TP-LINK loses control of two device configuration domains

Security researcher Amitay Dan warns that tplinklogin.net, a domain through which TP-LINK router owners can configure their devices, is no longer owned by the company, and that this fact could be misused by malware peddlers.

TP-LINK config domains

What’s the problem?

In a post on the Bugtraq mailing list, Dan says that TP-LINK has confirmed that they no longer own the domain in question, and will not be trying to buy it from the unknown seller for now.

Instead, they intend to change the domain in the manuals to a newer one that’s already in use.

Michael Horowitz noted that, for a while now, TP-LINK has been directing users of its newer routers to a new domain for configuration – tplinkwifi.net – which is under the company’s control.

Unfortunately, the labels on older routers can’t be easily changed, and will still direct users to the old domain.

“If cybercriminals get their hands on this router configuration domain, it could become a significant tool for malware distribution using simple instructions, for example, to ‘download new firmware to your router,'” Lior Kohavi, CTO at CYREN, told Help Net Security.

“There is also the possibility it could be used for phishing. After all, this is a domain that receives a large number of visitors each day, as users are actually instructed to visit the site. It’s this large number of ‘natural’ and trusting visitors that makes this domain so potentially valuable to criminals. I would not be surprised to find the domain for sale in underground forums for a substantial amount of money, as crooks would see a likely path to recouping their ‘investment’ while also raking in hefty profits in a relatively short amount of time.”

How big is the problem, really?

At the moment, though, the domain is not malicious.

Nor is tplinkextender.net, a domain used for the configuration of TP-LINK Wi-Fi extenders, which also been let to expire and is currently offered for sale.

But Horowitz claims that the “lost” domains should not present a problem for the owners of those TP-LINK devices.

“A TP-LINK router or extender should intercept requests to tplinklogin.net and tplinkextender.net and direct them to the router/extender rather than the Internet,” he noted. His testing revealed that that was, indeed, correct, and users would be taken to the devices’ internal logon page/ administrative website.

It’s everybody else that, should the domains turn malicious, will be in danger.

“Anyone not connected to a TP-LINK router, that goes to tplinklogin.net, will see a public Internet web page rather than their routers internal logon page. Currently that page is an advertisement, but it could turn malicious at any time,” Horowitz pointed out.

Update: Friday, July 8, 2:10 AM ET: TP-LINK reached out with the following information for our readers.

Configure TP-LINK networking devices safely

TP-LINK offers users the option of using either an IP address or a domain to access and configure their TP-LINK networking devices. Below are the domains currently in use:

  • Router – http://tplinkwifi.net
  • Cable Modem Router & DSL – http://tplinkmodem.net
  • Range Extender – http://tplinkrepeater.net
  • Wireless PLC – http://tplinkplc.net

For users with older or end-of-life TP-LINK products with discontinued site domains, please use the IP address to access the device. Below are the default IP addresses for TP-LINK networking devices:

  • Routers: 192.168.0.1 or 192.168.1.1
  • DSL and Cable Modem and Router: 192.168.1.1
  • Range Extender and Powerline Extender – Default: 192.168.0.254; Configured: Find the IP address for the device in your router’s DHCP Client list and then use that IP address to access the device.