Worrying Issue with Security on Archer VR2600 ADSL/VDSL Modem Router
Model : Archer VR2600
Hardware Version : Not Clear
Firmware Version : 1.5.0 0.8.0 v0050.0 Build 160831 Rel.57961n
ISP : Telstra, Optus - doesn't matter[/COLOR]
I just purchased a VR2600 to replace a VR600 (was trying to get better WiFi range which in reality turned out to be nearly similar to the VR600 which was half the price). Some observations as follows
1) The VR2600 has no username to log in - just a password
2) Telnet is enabled by default on the router (clear-text password) and from what tech support are telling me, cannot be turned off
3) Whilst there is a 600 second timeout after five failed attempts, there is no logging of telnet access attempts, either successful or failed.
The combination of the three concern me greatly, but TP-Link Tech Support refuse to acknowledge that this is a security concern in any way (my support ticket 316373 with TP-Link)
In addition to the above, when I have the VR2600 configured for IPSec site-to-site VPN, a telnet port is opened on the WAN IP address of the local VR2600 router to any device from or behind the remote site VPN peer public IP address (meaning anything within the remote site and anything successfully purporting to be the remote site WAN IP). There is no way to turn telnet off on the WAN IP unless you also turn off the VPN (admittedly, it is only available to devices sourced from or behind peer site public IP). The VPN tunnel does not have to be up, and the remote site does not need to have any VPN configured - the issue presents as long as the local site has a VPN configured.
Anyone else also consider this a security issue? I wouldn't put it at the top of the critical list, but it seems to me that it is undesirable.
Tags for this Thread