Over the years, manufacturers have made various efforts towards making router configuration a simple and straightforward process for everyone. While with some routers you can still log in via SSH and change the configuration to your heart's content, most people tend to rely upon the graphical user interface.
A more recent "innovation" has been to assign a domain name to access the router rather than relying upon users to remember an IP address. In the case of Netgear, the domain name associated with their routers is currently routerlogin.net while, for TP-Link, tplinklogin.net is the domain name of choice.
However, according to the domain whois records, it appears that someone at TP-Link forgot to renew the registration for tplinklogin.net towards the end of May this year.
Unfortunately for owners of TP-Link routers, this means that when they attempt to access their routers using tplinklogin.net they will be directed somewhere other than the router login page. At the time of writing, the address redirects to a page indicating that the domain name "may be for sale." A subsequent click redirects to a page on Above.com, an Australia-based domain parking broker, which is accepting offers on the domain.
However, should an attacker obtain the domain name, they could redirect it to a webpage which could attempt to load malware onto a system. Given that TP-Link is not a minor manufacturer, this could have dire consequences for their customers.
In a post on SecLists.org, Cybermoon CEO Amitay Dan wrote that:
As for now, the company decided to make minor fixes. Yet - they don't like to buy the domain from the unknown seller, for now.
Also, according to a tweet from Dan, these "minor fixes" merely involve changing the user manuals rather than attempting to regain control of the lost domain name. Unfortunately, TP-Link stopped communicating with Dan sometime after he brought the issue to their attention.
In the meantime, it would be best to avoid accessing these routers using the tplinklogin.net address and to use the router's IP address instead. Otherwise, Dan has recommended that ISPs block the domain name in order to prevent customer computers from being hijacked.
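As an added defender-side check, not part of the original article or of any vendor tooling: a short Python script that resolves the vendor login domains named above and reports whether each answer is a private address (the router or local DNS answered for its own name, as intended) or a public one (the name is being served from the Internet, which is the lapsed-domain situation described here). The public address in the example below is a constructed placeholder.

```python
import ipaddress
import socket

# Vendor login domains named in the article above.
ROUTER_LOGIN_DOMAINS = ("tplinklogin.net", "routerlogin.net")


def classify_resolution(addresses):
    """Classify where a router-login domain points, given its resolved addresses.

    'local'      -> every address is private, link-local or loopback: the router
                    (or the local resolver) answered for its own name.
    'external'   -> at least one public, routable address: the name is being
                    answered from the Internet, i.e. the lapsed-domain case.
    'unresolved' -> no addresses were returned at all.
    """
    if not addresses:
        return "unresolved"
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        if not (ip.is_private or ip.is_link_local or ip.is_loopback):
            return "external"
    return "local"


def resolve(domain):
    """Return the sorted, de-duplicated A/AAAA answers for a name ([] on failure)."""
    try:
        infos = socket.getaddrinfo(domain, 80, proto=socket.IPPROTO_TCP)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_router_domains(domains=ROUTER_LOGIN_DOMAINS, resolver=resolve):
    """Map each domain to its verdict; `resolver` is injectable for offline tests."""
    return {domain: classify_resolution(resolver(domain)) for domain in domains}


if __name__ == "__main__":
    # Live check from the current network; anything 'external' deserves a look.
    # Constructed placeholder for a public answer would be e.g. "1.2.3.4".
    for domain, verdict in check_router_domains().items():
        print(f"{domain}: {verdict}")
```

Run it from a machine behind the router: a 'local' verdict means the name still reaches the device, while 'external' means the login page is being served by whoever controls the domain.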
Source: SecLists.org