To the reader: if this is your first exposure to finding things that aren't supposed to be exposed to the internet and you're finding it interesting enough to want to learn more, there's a tool commonly used among security practitioners called Shodan that enables a much more tunable search for exposed assets.
Not that I didn't know about its existence, but I just entered the IP of my VPS and noticed that Portainer was bound to 0.0.0.0... I thought I had it bound to the docker bridge so now I've got to put in some time to see if all is ok.
I just checked if my router's admin was open to public access by connecting with my public IP. It connected! Oh no! That's embarrassing, I thought. Turns out it was just NAT hairpinning. I can't connect from my mobile network.
Some of these routers can be crazy insecure. Just some fun from my own experience: before I got mine switched into bridge mode by my ISP I managed to disable the wifi on it despite the ISP blocking that functionality. How? By removing the disabled attribute from the select element via the devtools. I also know a friend who found his password in plaintext in a script tag in his router’s login page. I understand that nothing is absolutely secure but this is just tempting fate.
There are thousands of TP-LINK routers whose WAN port 80/443 is exposed to the Internet, allowing access to their administration interface if you know the password (or a vulnerability is present).
It's a demonstration of google dorking. Construct a google search term that returns attackable hosts.
I've done something similar once to find Dell iDRAC [0] and Exchange Outlook Web App [1] instances open to the internet. Just goes to show how forgetting a simple robots.txt (if it's even an option) can expose something you don't want, even if it's password protected.
On a side note, it's super annoying when you want to log in to your router, and Google Chrome autocompletes / suggests it with 192.168.l.l, or ends up doing a Google search for 192.168.0.1.
I suggest that anyone wanting to see the pages in the search results click on the Google cache version instead of clicking on the link itself, which exposes your IP address.
I am quite sure there are enough preload/prefetch links in the Google results pages to make this irrelevant (and crash the poor routers' owners' downstream links).
One way I suppose is this: there are indexed sites on Google that just basically list all known IP addresses (eg. ip to location services) in hope of SEO juice. If those IPs are linked to by said websites then the Google spider will follow and index them.
Click "Next Page" folks - estimated 7,000+ results turns into 21 results - many of which are dead, many others are HN aggregators, leaving the total amount of these model routers on the public internet to be a small handful - all of which appear to be professionally managed with CNAMEs, etc.
True claim: When I click on "next page" I get "Page 2 of about 7,520 results" BUT when I click on "next page" again I do get "Page 3 of about 21 results".
iirc, there's a certain query that's similar to this one which you could type into Google and control various security cameras around the world which are all on the WAN. Not only can you view the picture being recorded by the cameras, but you could rotate the cameras right from the web interface too.
eganist | 4 years ago
https://en.wikipedia.org/wiki/Shodan_(website) - deeper reading. I'm not affiliated.
---
It's also a super basic intro to proper google-fu (which you can google to find others' takes on how to become somewhat effective at, erm, googling). Back when I used to blog on Microsoft-related topics, it was common to construct extremely narrow queries to find exposed confidential documents in Skydrive accounts which we could then sift through to find bloggable material.
e.g. site:[skydrive domain] filetype:.pptx "Microsoft Confidential" etc.
Or one which still works:
https://www.google.com/search?q="Microsoft+Confidential"+sit...
lmao I'm going to have some fun tonight.
achillean | 4 years ago
https://www.shodan.io/search/facet?query=net%3A0%2F0&facet=p...
And we don't concentrate on a single type of device/ service (the article mentions SCADA). We identify everything from industrial control systems (1) to Minecraft servers (2). The news coverage makes it sound like we're skewed towards ICS, webcams or vulnerabilities but our focus is on providing a comprehensive view of what's connected to the Internet.
If you want to quickly check if your IP is exposing anything unexpected to the Internet simply visit:
https://me.shodan.io
If you see a 404 then nothing public was found. Note that this looks up information in the existing Shodan database - it doesn't launch a scan.
(1) Industrial control systems: https://www.shodan.io/search/report?query=tag%3Aics
(2) Minecraft servers: https://www.shodan.io/search?query=minecraft
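Turning the "check what your IP exposes" idea into something a defender can run on a scan export: the script below is an added example, not part of the thread and not Shodan's or TP-Link's code. It runs records shaped like a banner-scan export (the records are constructed here, using RFC 5737 documentation addresses) through the login-page strings this thread's own searches key on, and reports only hits inside your own prefixes. The signature table, the port list, the field names and the severity rule are this example's assumptions.

```python
"""Flag admin login pages exposed on your own address space.

Added example for this thread (not code from the thread, from Shodan or from
TP-Link). The records mimic the ip_str / port / data fields of a banner-scan
export, but every record below is constructed; 192.0.2.0/24 and 198.51.100.0/24
are RFC 5737 documentation ranges, not real hosts.
"""
import ipaddress
import re

# Login-page strings the thread's own searches key on (router, OWA, iDRAC).
ADMIN_SIGNATURES = {
    "tp-link-router": re.compile(r"Please log in with router'?s password", re.I),
    "generic-router": re.compile(r"Type in Username and Password", re.I),
    "owa": re.compile(r"<title>[^<]*Outlook Web App", re.I),
    "idrac": re.compile(r"<title>[^<]*(?:iDRAC|Integrated Dell Remote Access)", re.I),
}

# Ports where an admin interface answering from the WAN is most worrying (assumption).
ADMIN_PORTS = {22, 23, 80, 443, 8080, 8443}

# Constructed sample export: two admin pages on one host, one mail banner,
# one harmless web page, and one router outside our prefix (to be ignored).
SAMPLE_RECORDS = [
    {"ip_str": "192.0.2.10", "port": 80,
     "data": "HTTP/1.1 200 OK\r\n\r\n<html><body>Please log in with router's password</body></html>"},
    {"ip_str": "192.0.2.10", "port": 443,
     "data": "HTTP/1.1 200 OK\r\n\r\n<html><head><title>Outlook Web App</title></head></html>"},
    {"ip_str": "192.0.2.11", "port": 25,
     "data": "220 mail.example.test ESMTP ready"},
    {"ip_str": "192.0.2.12", "port": 8080,
     "data": "HTTP/1.1 200 OK\r\n\r\n<html><body>Welcome to my blog</body></html>"},
    {"ip_str": "198.51.100.5", "port": 80,
     "data": "HTTP/1.1 200 OK\r\n\r\n<html><body>Type in Username and Password</body></html>"},
]


def classify(record):
    """Return the name of the first admin-login signature found in the banner, or None."""
    banner = record.get("data", "")
    for name, pattern in ADMIN_SIGNATURES.items():
        if pattern.search(banner):
            return name
    return None


def find_exposed_admin_pages(records, my_prefixes):
    """Return findings for records inside my_prefixes whose banner is an admin login page.

    A scan export taken from the Internet side is the right evidence: as one comment
    in the thread notes, reaching your own public IP from inside the LAN can succeed
    through NAT hairpinning even when the port is not reachable from outside.
    """
    networks = [ipaddress.ip_network(p) for p in my_prefixes]
    findings = []
    for rec in records:
        addr = ipaddress.ip_address(rec["ip_str"])
        if not any(addr in net for net in networks):
            continue  # not our address space; nothing for us to act on
        signature = classify(rec)
        if signature is None:
            continue
        findings.append({
            "ip": rec["ip_str"],
            "port": rec["port"],
            "signature": signature,
            "severity": "high" if rec["port"] in ADMIN_PORTS else "medium",
        })
    return findings


def group_by_host(findings):
    """Collapse findings into {ip: sorted list of 'port/signature'} for a short report."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f["ip"], []).append(f"{f['port']}/{f['signature']}")
    return {ip: sorted(items) for ip, items in grouped.items()}


if __name__ == "__main__":
    hits = find_exposed_admin_pages(SAMPLE_RECORDS, ["192.0.2.0/24"])
    for ip, items in group_by_host(hits).items():
        print(f"{ip}: {', '.join(items)}")
```

Feed it a real export and your own prefixes and the output is a per-host list of what answers from the WAN with a login page; anything on that list is a candidate for turning remote management off or moving it behind a VPN or SSH tunnel, as several comments below suggest.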
walrus01 | 4 years ago
site:.gov "for official use only" filetype:pptx
site:.gov "for official use only" filetype:pdf
jfrunyon | 4 years ago
Edit: I take it back. Looks like the hash is good enough. 47,000 results; the first three that responded are the same kind of routers. https://www.shodan.io/search?query=hash%3A-904286784
grawprog | 4 years ago
Too many people leave the default password on internet connected devices.
Seriously, anything is better than the default password.
mr_toad | 4 years ago
kryogen1c | 4 years ago
https://youtu.be/-T-3buBwMEQ
This video is 9 years old now, but I'd wager the prevalence of public SCADA and webcams et al. is still pretty high.
girvo | 4 years ago
frjalex | 4 years ago
qwertox | 4 years ago
Thank you!
Narrator: All was ok.
atum47 | 4 years ago
br2 | 4 years ago
mattl | 4 years ago
syntaxfree | 4 years ago
Alupis | 4 years ago
Here's the user manual for the TP-Link AC2300 "Archer C7", as found in the google results:
https://static.tp-link.com/2019/201912/20191231/7106508598_A...
Step 2 of first time setup forces a default password change. There is no way around this step.
The defaults for the router also do not allow router access from the WAN port.
This means:
1) These routers all have secured passwords that are non-default.
2) These routers were deliberately placed on the internet by people that knew enough about them to do so.
Just because it's not how you would configure your router doesn't make it wrong. There are legit reasons to place a router on the internet, so long as it's secured properly... how else would you remotely manage a router at a different physical location, for instance.
__Lastly__ click "Next Page" on the OP search results. The estimated 7,000+ results becomes 21. Many of which are HN aggregators reporting on this thread here.
So... out of the possible millions of routers TP-Link has sold in this model line, less than 21 are on the public internet - many of which no longer load via IP address (indicating they are no longer publicly accessible), and the rest have professional CNAMEs attached, indicating professional management.
Nothing here...
lmilcin | 4 years ago
> Folks - these routers are secure. There is nothing to see here, move along.
If experience is any guide, they are not.
Consumer routers have a horrible track record of embarrassing, easily exploitable vulnerabilities that are not patched for a long time, or ever.
And exposing your router to the public like that suggests the owner knows very little about security. This typically goes hand in hand with other neglect. Tell me, how many home users that are not security conscious keep their routers regularly patched and will replace the router when the manufacturer stops supporting them?
jfrunyon | 4 years ago
Make that 47,000 of them on Shodan: https://www.shodan.io/search?query=hash%3A-904286784
> 1) These routers all have secured passwords that are non-default.
You have a very interesting definition of "secured" if you think they are all actually secured.
> 2) These routers were deliberately placed on the internet by people that knew enough about them to do so.
Just because they knew enough to click a checkbox doesn't mean they knew enough to do so. If they knew enough, they wouldn't have done so.
You seem to be under the mistaken impression that embedded devices (like consumer routers) don't usually have glaring security holes. But they do.
cafxx | 4 years ago
Owner of a C7 v4 here. There has not been a firmware update from TP-Link since December 2019 (note that v4 is the second-most recent HW revision). No way these are not affected by at least some CVE somewhere in their stack. Calling them secure is a leap of faith that TP-Link does not deserve.
I recently flashed OpenWrt exactly to be able to be on a more recent stack.
I would never dream of exposing that UI to the Internet as-is. They don't even have any form of brute-forcing protection. If they really needed access to the router remotely, it would be much saner to expose an SSH server with pubkey-only access or a VPN, both with brute-forcing protection, and allow tunnelling to the router UI only from the LAN side.
Either whoever set those up really has nothing to lose if they get owned, or they do not know what they are doing. In both cases, it does not qualify as being a secure setup. (Sure, they may also be honeypots - in which case your argument was incorrect anyway, as they are secure, but they are not routers.)
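The alternative described in this comment (an SSH host with pubkey-only login and limits on guessing, with the router's web UI reached only by tunnelling to its LAN address) can be checked mechanically. The audit below is an added example, not code from the thread, from OpenSSH or from TP-Link: the directive names and the defaults are real OpenSSH sshd_config keywords, while the two sample configs, the host names and the MaxAuthTries threshold of 3 are this example's own choices. Connection-level rate limiting (fail2ban and the like) lives outside sshd_config and is not modelled.

```python
"""Audit an sshd_config for the 'pubkey-only SSH plus a tunnel to the router UI'
setup, as an alternative to exposing the router's web UI itself.

Added example (not from the thread, OpenSSH or TP-Link). Directive names and the
DEFAULTS table are real OpenSSH sshd_config keywords and defaults; the sample
configs, host names and MAX_AUTH_TRIES_LIMIT are this example's own choices.
"""

# OpenSSH defaults applied when a directive is absent from the file.
DEFAULTS = {
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "maxauthtries": "6",
    "allowtcpforwarding": "yes",
    "kbdinteractiveauthentication": "yes",
}

MAX_AUTH_TRIES_LIMIT = 3  # this audit's threshold (assumption), not an OpenSSH default


def parse_sshd_config(text):
    """Return {keyword.lower(): first value}.

    sshd honours the first occurrence of a keyword, so later duplicates are ignored.
    Directives after a Match line apply only conditionally, so parsing stops there.
    """
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        # sshd accepts both "Keyword value" and "Keyword=value".
        if "=" in line.split(None, 1)[0]:
            key, value = line.split("=", 1)
        else:
            parts = line.split(None, 1)
            key, value = parts[0], (parts[1] if len(parts) > 1 else "")
        key = key.strip().lower()
        if key == "match":
            break
        effective.setdefault(key, value.strip())
    return effective


def audit_sshd_config(text):
    """Return a list of findings; an empty list means the config passes this audit."""
    cfg = {**DEFAULTS, **parse_sshd_config(text)}
    # ChallengeResponseAuthentication is the older name of KbdInteractiveAuthentication;
    # with UsePAM, a 'yes' here can still let PAM prompt for a password.
    kbd = cfg.get("challengeresponseauthentication", cfg["kbdinteractiveauthentication"]).lower()
    findings = []
    if cfg["passwordauthentication"].lower() != "no":
        findings.append("PasswordAuthentication should be 'no': password logins can be guessed online")
    if kbd != "no":
        findings.append("KbdInteractiveAuthentication should be 'no': PAM can still prompt for a password")
    if cfg["pubkeyauthentication"].lower() != "yes":
        findings.append("PubkeyAuthentication must be 'yes' for key-only login")
    if cfg["permitrootlogin"].lower() not in ("no", "prohibit-password"):
        findings.append("PermitRootLogin should be 'no' or 'prohibit-password'")
    if int(cfg["maxauthtries"]) > MAX_AUTH_TRIES_LIMIT:
        findings.append(f"MaxAuthTries above {MAX_AUTH_TRIES_LIMIT}: too many guesses per connection")
    if cfg["allowtcpforwarding"].lower() == "no":
        findings.append("AllowTcpForwarding is 'no': the -L tunnel to the router UI would be refused")
    return findings


def tunnel_command(bastion, router_ip, local_port=8080, router_port=80):
    """Client-side ssh command that forwards a local port to the router's LAN-side
    web UI through the bastion (-N: no remote shell, -L: local port forward)."""
    return f"ssh -N -L {local_port}:{router_ip}:{router_port} {bastion}"


# Constructed samples: the weak one is what a password-only exposed host tends to
# look like; the hardened one is the setup suggested in the thread.
WEAK_SSHD_CONFIG = """\
# constructed sample
PasswordAuthentication yes
PermitRootLogin yes
MaxAuthTries 10
"""

HARDENED_SSHD_CONFIG = """\
# constructed sample
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
MaxAuthTries 3
AllowTcpForwarding yes
Match Address 192.0.2.0/24   # conditional overrides are not audited here
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(f"{label}: {audit_sshd_config(cfg) or ['ok']}")
    print(tunnel_command("admin@bastion.example.test", "192.168.0.1"))
```

With the hardened config on the bastion, `tunnel_command` gives the only client-side command needed: the router's admin page is then opened at http://localhost:8080/ through the tunnel, and nothing on the router's WAN side has to be opened at all. The parser deliberately stops at the first Match block; anything it grants conditionally needs a separate look.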
amanzi | 4 years ago
Exposing your router's admin page to the internet is not good security practice. These routers are protected by nothing but a password, and I couldn't see anything in the manual that enforces password length/complexity. So while the password might be non-default, it could still be incredibly insecure.
Also, to expose these routers to the internet, all it takes is a single checkbox to enable "Remote management". So your assumption that these have all been deliberately placed on the internet also doesn't hold up because I can definitely see a curious home user playing with these settings without realising the impact of this. There have been tons of similar reports in the past where home users have exposed things to the internet without realising the impact.
jrochkind1 | 4 years ago
> The estimated 7,000+ results becomes 21. Many of which are HN aggregators reporting on this thread here.
Nope, Google is just collapsing them because they are all identical copies of the same "page", being the same login screen. Most of them look like routers, you can ask Google to "include" them all and see for yourself. https://www.google.com/search?q=%22Please+log+in+with+router...
mullingitover | 4 years ago
> 2) These routers were deliberately placed on the internet by people that knew enough about them to do so.
That's making some very generous assumptions.
alerighi | 4 years ago
> 1) These routers all have secured passwords that are non-default.
Who said secure password? Yes, they are not the default, but people are terrible at choosing passwords; most will choose weak passwords that are easy to exploit with a dictionary attack.
> 2) These routers were deliberately placed on the internet by people that knew enough about them to do so.
A person who knows what they're doing would never expose a router web interface on the internet. Most people don't know how to configure their router and let the ISP technician configure it, and they probably expose the router interface so they can access it remotely for maintenance, but it's not a great idea...
> There are legit reasons to place a router on the internet, so long as it's secured properly...
There aren't. Also, you can choose a secure password, but these router interfaces are full of bugs and highly exploitable. Add to this the fact that the manufacturer rarely updates the firmware of these devices...
> how else would you remotely manage a router at a different physical location, for instance.
With a VPN? By creating an SSH tunnel to one machine inside the local network? By connecting remotely (via RDP, VNC, TeamViewer, whatever) to one PC inside the local network? There are a ton of better solutions.
Also, if you don't have a static public IP address, as is the case in most situations nowadays, how do you access it remotely anyway? With dynamic DNS, but it's not reliable. The best solution to me is using a VPN (I can connect to my home network from anywhere in the world and access all the hosts, including the router and other networking equipment of course).
tjxp | 4 years ago
paxys | 4 years ago
nicce | 4 years ago
Edit: Yes, it was not.
NikolaNovak | 4 years ago
z80x86 | 4 years ago
beezischillin | 4 years ago
gennarro | 4 years ago
core-e | 4 years ago
angott | 4 years ago
syncsynchalt | 4 years ago
Skip past the first few results, then you'll see a list of likely easily-hackable home routers. If you were to try user/pass combos like "admin"/"admin" on these results I bet you'd have successful logins on several of them.
Don't actually do this (seriously, the penalties aren't light), the demonstration of the search results is enough to make the point.
fungiblecog | 4 years ago
ThePowerOfFuet | 4 years ago
https://duckduckgo.com/?q=%22Please+log+in+with+router%27s+p...
hamidchowdhury | 4 years ago
soheil | 4 years ago
kivlad | 4 years ago
[0] https://www.google.com/search?q=%22Type+in+Username+and+Pass...
[1] https://www.google.com/search?q=intitle%3A%22Outlook+web+app...
TchoBeer | 4 years ago
soheil | 4 years ago
bhaavan | 4 years ago
soheil | 4 years ago
AshamedCaptain | 4 years ago
nashashmi | 4 years ago
soheil | 4 years ago
mrkramer | 4 years ago
Alupis | 4 years ago
All the outrage in this thread over nothing...
calibas | 4 years ago
>In order to show you the most relevant results, we have omitted some entries very similar to the 22 already displayed. If you like, you can repeat the search with the omitted results included.
ElijahLynn | 4 years ago
mr_sturd | 4 years ago
They could all be receiving hugs of death from the HN traffic.
James-Livesey | 4 years ago
I (un)fortunately can't remember the certain query needed, but it's not too hard to find it — I'm sure it's been mentioned on various news articles or YouTube videos. If I remember, it relied on the cameras all sharing the same filename for the PHP page to access the interface.