Can I disable remote management on a Deco M5

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
12

Can I disable remote management on a Deco M5

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Can I disable remote management on a Deco M5
Can I disable remote management on a Deco M5
2019-05-09 21:41:02
Model: Deco M5  
Hardware Version: V1
Firmware Version:

I just noticed that I can connect to my M5 router's admin settings with the Deco app on my phone using my cell phone provider's network.  This looks like a big security risk because if my TP Link username and password are ever leaked anyone can get in.  Is there a way to set the router to only accept Deco app connections when my phone is connected to its wi-fi network?  Or there is a way to at least setup two-factor authentication?

 

On every other router I've own there was always a way to disable remote admin access.

  2      
  2      
#1
Options
14 Reply
Re:Can I disable remote management on a Deco M5
2019-05-10 15:41:21

@RSF 

 

There is not a way to disable remote access once the Deco as it is a cloud based device.

 

What it will come down to is practicing safe habits that apply to other things such as banking or email. Make sure your password is not easily guessed, your TP-Link ID can go up to 32 characters, you can have certain special characters too (https://community.tp-link.com/us/home/kb/detail/263). And the most important thing is to not share your login credentials.

  0  
  0  
#2
Options
Re:Re:Can I disable remote management on a Deco M5
2019-09-05 14:52:13

This sounds like a critical vulnerability. Is the remote management at least end-to-end encrypted? If it’s not then any Deco owner is vulnerable to a hostile government that sends a warrant compelling tplink to give it control of the customer’s Deco. 

 

End to end encryption should be the default combined with optional 2FA. 

  6  
  6  
#3
Options
Re:Re:Can I disable remote management on a Deco M5
2020-04-20 16:37:41 - last edited 2020-04-20 16:39:10

Agree with Mark. Given the list of controls available on the P9s I just bought I see absolutely no reason for any of those features to be accessible from outside of the LAN (setting up a VLAN, blacklisting, LED control, operating mode etc...). I've resorted to setting up MAC filtering to block all of the nodes from communicating with the Internet.

 

(Apologies for the late bump)

  4  
  4  
#4
Options
Re:Can I disable remote management on a Deco M5
2021-01-11 21:53:11

@Tony Which is fine as long as TP-link never ever suffer a password data breach, at which point there's potential for an attacker to tinker with people's networks.

 

It'san unacceptable policy. Users should have the option to allow cloud management or disable it and rely on local web-based management.

  5  
  5  
#5
Options
Re:Can I disable remote management on a Deco M5
2021-08-21 11:21:24

@Tony 

 

Hello,

 

I know, it is an old topic but looks like the issue is the same.

 

I have just set up my three Deco S4 units as APs and I blocked them to access the internet (on my firewall). My Deco app can't recognise them anymore despite my phone is on the network which was created by the same Deco units. 

 

Is there a way to set my Deco app to find the Deco units on the local network? Or it is only checking some sort of Cloud account where the Decos wanted to check-in?

 

If I can't have the app working with the S4 units without your cloud service, can you recommend another of your products that can be used as mesh APs and happy to work without internet access (like the BT Whole Home WIFI)? After all, I don't really need a cloud account, I need only local Access Points. 

 

Thank you.

  3  
  3  
#8
Options
Re:Can I disable remote management on a Deco M5
2021-12-25 18:21:23
@tp-link, why has this not been addressed? I have the x60 with the same security flaw.
  4  
  4  
#9
Options
Re:Can I disable remote management on a Deco M5
2021-12-28 03:45:36 - last edited 2022-03-24 02:01:11

@x60man 

Nice to see you again. I am still waiting for your update on the other post:

https://community.tp-link.com/en/home/forum/topic/516580

 

The remote management of Deco M5 is only via Deco APP from the TP-Link Cloud service.

And there is no potential security risk for it.

 

  1  
  1  
#10
Options
Re:Can I disable remote management on a Deco M5
2021-12-28 12:47:51

@TP-Link I layed out a couple specific scenarios in which the cloud management feature introduces large security risks. Saying "there is no risk" either indicates you didn't even read my post before replying or you know nothing about security.

  11  
  11  
#11
Options
Re:Can I disable remote management on a Deco M5
2021-12-28 17:06:10

@Mark123 Exactly. In my other thread he said that there are no plans to allow users to disable this feature. These units need to be returned. The security risk is huge. I am waiting for they day they are hacked and everyone is pissed. 

  2  
  2  
#12
Options
Re:Can I disable remote management on a Deco M5
2021-12-29 02:53:19 - last edited 2022-03-24 02:02:18

@x60man @Mark123 

Hi, Thank you very much for your concern.Currently there is no plan to disable the remote control via Deco App, but we do plan to support 2FA / MFA on the Deco APP.

We have made great efforts to protect privacy matters and will keep it in the future.

  0  
  0  
#13
Options

Information

Helpful: 2

Views: 10353

Replies: 15

Related Articles