Home Network Community > All Threads > Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
< All Threads

Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-10 20:40:26 - last edited 2020-09-16 01:17:37

One of the critical features missing is the ability to set "WPA2 Only" as your wireless security protocol on the Deco M5 (which is what I have) and many other Deco units. The device defaults to WPA/WPA2 mixed mode and *cannot* be changed. This means the device always has the older, inferior, and insecure WPA mode available to all potential clients. iOS and Android are about to roll out an update on all their phones which will cause them to warn and then refuse to connect to any device still using the out-of-date WPA protocol. So, when that happens, these devices will virtually be useless. Many devices already have safeguards built-in that refuses to connect to any network still running WPA… so odds are you may have a handful of smart devices that won’t work with this system out of the box.

Users have been trying over and over again to get some kind of response from TPLink about this issue, and it's either ignored or we're told: "we'll take it under advisement". Why can't you give us what other routers and devices have been giving us for 10 years? I see you have bee doing firmware updates, but for features nobody is asking for (like "smart" commands). 

 

I'm giving it another week before I will simply have to return my Deco M5 (so I am within my product return window) and get another product. It's absurd that this feature has been an afterthought. Especially when you consider iOS and Android are just about to release the new versions of their software which will render these devices useless. Basically, most Deco units will soon become nothing more than glorified paperweights.

 

If you can't offer us any solid indication as to *when* an update that allows us to choose "WPA 2 Only" will be available, I strongly encourage EVERYBODY here to return their devices and get another brand. It's simply not worth it having such a gaping security hole in their network, no matter how much more "convenient" TPLink thinks it is for the end-user.

 

As somebody who can also provide some insider information: There are already numerous high-profile tech blogs and review websites lined up with articles drafted and ready to publish as soon as the iOS and Android updates go live to expose all devices forcing users to use WPA. It's going to be bad news for TPLink when all these articles recommend to people to trash or return their Deco units. Things are going to get very interesting for TPLink in the coming days. 

  5      
 
  5      
 
#1
Options
2 Accepted Solutions
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"-Solution
2020-09-15 17:00:38 - last edited 2020-09-19 23:23:07

While I appreciate TPLink finally getting back to us with more information, for me it's actually too late...

 

I have already returned my Deco M5 mesh system and upgraded my home to an enterprise-level access point and mesh system that not only has more advanced features (like being able to set the WPA protocols, channel selection, the ability to create multiple and separate 2.4GHz and 5GHz networks and SSIDs, and much more), but it ended up being cheaper than the Deco M5 system.

 

My advice to TPLink going forward would be to communicate with more transparency, especially regarding matters of user security. Also, please work on providing your customers with access to more advanced features like this, even if they have to be accessed via a deeper set of menus in the app (so that novice users don't have to be confused by them). This will go a long way to having the best of both worlds: keeping your devices simple to use for novice users, but also very dynamic for advanced users who prefer to have more control over their network and security. When it comes to matters of WiFi safety and security, it is very silly for a company to make "assumptions" about its user base for the sake of convenience, which is precisely how these security flaws end up happening in the first place. 

 

Lastly, please stop marking these threads as "resolved" simply because TPLink has responded. Many of us would prefer you only mark a thread as "resolved" once the solution has actually been implemented and confirmed as working (in this case, the release of the upcoming firmware update you speak of).

Recommended Solution
  9  
  9  
#8
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"-Solution
2020-09-16 01:17:31 - last edited 2020-09-30 02:35:06

Hello all, thanks very much for your patiently waiting and support.

 

Our developers recently have provided a beta firmware for the Deco devices, which allows you to change the wireless security type for your Deco network, here is the download link if you are willing to update it:

https://community.tp-link.com/en/home/forum/topic/227662

 

Note: Ensure you are running the latest Deco app on your phone first, Android version 2.2.1, and iOS 2.2.2.

 

Let the community know if you have any inquiries, thanks a lot~

Check What's Currently Going on With DecoDeco Starts Supporting Changing Wireless Channels!Deco X50-5G-V1-1.2.0 Supports WireGuard VPN, Hybrid Mesh and More Try to leave a Message if urgent help is required.
Recommended Solution
  1  
  1  
#10
Options
11 Reply
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-11 17:44:43

We can see TPLink staff actively responding to many of the other threads on this forum, mainly the "easy" questions, but when it comes to this major security flaw that will basically render most Deco customers' devices useless soon, its crickets. 
 

Is this really how they value their users? 

  2  
  2  
#2
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-12 05:23:26

@MrWolf just the worst timing for me, just bought a 2nd 3-pack of m5 to expand coverage in my home.  Could we reasonably expect this to be fixed via firmware update, or is the issue hardware specific?

Might have to exercise the returns policy on set #2 if there's no sign of life from the devs very soon...

  1  
  1  
#3
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-14 13:57:25

pitiful that this is even an issue, even worse that they don't act on it.

 

great stuff guys!

