
  • Last Updated:
  • Jul 13th, 2018 9:40 am
[OP]
Newbie
Mar 6, 2011
21 posts
8 upvotes
Mississauga

TP-Link Products pulled from Bestbuy shelves

After checking online stock of a TP-Link router on the bestbuy website, I went in store to buy it only to be unable to find it on shelves. Asked an associate and they had 9 units in stock which were nowhere to be seen. After he discussed it with his manager, turns out Bestbuy has pulled all TP-Link routers from their shelves due to a "security risk", and even if a store has stock, they are unable to sell the router.

Just an FYI!
10 replies
Deal Addict
User avatar
Aug 29, 2012
4419 posts
1669 upvotes
Probably because the Trump administration pressured Best Buy into doing so... they're a company based in Shenzhen, China.
This is the great ideological divide of our times: not between left and right but between those of us who believe in truth; and those who believe, Oprah style, that we’re all entitled to our own truths and that everyone’s is equally special.
Deal Guru
User avatar
Jun 27, 2004
10573 posts
747 upvotes
Vancouver.bc.ca
I would contact BB Canada HQ to ask them what's up.
Sr. Member
Jan 12, 2017
608 posts
361 upvotes
Maple Ridge
Go buy somewhere else?
Pretty sure we would have heard about it by now if there was something serious enough for BB to pull them off the shelf
Deal Fanatic
User avatar
Sep 13, 2003
9156 posts
965 upvotes
Don't buy it from Best Buy then, support another company.
One blind human - a tragedy
Ten blind humans - a disaster
One million blind humans - a statistic
Deal Addict
User avatar
Mar 28, 2005
3997 posts
385 upvotes
Ontario / Quebec
First thing that popped into my head was that this is related to the FBI warning a short while ago to reset certain routers because they are vulnerable to a major cyber attack.
Then the comment was that a reset wasn't enough, one had to reboot.
Maybe for some routers even reboot is not enough
Member
Dec 23, 2015
376 posts
317 upvotes
https://www.tp-link.com/en/faq-2213.html


VPNFilter Malware Security

We at TP-Link are aware of the new security vulnerability named "VPN Filter" which may bring risks to some routers. According to Cisco Talos's investigation, this security vulnerability may make use of the existing vulnerabilities on the devices and try to launch attacks. Up till now, we have not received any new vulnerability feedback, and as for the existing old ones, we have already fixed them via firmware release.

To protect against this possible malware, we strongly advise our customers to take following steps:

1. Make sure you are running the latest firmware version on your router.

You can check if the firmware running on your device is latest or not via this link:

https://www.tp-link.com/download-center.html

2. Please change default admin username and password on the web interface. For more detailed operation, you can refer to this link:

https://www.tp-link.com/faq-73.html

3. If the remote management feature is not necessary for you, please turn off Remote Management on the web interface. If the remote management feature is configured improperly, it will increase the possibility of attacks.

4. If you are concerned that your router might be attacked, you may try to restore the factory default settings of your router first and then take the steps above.

TP-Link is investigating and will update this advisory as more information becomes available.
It's not just TP-Link Devices affected
https://en.wikipedia.org/wiki/VPNFilter#Devices_at_Risk

VPNFilter
From Wikipedia, the free encyclopedia

VPNFilter is malware designed to infect routers and certain network attached storage devices. As of 24 May 2018, it is estimated to have infected approximately 500,000 routers worldwide, though the number of at-risk devices is larger[1]. It can steal data, contains a "kill switch" designed to disable the infected router on command, and is able to persist should the user reboot the router.[2] The FBI believes that it was created by the Russian Fancy Bear group.[3][4]


Operation

VPNFilter is malware infecting a number of different kinds of network routers and storage devices. It seems to be designed in part to target serial networking devices using the Modbus protocol to talk to and control industrial hardware, as in factories and warehouses. The malware has special, dedicated code to target control systems using SCADA.[5]

The initial infection vector is still unknown. The Cisco Talos security group hypothesizes the malware exploits known router security vulnerabilities to infect devices.[6]

This software installs itself in multiple stages:

Stage 1 involves a worm which adds code to the device's crontab (the list of tasks run at regular intervals by the cron scheduler on Linux). This allows it to remain on the device after a reboot, and to re-infect it with the subsequent stages if they are removed. Stage 1 uses known URLs to find and install Stage 2 malware. If those known URLs are disabled, Stage 1 sets up a socket listener on the device and waits to be contacted by command and control systems.[7]
Stage 2 is the body of the malware, including the basic code that carries out all normal functions and executes any instructions requested by special, optional Stage 3 modules.
Stage 3 can be any of various "modules" that tell the malware to do specific things, like spying on industrial control devices (Modbus SCADA) or using secure "dark web" Tor software to communicate via encryption.[5]

What it does

VPNFilter uses multiple third stage operations after the initial infection. One such function of VPNFilter is to sniff network data on a network connected to the infected device, and gather credentials, supervisory control and data. The data are then encrypted and exfiltrated via the Tor network.

It can also serve as a relay point to hide the origin of subsequent attacks.

Mitigation

Both Cisco and Symantec suggest that people who own affected devices do a factory reset. That is typically accomplished by using a small, pointed object, such as a straightened-out paperclip, to push the small reset button on the back of the unit for 10 to 30 seconds (time varies by model). This will remove the malware, but also restores the router to all original settings. If the router has remote management enabled, a factory reset will often disable this (the default setting of many routers). Remote management is thought to be one possible vector for the initial attack.

Before connecting the factory-reset router to the internet again, the device's default passwords should be changed to prevent reinfection.[8]

Devices at Risk

The initial worm that installs VPNFilter can only attack devices running embedded firmware based on Busybox on Linux compiled only for specific processors. This does not include non-embedded Linux devices such as workstations and servers.[9]

Manufacturer-provided firmware on the following router models is known to be at risk:[10][7]

Asus Devices:

RT-AC66U
RT-N10
RT-N10E
RT-N10U
RT-N56U
RT-N66U

D-Link Devices:

DES-1210-08P
DIR-300
DIR-300A
DSR-250N
DSR-500N
DSR-1000
DSR-1000N

Huawei Devices:

HG8245

Linksys Devices:

E1200
E2500
E3000
E3200
E4200
RV082
WRVS4400N

Mikrotik Devices:

CCR1009
CCR1016
CCR1036
CCR1072
CRS109
CRS112
CRS125
RB411
RB450
RB750
RB911
RB921
RB941
RB951
RB952
RB960
RB962
RB1100
RB1200
RB2011
RB3011
RB Groove
RB Omnitik
STX5
Mikrotik RouterOS versions up to 6.38.5 on current or 6.37.5 on bugfix release chains[11]

Netgear Devices:

DG834
DGN1000
DGN2200
DGN3500
FVS318N
MBRN3000
R6400
R7000
R8000
WNR1000
WNR2000
WNR2200
WNR4000
WNDR3700
WNDR4000
WNDR4300
WNDR4300-TN
UTM50

QNAP Devices:

TS251
TS439 Pro
Other QNAP NAS devices running QTS software

TP-Link Devices:

R600VPN
TL-WR741ND
TL-WR841N

Ubiquiti Devices:

NSM2
PBE M5

Upvel Devices:

Unknown Models [nb 1]

ZTE Devices:

ZXHN H108N

Epidemiology

VPNFilter is described by Cisco Talos as having infected as many as 500,000 devices worldwide,[9] in perhaps 54 different countries, though proportionately the focus has been on Ukraine.

FBI investigation

The FBI has taken a high-profile role in addressing this malware, conducting an investigation that resulted in the seizure of the domain name toknowall.com as ostensibly having been used to redirect queries from stage 1 of the malware, allowing it to locate and install copies of stages 2 and 3.[4] The US Justice Department also compelled the site Photobucket to disable known URLs used to distribute malware Stage 2.[6][12]

FBI Recommendation on Removing the Infection

On 25 May 2018, the FBI recommended that users reboot their at-risk devices.[13] This would temporarily remove the stages 2 and 3 of the malware. Stage 1 would remain, leading the router to try re-downloading the payload and infecting the router again. However, prior to the recommendation the US Justice Department seized web endpoints the malware uses for Stage 2 installation.

Without these URLs, the malware must rely on the fallback socket listener for Stage 2 installation. This method requires threat actor command and control systems to contact each system to install Stage 2, increasing the threat actor's risk of being identified.[6] The FBI further recommended users disable remote management on their devices and update the firmware. A firmware update removes all stages of the malware, though it is possible the device could be reinfected.[13]

The FBI said that this would help them to find the servers distributing the payload.[14][15][3]

Notes

Malware targeting Upvel as a vendor has been discovered, but we[who?] are unable to determine which specific device it is targeting.

References

"VPNFilter Update and Our First Summit Recap". Talos. 2018-06-21. Retrieved 2018-06-26.
"VPNFilter state-affiliated malware pose lethal threat to routers". SlashGear. 2018-05-24. Retrieved 2018-05-31.
Kevin Poulsen (23 May 2018). "Exclusive: FBI Seizes Control of Russian Botnet". Daily Beast.
"FBI to all router users: Reboot now to neuter Russia's VPNFilter malware".
"VPNFilter: New Router Malware with Destructive Capabilities".
"VPNFilter, the Unfiltered Story". Talos. 2018-05-29. Retrieved 2018-06-26.
William Largent (6 June 2018). "VPNFilter Update - VPNFilter exploits endpoints, targets new devices".
"Security Advisory for VPNFilter Malware on Some NETGEAR Devices". Netgear. 2018-06-06. Retrieved 2018-06-26.
"Hackers infect 500,000 consumer routers all over the world with malware". Ars Technica. Retrieved 2018-05-31.
"VPNFilter: New Router Malware with Destructive Capabilities". Retrieved 2018-05-31.
"VPNfilter official statement - MikroTik". forum.mikrotik.com. Retrieved 2018-05-31.
"AFFIDAVIT IN SUPPORT OF AN APPLICATION FOR A SEIZURE WARRANT". 22 May 2018.
"FOREIGN CYBER ACTORS TARGET HOME AND OFFICE ROUTERS AND NETWORKED DEVICES WORLDWIDE". 25 May 2018.
Dan Goodin (25 May 2018). "FBI tells router users to reboot now to kill malware infecting 500k devices". Ars Technica.
Dan Goodin (24 May 2018). "Hackers infect 500,000 consumer routers all over the world with malware". Ars Technica.
Cheap junk wastes resources and fills up landfills.
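One practical way to act on the Wikipedia excerpt above: Stage 1 of VPNFilter tries to reach known locator URLs, and the seized domain toknowall.com is one of them, so a home DNS resolver log is a cheap place to look for a router that is still beaconing. The script below is an added example (not from the thread, TP-Link or Wikipedia); it assumes a dnsmasq-style query log, and the log lines are constructed, not real traffic.

```python
"""Flag DNS queries for the seized VPNFilter Stage-1 locator domain in resolver logs."""
import re
from collections import defaultdict

# Domain named on the page as seized by the FBI; Stage 1 used it to find Stage 2.
# Subdomains are matched too, since a log may record the full queried name.
WATCHLIST = {"toknowall.com"}

# Constructed dnsmasq-style query lines (sample data, not captured traffic).
SAMPLE_LOG = """\
May 24 03:12:01 dnsmasq[812]: query[A] time.nist.gov from 192.168.1.1
May 24 03:12:02 dnsmasq[812]: query[A] toknowall.com from 192.168.1.1
May 24 03:15:40 dnsmasq[812]: query[A] update.tp-link.com from 192.168.1.1
May 24 03:20:11 dnsmasq[812]: query[A] www.toknowall.com from 192.168.1.37
May 24 03:21:05 dnsmasq[812]: query[AAAA] example.org from 192.168.1.50
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<src>\S+)")


def is_watched(name: str) -> bool:
    """True when name equals, or is a subdomain of, a watch-listed domain."""
    name = name.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in WATCHLIST)


def find_hits(log_text: str) -> dict:
    """Map each source IP that looked up a watched domain to the names it queried."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_watched(m.group("name")):
            hits[m.group("src")].append(m.group("name"))
    return dict(hits)


if __name__ == "__main__":
    for src, names in find_hits(SAMPLE_LOG).items():
        # A hit from the router's own LAN address is the case the FBI advisory describes:
        # factory-reset, update firmware, change default credentials, disable remote management.
        print(f"{src} queried {', '.join(names)}: possible Stage 1 beacon, treat device as infected")
```

A lookup of the seized domain is a strong signal but not proof of infection, so the next step is a firmware update and factory reset of the host that made it, as both TP-Link and the FBI recommend.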
Deal Guru
User avatar
Jun 27, 2004
10573 posts
747 upvotes
Vancouver.bc.ca
rabbit wrote:
Jul 11th, 2018 2:43 am
Fake news?
krs wrote:
Jul 11th, 2018 7:35 am
Not if dozens of reputable news organizations carry this story -
Sorry, I meant BB pulling TP-Link from shelves might be fake news.
Deal Addict
User avatar
Jul 11, 2006
1510 posts
264 upvotes
Toronto
I just gotta say TP-Link wifi light switches are awesome. I bought a bunch so that I can control and schedule all my outdoor lights from my phone.
