There are plenty of security issues with many routers including firmware that is seldom upgraded, opened (telnet) port with the default password, and the list could go on. But Jahed Ahmed recently wrote about an issue I had not heard of before: his TP-Link router shows two hidden networks in 2.4 GHz and 5 GHz bands that he only discovered after running WiFi Analyzer on his phone.
He did not enable those networks, so that was the default configuration from the firmware. That could potentially pose a security risk, contributes to WiFi spam, and Jahed also mentions a waste of energy although the extra power consumption is probably limited, even when scaled to millions of users. So why is TP-Link doing this? Apparently for their OneMesh mesh wireless network system and device including range and powerline extenders that users may want to use.
Other users have been reporting this issue on TP-Link Archer routers at least since 2019. TP-Link has not upgraded all routers, but says there’s nothing to worry about:
Just like the existing Deco mesh package products, the specific hidden network with high-intensity random password can guarantee the security of the network. So no worries.
and still offers a solution for users wanting to disable OneMesh with new firmware adding an option to disable OneMesh, albeit some models, like Archer C6 and A7, only have beta firmware. That’s just another reason to purchase a router that is compatible with OpenWrt, and many of those Archer routers are not…
But why does TP-Link need those hidden networks in the first place? Hacker News’ user m45t3r provides a possible explanation and why it may not be such a big issue:
…this hidden network probably uses another protocol (for the OneMesh). It is the 802.11s, that uses its own encryption method based on Simultaneous Authentication of Equals (SAE) (yeah, that is the same as WPA3, however it came before it). It shows as hidden network on Wi-Fi Analyzer, but the network is not actually hidden in the same sense of a hidden Wi-Fi network: this simple happens because 802.11s has no concept of SSID.
The authentication of new devices happens when you pair a new router using the application available on Android/iOS (it has a web interface too but AFAIK it doesn’t allow adding new mesh routers to the network). So it seems pretty secure for me, at least sans some security bugs that I am sure that the device should have. Doesn’t bother me too much considering that most bugs that I saw on those consumer routers generally comes from the security from things like administration pages and not the Wi-Fi network itself (unless it is something like KRACK that affects all devices implementing the protocol).
Yeah, it is still pretty sh*t that they enable this by default, but if the router from the author of blog post is from one of their lines of mesh routers I do think this is kinda of made by purpose, because using multiple routers devices is kinda of the idea of a mesh network.
It should be noted that 802.11s is older and different from Wi-Fi EasyMesh announced in 2018, even though both target mesh networking. You’ll find a short comparison on Stack Exchange between the two.
Jean-Luc started CNX Software in 2010 as a part-time endeavor, before quitting his job as a software engineering manager, and starting to write daily news, and reviews full time later in 2011.
Support CNX Software! Donate via cryptocurrencies, become a Patron on Patreon, or purchase goods on Amazon or Aliexpress
TP-Link devices, should imho, never be connected to the internet.
They have terrible support and as someone that have bought two of their products, just to get two firmware updates before they moved to a new hardware revision and dropping the older products like a hot potato, I wouldn’t recommend anyone to buy their routers.
My range extender started to play up after a couple of years, as it would randomly power down the WiFi or it would drop the connection to the AP it was connected to.
Both products were given new life with an installation of OpenWRT and are working flawless now. My main router is from Netgear, running Voxel’s firmware, since OpenWRT and DD-WRT aren’t great options on that hardware.
All router manufacturers should have to provide at least, quarterly security updates for every product they’ve sold in the past five years, as there are way too many products out there that get hacked, mostly due to outdated software full of security holes.
A few years ago I bought a TP-Link router to put OpenWRT on.
There was even a backdoor in the original FW (AFAIR).
All router premium device have semi regular(once or twice a year) FW update.
I have the TP Link C5400X Work now, before i have that Xiaomi R1D, and b4 that Belkin AC1200 DB, with a few cheap mixed-brand APs router.
AFAIK, its the same for other manufacturer, only their premium router get regular updates.
Premium HW cost include FW updates.
Cheap ones dont.
Yep. Backdoor is you type a too long password and you’re in.
IMHO, a Merlin supported Asus router might also be a good alternative. Even though Asus have their skeletons too…
Oh for sure, I simply don’t own one, but Merlin is doing a great job.
Simplest solution is to reflash with dd-wrt. I’ve got four TP-Link routers around the house and no hidden netowrks.
so i had ~15 741 series wireless routers from tplink, all firmware with version 7 . after like, 2 years, all stopped functioning – bad/no routing, etc. checked mb capacitors, checked power source… nothing! resetting them was a short-term solution, but problems still appears after few hours. seemed that flash was the culprit, so i binned them at once, also all newer models inside my network,
The Asus routers with Merlin really are a pleasure to use. I don’t own any, but I admin a couple of them for a local business and if I was starting over from scratch I would go that route.
I’ve also heard very good things about Buffalo/Tomato.
I fell out of love with LinkSys when I found LinkSys branded products with Belkin hardware and the Cisco branding on the box as well. WTF… Belkin was junk, LinkSys was premium, Cisco/Juniper was supposed to be the uber-premium, yet that badge was on Belkin POS hardware. Bye-Bye.
After 12 years with LinkSys, I migrated to TP-Link. I’ve had 4 routers and 2 range extenders over the years. TP-Link has been pretty good about providing firmware updates. Most of my products got 5-6 years of updates for their revision. The trick is to buy the new revision – not the one that’s on maximum sale and near deprecation.
The WR700/701N travel range extenders got the least love, but I used them in conjunction with VPN to skirt hotel wifi device limits. Being connected to an insecure network to begin with, I wasn’t so concerned with the security of these devices.
The WA830RE worked really well so long as I didn’t use the subnet feature, which would crash it and the router it connected to, due to lack of STP, which resulted in packet transmission loops and ran them out of memory. Installing DD-WRT fixed that.
The WR740N got many firmware updates over its life and was rock solid, before I installed DD-WRT on it. After settings the CRDA to Canada, I used it at max transmit power and in a couple months the RF output failed.
The Archer C7 V2 stepped in to replace it in 2015. It’s now over 6 years old and still going strong, transmitting at high power with the CRDA domain set to Canada. In 2020 it got a firmware update to fix the gaping wpa_supplicant bug. I’d already migrated to OpenWRT by the time it was released, as I wasn’t prepared to wait even 1 month on a fix for that particular bug, which basically allowed anyone to connect to your WPA2 network with a null PSK.
Would I use a LinkSys router as an AP for a business within range of the general public? Not without a firewall and physically segregated network segments. But that applies to any WIFI router product.
Orbi routers have “hidden” networks as well. This is normal for mesh routers not a conspiracy.
I’m too lazy to check again, but I want to use OpenWRT but few or no reasonable current routers support it.
Merline and ddwrt are not really open source.