I recently received an email notification from Spectrum, my internet service provider. It warned that some TP-Link routers may be vulnerable following a recent FBI-identified security issue. Because I don’t rent my modem and router from Spectrum, they can’t fix it remotely. They recommend that I (1) update the firmware, (2) change the admin password, and (3) replace the router if it’s over 5 years old.
I explored the links provided in the Spectrum email notification. The first is a link to an FBI Public Service Announcement (PSA). It says that the Russian military, specifically the group known as APT28, Fancy Bear, or Forest Blizzard, is conducting attacks on vulnerable home and small-office routers around the world. This allows them to intercept internet traffic so they can steal passwords, authentication tokens, emails, and browsing data. High-value targets include military, government, and critical infrastructure.
Specifically, the PSA refers to CVE-2023-50224. CVE stands for “Common Vulnerabilities and Exposures”; 2023 is the year the CVE identifier was assigned (which is not necessarily the year the flaw was discovered or publicly disclosed), and 50224 is the sequence number that makes the identifier unique within that year. A TP-Link security advisory lists the legacy products that are impacted by CVE-2023-50224 (i.e., the models targeted by APT28) along with their remediation status, i.e., which hardware versions have a fixed firmware build and which do not.
Fortunately my TP-Link Deco S4 version 3.6 mesh router system is not on the list. I updated the firmware just over a year ago to build 20240927 (i.e., September 27, 2024). The firmware description does not comment on whether specific CVEs have been fixed, but given that CVE-2023-50224 was identified in 2023 and the firmware update was Build 20240927, I assume the vulnerability, if it existed on my model in the first place, has been patched.
On a related note, I came across a list of TP-Link End of Life Products and discovered that my TP-Link Deco S4 version 3.6 has an “EOS Notification Date” of 7/27/2025 and an “EOS Date” of 1/27/2026. TP-Link defines End of Life (EOL) products as “products where the production has either ended on the model or the specific version of the model.” Of greater relevance to security vulnerabilities are two additional milestones defined in the TP-Link EOL Policy. The End of Sales (EOS) date is when TP-Link discontinues a product and stops accepting orders for it. The End of Maintenance (EOM) date is when TP-Link will no longer provide support or maintenance for a product.
So if I interpret these definitions correctly, the first thing that happens is EOL, when TP-Link stops producing a model. Then EOS occurs, when TP-Link stops selling and accepting new orders for the product. And finally EOM occurs, when TP-Link no longer supports the product (I assume this includes firmware updates). So even though my Deco S4 version 3.6 is no longer sold according to the EOS Date (at least not by TP-Link; it is still sold by Amazon via the link above), I have not received any clear indication that it is no longer maintained. According to ChatGPT, TP-Link does not publicly disclose EOM dates, but in general EOM occurs roughly 3 years after EOS, and the only way to determine the EOM date for a specific model is to contact TP-Link support.
The PSA also refers to a UK National Cyber Security Centre Cybersecurity Advisory. It describes APT28's malicious activity in more detail and includes a non-exhaustive list of specific TP-Link router models targeted by APT28 that closely matches the models in the TP-Link security advisory for CVE-2023-50224.
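The two checks discussed above, looking up a router in a vendor advisory and comparing its installed build against the fixed build, and placing it on the EOL timeline, are easy to get wrong by hand. The script below is an added example, not code from the original post or from TP-Link. It uses a constructed advisory table with hypothetical model names (Router-A, Router-B) that only mimics the layout of a vendor advisory, and a constructed EOL table whose Deco S4 V3.6 dates are the ones quoted in the post; the firmware strings, the status names and the `eom` field being unpublished are assumptions made for the example. The important design point is that a device absent from the advisory comes back as "NOT_LISTED", and a build date newer than the CVE year is never treated as proof of a fix; only a build at or past the fixed build for that exact model and hardware version is.

```python
"""Added example (not from the original post): check a router against a
constructed vendor advisory table and a constructed end-of-life table."""
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# TP-Link firmware strings carry a YYYYMMDD build stamp, e.g. "1.0.3 Build 20240927".
BUILD_RE = re.compile(r"Build\s*(\d{4})(\d{2})(\d{2})", re.IGNORECASE)


def build_date(firmware: str) -> date:
    """Extract the build date from a TP-Link-style firmware string.

    Raises ValueError when no build stamp is present, so a malformed or
    unknown firmware string is never silently treated as 'new enough'.
    """
    m = BUILD_RE.search(firmware)
    if not m:
        raise ValueError(f"no build date in firmware string {firmware!r}")
    return date(int(m.group(1)), int(m.group(2)), int(m.group(3)))


@dataclass(frozen=True)
class AdvisoryRow:
    model: str
    hw_version: str
    fixed_firmware: Optional[str]  # None: vendor lists the model as affected with no fix


# Constructed advisory table with hypothetical model names. It mimics the layout
# of a vendor advisory (model, hardware version, fixed build) but is NOT
# TP-Link's real advisory for CVE-2023-50224.
ADVISORY: Dict[str, List[AdvisoryRow]] = {
    "CVE-2023-50224": [
        AdvisoryRow("Router-A", "V1", "1.0.3 Build 20240115"),
        AdvisoryRow("Router-A", "V2", None),
        AdvisoryRow("Router-B", "V3", "2.1.0 Build 20240601"),
    ],
}


def check_device(cve: str, model: str, hw_version: str, installed_firmware: str) -> str:
    """Classify a device for one CVE using only the matching model + hardware
    version row. A build date later than the CVE year proves nothing by itself;
    only being at or past the fixed build for this exact row does."""
    rows = [r for r in ADVISORY.get(cve, ())
            if r.model == model and r.hw_version == hw_version]
    if not rows:
        return "NOT_LISTED"          # not covered by the advisory: unknown, not proven safe
    row = rows[0]
    if row.fixed_firmware is None:
        return "AFFECTED_NO_FIX"     # listed as affected, no fixed build published
    if build_date(installed_firmware) >= build_date(row.fixed_firmware):
        return "PATCHED"
    return "NEEDS_UPDATE"


@dataclass(frozen=True)
class EolRow:
    model: str
    hw_version: str
    eos_notification: date
    eos: date
    eom: Optional[date]  # assumed unpublished by the vendor: unknown until support confirms it


# Constructed EOL table; the Deco S4 V3.6 dates are the ones quoted in the post.
EOL_LIST: List[EolRow] = [
    EolRow("Deco S4", "V3.6", date(2025, 7, 27), date(2026, 1, 27), None),
]


def lifecycle_status(model: str, hw_version: str, today: date) -> str:
    """Return the lifecycle milestone a device has reached as of `today`."""
    for row in EOL_LIST:
        if row.model == model and row.hw_version == hw_version:
            if row.eom is not None and today >= row.eom:
                return "END_OF_MAINTENANCE"
            if today >= row.eos:
                return "END_OF_SALES"        # no longer sold; maintenance status unconfirmed
            if today >= row.eos_notification:
                return "EOS_ANNOUNCED"
            return "ACTIVE"
    return "NOT_LISTED"


if __name__ == "__main__":
    print(check_device("CVE-2023-50224", "Router-A", "V1", "1.0.2 Build 20231201"))  # NEEDS_UPDATE
    print(check_device("CVE-2023-50224", "Deco S4", "V3.6", "Build 20240927"))      # NOT_LISTED
    print(lifecycle_status("Deco S4", "V3.6", date(2026, 2, 1)))                     # END_OF_SALES
```

To use it against a real advisory, replace the `ADVISORY` rows with the vendor's published model, hardware version and fixed-build entries and keep the row matching exact: comparing a build date against a fixed build that belongs to a different hardware version gives a meaningless answer.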
The bottom line, as described in the Spectrum email notification, is that your router runs software that can have security holes, just like your desktop, laptop, or phone. It is therefore important to keep your router firmware updated, much as you update the operating system on your computer or phone. Additionally, practice good security hygiene: replace the router's default admin password with a strong one, and replace equipment that the manufacturer no longer supports with firmware updates.