Skip to main content

TP-Link's Smart Router Is Easily Hacked: What to Do

UPDATED 12:20 p.m. Saturday, March 30, with statement from TP-Link.

If you own a TP-Link SR20 home wireless router, which also doubles as a smart-home hub using TP-Link's Kasa interface, you'd better watch who or what joins your home Wi-Fi network.

That's because anyone or anything on the network could take total control of the router, and hence total control of all your internet connections and activities.

Credit: Tom's Guide

(Image credit: Tom's Guide)

This word comes from Matthew Garrett, a Google security developer. He said on Twitter and in a blog posting that he found the flaw in December and has been trying to get TP-Link's attention ever since, to no avail.

We hope TP-Link will fix the flaw soon now that Garrett has made it public. But until then, make sure your Wi-Fi access password is strong and unique, don't let any people or devices on the network that you don't trust, and make sure your TP-Link SR20's firewall is turned on.

You might also want to turn off any smart-home devices you don't need, as smart-home devices that have their own security flaws could be exploited and used to launch an attack on the router.

MORE: Best Smart Home Hubs

Garrett's attack is possible because there's a debugging (i.e., diagnostic) protocol on many TP-Link devices that doesn't ask for an administrative password as often as it should. It's possible the attack works on other TP-Link devices, but Garrett didn't get a chance to test them.

In plain English, Garrett found a way to reach out to the TP-Link router, make it ask him for a specific file, and then give the router a poisoned packet that takes over the router.

More specifically, Garrett found he could send the SR20 router a Linux command from a connected laptop and get the debugging protocol on the router in turn request a file from a specific directory on his machine. Once the router receives the file, it is passed to a process running as root. If the file is in fact a executable command, then the router will run it as root.

Garrett has posted a proof-of-concept snippet of code for the attack online. It's only 38 lines long -- small enough to fit into the storage space of a smart light bulb, smart toaster or smart TV. Anything that connects to the router via Wi-Fi will do. (The SR20 also connects to low-power smart-home devices via Zigbee and Z-Wave, but  Garrett's attack shouldn't work over those wireless protocols.)

If a hacker can remotely add Garrett's attack code to a poorly secured smart-home device, of which there are zillions, then the code can take over your TP-Link SR20 router and, possibly, any other TP-Link router that is similarly configured.

Tom's Guide has reached out to TP-Link representatives for comment, and we will update this story when we receive a response.

UPDATE: TP-Link has released a statement, in full:

"TP-Link has been aware of this vulnerability and is working to issue a firmware update to address the vulnerability. To ensure your security, TP-Link recommends that users update to latest firmware, which will be issued early next week."

Paul Wagenseil
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. That's all he's going to tell you unless you meet him in person.