Disclaimer - I’m not an IT pro so please pardon my ignorance if this is too basic a question or has somehow been answered before. I’ve got a Windows 11 setup, Spectrum cable modem, and Deco TP-Link wifi mesh router. My concern is personal banking info being transferred via the wireless TP-Link router if a backdoor does exist on it. I imagine I can just manually disconnect the wifi and hardwire from cable modem straight to PC plus use a VPN anytime I access sensitive info. But I’m looking for a more practical solution where I don’t have to do that every time. I didn’t know if using a VPN would make a difference and/or even a wired firewall switch between the cable modem and the router (or router to PC, through network cable).
Should I just ditch TP-Link and take my chances with a US company like Netgear? I imagine they and any others have their stuff made in a foreign country as well.
The difference is apparently TP-Link is controlled by the CCP. So it’s like having a Chinese government device in your home, tracking everything you do. Whether they do or not is up for grabs. But based on how bipartisan Congress became after the classified briefing, I’m inclined to lean towards “they likely are.” But I really have no idea.
I personally like UniFi. Given today’s geopolitical climate, I’d be concerned going with any brand that was not U.S.-owned.
If you can’t trust the road, it doesn’t matter what you use to drive on it.
If the router is compromised and someone is watching your network traffic, using Ethernet instead of WiFi isn’t going to help you. The router sees everything going into and coming out of your network, regardless of whether it’s wired or wireless.
As long as a compromised router is in your network path, adding more firewalls along the way isn’t going to help unless you’re encrypting that traffic BEFORE it reaches the compromised device. If the encryption happens at a firewall on the Internet side of your TP-Link router, your network traffic is passing through it unencrypted. No bueno.
Every time I say “Friends don’t let friends run factory firmware on routers” I get downvoted.
People should be running OpenWrt on their router (or another router OS like OPNsense, IPFire, etc.), either by installing it on a consumer router or by installing it directly onto a mini PC or a VM running on a mini PC.
It’s fine to run your access points on Omada or whatever; access points can only be compromised by a guy in a van outside your house, particularly if you turn the power down as you should. This is not in the threat model of most people. Just set a quality password on your access points (say, a 14-character randomly chosen password from KeePassXC).
Your banking won’t work with most VPNs anyway, plus that will do nothing to stop a hacker from getting your PII.
Netgear is NOT an American company, and even if it was, if using hardware made from Chinese parts worries you, good luck finding any networking equipment for consumers that isn’t made in the land of rice.
Your best bet is to roll your own with a solution like pfSense.
It’s really pretty easy and there is stellar community support as well.
It’s built on FreeBSD, one of the most secure operating systems available, and it’s also open source, so if there were Chinese hackers lurking in the source code, it’d be found extremely quickly.
Any old PC and a 2-port network card is all you need. It can be very low spec. Like literally something 15 years old collecting dust in a closet will do it just fine.
If you’re worried about someone snooping, the first and most important thing is to not install software from them. Once they have software on your PC, they can probably[1] add a keylogger and get all your info regardless of any other defense.
Other than software running on your computer, I strongly recommend that everybody assumes all networks are adversarial. If you’re dealing with a bank that doesn’t properly secure communications, it’s just a matter of time before someone exploits that via some form of man in the middle.
If you have something sensitive that absolutely must run without encryption (no, you don’t), the VPN in this case would need to run on your computer or on a VPN appliance connected directly to your computer. If you don’t trust your APs, installing a hardware VPN in any way that the AP comes between your computer and the VPN is pretty much useless.
[1] I’m not sure if any keyloggers are readily available that don’t require admin access, but if you’re really fighting against the CCP, I assume they will work around limitations like that.
It’s doubtful anything will come of this, and even if it did, it wouldn’t do a thing to prevent currently in-use hardware or equipment currently on store shelves.
It’s not a “thing” until it becomes something, so I’d be extremely careful before going full Chicken Little on this.
In all honesty… What IS safe these days? Every morning I get up and hear about this data breach and that data breach. If it’s not a major bank, it’s the Social Security offices or the utilities… I think of the cartoons of people burying their money in mason jars in the back yard or grandma’s Bible overstuffed with $100 bills… People are stealing checks out of post office boxes, washing them and remaking them. I’ve even heard recently of a credit monitoring service being hacked. What do you do when the people that are supposed to be monitoring your credit due to a hack get hacked?? I’m going to have to say if you feel you are THAT important or have that much money, well, then maybe you are AT RISK… However, I’d just keep an eye on your funds. I have it set up so that my phone dings anytime I have to make any sort of payment. I have to AGREE to that transaction taking place. Now I’m sure there are ways around that too… Remember the days before the Internet?? You needed a ski mask and a paper bag… Now it’s all IP-based thieves…
There is really no evidence that TP-Link devices are compromised other than “the government said so.” Yes, their routers have had security vulnerabilities, but so does every other brand. Furthermore, the vast majority of web traffic is encrypted, and there isn’t much your router can see other than which domains you are accessing. The chances of your banking info being compromised by a router are almost non-existent.
To answer your question, consider whether or not you’d trust your network after discovery of a malware infected computer. In most cases, firewalls in home and small business networks are configured to keep bad people out, but allow all outbound traffic, virtually without exception.
In short, no. Don’t trust your compromised network.
If a WiFi router with only one LAN port will work for you, then I suggest that the UniFi Express from Ubiquiti will fill your need. It’s on sale right now for $109.
Your banking site uses HTTPS and creates its own secure channel between the website and your browser. The information is encrypted before it leaves your computer (and before it leaves the server), so by the time the router sees it, it’s unreadable.
I’ve had terrible experiences with TP-Link. Called their support one time and they told me I needed to buy a new router because mine had “bugs” in it. In actuality it was their shitty firmware. Never again. Save yourself the hassle and buy something like Ubiquiti.