Serious security flaw in Deco X60 - No way to disable remote management

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

Serious security flaw in Deco X60 - No way to disable remote management

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.
Serious security flaw in Deco X60 - No way to disable remote management
Serious security flaw in Deco X60 - No way to disable remote management
2021-12-25 17:16:55 - last edited 2021-12-27 00:56:44
Model: Deco X60  
Hardware Version: V3
Firmware Version: Latest

Hey,

Just picked up a Deco X60 at Costco. Here are some serious design flaws and some areas that need improvement for this to be competitive. Speeds are more than adequate for my needs, the issue I have is with features and functions. 

 

1) Surprisingly there is no way to disable remote management. This means the router is always open to the net and in the event there is a breach at TP-link or there is a vulnerability your network is at risk. Every other router I have ever used gives you the OPTION to turn this function off.

 

2) No full web browser UI. While you can log into the router via browser it basically displays information but you cannot change settings etc. This is obsurd.

 

3) DHCP reservation, no way to give the device different ip address than its currently on. This is silly, let me enter the ip I want to reserve for this device. I reboot the device and it grabs the ip. 

 

4) No guest network intranet on/off option. Many users like to use the guest network to isolate IoT devices. The setup of many of these devices require that your phone and the device be temporarily connected to the same network during setup. There should be an option to allow this. (Asus does). A better alternative would let me setup a separate and isolated wifi network for my Iot devices. 

 

5) The app itself can use a complete overhaul, its confusing at best. 

 

 

  6      
  6      
#1
Options
8 Reply
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-27 12:18:59

 

1) Surprisingly there is no way to disable remote management. This means the router is always open to the net and in the event there is a breach at TP-link or there is a vulnerability your network is at risk. Every other router I have ever used gives you the OPTION to turn this function off.

 Deco does not support remote management via web interface and the only remote access is via Deco APP from TP-Link own cloud server.

 

2) No full web browser UI. While you can log into the router via browser it basically displays information but you cannot change settings etc. This is obsurd.

5) The app itself can use a complete overhaul, its confusing at best. 

Since Deco is mainly designed for APP control, there would be limited configuration on the web UI. 

Could you mind providing more details about which parts of Deco APP that you want to be optimized? 

 

3) DHCP reservation, no way to give the device different ip address than its currently on. This is silly, let me enter the ip I want to reserve for this device. I reboot the device and it grabs the ip. 

It is still under evaluation and no ETA has been provided yet.

 

 4) No guest network intranet on/off option. Many users like to use the guest network to isolate IoT devices. The setup of many of these devices require that your phone and the device be temporarily connected to the same network during setup. There should be an option to allow this. (Asus does). A better alternative would let me setup a separate and isolated wifi network for my Iot devices. 

There is a on/off switch for guest Wi-Fi under Deco APP>More>Wi-Fi

 

 

 

 

@x60man 

Hi, please see the bold letters and feel free to update if there is any misunderstanding.

Thank you very much.

  0  
  0  
#2
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-28 03:54:41 - last edited 2021-12-28 03:55:49

For number 1 you failed to address the security FLAW. You dont have an option to disable remote management. This is insane. This thing will be going back to costco as soon as I can find a replacement unless you indicate it will be fixed in a new firmware release.

For number 4, I am asking about intranet (NOT INTERNET) access. Please read again.

THanks

  5  
  5  
#3
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-28 08:14:12

@x60man 

Hi, I am afraid currently there is no plan to turn off remote control/management via Deco APP.

As for the intranet, I do see Asus mentioned that:

https://www.asus.com/support/FAQ/1009857/

6. Access Intranet: Allow guests to access the intranet.

If select [disable], guest would not be able to use devices behind router, which connect by cable

It is more related to the wired clients from the main router so if your smartphone is on the main wifi during setup, I don't think they are accessible from each other.

But it did help if there are a bunch of IP cameras connected to the guest network but the NVR is wired to the router.

And I will note it down and see if other users have the same request.

  0  
  0  
#6
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-28 15:39:23

@TP-Link "Hi, I am afraid currently there is no plan to turn off remote control/management via Deco APP"

This is a huge security flaw and everyone should return their units. You MUST provide an option to disable it, like EVERY other router brand. TP link will eventually get hacked an all our networks will be compromised. Shame on TP-LINK. Looking for a replacement now. Back to costco this unsafe junk goes. 

  2  
  2  
#7
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-29 02:40:35

@x60man 

Hi, I am afraid I could not agree with you that there is a huge security flaw on the remote control via Deco APP.

We have made great efforts to protect privacy matters and will keep it in the future.

Maybe there is no plan to disable the remote control via Deco App now, we do plan to support 2FA / MFA on the Deco APP.

Thank you very much.

  0  
  0  
#8
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-29 16:35:19

@TP-Link You could not agree but you would be lying. Would you like me to publish a list of big name brands much larger than tplink whose accounts have been hacked? Once they have my email and password game over. 

Additionally, this allows tp-link employees to access my router. UNACCEPTABLE. Failing to acknowlege this major issue will cause a loss of sales. Thankfully I purchased mine at costco and will return it once my replacement arrives. Others should do the same. 

The WORST part of this is that there is no technical reason for NOT allowing us to disable remote management. Every user here should ask themselves WHY you are not allowing it. I will be spreading the word on reviews as well as other forums to avoid tp-link. 

  7  
  7  
#9
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-29 21:32:08

@x60man 

 

In regard to the following: "DHCP reservation, no way to give the device different ip address than its currently on."

 

I run Deco mesh in AP mode, so I can't test it, but according to TP-Link FAQ it is possible to give the device different IP address after it were added to the list of devices with reserved IP addresses. See the following, and scroll down to Step 5: How to configure Address Reservation with Deco?

 

---------------

 

As for general security matters you mentioned, you are right and also wrong. You are right that bad actor could penetrate TP-Link "cloud" and cause havoc on consumer Deco systems worldwide. Where you are wrong is in assumption that this can be fixed. The concept of Deco mesh is convenient management through cloud services, which means all cloud security shortcomings are by design, come with the territory so to speak.

 

This is not different from such things as Ecobee smart thermostat, Apple iCloud, Microsoft OneDrive, Windows 11 with Microsoft account, Google account combined with Android smartphone, etc., etc. 

 

The solution is simple: if you understand security implications of cloud based systems and don't like them, do not use cloud based systems. It is personal choice. 

  3  
  3  
#10
Options
Re:Serious security flaw in Deco X60 - No way to disable remote management
2021-12-30 03:00:30

@Alexandre. 

You are wrong and you are wrong. Those other services are cloud based services with no device in your home and they provide two factor authentication - tp link does not. Cant wait to laugh my ass off when this results in a PR disaster. TP-link could provide end users the option to disable remote management like asus does. This allows both options for users. You suggestion that it cannot be done because of the "concept" of cloud services is a silly attempt at a defense. Bottom line is these routers are unsafe and users should return them in droves. Most troubling from a Shenzhen, China based company like TP link. Caveat emptor.

  10  
  10  
#11
Options