Hello there,
During Black Friday I bought a Tenda 2.5G switch on Amazon for a good price to replace my old 1 Gbit one.
TEM2010F 8-Port 2.5G Ethernet Switch-Tenda-All For Better NetWorking (tendacn.com)
The performance between my Proxmox nodes increased from 114 MB/s to 270 MB/s.
But seeing that Tenda is a Chinese manufacturer, I have doubts about the security.
This switch is the central point in the network, and I don't want some malware or data-sniffing device in such a central position.
I'm a newbie in this subject, so I'm asking you experts.
How can a switch be a security issue?
This switch is unmanaged and has no IP. It isn't listed in my router (to block any internet access).
Can it send data without my knowledge, and how can a newbie like me check it?
Thanks
Theoretically, a simple switch could be more complex than it appears, and therefore theoretically it could have security issues.
For example, my completely wild guess would be that there's probably an ARM or a MIPS CPU and some RAM inside that doesn't really do much. This is because smart switches would often use the same switch chip for Ethernet, but with an additional flash chip actually populated on the same PCB, causing some software to run in the thing, allowing you to configure the device and giving the forwarding logic additional behavior.
Practically, it's extremely unlikely that someone could exploit a dumb switch to run arbitrary code, regardless of the brand label on it and country of origin.
Enjoy the new switch!
Yes, it is a potential renegade device on your network, similar to IoT devices or a computer of unknown origin. Modern SoCs are computationally capable, cheap, and would easily fit inside a commodity consumer switch.
I stick to well known name brands. And in any case, it remains critical to robustly secure all your devices even if they are on your “secure” LAN.
Theoretically, there could be hardware/software running on the device that learns the source/destination IP addresses of frames passing through it, then assigns itself a suitable static IP so you wouldn't see it in your router's DHCP table, and then phones home that way…
Theoretically. You could try to just plug a single computer into it, run Wireshark and see if you see anything. Theoretically it's possible for it to not broadcast or send its own traffic until a gateway IP is identified and learned, but this would be highly theoretical stuff.
I think, all in all, the effort to create a compromised stealth switch like this would GREATLY outweigh the effort required to create a working switch with a trusted brand name in a crowded market segment. But hey, anything's possible when you wear tinfoil on your head.
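The check the reply above describes (and the original question asks for) comes down to one rule: on a LAN you control, every frame's source MAC should belong to a device you own, and an unmanaged switch should never be the source of any frame at all. A device that learned an address and assigned itself a static IP, as described above, would still have to put its own MAC in the Ethernet header of every frame it sends. The script below is an added example, not code from any poster or from Tenda; it audits raw Ethernet frames offline against an allowlist of known MACs and flags unknown senders, ARP announcements from unknown senders (a self-assigned address), and unknown senders talking to addresses outside the LAN (a possible phone-home). The frames, the MAC addresses, the LAN range 192.168.1.0/24 and the destination 203.0.113.5 are all constructed for the example; with a real capture you would feed it the raw frame bytes exported from Wireshark or tcpdump.

```python
"""Audit captured Ethernet frames for senders that are not devices you own.

Added example (not the forum poster's or Tenda's code). All frames and
addresses below are constructed so the script runs offline with no capture tool.
"""
import ipaddress
import struct

LAN = ipaddress.ip_network("192.168.1.0/24")  # assumed home LAN for the example
ETH_IPV4, ETH_ARP = 0x0800, 0x0806


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def mac_str(b):
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw):
    """Return (src_mac, dst_mac, ethertype, src_ip, dst_ip); IPs are None for other ethertypes."""
    if len(raw) < 14:
        return None
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    payload = raw[14:]
    src_ip = dst_ip = None
    if etype == ETH_IPV4 and len(payload) >= 20:
        # IPv4 header: source at offset 12, destination at offset 16
        src_ip = ipaddress.ip_address(payload[12:16])
        dst_ip = ipaddress.ip_address(payload[16:20])
    elif etype == ETH_ARP and len(payload) >= 28:
        # ARP: htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4)
        src_ip = ipaddress.ip_address(payload[14:18])
        dst_ip = ipaddress.ip_address(payload[24:28])
    return mac_str(src), mac_str(dst), etype, src_ip, dst_ip


def audit_frames(frames, known_macs):
    """Return one finding string per frame whose source MAC is not in known_macs."""
    findings = []
    for i, raw in enumerate(frames):
        parsed = parse_frame(raw)
        if parsed is None:
            continue
        src, dst, etype, src_ip, dst_ip = parsed
        if src in known_macs:
            continue  # a device you own; fine for this check
        note = f"frame {i}: unknown source MAC {src}"
        if etype == ETH_ARP:
            note += f" sent ARP claiming {src_ip} (possible self-assigned address)"
        elif etype == ETH_IPV4:
            note += f" sent IPv4 {src_ip} -> {dst_ip}"
            if dst_ip not in LAN:
                note += " (destination outside LAN: possible phone-home)"
        findings.append(note)
    return findings


# --- constructed sample frames (not a real capture) ---
def build_ipv4(src_mac, dst_mac, src_ip, dst_ip):
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 0, 0, 64, 6, 0,
                         ipaddress.ip_address(src_ip).packed,
                         ipaddress.ip_address(dst_ip).packed)
    return mac_bytes(dst_mac) + mac_bytes(src_mac) + struct.pack("!H", ETH_IPV4) + ip_hdr


def build_arp_request(src_mac, src_ip, target_ip):
    arp = struct.pack("!HHBBH6s4s6s4s", 1, ETH_IPV4, 6, 4, 1, mac_bytes(src_mac),
                      ipaddress.ip_address(src_ip).packed, b"\x00" * 6,
                      ipaddress.ip_address(target_ip).packed)
    return b"\xff" * 6 + mac_bytes(src_mac) + struct.pack("!H", ETH_ARP) + arp


PC, ROUTER, STRANGER = "aa:bb:cc:00:00:01", "aa:bb:cc:00:00:02", "02:00:00:00:aa:01"
KNOWN_MACS = {PC, ROUTER}
SAMPLE_FRAMES = [
    build_ipv4(PC, ROUTER, "192.168.1.10", "192.168.1.1"),            # normal, known host
    build_arp_request(STRANGER, "192.168.1.250", "192.168.1.1"),     # unknown sender resolving gateway
    build_ipv4(STRANGER, ROUTER, "192.168.1.250", "203.0.113.5"),    # unknown sender leaving the LAN
    build_ipv4(ROUTER, PC, "192.168.1.1", "192.168.1.10"),            # normal, known host
]

if __name__ == "__main__":
    for line in audit_frames(SAMPLE_FRAMES, KNOWN_MACS):
        print(line)
```

One caveat on where to capture: a switch only forwards broadcast and flooded frames to every port, so a PC on one port sees another device's unicast traffic only when it is addressed to that PC. An unknown sender's ARP lookup for the gateway would be visible from any port, but its subsequent unicast frames to the router would not. For a conclusive check, capture on the cable between the switch's uplink and the router (a PC with two interfaces bridged, or a second box with a mirror port), and build the allowlist from the MACs printed on your own devices rather than from the capture itself.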