TP-Link Routers Could Direct Consumers to Malicious Sites

The internet access company failed to register two domains. 


We’ve all had to deal with the hassle of installing a home wifi network at some point, but now there’s a possibility your device could catch a virus before the network is even set up. The flaw in an already-frustrating process is thanks to one of the largest sellers of wifi access points, TP-Link, which failed to renew two crucial domain names needed to properly set up a network.

The two domains — “tplinklogin-dot-net” and “tplinkextender-dot-net” — are printed on the back of all router models made in 2014 or earlier. Before, the links let users set up their network with a name, password, and other security features. But when the domains expired, TP-Link forgot to re-register them, leaving both domains vulnerable to becoming phishing sites capable of swiping users’ information across many devices.

Amitay Dan, CEO of Cybermoon, first discovered the fault and posted it to the security mailing list Bugtraq last week. An unknown buyer now owns the two domains and has offered to sell back the more popular of the two for $2.5 million. Dan says TP-Link isn’t going for it, so a widely publicized domain will remain in a random person’s hands.

In 2013 alone, when the now-expired domains were in use, TP-Link was the top-selling consumer router maker. It held 39 percent of the market share in the United States and shipped more than 98 million units, according to data from ABI Research.

Fortunately for new users, the bug shouldn’t affect routers that are being set up for the first time. Computerworld columnist Michael Horowitz noted in his testing that if you own and are connected to a TP-Link router, the device should direct you to an internal login page, rather than the public page over the internet. But if you already have your router configured and are connected to the internet, trying to access the outdated login page to do additional administrative tasks (like changing passwords or opening ports) could leave you vulnerable to a malicious attack. Even non-TP-Link users could be vulnerable if they visit the bad websites. Instead, the new stable address for TP-Link logins is

In his email, Dan said the company’s biggest mistake was using an internet domain in the first place. Direct IP addresses are far more secure and don’t risk the security of their users. Then, of course, forgetting to register the domain was a pretty bonehead move as well.

But it’s OK, TP-Link, it happens to the best of us. Oculus forgot to register at one point, and Tesla only recently got its paws on, so the TP-Link name just joins a long line of internet-era companies who have forgotten their own address.