[Cerowrt-devel] arstechnica confirms tp-link router lockdown

Alan Jenkins alan.christopher.jenkins at gmail.com
Fri Mar 11 15:26:52 EST 2016


On 11/03/2016, Jonathan Morton <chromatix99 at gmail.com> wrote:
>
>> On 11 Mar, 2016, at 20:22, Luis E. Garcia <luis at bitamins.net> wrote:
>>
>> Time to start building our own.
>
> A big project in itself - but perhaps a worthwhile one.  We wouldn’t be able
> to compete on price against the Taiwanese horde, but price is not the only
> market force on the table.  Firmware quality is a bit abstract and nebulous
> to sell to ordinary consumers, but there is one thing that might just get
> their attention.
>
> Making the damned thing easier to configure.
>
> Almost every router now on the market is a blank box with some ports on the
> back, some antennas on top and some lights on the front.  If you’re lucky,
> there’ll be a button for WPS (which most consumers would still need to read
> the manual to figure out how to use, and most tinkerers would turn right
> off) and maybe one or two “feature switches”; my Buffalo device has one
> which does “something” to the QoS setup in the stock firmware, and nothing
> at all in OpenWRT.
>
> The lights only tell you that “something is happening” and occasionally
> “something is wrong”, and are invariably cryptic.  For example, a green
> flashing light can mean “it’s setting up but not working yet” or “it’s
> working and passing traffic right now”, often on the same light!  A critical
> error, such as a cable not plugged in, is often signified only by the
> *absence* of one of the several normal lights, which is invisible to the
> untrained eye.
>
> To actually configure it, you must first connect a computer to it and point
> a Web browser at the right (usually numeric) URL.  This URL varies between
> vendors and models, and sometimes even between firmware revisions; the only
> infallible way to determine it is to delve into the configuration that DHCP
> handed out.

Actually, devices show up in Windows "network neighborhood".  Routers
show up because of UPnP (IGD specifically), which of course everyone
implements out of the box.  Clicking the router opens a web interface.
I don't know if that's hard-coded as http://ipv4-address:80 or what,
but even that's really hard to criticize.

Equally I don't know that people know to click "Network" in their file
browser, or that it's reliable enough that that's what you put in the
manual.  But it's the sort of thing a journalist who's reviewed a few
different routers is likely to be aware of.

I like the idea behind WPS, holey as that is.  You've got a point
about people having to use the manual anyway, but it's got to be a big
step up from keying passwords into your phone etc.

I know, in practice and implementation it gets cringeworthy.

But the biggest barrier is probably that the web interface is
cluttered with features you don't need, so there's a setup wizard you
go through once, and you don't touch that even if you're curious
because you're at risk of resetting it.

The BT Hub interface is locked down and very simplified; I expect if
you disconnect it you get a nice prominent error with the obvious
advice.

Equally you can get quite friendly LEDs.  The classic Netgear DG834
gets a nice red light if it can't connect.  Maybe another shade during
connection, and otherwise the only lights are green.  If it's red,
check the cables, then try logging in to see what's gone wrong.  If
logging on doesn't show an obviously dead router, call ISP support to
see if they're having problems in your area.

Just because they screwed up the WNDR3800 with too many different
coloured lights, it doesn't invalidate the principle.

WiFi makes for annoyingly more failure modes.  USB ethernet adaptors
are cheap and standard - certain types of router actually have them
built in for you.

Grandpa and his iPad are more challenging.  But he probably needs to
stick to the ISP-provided router and rely on their helpline.  If you
want to choose your router, needing ethernet or USB A isn't going to
be any barrier to you.

> You and I can cope with that, but we want something better, and
> less-technical people *need* something better if they are to trust their
> equipment enough to start actually learning about it.
>
> As a starting point, suppose we build a small display into the case, and
> invite the user to temporarily plug a keyboard, console controller or even a
> mouse directly into the USB port (which most routers now have) to do the
> setup?  No Web browser required, and no potentially-vulnerable web server on
> the device either.

IOW I'm not convinced by that particular suggestion :).

At the point when I'm trying to troubleshoot it, I want dead trees and
my own computer.  No squinting etc.

> When not in config mode, the input device can be disconnected and returned
> to its primary role, and the display can offer status information in a
> human-readable format; an RGB-controlled backlight would be sufficient for
> at-a-glance is-everything-okay checks (which is all Apple gives you without
> firing up their proprietary config software on a connected computer).  Some
> high-end router models provide just this, without leveraging the possibility
> of easier setup.
>
>  - Jonathan Morton

IMO they already glow quite enough.  Better to invest in the software :P.

Alan

