TP-Link routers can be hacked: What to do now

TP-Link Archer C5 router
(Image credit: TP-Link)

Look out, TP-Link router owners. IBM X-Force researchers have found a flaw in some models that lets miscreants hijack the devices simply by entering a password that's too long. 

Yep, that's right. Any overly long password creates a data overflow that busts down the gates and lets anyone in as the device administrator. 

The attacker only has to use the ancient Telnet protocol to connect to the router on the local network, then make it look like a login request comes from the web address "", the same address TP-Link routers use during setup. None of this is hard to do.

Even worse, the attack would nix the legitimate owner's administrative password and freeze them out. The attacker could also flip on remote access to get permanent access to the router, or direct user web traffic to malicious sites.

The exploit works on three LTE-based routers sold in the European Union: the Archer MR200 version 4, Archer MR400 version 3 and Archer MR6400 version 4. It also works on the TP-Link Archer C5 AC1200 home Wi-Fi router, sold in many countries, but the vulnerable hardware version for that model is version 4, which has not been released in North America or the EU. 

Now comes the fun part. Some newer TP-Link routers (there's a list here) let you update their firmware by going to their administrative interfaces -- the already-mentioned -- and logging in as an administrator. (The factory-default administrator credentials are username "admin" and password "admin", which are just God-awful and which you should change immediately.)

From there, you would go to the Advanced tab in the admin interface, scroll down to the System Tools section, click on Firmware Upgrade and click Check for Upgrade or Check for Update. There may also be a notification in the upper right corner of the admin interface that an update is available. TP-Link has illustrated instructions under "Case 2" here.

Our own Marshall Honorof suggests that you back up your TP-Link router's settings by using the Backup & Restore feature in System Tools before you do the firmware update, as the update may throw the router back to factory settings. Once that's done, you can return to Firmware Upgrade and follow the instructions.

Unfortunately, the four models shown to be affected by this flaw don't seem to be on the easy-update list. That means you'll have to do it all manually, and it's not something many people will understand how to do. 

You'll have to download the firmware-update files to a PC, unzip the compressed files, connect the PC to the router via an Ethernet cable, go into the administrative interface as directed above, go to the Firmware Update/Upgrade section as above and then browse to the firmware-update file on your PC to install it. TP-Link's illustrated instructions are here.

But hold on -- you do NOT want to update the firmware manually unless you're certain you have the correct regional version and hardware version. Installing the wrong firmware could permanently brick your router. You can usually make certain by checking the sticker on the bottom of the router, as TP-Link explains here

Here are links to the firmware for each of these models:

We would normally suggest that you update your firmware on any model of TP-Link router anyway, as there may be other vulnerable models that the IBM X-Force researchers did not test. 

But manually updating the firmware on older TP-Link routers is so involved and risky that we can't recommend doing so unless it's absolutely necessary.

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.