[Cerowrt-devel] arstechnica confirms tp-link router lockdown

Fri Mar 11 14:07:44 EST 2016

> On 11 Mar, 2016, at 20:22, Luis E. Garcia <luis at bitamins.net> wrote:
> 
> Time to start building our own.

A big project in itself - but perhaps a worthwhile one.  We wouldn’t be able to compete on price against the Taiwanese horde, but price is not the only market force on the table.  Firmware quality is a bit abstract and nebulous to sell to ordinary consumers, but there is one thing that might just get their attention.

Making the damned thing easier to configure.

Almost every router now on the market is a blank box with some ports on the back, some antennas on top and some lights on the front.  If you’re lucky, there’ll be a button for WPS (which most consumers would still need to read the manual to figure out how to use, and most tinkerers would turn right off) and maybe one or two “feature switches”; my Buffalo device has one which does “something” to the QoS setup in the stock firmware, and nothing at all in OpenWRT.

The lights only tell you that “something is happening” and occasionally “something is wrong”, and are invariably cryptic.  For example, a green flashing light can mean “it’s setting up but not working yet” or “it’s working and passing traffic right now”, often on the same light!  A critical error, such as a cable not plugged in, is often signified only by the *absence* of one of the several normal lights, which is invisible to the untrained eye.

To actually configure it, you must first connect a computer to it and point a Web browser at the right (usually numeric) URL.  This URL varies between vendors and models, and sometimes even between firmware revisions; the only infallible way to determine it is to delve into the configuration that DHCP handed out.

You and I can cope with that, but we want something better, and less-technical people *need* something better if they are to trust their equipment enough to start actually learning about it.

As a starting point, suppose we build a small display into the case, and invite the user to temporarily plug a keyboard, console controller or even a mouse directly into the USB port (which most routers now have) to do the setup?  No Web browser required, and no potentially-vulnerable web server on the device either.

When not in config mode, the input device can be disconnected and returned to its primary role, and the display can offer status information in a human-readable format; an RGB-controlled backlight would be sufficient for at-a-glance is-everything-okay checks (which is all Apple gives you without firing up their proprietary config software on a connected computer).  Some high-end router models provide just this, without leveraging the possibility of easier setup.

 - Jonathan Morton