TP-Link Easy Smart Switch security question

ivor

Please do not go off-topic as this thread is about security concerns of TP-Link switch series.

CanYaHearMeNow4

I tried to use my TP-Link "Easy Smart Switch" in a different deployment and the VLAN1/MGMT issue bothered me again so I submitted some security feedback to them via their "Submit Security Feedback" forum. I outlined the issue the best I could and even linked directly to this forum.

I sure hope they respond, because according to TP-Link:

At TP-Link, customer security comes first. That’s why we work diligently to ensure that our products include the highest level of security features, with firmware and hardware that protect customers and their devices from the very latest threats.

If anyone has some free time to submit similar security feedback, it might help the cause: http://www.tp-link.com/us/security

robi

All these "Easy Smart Switch" models have this "feature". I think this is intentionally like this, for very basic home users. To be "easy" to use the GUI…
You have to buy products from their series called "Smart Switches" or "Managed Switches", not the "Easy Smart Switches" series.

"Smart Switches" and "Managed Switches" don't exhibit these problems. I just deployed a network consisting of about 60 such switches in various sizes, all interconnected with optics and offering 2 dozens of VLANs, no unwanted traffic passing between them. On top of this, 2 CARP-enabled pfSense boxes do all the inter-VLAN traffic.

warheat1990

I email their support and technical few times, gave them a link to this thread and never got a response, you get what you pay for I guess.

Finger79

@CanYaHearMeNow4:

If anyone has some free time to submit similar security feedback, it might help the cause: http://www.tp-link.com/us/security

Ironically, that page isn't available over HTTPS, so the entire form contents are in the clear.

johnpoz

It is there via https - just BAD

The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net

Agree yet another example of not really getting it ;)

VAMike

@johnpoz:

It is there via https - just BAD

The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net

Agree yet another example of not really getting it ;)

Those are always there when a site is hosted on akamai but not using https.

warheat1990

TP-Link released beta firmware on July 2017 for both SG105E and SG108E, anyone care to try?

Link:
http://static.tp-link.com/TL-SG105E(UN)_V3_170717_Beta.rar
http://static.tp-link.com/TL-SG108E(UN)_V3_170717_Beta.rar

johnpoz

did they release for v2?

stephenw10

Mmm, did they release for anything else? Is there an announcement anywhere?

Steve

johnpoz

Not that I could find.. Typical it seems for this company..

thuety

So my sg108e is directly connected to my cable modem with untagged VLAN x and PVID x.
How worried should I be about the VLAN 1 membership?
Wouldn't an attacker need to be in my cable/wan subnet?

Derelict

I would not use that switch on WAN. It's a sketchy enough proposition with a good switch with a proper management VLAN.

belt9

Security wise for a switch on WAN how about a RADIUS server?

Doesn't pfSense even have a package for that?

Never used it before so might not work at all?

Derelict

What?

lexxai

Will add about security of this devices…
TL-SG1016DE security of changes value without any authentication.
It from testing of my device… VLAN1 is problem.
Now SG1016DE used only internally.

tpham3783

Hi guys,

Since TP-Link refused to give me the source code so I decided to take on this issue myself.

Here is how you can hack ( un-member ports on vlan1). I have already tested on the SG108PE (hw version 3) switch and it worked.

1. Setup your vlan configuration as usual
2. Save the config (config.cfg)
3. Open it up with a Hex-editor. Right after the text "Default_VLAN" you will see FF (that's basically means all 8 ports are member of untagged vlan1). Change it to 00 if you want to un-member all ports from vlan1. As shown in the attached picture, I changed it to 80 because I still wanted port 8 to be a member of vlan1 so that I can manage the switch from web-gui.
4. Save the file, restore the modified config in system:system_tools:restore_config
5. Wait for the switch to reboot, goto vlan config, notice that ports belonging to vlan1 are changed.

Cheers! I still hope for tp-link to fix this VLAN1 bug one day! This is just a work-around.

tp_vlan1_disable_all_ports.png_thumb

tp_link_unmember_vlan1_hack.png_thumb

JKnott

I'll have to give that a try with my 5 port switch. I don't suppose you'd have a fix for their TL-WA901N access point. ;)
It has the same problem where data from the native LAN leaks into the VLAN & 2nd SSID.

I think those TP Link engineers need a lesson or 2 on VLANs.

JKnott

That fix doesn't seem to apply to the TL-SG105E switch.

tpham3783

@JKnott:

That fix doesn't seem to apply to the TL-SG105E switch.

Were you able to see the port assignment changed in step# 5?

by the way, i saw vlan isolation w/ the work-around solution. The only thing I saw strange was that the switch's IP address is a member of all vlans. If I were to change my PC's IP address to the same subnet of the switch, I could communicate to it on non-native vlan, which is kinda weird.

However, the switch is no longer behaving like a dumb switch because ports are removed from vlan1.