Holy cow! People buy D-Link gear?
D-Link router riddled with 0-day flaws
A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first. Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without …
COMMENTS
Tuesday 12th September 2017 21:32 GMT bombastic bob
some people DO buy D-link gear
yes, it was really cheap a few years ago when I got an inexpensive 'pre-N' wifi router. It's got some quirks, for sure, but didn't think it could be THAT insecure.
fortunately, not one of its ports touch the intarweb. Not only is it behind a proper firewall, its IPv6 addresses are statically assigned and all incoming IPv6 traffic is BLOCKED from its IP ranges.
I've been considering getting a new one, though, and running something I can configure myself, turn off IPv6 routing on the LAN side, etc. [because I manage that with OTHER things]. I actually have to plug the WAN port into the LAN port and monkey with it a bit to keep it from trying to take over all IPv6 routing on the network. Fortunately THAT workaround "works" but yeah. flaky. However, in its current state, I don't need to buy another one (yet) and wifi works throughout the house [router on one side, client on opposite side of the house >50 feet away and through several walls].
So as far as wifi operations go, it's not bad.
I also disable things like UPnP, wifi admin, and other security CRATERS that are typically "left on" by average users. But having a possible LAN back door and some pre-defined admin keys is potentially really bad...
Wednesday 13th September 2017 05:52 GMT FlamingDeath
Re: some people DO buy D-link gear
"all incoming IPv6 traffic is BLOCKED from its IP ranges."
I trust you have tested this for yourself, and not just relied on the say-so of a button you pushed / option selected. There are such things as "fake buttons". Those pesky programmers...
Nullius in verba
Tuesday 12th September 2017 20:43 GMT Flakk
Let me recap this to make sure I haven't gone astray:
Researcher has a beef with a manufacturer, so he chooses to not follow responsible disclosure protocols. Since the vulnerable products have already been sold by said manufacturer, it is in fact the consumers that will likely bear the immediate consequences of the researcher's ire. The disclosed vulnerabilities will likely be snapped up by cybercrims, who will surely be eager to have another platform upon which to build a botnet. Once the DDoSes start, then it's not just the consumers suffering the consequences of the researcher's ire, but also the Internet-at-large.
Because a researcher has a beef with a manufacturer.
Did I get that right?
Tuesday 12th September 2017 23:02 GMT Adam 1
> No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.
Firstly, dlink are being dicks by not patching security vulnerabilities in a timely fashion. Nothing I say below detracts from that.
On those 8 vulnerabilities, as long as he warned them that the vulnerabilities would be publicly disclosed (not clear from my reading of TFA), he has done exactly the right thing.
On the latest one (with no vendor notice), I'm afraid to say he is being a dick. Even though from past experience it would seem unlikely to receive a prompt patch, you just allow the vendor to argue that irresponsible disclosure put customers at risk, sidestepping their responsibility to have a secure product and promptly patch security flaws.
Wednesday 13th September 2017 08:32 GMT Alan Brown
"On the latest one (with no vendor notice), I'm afraid to say he is being a dick."
I disagree.
D-link have a long and documented history of this kind of behaviour - and also of blatant GPL breaches until forced to comply by German courts (again, where they refused to respond or cooperate until bludgeoned into submission by the threat of an EU-wide sales ban for copyright violations).
Wednesday 13th September 2017 09:51 GMT Adam 1
@alan brown
You are presenting a false choice. The contention being that because dlink were/are dicks, the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour were.
If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he has given their PR droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.
Tuesday 12th September 2017 21:30 GMT Jon 37
Nope. As I understand it, what happened was:
Multiple vulnerabilities are publicly reported in Quanta routers. Researcher realises the same flaws apply to D-Link routers. Researcher told D-Link privately. D-Link promise to release an update within a month, then stop responding to emails and do nothing for over three months. Researcher publishes vulnerability publicly. D-Link release a fix for some (but not all) of the issues within a few weeks of public disclosure.
This clearly shows that D-Link doesn't care about patching privately-reported security issues at all, although they do a half-arsed job releasing fixes for publicly-reported security issues.
Months later, the same researcher discovers more flaws in D-Link routers. Knowing that D-Link isn't going to patch them if they are reported privately, and knowing that cybercriminals might find the same flaws at any time, researcher doesn't waste time telling D-Link privately. Instead researcher goes public to warn customers and to put pressure on D-Link to fix the vulnerabilities. Researcher has to include details of the security vulnerabilities for his message to have any impact.
Private reporting is a trade-off: while you are keeping the vulnerability secret, there is a risk that someone else will find the same vulnerability and use it for evil against users who don't know about the vulnerability and so can't protect themselves. If end-users know about the issue they can take mitigating steps, even if that is turning off the power to the device. The best approach is for a vulnerability to be reported privately, then the vendor to create a fix quickly so it can be deployed at the same time the vulnerability is announced - this is referred to as "responsible disclosure". Announcing the vulnerability gives people a reason to install the fix. You shouldn't usually deploy the fix first, as there is a risk of someone reverse-engineering the fix to find the vulnerability.
