network then goes to the attacker's server, the attacker can direct traffic through infrastructure they control, which enables man-in-the-middle attacks.

A man-in-the-middle attack is a form of active eavesdropping in which the attacker makes independent connections with the victims and relays messages between them, making them believe that they are talking directly to each other over a private connection, when in fact the entire conversation is controlled by the attacker. The attacker must be able to intercept all messages going between the two victims and inject new ones, which is straightforward in many circumstances (for example, an attacker within reception range of an unencrypted Wi-Fi access point can insert himself as a man-in-the-middle).

The researcher who documented the exploit, Jason Lell, has already "spotted the exploit five times on totally unrelated websites." He also notes that all "five instances of the exploit tried to change the primary nameserver to three different IP addresses and it is likely that there are more of them".

He then goes on to give recommendations to mitigate the problem, which we echo below.

The list of affected devices is currently limited to what he had available to test, so even if your device isn't listed, it is worth upgrading the firmware just in case.

Recommendations to mitigate the problem

If you are using an affected TP-Link router, you should perform the following steps to prevent it from being affected by this exploit:
* Check whether the DNS servers have already been changed in your router
* Upgrade your router to the latest firmware. The vulnerability has already been patched at least for some devices
* If you don’t get an upgrade for your model from TP-Link, you may also check whether it is supported by OpenWRT
* Change the default password to something more secure (if you haven’t already done so)
* Don’t save your router password in the browser
* Close all other browser windows/tabs before logging in to the router
* Restart your browser when you’re finished using the router web interface (since the browser stores the password for the current browser session)
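A defender's check for the first step above, verifying whether the DNS servers handed out by the router have been changed and whether its resolver's answers differ from a trusted one. This is an added example, not code from the article, the researcher or TP-Link; the allowlist addresses and all sample data are constructed placeholders.

```python
"""Check whether a router has been pointed at a rogue upstream DNS server.
Added example for this article, not code from the researcher or TP-Link;
the allowlist stands in for your router's LAN address and your ISP's
resolvers (placeholders), and all sample data below is constructed."""
import ipaddress

EXPECTED_RESOLVERS = {"192.168.1.1", "203.0.113.53", "203.0.113.54"}

def parse_resolv_conf(text):
    """Return the nameserver addresses from resolv.conf-style text."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed entry, skip it
    return servers

def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Resolvers outside the allowlist; any hit means the settings changed."""
    return [s for s in servers if s not in expected]

def mismatched_answers(router_answers, reference_answers):
    """Domains where the router's resolver disagrees with a trusted resolver.
    A rogue upstream returns attacker-controlled addresses; compare as sets
    since record order varies. CDNs can also cause legitimate differences,
    so treat hits as leads to investigate rather than proof on their own.
    """
    return sorted(d for d, addrs in router_answers.items()
                  if set(addrs) != set(reference_answers.get(d, [])))

def audit(resolv_conf, router_answers, reference_answers):
    """Run both checks and return one report."""
    servers = parse_resolv_conf(resolv_conf)
    return {"resolvers": servers,
            "unexpected": unexpected_resolvers(servers),
            "mismatched": mismatched_answers(router_answers, reference_answers)}

# Constructed sample: resolv.conf as pushed by DHCP from a tampered router,
# plus answers from its resolver versus a trusted reference resolver.
SAMPLE_RESOLV_CONF = "# constructed\nnameserver 198.51.100.7\nnameserver 192.168.1.1\n"
SAMPLE_ROUTER_ANSWERS = {"bank.example": ["198.51.100.9"], "news.example": ["192.0.2.10"]}
SAMPLE_REFERENCE_ANSWERS = {"bank.example": ["192.0.2.20"], "news.example": ["192.0.2.10"]}

if __name__ == "__main__":
    print(audit(SAMPLE_RESOLV_CONF, SAMPLE_ROUTER_ANSWERS, SAMPLE_REFERENCE_ANSWERS))
```

On a real network, feed the script the resolv.conf your DHCP client wrote and answers gathered from the router's resolver and a resolver you trust; a non-empty "unexpected" list is the clearest sign the router's DNS settings were altered.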

Full details of the exploit have been reported here. TP-Link has issued firmware updates for some of the devices which fix the problem altogether; you can find the firmware updates directly at http://uk.tp-link.com/

