TP-Link's Smart Router Is Easily Hacked: What to Do

UPDATED 12:20 p.m. Saturday, March 30, with statement from TP-Link.

If you own a TP-Link SR20 home wireless router, which also doubles as a smart-home hub using TP-Link's Kasa interface, you'd better watch who or what joins your home Wi-Fi network.

That's because anyone or anything on the network could take total control of the router, and hence total control of all your internet connections and activities.

Credit: Tom's Guide

(Image credit: Tom's Guide)

This word comes from Matthew Garrett, a Google security developer. He said on Twitter and in a blog posting that he found the flaw in December and has been trying to get TP-Link's attention ever since, to no avail.

We hope TP-Link will fix the flaw soon now that Garrett has made it public. But until then, make sure your Wi-Fi access password is strong and unique, don't let any people or devices on the network that you don't trust, and make sure your TP-Link SR20's firewall is turned on.

You might also want to turn off any smart-home devices you don't need, as smart-home devices that have their own security flaws could be exploited and used to launch an attack on the router.

MORE: Best Smart Home Hubs

Garrett's attack is possible because there's a debugging (i.e., diagnostic) protocol on many TP-Link devices that doesn't ask for an administrative password as often as it should. It's possible the attack works on other TP-Link devices, but Garrett didn't get a chance to test them.

In plain English, Garrett found a way to reach out to the TP-Link router, make it ask him for a specific file, and then give the router a poisoned packet that takes over the router.

More specifically, Garrett found he could send the SR20 router a Linux command from a connected laptop and get the debugging protocol on the router in turn request a file from a specific directory on his machine. Once the router receives the file, it is passed to a process running as root. If the file is in fact a executable command, then the router will run it as root.

Garrett has posted a proof-of-concept snippet of code for the attack online. It's only 38 lines long -- small enough to fit into the storage space of a smart light bulb, smart toaster or smart TV. Anything that connects to the router via Wi-Fi will do. (The SR20 also connects to low-power smart-home devices via Zigbee and Z-Wave, but  Garrett's attack shouldn't work over those wireless protocols.)

If a hacker can remotely add Garrett's attack code to a poorly secured smart-home device, of which there are zillions, then the code can take over your TP-Link SR20 router and, possibly, any other TP-Link router that is similarly configured.

Tom's Guide has reached out to TP-Link representatives for comment, and we will update this story when we receive a response.

UPDATE: TP-Link has released a statement, in full:

"TP-Link has been aware of this vulnerability and is working to issue a firmware update to address the vulnerability. To ensure your security, TP-Link recommends that users update to latest firmware, which will be issued early next week."

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.