TP-Link smart home router zero day bug found
A zero-day bug has been found in the TP-Link SR20 smart hub and home router, which can allow a local hacker to execute arbitrary commands on the device without authentication and create a persistent backdoor for remote access. The SR20 is an all-in-one router that can also work as an Internet of Things hub. It supports ZigBee and Z-Wave, two popular wireless IoT standards for short-range connections to devices such as smart lights, smart outlets, the Nest thermostat and video doorbells.
According to Google developer Matthew Garrett, who found and reported the flaw, the problem is in the TP-Link Device Debug Protocol (TDDP), which runs with root privileges on many TP-Link routers. According to Garrett, version 1 has no authentication, while version 2 requires the admin password. The SR20 still exposes some version 1 commands; one of them is command 0x1f, request 0x01. It appears to be for some sort of configuration validation: a hacker can send it a filename, a semicolon and then an argument. When the router receives this command, it connects back to the requesting machine over TFTP, a file transfer protocol that requires no authentication, to validate its configuration. To do so, it requests the filename via TFTP and imports the file into a Lua interpreter, which is also running with root privileges.
With a specially crafted file, it's possible to execute whatever the hacker wants, and it runs as root without authentication. Garrett created a proof-of-concept demonstrating the problem. Garrett also noted that the default firewall rules on the router block WAN access, so a hacker would need to be on the same local network as the router to succeed. A compromise would allow a hacker to break into connected devices that still have default passwords, and would open the door to man-in-the-middle attacks or malware installation on any vulnerable connected systems.
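The tell-tale sign of the behaviour described above is the router opening a TFTP connection back to the same LAN host that just sent it a TDDP datagram. The following Python is an added detection example (not Garrett's proof-of-concept or any TP-Link code) that correlates flow records to find that pair; the flow-log format, the router address and the sample lines are constructed, and the TDDP port (UDP/1040) is an assumption not stated in the article.

```python
"""Correlate flow records for the SR20 TDDP -> TFTP call-back pattern."""
from datetime import datetime, timedelta
from typing import List, Tuple

TDDP_PORT = 1040           # assumption: UDP port used by TDDP
TFTP_PORT = 69             # standard TFTP port
ROUTER_IP = "192.168.0.1"  # constructed router address
WINDOW = timedelta(seconds=10)  # how soon the call-back must follow

# Constructed sample flow log (not real traffic).  Only the last two lines
# form the suspicious pair: host .42 sends TDDP to the router, then the
# router connects back to .42 on TFTP.  The earlier TFTP flow precedes any
# TDDP request and must not be flagged.
SAMPLE_FLOWS = """\
2019-03-28T10:00:01 udp 192.168.0.42:53211 192.168.0.1:53
2019-03-28T10:00:02 udp 192.168.0.1:4123 192.168.0.42:69
2019-03-28T10:00:05 udp 192.168.0.42:40101 192.168.0.1:1040
2019-03-28T10:00:06 udp 192.168.0.1:4128 192.168.0.42:69
"""


def parse_flow(line: str) -> Tuple[datetime, str, str, int, str, int]:
    """Parse 'ts proto src:sport dst:dport' into typed fields."""
    ts, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return datetime.fromisoformat(ts), proto, sip, int(sport), dip, int(dport)


def find_tddp_tftp_callbacks(log: str) -> List[Tuple[str, str, str]]:
    """Return (tddp_ts, tftp_ts, lan_host) for each TDDP request to the
    router that is followed within WINDOW by a router-initiated TFTP flow
    back to the same host."""
    flows = [parse_flow(l) for l in log.splitlines() if l.strip()]
    hits = []
    for ts1, proto1, sip1, _, dip1, dport1 in flows:
        if not (proto1 == "udp" and dip1 == ROUTER_IP and dport1 == TDDP_PORT):
            continue
        for ts2, proto2, sip2, _, dip2, dport2 in flows:
            if (proto2 == "udp" and sip2 == ROUTER_IP and dip2 == sip1
                    and dport2 == TFTP_PORT and ts1 <= ts2 <= ts1 + WINDOW):
                hits.append((ts1.isoformat(), ts2.isoformat(), sip1))
    return hits


if __name__ == "__main__":
    for tddp_ts, tftp_ts, host in find_tddp_tftp_callbacks(SAMPLE_FLOWS):
        print(f"TDDP from {host} at {tddp_ts}, router TFTP call-back at {tftp_ts}")
```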
According to Garrett, he never received any feedback from TP-Link after contacting the company via what seems to be its official Security Advisory page. Since his original report was made in December 2018, Garrett has gone public with his findings, following Google's policy that 90 days ought to be enough time for a vendor to deal with a security issue of this kind. If you own an affected router, be aware that anyone you allow onto your Wi-Fi network can probably take it over by using Garrett's proof-of-concept code. In particular, if you run a public free hotspot, avoid using an SR20 as your free Wi-Fi access point. Whichever brand of router you have, go into the administration interface and check your remote access setting. At home, you almost never need or want to let outsiders see the inside of your network, so make sure that remote access is off unless you are certain that you need it.