Security related questions about VR2800

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Security related questions about VR2800

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Security related questions about VR2800
Security related questions about VR2800
2021-01-15 01:00:50 - last edited 2021-01-15 01:05:47
Model: Archer VR2800  
Hardware Version: V1
Firmware Version: 0.6.0 0.9.1 v006c.0 Build 201104 Rel.33677n

As a casual user I'm quite satisfied with my VR2800 that I purchased more than a year ago. It has decent performance and I like the hardware design: fanless (no noise and no moving parts to fail mechanically) and my unit doesn't have coil whine that some of my previous routers suffered from. The admin UI is well organised, easy to use and looks good.

 

Unfortunately there are a few security related issues that always bothered the nerd inside me but up until this point I tried to ignore them:

 

  1. Before upgrading to the latest firmware (Jan 2021) the max admin password length was 15 characters. This has been fixed by the firmware upgrade: I could successfully set a 30 characters long password.
  2. I can't find an option to disable the insecure HTTP admin port. I'd prefer HTTPS-only out of the box even if the default certificate is self-signed. Don't see the point of HTTP.
  3. The default certificate has a lot of issues:
    1. The key size is only 1024 bits. The recommended secure minimum has been 2048 bits for ages and it will be 3072 bits starting with year 2030.
    2. The validity of the certificate is between years 1970 and 2038. Today the max validity period of a valid certificate is 825 days and this might become even shorter (about one year) in the future. The validation rules can change with newly released SSL libraries.
    3. Due to the weak key size and the insanely long validity period modern client libraries treat this certificate as "insecure" or "invalid" even after marking it as trusted. A certificate with such ridiculously long validity period that ends in 2038 should have a very strong future-proof key (3072 or 4096 bits). Even better: I'd prefer an option to provide my own certificate that is accepted as valid/secure by my browser after marking it as trusted. Currently this would require a decent key size (at least 2048 bits) and not too long (at most 825 days) validity period.
  4. I checked whether it's possible to connect to the router via telnet or ssh.
    1. Telnet is running and login is possible using the admin password.
    2. There is an ssh server running on the router and I don't know the login. This raises a few question marks...

 

Some of the above issues bother me because they seem to be rookie mistakes and I'd expect better solutions from someone who's developing the firmware of a security sensitive device like this. This makes me think whether my router has some even more serious issues (something that could grant remote access to an attacker).

 

Questions:

 

  1. Can we expect a fix to the easy-to-fix issues? (disabling plain HTTP, increasing cert key size)
  2. What about the SSH server? I'd like to have control over it. Login access and/or an option to disable it.
  3. I've seen the source code of the firmware on the download page. Is that the full source code or only a part of it?
  1      
  1      
#1
Options
2 Reply
Re:Security related questions about VR2800
2021-01-17 15:37:11

@genji_shimada 

 

Short answer

 

Given what you are expecting and testing on this device you would be better considering a Business or Enterprise grade solution, this is a SOHO grade device and that is reflected in the price of the device.  The vast majority of the users of this device would not critique it to the standard you have.

 

If security is your main driving factor I would recommend you consider a higher grade of device, ideally away from the SOHO grade hardware.    This should contain all the features you are requesting but will come a much larger price tag. 

  1  
  1  
#2
Options
Re:Security related questions about VR2800
2021-01-17 16:55:00 - last edited 2021-01-17 17:01:13

@Philbert Thanks for your answer but I respectfully disagree.

 

The hardware is a perfect fit for my requirements (as I described in my first post) and in terms of performance the router offers significantly more than I need at home. It is actually far from being the cheapest router (price is usually above £150). I was dissatisfied with the "rookie mistakes" in the firmware part.

 

TP-link is a popular brand and most casual users will buy something like this router or quite often something much cheaper. The world is full of these cheaper devices. Do you believe it's fine to equip these devices with firmware that was written by software engineers who aren't qualified for the job?

 

Why should I buy an enterprise grade router to have an SSL certificate with a key size between 2048 and 4086? The correct solution to this problem: TP-link should have someone who knows that a key size of 1024 has been considered vulnerable since 2014. They don't need a security expert per project but all of their projects should be audited by an expert before it goes to market. And it should be a security expert who sets the guidelines/standards before development (this guy doesn't even have to be there during development).

 

Why should I buy an enterprise grade router to not have an ssh server (a potential backdoor) running on my router? It actually requires less resources to not run any telnet or ssh services on the router. They could perhaps turn them off and reimburse me for the price of those services if these parts affect the price tag as much as you suggested.

 

EDIT: I'm fine with reducing the feature set of consumer grade devices but find substandard security practices (like the 1024 key size and ssh server problem) to be unacceptable even in case of the cheapest devices.

  2  
  2  
#3
Options