Latest Massive Router Vulnerability Highlights Need for Total Security

By Chris Knight

Your business protects its network and data with traditional security solutions, but what happens when the network hardware itself is the weakest point? A recent vulnerability highlights the need for complete and smart business protection.

TP-Link is a fast-growing brand providing networking equipment to home users and businesses. Starting in China in the nineties, selling network cards, they now have a global reach and offices in the U.S., United Kingdom and elsewhere.

As networking equipment, wireless routers and switches have become a part of every office, demand has soared and traditional vendors with high-end products have had to meet the challenge from the likes of TP-Link and others, with brands and products that can be 30% cheaper.

However, with lower costs comes a reduced budget for security and testing. So, it comes as little surprise that some of TP-Link’s routers, including the WR940N and WR740N models, have had a major security hole in them dating back to 2017.

These have allowed even the more brainless hackers and script kiddies out there to take control of TP-Link routers and attack the networks and data that use them. And even though the company was warned about the risk, it continued to use the same firmware in other devices, increasing the chance of users being hacked or their devices being turned into botnets to launch further automated attacks.

TP-Link didn’t help the situation by not publishing the patches on its website until very recently. Even so, while the models have had patches released for them to fix the security vulnerability, not every business has the IT staff to check they are updated, or any staff at all to manage their hardware. And home users are even less likely to know the risks.

Antivirus vendor Avast reveals that some 30% of TP-Link routers exhibit weak HTTP credentials, using the basic user name "admin" and password "admin" to log in. If those are not changed, it means anyone can access the router. These are instantly updated by any networking professional, but if your business grabs a router from a store and rushes to set it up to solve a networking problem or because the startup is growing fast, it might get overlooked.

TP-Link is far from the only vendor who has these issues, but while other brands and devices might have a problem, they tend to be more proactive in fixing them. This news should give all businesses cause to look around the IT in their offices, check that drivers are up to date, security protection is in place and ask what more they can do to stay safe.

How to Defend Your Business

All of which puts the onus on having good, smart security for your business IT, allowing you to get on with running the company while the smart services like can provide defenses against the latest cybersecurity risks.

They can protect your data from theft, your hardware from attacks that could cripple the business and keep intruders out of all your systems, including PCs, printers, routers and other hardware, each one of which adds an element of risk to your IT footprint.

Penetration testing can be used to test your networks automatically to check how secure they are, but all workers and users need to be taught the basics of cybersecurity to ensure the business remains secure.

When Developers and Cybersecurity Go To War

Some developers love to create crafty code, others utilize strange code bases or off-the-reservation services, all of which creates a running battle with cybersecurity teams trying to protect the business and users. Here’s how both can coexist in relative peace with a good balance between features and security.

Regardless of whether developers are building a Windows or Linux application, a mobile app, cloud service, chatbot, docker utility or progressive web app, great risks are often, sometimes unknowingly, being taken.

Cybersecurity teams know it can take just one weakness across the application or any service it touches to make the business or its customers vulnerable to hackers and their army of automated tools.

The risks come into play regardless of the history of the coding team. From rockstar developers to fresh-out-of-college graduates, missing one port reference, ignoring one internal rule or borrowing one dubious codelet that solves a problem can wreak havoc on the business.

Let’s Be Coding Friends

Both sides of the equation are under pressure. Business leaders want their coders to churn out apps and tools to use or sell yesterday, while cybersecurity teams are tasked with being as invisible and frictionless as possible while protecting everyone from the armies of darkness beyond the firewall.

The key to success is clarity of message and a well-defined plan for each project. Security must play an equal part of the quality checklist that any project goes through. Many code shops are moving to the DevOps model, where modular, goal-based milestones mark the lifecycle of the project.

In tandem with agile development, they help move projects rapidly, but within a structurally-defined process for quality, goal-meeting and feature management. Add security to that list and a business can proceed to develop apps that meet all the company’s security requirements, are tested for integrity and meet any industry or governmental standards.

To achieve this, both heads of security and the development teams need to be on the same page, highlighting the security-as-quality message. By building in security checks, code validation and training all developers in the aspects of vulnerabilities, along with regular check-ins along the way to completion, a secure outcome for the application is guaranteed.

Every Business Needs a Security Master

An increasingly common role in larger enterprises is a chief digital/information security officer (or similar). In any smaller business, someone suitably qualified needs to take on that role and be responsible for the reporting, cataloguing and management of security solutions, risks and flaws.

That person is an ideal focal point for getting the development teams in line with the security needs of the business. This person can be one of the development team, and with responsibility for any future issues is more likely to police the team’s efforts. To help build a strong bond between the two, when launching a development project, teams must follow the ground rules set by the security team.

The Rules of the Coding Road

Training lessons or days that highlight the need for security, what happens when it is ignored, and the main and minor flaws in coding techniques that lead to hacks will help alert the developers to the risks.

Code bounties and rewards can help encourage developers to spot flaws across the project code base, and any business should offer company-wide training in spotting hacks, flaws and other ways that hackers could access native code.

These guidelines, along with strong rules on “borrowed” code, use of outside services and other likely weak points, will see any business develop stronger, more secure applications.