Netgate Discussion Forum

    TP-Link Easy Smart Switch security question

    • VAMike

      @johnpoz:

      It is there via https - just BAD

      The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net

      Agree yet another example of not really getting it ;)

      Those are always there when a site is hosted on akamai but not using https.

      • warheat1990

        TP-Link released beta firmware in July 2017 for both the SG105E and SG108E; anyone care to try?

        Link:
        http://static.tp-link.com/TL-SG105E(UN)_V3_170717_Beta.rar
        http://static.tp-link.com/TL-SG108E(UN)_V3_170717_Beta.rar

        • johnpoz LAYER 8 Global Moderator

          did they release for v2?

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • stephenw10 Netgate Administrator

            Mmm, did they release for anything else? Is there an announcement anywhere?

            Steve

            • johnpoz LAYER 8 Global Moderator

              Not that I could find.. Typical it seems for this company..

              • thuety

                So my sg108e is directly connected to my cable modem with untagged VLAN x and PVID x.
                How worried should I be about the VLAN 1 membership?
                Wouldn't an attacker need to be in my cable/wan subnet?

                • Derelict LAYER 8 Netgate

                  I would not use that switch on WAN. It's a sketchy enough proposition with a good switch with a proper management VLAN.

                  Chattanooga, Tennessee, USA
                  A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                  DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                  Do Not Chat For Help! NO_WAN_EGRESS(TM)

                  • belt9

                    Security wise for a switch on WAN how about a RADIUS server?

                    Doesn't pfSense even have a package for that?

                    Never used it before so might not work at all?

                    • Derelict LAYER 8 Netgate

                      What?

                      • lexxai

                        I will add something about the security of these devices…
                        On the TL-SG1016DE, values can be changed without any authentication.
                        This is from testing my own device… VLAN1 is the problem.
                        The SG1016DE is now used only internally.

                        –
                        We have what we have. Everything that happens - for the better.

                        • tpham3783

                          Hi guys,

                          Since TP-Link refused to give me the source code, I decided to take on this issue myself.

                          Here is how you can hack it (un-member ports on VLAN 1). I have already tested this on the SG108PE (hw version 3) switch and it worked.

                          1.  Set up your VLAN configuration as usual.
                          2.  Save the config (config.cfg).
                          3.  Open it up with a hex editor. Right after the text "Default_VLAN" you will see FF (that basically means all 8 ports are members of untagged VLAN 1). Change it to 00 if you want to un-member all ports from VLAN 1. As shown in the attached picture, I changed it to 80 because I still wanted port 8 to be a member of VLAN 1 so that I can manage the switch from the web GUI.
                          4.  Save the file, then restore the modified config in system:system_tools:restore_config.
                          5.  Wait for the switch to reboot, go to the VLAN config, and notice that the ports belonging to VLAN 1 have changed.

                          Cheers!  I still hope for tp-link to fix this VLAN1 bug one day!  This is just a work-around.

                          (attachments: tp_vlan1_disable_all_ports.png, tp_link_unmember_vlan1_hack.png)

                          • JKnott

                            I'll have to give that a try with my 5 port switch.  I don't suppose you'd have a fix for their TL-WA901N access point.  ;)
                            It has the same problem where data from the native LAN leaks into the VLAN & 2nd SSID.

                            I think those TP Link engineers need a lesson or 2 on VLANs.

                            PfSense running on Qotom mini PC
                            i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                            UniFi AC-Lite access point

                            I haven't lost my mind. It's around here...somewhere...

                            • JKnott

                              That fix doesn't seem to apply to the TL-SG105E switch.

                              • tpham3783

                                @JKnott:

                                That fix doesn't seem to apply to the TL-SG105E switch.

                                Were you able to see the port assignment changed in step# 5?

                                By the way, I saw VLAN isolation with the work-around solution. The only thing I saw that was strange was that the switch's IP address is a member of all VLANs. If I were to change my PC's IP address to the same subnet as the switch, I could communicate with it on a non-native VLAN, which is kinda weird.

                                However, the switch is no longer behaving like a dumb switch because ports are removed from vlan1.

                                • johnpoz LAYER 8 Global Moderator

                                  I will give this a try on 105E v2 tonight when I get home..  Great info.. Thanks.

                                  • lexxai

                                    Some analysis information about applying this method to the TL-SG1016DE (HW:2)

                                    vlan:777,port: 5tag, name: TESTVVV
                                    777 = 0x0309 (0x09 0x03)
                                    5 =  0x10  (0001 0000) 5 bit.

                                    vlan:777,port: 5untag, name: TESTVVV
                                    777 = 0x0309 (0x09 0x03)
                                    5 =  0x10  (0001 0000) 5 bit.

                                    source: http://lexxai.pp.ua

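The hex-edit workaround from tpham3783's post and the byte layout lexxai observed above, as an added Python example that is not from the thread. It assumes the membership byte directly follows the ASCII marker "Default_VLAN" and that port N is bit N-1 of the mask (matching 0x80 = port 8 and 0x10 = port 5); the sample config bytes are constructed, and a config without the marker is refused rather than patched blindly, as JKnott and stephenw10 reported for other models.

```python
MARKER = b"Default_VLAN"  # ASCII marker tpham3783 found in the SG108PE v3 config

def ports_from_mask(mask: int, port_count: int = 8) -> list:
    """Bitmask -> 1-based port list; port N is bit N-1 (0x80 = port 8, 0xFF = all)."""
    return [n for n in range(1, port_count + 1) if mask & (1 << (n - 1))]

def mask_from_ports(ports, port_count: int = 8) -> int:
    """Inverse of ports_from_mask; rejects ports the switch does not have."""
    mask = 0
    for n in ports:
        if not 1 <= n <= port_count:
            raise ValueError(f"port {n} out of range 1..{port_count}")
        mask |= 1 << (n - 1)
    return mask

def find_default_vlan_mask(cfg: bytes):
    """Return (offset, mask) of the byte assumed to follow the marker directly.

    Raises when the marker is absent, as reported for the SG105E and SG1016DE v1:
    on those configs the layout is unknown, so nothing is patched blindly.
    """
    idx = cfg.find(MARKER)
    if idx < 0:
        raise ValueError("Default_VLAN marker not found; layout differs on this model")
    off = idx + len(MARKER)
    return off, cfg[off]

def set_default_vlan_ports(cfg: bytes, ports) -> bytes:
    """Copy of cfg with VLAN 1 membership limited to `ports` (same length as input)."""
    off, _ = find_default_vlan_mask(cfg)
    return cfg[:off] + bytes([mask_from_ports(ports)]) + cfg[off + 1:]

def decode_vlan_entry(entry: bytes):
    """lexxai's SG1016DE observation: little-endian VLAN ID, then a port bitmask
    (777 -> 09 03, port 5 -> 0x10). One mask byte, as shown in that post."""
    vid = int.from_bytes(entry[:2], "little")
    return vid, ports_from_mask(entry[2])

# Constructed sample, not a dump from a real switch: all eight ports in VLAN 1.
SAMPLE_CFG = b"\x00\x10TL-SG108PE\x00Default_VLAN\xff\x00\x00TESTVVV\x00"

if __name__ == "__main__":
    off, mask = find_default_vlan_mask(SAMPLE_CFG)
    print(f"VLAN 1 members at offset {off:#x}: {ports_from_mask(mask)}")  # 1..8
    hardened = set_default_vlan_ports(SAMPLE_CFG, [8])  # keep only the management port
    print("after edit:", ports_from_mask(find_default_vlan_mask(hardened)[1]))  # [8]
```

Verify the offset in a hex editor before restoring any edited file; the marker position is the only thing the thread confirms, and the remaining layout differs between models.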
                                    • thuety

                                      @tpham3783:

                                      Here is how you can hack ( un-member ports on vlan1).  I have already tested on the SG108PE (hw version 3) switch and it worked.

                                      Worked on my TL-SG108E 2.0, thanks!
                                      Why didn't I think of this…  ::)

                                      (attachment: sg108e_vlan1_hack.PNG)

                                      • JKnott

                                        Were you able to see the port assignment changed in step# 5?

                                        No, there was very little recognizable text in the hex editor.  I did not see the word "Default", as shown in lexxai's post.

                                        The only thing I saw strange was that the switch's IP address is a member of all vlans.  If I were to change my PC's IP address to the same subnet of the switch, I could communicate to it on non-native vlan, which is kinda weird.

                                        On managed switches I've worked on, there was a specific management interface, which was assigned an IP address.  I've also set up networks where the management interface was on a separate VLAN.

                                        • thuety

                                          @JKnott:

                                          The only thing I saw strange was that the switch's IP address is a member of all vlans.  If I were to change my PC's IP address to the same subnet of the switch, I could communicate to it on non-native vlan, which is kinda weird.

                                          On managed switches I've worked on, there was a specific management interface, which was assigned an IP address.  I've also set up networks where the management interface was on a separate VLAN.

                                          Even after setting the VLAN 1 membership to port 8 only… I can still connect a client to any switch port, set the IP to the same subnet and then access the switch web login.
                                          So the VLAN 1 has no relevance for web admin access... I guess we can kill all VLAN 1 membership with the HEX hack..!?

                                          • stephenw10 Netgate Administrator

                                            Hmm, well this is interesting. Implies it's a gui limitation only.

                                            The exact string Default_VLAN does not appear in the config from a TL-SG1016DE v1. Not quite the same as the v2 either. Some experimentation needed….

                                            Steve

                                            (attachment: Config(1).cfg - GHex_311.png)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.