  1  
  1  
#4
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-14 16:20:18

No to mention, now that Windows and Microsoft have jumped on the bandwagon of highlighting these networks (which are stuck still running WPA) as "Insecure", it means that more and more devices are basically going to flag your network with a giant, loud, flashing beacon which says "HEY! INSECURE NETWORK RIGHT HERE! COME AND GET IT!" to everybody around you. 

 

Yep... my deco is already getting replaced, and I encourage others to do it too. Because TPLink isn't going to take any responsibility if people's networks are compromised as a result of this security hole, and really: they don't have to. The only thing you can do to guarantee this problem is solved is to get rid of your Deco device and buy one from a company that takes this kind of thing more seriously. 

  1  
  1  
#5
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-15 08:20:01 - last edited 2020-09-16 01:15:36

@MrWolf  @freo  @Bogbrush 

 

Hello all, sorry to respond late.

 

Deco supports the mixed security of WPA/WPA2-AES/TKIP. For the clients who support both security types will negotiate to the WPA2/AES automatically, which is supposed to be more secure. While there is currently no way to fix the security to WPA2 or AES only on the Deco device and it is suggested to create a strong wireless password for your wireless network for any security concerns.

 

We will soon release an official firmware to allow you to change the wireless security type on the Deco system in weeks, please kindly wait for it and keep an eye on your Deco app.

 

Thanks a lot~

Check What's Currently Going on With DecoDeco Starts Supporting Changing Wireless Channels!Deco X50-5G-V1-1.2.0 Supports WireGuard VPN, Hybrid Mesh and More Try to leave a Message if urgent help is required.
  2  
  2  
#6
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-15 09:24:42
Thanks for the reply, looking forward to the firmware update
  0  
  0  
#7
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"-Solution
2020-09-15 17:00:38 - last edited 2020-09-19 23:23:07

While I appreciate TPLink finally getting back to us with more information, for me it's actually too late...

 

I have already returned my Deco M5 mesh system and upgraded my home to an enterprise-level access point and mesh system that not only has more advanced features (like being able to set the WPA protocols, channel selection, the ability to create multiple and separate 2.4GHz and 5GHz networks and SSIDs, and much more), but it ended up being cheaper than the Deco M5 system.

 

My advice to TPLink going forward would be to communicate with more transparency, especially regarding matters of user security. Also, please work on providing your customers with access to more advanced features like this, even if they have to be accessed via a deeper set of menus in the app (so that novice users don't have to be confused by them). This will go a long way to having the best of both worlds: keeping your devices simple to use for novice users, but also very dynamic for advanced users who prefer to have more control over their network and security. When it comes to matters of WiFi safety and security, it is very silly for a company to make "assumptions" about its user base for the sake of convenience, which is precisely how these security flaws end up happening in the first place. 

 

Lastly, please stop marking these threads as "resolved" simply because TPLink has responded. Many of us would prefer you only mark a thread as "resolved" once the solution has actually been implemented and confirmed as working (in this case, the release of the upcoming firmware update you speak of).

Recommended Solution
  9  
  9  
#8
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-15 18:28:57

>>> the clients who support both security types will negotiate to the WPA2/AES automatically, which is supposed to be more secure. 

 

Sorry, but I don't think this is true. Are you really saying that iPhone 11 Pro and Surface Pro 7 are not  "clients who support both security types"?? Because they are both companing about "weak security" as of now. 

  1  
  1  
#9
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"-Solution
2020-09-16 01:17:31 - last edited 2020-09-30 02:35:06

Hello all, thanks very much for your patiently waiting and support.

 

Our developers recently have provided a beta firmware for the Deco devices, which allows you to change the wireless security type for your Deco network, here is the download link if you are willing to update it:

https://community.tp-link.com/en/home/forum/topic/227662

 

Note: Ensure you are running the latest Deco app on your phone first, Android version 2.2.1, and iOS 2.2.2.

 

Let the community know if you have any inquiries, thanks a lot~

Check What's Currently Going on With DecoDeco Starts Supporting Changing Wireless Channels!Deco X50-5G-V1-1.2.0 Supports WireGuard VPN, Hybrid Mesh and More Try to leave a Message if urgent help is required.
Recommended Solution
  1  
  1  
#10
Options
Re:Major security issue on most Deco devices (incl. Deco M5) - no way to set "WPA2 Only"
2020-09-16 06:48:23

@TP-Link_Deco 

 

hi

I don't mind testing the new firmware (as well as assisting in field-testing with future builds as well) but please - can we have the change log for the new beta firmware?

I am asking for this because I want to ensure what to test as well as asses the risk factor in testing it on our home/office setup (I wish I had separate test environment but I don't)

thanks!

  1  
  1  
#11
Options
12

Information

Helpful: 5

Views: 12276

Replies: 11

Related Articles
Deco P9 PLC security issue
75 1
DECO XE75 AND VIRGIN HUB 5 MAJOR ISSUE
40 0
[SECURITY] Over 100 Wi-Fi routers fail major security test. TP Link routers included
1980 0
Deco M5 and Sky Q major problems
4059 0
Major Deco M5 HW version confusion!
3154 0
Deco app security issue
705 0
About Us
Press
Copyright © TP-Link Systems Inc. All rights reserved.