Weak Security - feel duped

This thread has been locked for further replies. You can start a new thread to share your ideas or ask questions.

2020-10-21 17:57:07
Model: RE450  
Hardware Version: V2
Firmware Version: 1.0.4 Build 20171220 Rel. 73615(8583)

 

WPA2-TKIP is very hackable. So is WPS connectivity. These are searchable in an IoT search engine (Shodan). WPS is hackable in 5 seconds. Your guides show the ability to disable WPS, but I see it nowhere. I am connected to the Ethernet web management page, not the Tether app. It's not in the Tether app either. I am a legal penetration tester/security researcher. I thought you can disable WPS in the RE450 Wi-Fi extenders? Why isn't the firmware updated to a newer standard, to at least WPA2-AES or, even better, WPA3??? I updated to the latest firmware and it's from 2018? Once again, I feel like I have been misinformed, as all the guides show that you can disable WPS. This seems to echo within the community as well. Please let me know how to proceed or if there is a newer firmware going to be released. I feel like returning this extender now unless I get a solid answer. I also want to inform the rest of your customers of the hackable security they're running on if this can't be resolved.

Re:Weak Security - feel duped
2020-10-22 20:45:26

@Tchie 

 

Please note that if the extender is in extender mode (the default), WPS is only enabled if you physically press the button. The option to disable WPS is seen when the RE450 is configured to run as an access point.

 

AES can be achieved by configuring your router to use AES, and setting up the extender through the web browser.

 

Should you find security flaws that you are able to present, please reach out and submit your feedback to our security team so they can work with you to resolve it: https://www.tp-link.com/us/press/security-advisory/

Re:Weak Security - feel duped
2020-10-23 17:48:03

@Tony thanks for the response, but you can virtually spoof the physical WPS button press. I would own this network in a pentest. Since I do own this device, I will submit a PoC to your security team. You need to update your firmware to give your customers the ability to disable WPS in extender mode.
