Author Topic: TP-Link Easy Smart Switch security question  (Read 8268 times)

Offline VAMike

  • Sr. Member
  • ****
  • Posts: 386
  • Karma: +64/-11
Re: TP-Link Easy Smart Switch security question
« Reply #60 on: August 16, 2017, 06:28:58 am »
It is there via https - just BAD

The certificate is only valid for the following names: *.akamaized.net, *.akamaihd-staging.net, *.akamaized-staging.net, *.akamaihd.net, a248.e.akamai.net

Agree yet another example of not really getting it ;)
Those are always there when a site is hosted on akamai but not using https.

Offline warheat1990

  • Jr. Member
  • **
  • Posts: 26
  • Karma: +0/-0
Re: TP-Link Easy Smart Switch security question
« Reply #61 on: August 24, 2017, 10:20:11 pm »
TP-Link released beta firmware in July 2017 for both SG105E and SG108E, anyone care to try?

Link:
http://static.tp-link.com/TL-SG105E(UN)_V3_170717_Beta.rar
http://static.tp-link.com/TL-SG108E(UN)_V3_170717_Beta.rar

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14293
  • Karma: +1330/-193
  • Not a pfSense employee, they cannot fire me...
Re: TP-Link Easy Smart Switch security question
« Reply #62 on: August 25, 2017, 05:04:24 am »
did they release for v2?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

Online stephenw10

  • Administrator
  • Hero Member
  • *****
  • Posts: 11882
  • Karma: +461/-15
Re: TP-Link Easy Smart Switch security question
« Reply #63 on: August 27, 2017, 12:35:08 pm »
Mmm, did they release for anything else? Is there an announcement anywhere?

Steve

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14293
  • Karma: +1330/-193
  • Not a pfSense employee, they cannot fire me...
Re: TP-Link Easy Smart Switch security question
« Reply #64 on: August 28, 2017, 03:11:48 pm »
Not that I could find.. Typical it seems for this company..

Offline thuety

  • Newbie
  • *
  • Posts: 12
  • Karma: +0/-0
    • cellarcinama
Re: TP-Link Easy Smart Switch security question
« Reply #65 on: August 29, 2017, 08:38:36 am »
So my sg108e is directly connected to my cable modem with untagged VLAN x and PVID x.
How worried should I be about the VLAN 1 membership?
Wouldn't an attacker need to be in my cable/wan subnet?
« Last Edit: August 29, 2017, 10:41:15 am by thuety »

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9088
  • Karma: +1037/-306
Re: TP-Link Easy Smart Switch security question
« Reply #66 on: August 29, 2017, 10:29:41 am »
I would not use that switch on WAN. It's a sketchy enough proposition with a good switch with a proper management VLAN.
Las Vegas, Nevada, USA
Use this diagram to describe your issue.
The pfSense Book is now available for just $24.70!
Do Not PM For Help! NO_WAN_EGRESS™

Offline belt9

  • Full Member
  • ***
  • Posts: 233
  • Karma: +24/-6
Re: TP-Link Easy Smart Switch security question
« Reply #67 on: August 29, 2017, 10:51:12 am »
Security-wise, for a switch on WAN, how about a RADIUS server?

Doesn't pfSense even have a package for that?

Never used it before so might not work at all?

Offline Derelict

  • Global Moderator
  • Hero Member
  • *****
  • Posts: 9088
  • Karma: +1037/-306
Re: TP-Link Easy Smart Switch security question
« Reply #68 on: August 29, 2017, 10:58:51 am »
What?

Offline lexxai

  • Newbie
  • *
  • Posts: 7
  • Karma: +0/-1
    • We have what we have. Everything that happens - for the better. [lexxai]
Re: TP-Link Easy Smart Switch security question
« Reply #69 on: September 07, 2017, 06:32:08 pm »
I will add something about the security of these devices...
TL-SG1016DE security: values can be changed without any authentication.
This is from testing my device... VLAN1 is a problem.
The SG1016DE is now used only internally.

Offline tpham3783

  • Newbie
  • *
  • Posts: 6
  • Karma: +5/-0
Re: TP-Link Easy Smart Switch security question
« Reply #70 on: November 09, 2017, 11:36:58 am »

Hi guys,

Since TP-Link refused to give me the source code, I decided to take on this issue myself.

Here is how you can hack (un-member ports on vlan1).  I have already tested on the SG108PE (hw version 3) switch and it worked.


 1.  Set up your vlan configuration as usual
 2.  Save the config (config.cfg)
 3.  Open it up with a hex editor.  Right after the text "Default_VLAN" you will see FF (that basically means all 8 ports are members of untagged vlan1).  Change it to 00 if you want to un-member all ports from vlan1.  As shown in the attached picture, I changed it to 80 because I still wanted port 8 to be a member of vlan1 so that I can manage the switch from web-gui.
 4.  Save the file, restore the modified config in system:system_tools:restore_config
 5.  Wait for the switch to reboot, go to vlan config, notice that ports belonging to vlan1 are changed.

Cheers!  I still hope for tp-link to fix this VLAN1 bug one day!  This is just a work-around.
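
The byte edit described in the post above, as an added Python example (not part of the original post, and not the poster's or TP-Link's code). It assumes the membership byte immediately follows the ASCII text Default_VLAN and that port n maps to bit n-1, which matches the post's FF (all eight ports) and 80 (port 8 only); the function names and the sample bytes are constructed for illustration.

```python
MARKER = b"Default_VLAN"  # ASCII text the post says precedes the mask byte
PORTS = 8                 # 8-port model, as in the post (SG108PE hw version 3)

def locate_mask(cfg: bytes) -> int:
    """Offset of the VLAN 1 membership byte (assumed to directly follow the marker)."""
    first = cfg.find(MARKER)
    if first < 0:
        raise ValueError("marker not found: different model or config format")
    if cfg.find(MARKER, first + 1) >= 0:
        raise ValueError("marker appears more than once; refusing to guess")
    offset = first + len(MARKER)
    if offset >= len(cfg):
        raise ValueError("file ends right after the marker")
    return offset

def ports_in_mask(mask: int) -> list[int]:
    """Decode the bitmask. Assumption: port n is bit n-1, so 0x80 is port 8."""
    return [p for p in range(1, PORTS + 1) if mask & (1 << (p - 1))]

def mask_for_ports(ports) -> int:
    mask = 0
    for p in ports:
        if not 1 <= p <= PORTS:
            raise ValueError(f"port {p} out of range")
        mask |= 1 << (p - 1)
    return mask

def vlan1_members(cfg: bytes) -> list[int]:
    return ports_in_mask(cfg[locate_mask(cfg)])

def set_vlan1_members(cfg: bytes, ports) -> bytes:
    """Return a copy with only `ports` left in VLAN 1; file length is unchanged."""
    offset = locate_mask(cfg)
    patched = bytearray(cfg)
    patched[offset] = mask_for_ports(ports)
    return bytes(patched)

# Constructed sample, not a real backup: filler bytes around the marker.
SAMPLE = b"\x00\x01hdr" + MARKER + b"\xff" + b"\x00\x02tail"

if __name__ == "__main__":
    print("before:", vlan1_members(SAMPLE))
    fixed = set_vlan1_members(SAMPLE, [8])
    print("after: ", vlan1_members(fixed), hex(fixed[locate_mask(fixed)]))
```

Another reply in this thread reports that the edit did not seem to apply to the TL-SG105E, so compare the decoded port list with what the web GUI shows before restoring a changed file.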








Offline JKnott

  • Hero Member
  • *****
  • Posts: 903
  • Karma: +29/-4
Re: TP-Link Easy Smart Switch security question
« Reply #71 on: November 09, 2017, 12:43:01 pm »
I'll have to give that a try with my 5 port switch.  I don't suppose you'd have a fix for their TL-WA901N access point.   ;)
It has the same problem where data from the native LAN leaks into the VLAN & 2nd SSID.

I think those TP Link engineers need a lesson or 2 on VLANs.

Offline JKnott

  • Hero Member
  • *****
  • Posts: 903
  • Karma: +29/-4
Re: TP-Link Easy Smart Switch security question
« Reply #72 on: November 09, 2017, 01:04:58 pm »
That fix doesn't seem to apply to the TL-SG105E switch.

Offline tpham3783

  • Newbie
  • *
  • Posts: 6
  • Karma: +5/-0
Re: TP-Link Easy Smart Switch security question
« Reply #73 on: November 09, 2017, 09:57:34 pm »
That fix doesn't seem to apply to the TL-SG105E switch.


Were you able to see the port assignment changed in step #5?


By the way, I saw vlan isolation w/ the work-around solution.  The only thing I saw that was strange was that the switch's IP address is a member of all vlans.  If I were to change my PC's IP address to the same subnet as the switch, I could communicate with it on a non-native vlan, which is kinda weird.

However, the switch is no longer behaving like a dumb switch because ports are removed from vlan1.
« Last Edit: November 09, 2017, 10:06:32 pm by tpham3783 »

Offline johnpoz

  • Hero Member
  • *****
  • Posts: 14293
  • Karma: +1330/-193
  • Not a pfSense employee, they cannot fire me...
Re: TP-Link Easy Smart Switch security question
« Reply #74 on: November 10, 2017, 07:36:25 am »
I will give this a try on 105E v2 tonight when I get home..  Great info.. Thanks.