Security experts express concern over the world’s No. 1 router manufacturer losing control over domains used for device configuration

Top router firm TP-Link has lost control of two key domains accessed by millions of consumers and small businesses each month. The domains, which are used to configure the company’s routers, have expired and been resold to domain name brokers who are actively seeking buyers.

Security experts say the domains are at risk of being purchased by criminals that could easily use the domains to take control of millions of routers by redirecting traffic, installing malicious firmware and ultimately attack millions of TP-Link router customers.

China-based TP-Link is the world’s leading Wi-Fi gateway router equipment maker, according to market research firm IDC. The company sold 57.8 million routers in 2015 and regularly outsells rivals Netgear and D-Link, according to IDC data.

The two domains in question are tplinklogin[.]net and tplinkextender[.]net. The tplinklogin[.]net domain was used by TP-Link to make it easy for router owners to access configuration webpages for many of the company’s routers. The domain, tplinklogin[.]net, was displayed on back labels of router hardware and also included on official documentation of the router.

TP-Link declined a request to be interview by Threatpost, but said it stopped using the domain tplinklogin[.]net in 2014. “Any products purchased at that time using the old domain (tplinklogin[.]net ) will be automatically redirected to the internal set-up page, so there will not be any security issues,” the company wrote in a statement to Threatpost.

According to Amitay Dan, CEO at Cybermoon – who initially discovered the vulnerability last week– that still leaves millions at risk. He argues the initial set-up for devices offline using the URL directs to the correct configuration page. But subsequent visits to the URL on systems connected to the internet will direct to the URLs TP-Link is no longer in control of.

“In the wrong hands, either one of these domains would allow a criminal to run incredibly successful watering hole attacks. Any business and consumer would be a sitting duck for attacks,” Dan said to Threatpost.

According to domain monitoring service Alexa, the tplinklogin[.]net domain receives about 4.4 million desktop and mobile sessions per month. When Dan attempted to buy the domain tplinklogin[.]net an anonymous broker asked for $2.5 million.

Less is known about the tplinkextender[.]net domain other than it was used by TP-Link as a shortcut for customers who want to configure their TP-Link WiFi extender. Approximately 810,000 desktop and mobile sessions are initiated with the domain each month according to Alexa.

TP-Link declined to comment on the tplinkextender[.]net domain.

According to Dan, TP-Link for the past several years has refused to buy back the domain and is now using the new domain tplinkwifi.net printed on its routers instead. For example the TP-Link Archer C9 router, on a back label, points to the domain tplinkwifi.net. Also updated have been TP-Link installation guides with the tplinkwifi.net domain.