# New Router Woes & Spy Connections



## Tom Sunday (Feb 22, 2021)

On the market to buy a new router. The choices are many, but cutting through the manufacturers' marketing hype and setup requirements is daunting to say the least. Security and, most important in 2021, router privacy concerns bother me as they shine through the small print. Amazon just acquired router manufacturer EERO and I am trying to understand what this means for ordinary privacy-minded people like us. Not many to date had much love for Amazon on the privacy front. The issue: "Should Amazon have access and unlimited rights to all internet traffic?" It's bad enough that Amazon wants to put a listening speaker in every corner of our home! Someone recently remarked: "This is terrible privacy invasion news. I don't let Alexa in my house for those reasons and now I am being back-doored."

Unless it's just me, I believe if there is one piece of equipment that you DO NOT want to share with the outside world it is your router. Many of the major router manufacturers with their newer WIFI products are now forcing the user to remotely manage their network in the cloud. It may sound convenient, but through your router someone can potentially gain access to your personal information. Of course my ISP has done the snooping for years.

As of now, with (China-based) TPLINK's newer router models, the 'QoS and Parental Controls' cannot be managed using their firmware. To do so you need to download their phone app. You also have to create a TP-Link HomeCare account powered by TrendMicro (located in Japan) to fully manage your network. Well, MTU packet sizes are not something I want to change remotely and thus practically surrender the tracking of my network access (which sites I visit) or much worse. Besides, I already have a subscription anti-virus program. Why do I need a second one forced on me?

So where am I going with this? Looks like everybody now wants another piece of my privacy, and all I want is to buy a simple router, push a few buttons and be safe and protected from the world. Having said all of the above: "Is my dreaming of continued well-done firmware, their periodic updates and my assured router privacy over and done with?"


----------



## Athlonite (Feb 22, 2021)

Tom Sunday said:


> On the market to buy a new router. The choices are many, but cutting through the manufacturers' marketing hype and setup requirements is daunting to say the least. Security and, most important in 2021, router privacy concerns bother me as they shine through the small print. Amazon just acquired router manufacturer EERO and I am trying to understand what this means for ordinary privacy-minded people like us. Not many to date had much love for Amazon on the privacy front. The issue: "Should Amazon have access to all internet traffic?" It's bad enough that Amazon wants to put a listening speaker in every corner of our home! Someone recently remarked: "This is terrible privacy invasion news. I don't let Alexa in my house for those reasons and now I am being back-doored."
> 
> Unless it's just me, I believe if there is one piece of equipment that you DO NOT want to share with the outside world it is your router. Many of the major router manufacturers with their new WIFI products are now forcing the user to remotely manage their network in the cloud. It may sound convenient, but through your router someone can potentially gain access to your personal information. Of course my ISP has done the snooping for years.
> 
> ...


Maybe buy an older modem/router like a Fritzbox 7490 then.


----------



## Solaris17 (Feb 22, 2021)

Tom Sunday said:


> Am I dreaming?


Man, first I feel bad I don't have enough time to address this with the attention I think it needs, but thank you for being so neutral in your concern. It's refreshing to have a broader want for privacy than simply hating a company, which is unfortunately a lot of what we deal with here and on many tech forums that are not security oriented. It seems like, and maybe I'm just off base, the tone of your post understands this is simply the flow of technological progress stemming from the "ease of use" everyone wants when consuming electronics, rather than any actual hate for the companies themselves. This makes the conversation MUCH easier.

With that said, it will unfortunately start to "separate the men from the boys", which is a SUPER poor attempt to say what I simply don't have time to explain. Consumers want technology to be easy and it sells. As such this "moves" the skill gap or "barrier of entry" up when it comes to certain fields of technology. In the case of security, the barrier of entry gets higher and higher in consumer electronics, which means if you REALLY want it you will need to work HARDER to obtain it.

The answer to your question fundamentally comes down to "how much time are you willing to put in?" You can't have:



Tom Sunday said:


> pushing a few buttons and I am safe and protected from the world.



and:



Tom Sunday said:


> my privacy



They are mutually exclusive. At a point in time, you could go to the electronics section of a big box store, grab the mid to high end Linksys off the shelf, go home, spend 23 min on the setup, press 8 buttons and have wifi. Within a few hours, configure some more advanced firewall rules.

This is not the case anymore and, to be fair, it is not just the fault of manufacturers. This is the threat landscape. As the threat landscape grew with the technology boom of the last few years, security no longer "costs" $147 from your local Best Buy. Protection now requires more skilled labor and larger teams of people commanding a higher price. Security is no longer ad-block and a definition-based AV.

Security is botnets and AI attacks and polymorphic ransomware. These are things that are not as simple as "a few buttons" anymore. So they are more quickly being phased out of Walmart and Target shelves as they are priced and scaled out of the scope of "Joe Consumer".

A lot more revolves around this than the average Battlefield player understands; they just want open-NAT rules so they can call someone a bitch.

I feel it's important to know how murky this all is now so that you can make a more informed decision. Not because I'm trying to educate some member. Something I DO want to try and get out of your head is "TPLink" and "China"; that was about the only eyeroll part of what you said.

China does not care about you. Or your $80 consumer router. They are also not the only people doing dumb shit or spying on you. If you're a state-sponsored attacker you go after multi $x0K routers and switches by:

Cisco
Juniper
Fortigate
Palo-Alto


Cisco's warning: Patch now, critical SSH flaw affects Nexus 9000 fabric switches (www.zdnet.com): Cisco alerts customers to a 9.8/10 flaw among a number of security bugs affecting Nexus 9000 fabric switches.

They all hardcode passwords and they get exposed. If you want to terrify yourself go take a look at shodan.io.


ANYWAY:

Do you need wifi? You might be better off buying something that is supported by an aftermarket firmware and flashing it yourself with a little elbow grease. OpenWRT has a good list, IIRC, on their site of routers and revisions that will work, before you spend any $$.

You could also go the hybrid route: build or buy your own, then buy an access point. I personally prefer the latter. But depending on your skill level or simply time commitment (I know I try to get OT whenever possible) it can just be harder, and that's a fact.

In any case, I agree. I don't like wifi mesh, and generally anything that REQUIRES (not to be confused with "also offers") a web control panel I generally do not recommend, for privacy and usability. Privacy aside, flatly speaking, when the config process breaks it can be time consuming to get the equipment back into a state to start over.

I gotta go start dinner.


----------



## Tom Sunday (Feb 22, 2021)

Athlonite said:


> Maybe buy an older modem/router like a Fritzbox 7490 then.



Ohh, I love the name Fritzbox! Thanks. It's just that I feel it's always us poor consumers having to protect ourselves. Looking over our shoulders. Feeling that we are the product. TPLINK in turn stated: "It's all for your protection."



Solaris17 said:


> In the case of security, the barrier of entry gets higher and higher in consumer electronics, which means if you REALLY want it you will need to work HARDER to obtain it.
> 
> The answer to your question fundamentally comes down to "how much time are you willing to put in?
> 
> ...



In the first place, thank you for your very informative and kind reply to my earlier post and my unfortunate TPLink indiscretion. I do not get timely replies and/or comments like yours delivered very often and will thus require a few more 'read-throughs' to fully appreciate the depths and details. I am in my mid 70's, retired, living in a gated golf community, and how one looks at the world from here has surely changed. But overall life remains good.

I most likely will be requiring a new router sooner rather than later and will probably try Amazon in times like these. When I push the 'buy button' it will however be a bit harder to press thinking of your message, but at the same time there will be a smile of due thanks on my face. All the best to you!


----------



## newtekie1 (Feb 22, 2021)

Tom Sunday said:


> So where am I going with this? Looks like everybody now wants another piece of my privacy, and all I want is to buy a simple router, push a few buttons and be safe and protected from the world. Having said all of the above: "Is my dreaming of continued well-done firmware, their periodic updates and my assured router privacy over and done with?"


Go with a pfSense build with a Ubiquiti access point.


----------



## Bill_Bright (Feb 22, 2021)

Tom Sunday said:


> Many of the major router manufacturers with their newer WIFI products are now forcing the user to remotely manage their network on a cloud.


Huh? Pretty sure that is not true. Certainly you can enable "Remote Management", but you are not forced to use it. After all, many organizations use a "closed" network or In*tra*net and don't support In*ter*net access at all. If the router could only be managed via the Internet, those companies would not buy it, and the router makers would lose the sale. 

Just looking at TP-Link's new Archer AX11000 V1, they certainly allow for Remote Management, but they also allow Local Management too. If you look at section 13.6 in the manual, it explains how to "Forbid all devices to manage the router remotely". 

After all, the router is on your side of the gateway device, typically the modem. It only makes sense that it can be managed locally. I have never seen a SOHO type router you cannot log into locally. You typically just enter 192.168.1.1 or 192.168.0.1 (which is used with that AX11000) into your browser, then the user name (typically "admin"), then the password. 

One last thing: let's not forget there is a HUGE difference between "privacy" and "security". Even if you use remote management via TP-Link's website, they have no clue about your real name, your exact home address, your billing information, tax/social security/insurance number or anything else like that. But your ISP sure does. And so does your cell phone carrier. But worse than that, your cell phone carrier also knows who you called and texted, where you have been, where you are standing now (to within a few yards/meters), including the aisle of the store you are standing in. And they know the direction you are heading and how fast you are traveling. 

If you are worried about privacy, destroy your cell phone and stay off the Internet. Don't use Google and especially don't use Facebook.


----------



## Tom Sunday (Feb 22, 2021)

Bill_Bright said:


> If you are worried about privacy, destroy your cell phone and stay off the Internet. Don't use Google and especially don't use Facebook.


Thanks, Bill, for your note of further insight. As to privacy and data collection, you are 'spot-on' with Google, Facebook and one's ISP. Being fully retired, my 'pay as you go' cell phone is turned off 95% of the time and dedicated only to hospital, medical emergencies and a walk in the woods. So some of these few so-called data collectors are reasonably held in check.

About my particular router concerns, and given the ongoing direction of such equipment development, I am overall seeing the line considerably blurring between remote and local management. Now everybody appears to want a piece of the router pie, including Amazon. Imagining me buying a certain Archer router, it would be like 'turning off' all of the Microsoft data collection in WIN 10, and yet continuing to live with the ongoing suspicion that just a few (OS management) mouse-clicks will simply not deprive Microsoft of getting what they want. Why would they make this so easy?

Having gotten this off my chest, I venture to say that times have passed this old fellow by like a freight train in the night. As such, and like many thousands of others not riding on the train, we might as well accept the inevitable and the plain fact that we are the product, or even much less. Thoughts?


----------



## Bill_Bright (Feb 22, 2021)

Tom Sunday said:


> I am overall seeing the line considerably blurring between remote and local management.


The line is still there - just that the defaults are set for convenience and the check boxes to change those default settings tend to be buried way way down the page. But they are there. 

I find it a bit disappointing you decided to take an opportunistic bash at Microsoft here - because they have absolutely nothing to do with these routers and how they can be managed remotely over the Internet.

Contrary to what many want us to believe, Microsoft is actually a minor player in the intrusions into our privacy wars. For example, Microsoft is NOT trying to learn our real names, our phone numbers, street addresses, passwords or bank accounts. They are NOT trying to learn who our contacts are, who we are texting or emailing. Nor are they trying to find our physical location. In fact, if you connect via Ethernet, the closest Microsoft knows of our physical locations is our PoP - point of presence - the physical location where our ISP connects us to the Internet backbone. In my case, that is clear across town, about 8 miles away. 

Now if you connect to your network via wireless, your router's wireless access point will gladly report your physical location to within a few 100 yards. But again, that is not Microsoft. 

Now when it comes to protecting us from bad guys trying to get all that personal information about us, Microsoft is actually doing a great job at that. When it comes to Windows and my personal security, I would much rather have W10 on all my systems than any previous version of Windows. And so I do. 

There's no denying Microsoft used to be intent on ruling the world, the epitome of "corporate greed". But 3 major events happened over the years to finally (it took too long, but finally) change that. (1) Congress and the EU threatened to break them up Ma Bell style if they didn't change their monopolistic ways. (2) The total fiasco, misguided, poorly managed, complete marketing blunder known as Windows 8 and its horrible UI they attempted (and failed miserably) to force down users' throats and (3) the uproar and constant condemnation by us consumers, and the bad publicity it brought with W8 and when W10 first came out with its default privacy settings that could not be changed. 

Is Microsoft now an angel, the perfect saint? Of course not! But they sure aren't the evil big brother devil many believe and want everyone else to believe they are. This is even more apparent today (for those willing to actually look) with the latest version of W10 compared to when it first came out almost 6 years ago. Microsoft has made their privacy and data collection policies very transparent and even given users much much greater control over what data is collected. 

Does Microsoft still have a ways to go? Absolutely! But "we" need to stop using Microsoft as our default scapegoat when it comes to privacy for that takes away focus from where it truly belongs. That is, on the true "bad guys" - spammers and hackers, con artists, and crooks who really are trying to steal our money. Russia, China, N. Korea, Iran and other "state-sanctioned" players who really are trying to disrupt our elections, poison our water supplies, and disrupt our lives. And Facebook, Google, our ISPs, cell carriers who really are trying to collect our personal data so they can use it and sell it for their own financial gains. 

And let's not forget the greatest threat to our computer and personal privacy: poor user training and discipline! That is, users who tend to be "click-happy" on unsolicited links, downloads, attachments and popups that then open the door, letting the bad guy in.


----------



## TheLostSwede (Feb 22, 2021)

Netgear R7800/X4S with Voxel's firmware.


----------



## Tom Sunday (Feb 22, 2021)

Bill_Bright said:


> The line is still there - just that the defaults are set for convenience and the check boxes to change those default settings tend to be buried way way down the page. But they are there.
> 
> I find it a bit disappointing you decided to take an opportunistic bash at Microsoft here - because they have absolutely nothing to do with these routers and how they can be managed remotely over the Internet.
> 
> ...


Thanks again, Bill, for your response in kind. My take was not exactly driven against Microsoft specifically, but simply to address any method by any equipment or providers offering default, remote and/or self-managed data transmission choices, all primarily revolving around privacy and its possible resale for profit.

Just the plain idea that some router companies are now being instrumental in suggesting and/or proffering to have their users engage remotely serviced data (cloud) options is a bash for me. Then Amazon acquiring (through their secretive Lab126) router manufacturer EERO bashed me a bit further. What exactly has Amazon to gain with a router company purchase? A husband for Alexa? Then there also comes the point of what and who to believe anymore?

In closing, to be sure, all of your talking points here are well taken, and to me it clearly shows that there are always two sides to any coin. Except for me, as privacy and its subsequent control continue to be manipulated and/or eroded, the blurring of the fine line remains deeply challenged. Possibly sometime in the future to a point of no return?


----------



## ThrashZone (Feb 22, 2021)

Hi,
Yeah, I was looking at new tech router/wifi and dang, prices are insane.
Cheapest was 150 US plus a wifi, another 60 US, and this was a cheaper 600 Mbps lol


----------



## Bill_Bright (Feb 22, 2021)

Tom Sunday said:


> Just the plain idea that some router companies are now being instrumental in suggesting and/or promoting to have their users engage remotely serviced data (cloud) options is a bash for me.


Well, because the "potential" for abuse is there, I understand where you are coming from. But it is not fair to assume, because the potential for abuse is there, that these companies are abusing it! 

That is, just because a router company is providing a method to manage our routers through the cloud, that in no way means they are stealing our personal data, tracking us, and using that information as a means of revenue through targeted ads or whatever. 

Frankly, my worry is not TP-Link et al. abusing this. I believe the legitimate companies (and I believe most are legit) really are just trying to provide us consumers a good, enjoyable, beneficial service. My worry is bad guys hacking the TP-Link network. And sadly, just like the Equifax hack, the bad guys, in most cases, will be able to hack those networks because the administrators (and the execs above them) will fail to do their jobs properly and will be negligent in administering and securing those networks. By far, most successful network hacks are due to the failure of network admins to apply available patches in a timely manner, or simply being negligent in how they secure those networks, or by users on those networks being "click-happy" and letting the bad guys in.

Using Equifax as an example, the patch to block the vulnerability used by the bad guys was made available for several months, months!!! But the system admins failed to apply it and the senior execs did not have policies in place that would have ensured timely patching. But beyond that, users' highly sensitive credit information was stored in the clear!!! Not encrypted! How stupid and negligent is that? Heads should roll and people should be in jail for criminal negligence. But that likely will never happen. 

The universe is moving to the IoT. Everything is, or will be "connected". In many cases, that is a good thing. For example, soon all our cars will be connected. What it will (or should) mean is when a drunk is about to run a red light, your car will "see" him coming before you do, and turn your light red, or stop your car.


----------



## newtekie1 (Feb 22, 2021)

Bill_Bright said:


> Well, because the "potential" for abuse is there, I understand where you are coming from. But it is not fair to assume, because the potential for abuse is there, that these companies are abusing it!



Here is my take on this. The potential for abuse is there whether you are using the cloud or not. I mean, does anyone remember when it was discovered that the WebUI of a crap ton of consumer routers was vulnerable to remote access thanks to a "bug" in the webserver running on those routers? The "bug" affected pretty much every major brand and had existed for over a decade because they were all using the same core codebase to work with the Broadcom processors in the routers. There are still theories that it wasn't a bug, but a purposely included backdoor. So something doesn't have to be in the cloud to open you up to vulnerability.

Like you said, moving to the cloud isn't some sinister scheme to spy on everyone just because the potential is there. I genuinely believe the companies are trying to provide a better user experience. These days people want simple. They actually want to be able to just open their phone and change their WiFi password, or set up time limits for their kids' devices, or even easily connect a device using WPS, all through an easy to use app on their phone. Does it actually make them less secure? Maybe. Do most people care? Well, the fact that Linksys finally had to start using randomized passwords for the default WiFi because too many people would just leave the default kind of answers that. Most people are lazy, and if it makes it easier for them to set up their router with proper passwords, it might just actually make most people's networks more secure.

It is also why I always prefer to use an open source based router: because people can look over the code, it's much harder to hide things like backdoors in something like pfSense or OPNsense.


----------



## TheLostSwede (Feb 23, 2021)

Also, anything supported by Merlin, I guess.

Home | Asuswrt-Merlin (www.asuswrt-merlin.net)

You could also get anything that's supported by DD-WRT or OpenWRT, but it's not a nice user experience in comparison.


----------



## _JP_ (Feb 23, 2021)

I haven't really got anything to add to the discussion on the security/privacy aspect, since you're all pretty much on the ball here and this was a delight to read; for such a civilized discussion about it, it was.



newtekie1 said:


> Go with a pfSense build with a Ubiquiti access point.


This is what I would recommend as the best of all worlds for a "you-sure-have-to-know-what's-goin'-on" solution. And that pfSense box can be one cheap mini-desktop, the likes of the HP/Dell/Lenovo SFF form factor (MFF is a form factor I've not tested, as they have only one Ethernet port and more can only be had with adapters). Packs enough processing and capacity for a home, some still with room for upgrade, and cheap as enterprise hand-me-downs. So, as a plus, you're recycling/reusing equipment destined for the trash.


TheLostSwede said:


> Netgear R7800/X4S with Voxel's firmware.


These, as much as I like to recommend them for a "still-hassle-free" setup, the X4S is getting increasingly hard to find here, so I stopped doing it (I wanted one myself), but definitely yes if you can find one.


TheLostSwede said:


> Also, anything supported by Merlin, I guess.
> 
> 
> 
> ...


Did not know Merlin was still around, as I had thought that had peaked around the RT-AC68U days. Definitely agree that DD-WRT and OpenWRT are great, but the latter is not user-friendly for the most part, especially for those not used to doing half/most/all their work through the CLI (even though there is LuCI now for devices with more than 4MB of flash).


----------



## Caring1 (Feb 23, 2021)

Bill_Bright said:


> The universe is moving to the IoT. Everything is, or will be "connected". In many cases, that is a good thing. For example, soon all our cars will be connected. What it will (or should) mean is when a drunk is about to run a red light, your car will "see" him coming before you do, and turn your light red, or stop your car.


I just returned a wireless HP printer for that very reason: to connect wirelessly to my PC I had to use their app and be online.
I swapped it for a reliable Canon printer that connects wirelessly direct to my PC, without the bullshit.


----------



## TheLostSwede (Feb 23, 2021)

_JP_ said:


> These, as much as I like to recommend for a "still-hassle-free" setup, the X4S is getting increasingly hard to find here, so I stopped doing it (I wanted one myself), but definitely yes if you can find one.
> 
> Did not know Merlin was still around, as I had thought that had peaked around the RT-AC68U days. Definitely agree that DD-WRT and OpenWRT are great, but not user-friendly for the most part, especially for those not used to doing half/most/all their work through the CLI.


Yeah, it's a shame the R7800 seems to be an outgoing model, as I have never had a better or more stable router. Voxel's firmware is just the icing on the cake, as it means there will be support long after Netgear stops issuing updates.

Merlin never went away; sadly he only supports Broadcom based models, so a lot of Asus routers aren't supported. 
Then again, Voxel only supports three routers, so 



Caring1 said:


> I just returned a wireless HP printer for that very reason: to connect wirelessly to my PC I had to use their app and be online.
> I swapped it for a reliable Canon printer that connects wirelessly direct to my PC, without the bullshit.


I have a now "old" Samsung colour laser printer, but as HP took over their printer business, I wouldn't want to replace it with an HP printer.
HP used to make the best printers, but these days it seems almost all of them make the same kind of crap.
Why you would have to go via the internet to print on your own printer in your home doesn't make any sense at all.


----------



## Bill_Bright (Feb 23, 2021)

Caring1 said:


> I just returned a wireless HP printer for that very reason: to connect wirelessly to my PC I had to use their app and be online.


Really? That's disappointing. Got a model number - so I can avoid it on my next purchase?

And when you say "online", do you mean connected to the Int*er*net? Because again, there are many large and small "Int*ra*nets" - closed networks that don't have Int*er*net access that need wireless networked printing. When connected to those networks, you are still "online", just not connected to the Int*er*net. To require Int*er*net access would mean they lose a sale. That does not seem to be in HP's best interest. 

My wireless HP device, of course, wants me to use their app (Web Services), but it is not required. I can just enter the IP address in my browser and access the device's embedded Web server (EWS). From there, I can check printer status and ink levels, scan or even fax. The device is "online", that is connected to my network. But Int*er*net access is blocked in my router.
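An added example, not code from any poster here and not pfSense's own configuration: a minimal FreeBSD pf ruleset (pf is the packet filter pfSense is built on) for the "own firewall plus a separate access point" setup newtekie1 and _JP_ recommend earlier in the thread. It shows the two controls this thread keeps circling. First, the router's management ports are reachable from the LAN only; no rule passes them in on the WAN, so "remote management" is not a checkbox that is switched off but simply has no path from the Internet (Bill_Bright's local-versus-remote management point). Second, one LAN device, the printer, is cut off from the Internet while its embedded web server stays reachable from LAN hosts, which is what the post above describes doing in a router. The interface names em0/em1, the 192.168.1.0/24 LAN and the printer address 192.168.1.50 are assumptions made for the example.

```pf
# Added example: FreeBSD pf ruleset for a home router with one WAN and one LAN.
# Interface names, LAN subnet and printer address are assumed; adjust to taste.
ext_if  = "em0"               # WAN, address assigned by the ISP over DHCP
int_if  = "em1"               # LAN, the wireless access point hangs off this
lan_net = "192.168.1.0/24"
printer = "192.168.1.50"      # assumed DHCP-reserved address of the printer

# Address space that must never appear on the WAN side (RFC 1918 and friends)
table <martians> const { 0.0.0.0/8, 10.0.0.0/8, 100.64.0.0/10, 127.0.0.0/8, \
                         169.254.0.0/16, 172.16.0.0/12, 192.168.0.0/16, \
                         224.0.0.0/3 }
# LAN hosts that get no Internet access at all
table <no_internet> { $printer }

set skip on lo0
set block-policy drop
scrub in all

# Masquerade LAN clients behind the WAN address. In FreeBSD pf this translation
# is applied before outbound filtering, which is why the printer is blocked on
# the LAN side below rather than with an "out on $ext_if" rule.
nat on $ext_if inet from $lan_net to any -> ($ext_if)

# Default deny in both directions, logged. IPv6 is never passed, so it dies here.
block log all

# Nothing spoofed or private enters or leaves via the WAN
block in  quick on $ext_if from <martians> to any
block out quick on $ext_if from any to <martians>

# Printer: no route to the Internet. "quick" makes this rule win over the general
# LAN pass rule further down. Traffic that stays on the LAN (including DNS/DHCP
# to the router) is unaffected, so the printer's embedded web server stays usable.
block in log quick on $int_if from <no_internet> to ! $lan_net

# Management: ssh and https on the router, reachable from the LAN only. No rule
# passes these ports in on $ext_if, so there is no remote management to disable.
pass in on $int_if proto tcp from $lan_net to ($int_if) port { 22, 443 }

# Router services for the LAN: DNS, DHCP, NTP
pass in on $int_if proto udp from $lan_net to ($int_if) port { 53, 67, 123 }
pass in on $int_if proto tcp from $lan_net to ($int_if) port 53

# Everything else on the LAN may go out to the Internet (stateful by default)
pass in  on $int_if inet from $lan_net to any
pass out on $ext_if inet from ($ext_if) to any

# The router itself needs to receive its WAN DHCP lease
pass in on $ext_if proto udp from any port 67 to any port 68
```

Syntax-check it with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. The choice worth noting is where the printer is blocked: on the inbound LAN interface, with `quick`, rather than on the WAN interface, because after NAT an outbound rule on em0 would only ever see the translated WAN address and would never match the printer. A pfSense user gets the same effect from the GUI by placing a block rule for the printer host on the LAN interface above the default "LAN to any" allow rule.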


----------



## Caring1 (Feb 24, 2021)

Bill_Bright said:


> Really? That's disappointing. Got a model number - so I can avoid it on my next purchase?
> 
> And when you say "online", do you mean connected to the Int*er*net? Because again, there are many large and small "Int*ra*nets" - closed networks that don't have Int*er*net access that need wireless networked printing. When connected to those networks, you are still "online", just not connected to the Int*er*net. To require Int*er*net access would mean they lose a sale. That does not seem to be in HP's best interest.
> 
> My wireless HP device, of course, wants me to use their app (Web Services), but it is not required. I can just enter the IP address in my browser and access the device's embedded Web server (EWS). From there, I can check printer status and ink levels, scan or even fax. The device is "online", that is connected to my network. But Int*er*net access is blocked in my router.


It was a basic HP Envy wireless model, I didn't take note of the model number, and yes, it said I had to have an account and be online to use it.


----------



## Bill_Bright (Feb 24, 2021)

Caring1 said:


> I didn't take note of the model number


Too bad. I've set up a lot of HP printing devices and never was forced to have Internet or an HP account to use the device, unless I wanted to use their ePrint services where the user can print from any device anywhere in the world. That would be a nice convenience for those who want it, or need it. 

Oh well. Will just have to do my homework before buying.


----------



## Makaveli (Feb 26, 2021)

I also recommend a Merlin supported model.

AX86U is good if in your budget.

I'm running an AX88U and it's been great. Asus and Merlin update the firmware on a regular basis for CVE exploits, so security is better than most other consumer routers.


----------

