462 points kennedn | 1 comments
selinkocalar ◴[] No.45255874[source]
IoT security is generally terrible, but the fact that consumer routers are essentially unaudited black boxes processing all your network traffic is genuinely concerning. Most people have no idea their router firmware hasn't been updated in years and is probably running known CVEs. The supply chain trust model for networking hardware is broken.
replies(9): >>45255922 #>>45256174 #>>45256498 #>>45256518 #>>45256767 #>>45257622 #>>45258241 #>>45258326 #>>45258348 #
Gigachad ◴[] No.45256767[source]
There are countless routers in between you and your destination which you can't audit anyway. End devices long since consider the routers to be compromised and have everything verified and encrypted in transit. So unless your router is participating in a DDoS or mining bitcoins it doesn't really matter how secure it is.
replies(1): >>45257765 #
johncolanduoni ◴[] No.45257765[source]
Many IoT devices (or Windows when the LAN network location is set to “Private”) expose a wider surface area to local network addresses. Having a competent firewall on your residential router is still useful, especially for those that have no idea how to configure their endpoints securely.

Comparing a residential router to a network operator’s router is spurious: those routers don’t perform any sort of filtering for the public internet traffic flowing through them.

replies(1): >>45259858 #
dracotomes ◴[] No.45259858[source]
Is there any residential router that exposes internal endpoints by default? I've yet to come across one that does not have a deny-any policy on its WAN interface and has incoming destination NATs set up.

What use is reducing the attack surface of a device which only ever initiates connections?

Edit: also there are network operators that block customer traffic on certain ports like NetBIOS, SMB or SMTP to name a few.
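The policy this sub-thread revolves around (deny-any on the WAN interface, stateful return traffic allowed, explicit destination NAT for the one service you do want reachable, and the operator-style blocking of NetBIOS/SMB) can be written down in a few dozen lines of nftables. The script below is an added illustration, not something posted by any commenter: it generates such a ruleset, checks that both the input and forward chains default to drop, and syntax-checks it with `nft -c` when the binary is present. Interface names (`eth0`, `br0`), the LAN prefix, the forwarded host and port are assumptions, overridable through environment variables.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal nftables ruleset for a
# residential router: default-deny on WAN, stateful return traffic allowed,
# one explicit DNAT port-forward, and SMB/NetBIOS blocked on the way out.
# Interface names, addresses and the forwarded port are assumptions.
set -eu

WAN_IF="${WAN_IF:-eth0}"                 # assumed upstream interface
LAN_IF="${LAN_IF:-br0}"                  # assumed LAN bridge
LAN_NET="${LAN_NET:-192.168.1.0/24}"     # assumed LAN prefix
FWD_HOST="${FWD_HOST:-192.168.1.50}"     # assumed internal host behind the forward
FWD_PORT="${FWD_PORT:-8443}"             # assumed forwarded TCP port

# Emit the ruleset to stdout; redirect to a file and load it with `nft -f`.
write_ruleset() {
  cat <<EOF
flush ruleset

table inet filter {
  chain input {
    # Traffic addressed to the router itself: deny by default.
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
    ct state invalid drop
    # LAN hosts may reach router services (DHCP, DNS, admin UI).
    iifname "$LAN_IF" accept
    # WAN: rate-limited ping and the ICMPv6 messages needed for v6 to work.
    iifname "$WAN_IF" icmp type echo-request limit rate 5/second accept
    iifname "$WAN_IF" icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
  }
  chain forward {
    # Traffic crossing the router: deny by default.
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # LAN may initiate anything outbound except SMB/NetBIOS, which never
    # belong on the public internet (many operators drop them anyway).
    iifname "$LAN_IF" oifname "$WAN_IF" tcp dport { 137, 138, 139, 445 } drop
    iifname "$LAN_IF" oifname "$WAN_IF" udp dport { 137, 138 } drop
    iifname "$LAN_IF" oifname "$WAN_IF" accept
    # The single inbound exception, matched after DNAT rewrote the destination.
    iifname "$WAN_IF" oifname "$LAN_IF" ip daddr $FWD_HOST tcp dport $FWD_PORT ct status dnat accept
  }
}

table ip nat {
  chain prerouting {
    type nat hook prerouting priority -100; policy accept;
    iifname "$WAN_IF" tcp dport $FWD_PORT dnat to $FWD_HOST:$FWD_PORT
  }
  chain postrouting {
    type nat hook postrouting priority 100; policy accept;
    oifname "$WAN_IF" ip saddr $LAN_NET masquerade
  }
}
EOF
}

# Number of chains that default to drop; a router ruleset where input or
# forward accidentally defaults to accept is exactly the "exposed endpoints"
# situation the thread asks about, so refuse to load anything but 2.
count_drop_policies() {
  write_ruleset | grep -c 'policy drop;'
}

main() {
  out="${1:-/tmp/router.nft}"
  write_ruleset > "$out"
  [ "$(count_drop_policies)" -eq 2 ] || { echo "expected 2 default-drop chains" >&2; exit 1; }
  # Syntax-check with the real parser when nft is available (no root needed for -c).
  if command -v nft >/dev/null 2>&1; then
    nft -c -f "$out" && echo "ruleset parses: $out"
  else
    echo "wrote $out (nft not installed; skipped syntax check)"
  fi
}

main "$@"
```

Loading it for real is `nft -f /tmp/router.nft` as root on the router (or on a Linux box acting as one). The point the comment makes is visible in the structure: a LAN device that only ever initiates connections is reachable from the WAN only through the `dnat` line, so the attack surface is whatever you deliberately forward, not the device's listening ports.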