Note that the "responsible disclosure" process requires BOTH the reporter and the vendor to cooperate for the good of the end-users. If a vendor chooses not to release fixes, they are not following the process. In that case bug-finders do not feel obliged to follow the process either.
Wednesday 13th September 2017 08:27 GMT Alan Brown
Crowdfunding returned
"Note that the "responsible disclosure" process requires BOTH the reporter and the vendor to cooperate for the good of the end-users. "
Which is something that many vendors and commentators miss when carping on about people giving up on said vendor and just releasing the vulnerabilities.
Software vendors have been demanding special treatment for decades. The ones that don't do anything with reports for months-to-years (or at all) are bad enough; the ones who litigate to keep vulnerabilities secret (Volkswagen and others) deserve a special place on a roasting spit over a slow fire.
Wednesday 13th September 2017 07:54 GMT Anonymous Coward
Re: Oh the IoT code monkeys have struck again.
It's not just D-Link and mydlink. Take a look at Linksys EA7500 and the Linksys cloud service. With Linksys the ONLY easy way to configure the router is through an account in the Linksys cloud. Allegedly this allows the user to configure the router "from anywhere on the planet". It also provides for:
- hackers to get control of your LAN from anywhere on the planet
- Linksys to know everything about your LAN
Who needs any of this? Even before we find out about vulnerabilities!
Tuesday 12th September 2017 21:54 GMT Random Q Hacker
Who needs in-house security coders?
... When I can just wait for researchers to advise me privately and for free! D-Link had a sweet deal; if they'd patched those flaws they would still be receiving free security advice without losing face. Maybe this will push them to invest more in security. (But probably not, unless retail boxes start listing government-mandated vulnerability statistics.)
Tuesday 12th September 2017 22:57 GMT Kevin McMurtrie
Re: Who needs in-house security coders?
Does D-Link have coders? Cheap hardware usually goes like this: 1) No-name company takes a hardware reference design and strips away costs until it's marginally functional. It has serious defects but software can usually correct for them. Firmware is built using their collection of stolen firmware from other devices, some OSS, and random crap found on the internet. Workarounds are added for hardware bugs. 2) Bargain branding company buys product from No-name company and contracts a team to copy the UI from their previous device to the new device. Marketing department applies secret turd polishing compound. 3) Consumer is thrown into tech support tarpit to reduce product returns. "An update is coming soon!"
Wednesday 13th September 2017 05:51 GMT Dwarf
Re: Are any routers any good?
Look on the open source router sites and get a list - dd-wrt, openwrt / lede, they all list their supported routers and the hardware specs for each model
The difference is that the better ones will cost more than £30 / $40 / are not given away free by your ISP. Asus and Netgear are worth a look.
Wednesday 13th September 2017 14:32 GMT DropBear
Re: Are any routers any good?
...with the observation that you probably don't want the cheapest model there is (it might be missing some essential or at least very desirable stuff chief among which would be memory - you want to be able to fit the next LEDE version too...) but once you get out of Cheapville Bottom there might be little reason to go much higher - really soon you start paying for the branding / design / glossy plastic / fat CEO bonuses and whatnot instead of actual technology...
Wednesday 13th September 2017 01:00 GMT cincop8
The bar-none biggest problem in "IT Security" is everyone blames the hackers instead of the people responsible. Cowardly devs and incompetent managers.
If every researcher began publishing findings without prior notification, perhaps these douchebags would start taking their responsibility seriously and take steps to actually reduce vulnerabilities. As it is, this faux consideration and artifice of "responsible" research leads inexorably to persistent do nothingness. I have zero sympathy.
Again, the problem ain't the hackers.
Wednesday 13th September 2017 12:46 GMT Version 1.0
Some thoughts
I consider all routers to be insecure so I don't connect them to the WAN side at all and inside the firewall I turn off all their "features" - obviously there are still some risks but most of the time it's the "features" that have issues.
So why didn't the manufacturer fix the problems? I'd guess because they out-sourced, or bought in the original code, and so when bugs were found they had no easy way to fix them. A lot of the time "manufacturers" are just vendors these days, selling a conglomeration of kit, glued together with a pretty GUI.
Wednesday 13th September 2017 20:00 GMT Anonymous Coward
Most consumers would appreciate the early disclosure of vulnerabilities, that aren't expected to be patched by the manufacturer.
Responsible consumers do research before buying or ask a "techy friend"; all these people are now grateful they didn't buy crap that now needs to be replaced.
Shame the manufacturers = I approve
Saturday 11th November 2017 10:34 GMT Anonymous Coward
I once contacted DLink about a security concern I had with one of their IP cameras.
The response I received from support was that "the best they could do was to pass along my concerns". I have never heard back from Dlink after that.
DLink are high volume, "cost effective" consumer products, lacking the processes you'd find for business or enterprise products. Action at Dlink will only be taken if reputation and sales are at risk.
Telling DLink support about a security flaw is like telling a supermarket checkout employee that your bag of potato chips contained a burned chip - and that you expect remediation.