TP-Link TL-WA701ND AP and a 'Backdoor'

[German]The TP-Link TL-WA701ND AP creates a WLAN network with a hidden SSID, which acts like a backdoor into a network behind the device. A user came across this backdoor by chance.


Routers and access points from TP-Link do not have a very good reputation. At least I have a gut feeling 'often unpatched and bad support' when I report about weaknesses in TP-Link products. That's why the following tweet immediately caught my eye and I took a closer look.


Security researcher Michael Horowitz has picked up on a discovery by Jon Aubrey, who took a closer look at a TP-Link TL-WA701ND AP and discovered a backdoor. Aubrey has presented his findings in a series of tweets, but has also published an article about it. Aubrey has been using the TP-Link TL-WA701ND AP for several years.

The device (an access point, AP) can be set up in different modes. This includes an Ethernet/Wifi client mode to allow wired devices to access a wireless network. Aubrey used this to connect his gaming machines because he did not want to run Ethernet cables.

One day when Aubrey was looking for WiFi networks in his house, I noticed a high performance WiFi network with a hidden SSID. And the device that spanned this WiFi network was in his office. With a little more research, he found the TP-Link device as the culprit.



The user interface did not provide any indication of what the hidden SSID WiFi network was about. But when opening the device, Aubrey came across an unpopulated connector with debug ports. He then used these to connect his debugger/logic analyzer and was able to find out some details.  Once he had dumped the flash memory and determined the credentials the developer had provided to access a terminal, he was able to access this WiFi network.

In the current case, the hidden network forms a bridge to another network that the user has set up. The clients log on to this WiFi network. In other words, the hidden WiFi network and the bridge function forms a nice backdoor into the user's network. All that is needed is the access data, which can be found out via the Internet. For details see this article by Aubrey.

Cookies helps to fund this blog: Cookie settings

This entry was posted in devices, Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *