back to article D-Link router riddled with 0-day flaws

A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first. Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without …

  1. W4YBO

    Holy cow! People buy D-Link gear?

    1. Anonymous Coward
      Anonymous Coward

      and put openwrt on them, I hope...

      1. ldir

        I'd put on LEDE, the much more up to data openwrt fork.

        1. Hans 1

          ldir

          LEDE and OpenWRT merged back again ... Feynman!

          Source: https://www.theregister.co.uk/2017/05/10/openwrt_and_lede_peace_plan/

          Yes, el'Reg

          1. ldir

            Re: ldir

            You might want to check your facts. The re-merge has *STILL* not yet *actually* happened.

            Take a look at the git histories if you like.

    2. Voland's right hand Silver badge

      Some people by based on price only

      There is plenty of idiots who will buy based solely on a price tag + claim to support a given feature. D-link always ticks both boxes.

      It is cheap as manure and it claims to support all sort of kewl features. How well... that is a different story.

    3. bombastic bob Silver badge
      Unhappy

      some people DO buy D-link gear

      yes, it was really cheap a few years ago when I got an inexpensive 'pre-N' wifi router. It's got some quirks, for sure, but didn't think it could be THAT insecure.

      fortunately, not one of its ports touch the intarweb. Not only is it behind a proper firewall, its IPv6 addresses are statically assigned and all incoming IPv6 traffic is BLOCKED from it's IP ranges.

      I've been considering getting a new one, though, and running something I can configure myself, turn off IPv6 routing on the LAN side, etc. [because I manage that with OTHER things]. I actually have to plug the WAN port into the LAN port and monkey with it a bit to keep it from trying to take over all IPv6 routing on the network. Fortunately THAT workaround "works" but yeah. flaky. However, in its current state, I don't need to buy another one (yet) and wifi works throughout the house [router on one side, client on opposite side of the house >50 feet away and through several walls].

      So as far as wifi operations go, it's not bad.

      I also disable things like UPnP, wifi admin, and other security CRATERS that are typically "left on" by average users. But having a possible LAN back door and some pre-defined admin keys is potentially really bad...

      1. FlamingDeath Silver badge
        Megaphone

        Re: some people DO buy D-link gear

        "all incoming IPv6 traffic is BLOCKED from it's IP ranges."

        I trust you have tested this for yourself, and not just relied on the say-so of a button you pushed / option selected. There are such things as "fake buttons". Those pesky programmers...

        Nullius in verba

  2. Anonymous Coward
    Anonymous Coward

    "flaws in the custom mydlink cloud protocol"

    Anyone who considers protocol unimportant has never dealt with a cat - Robert A. Heinlein

    1. Prst. V.Jeltz Silver badge

      more!

      http://www.azquotes.com/author/6509-Robert_A_Heinlein/tag/cat

  3. Flakk

    Let me recap this to make sure I haven't gone astray:

    Researcher has a beef with a manufacturer, so he chooses to not follow responsible disclosure protocols. Since the vulnerable products have already been sold by said manufacturer, it is in fact the consumers that will likely bear the immediate consequences of the researcher's ire. The disclosed vulnerabilities will likely be snapped up by cybercrims, who will surely be eager to have another platform upon which to build a botnet. Once the DDoSes start, then it's not just the consumers suffering the consequences of the researcher's ire, but also the Internet-at-large.

    Because a researcher has a beef with a manufacturer.

    Did I get that right?

    1. dan_in _ohio

      Let me recap this to make sure I haven't gone astray:

      Sounds to me like you've got it right. (BTW, if you're thinking what I am, I'm right there with you. Self-righteousness must be a really nice place to be).

    2. Gene Cash Silver badge

      > Because a researcher has a beef with a manufacturer.

      I think it's more "Because the manufacturer is a complete and utter dick, and has been so to the researcher in the past."

      In this instance, I see no problem with the reveal. You reap what you sow.

    3. Ken Hagan Gold badge

      "Did I get that right?"

      No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.

      1. Adam 1

        > No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.

        Firstly, dlink are being dicks by not patching security vulnerabilities in a timely fashion. Nothing I say below detracts from that.

        On those 8 vulnerabilities, as long as he warned them that the vulnerabilities would be publicly disclosed (not clear from my reading of TFA), he has done exactly the right thing.

        On the latest one (with no vendor notice), I'm afraid to say he is being a dick. Even though past experience it would seem unlikely to receive a prompt patch, you just allow the vendor to argue that irresponsible disclosure put customers at risk, side stepping their responsibility to have a secure product and promptly patch security flaws.

        1. DryBones
          Trollface

          It's time for you to go update the Shame On Me file...

        2. Alan Brown Silver badge

          "On the latest one (with no vendor notice), I'm afraid to say he is being a dick."

          I disagree.

          D-link have a long and documented history of this kind of behaviour - and also of blatant GPL breaches until forced to comply by german courts (Again, where they refused to respond or cooperate until bludgeoned into submission by the threat of a EU-wide sales ban for copyright violations)

          1. Adam 1

            @alan brown

            You are presenting a false choice. The contention being that because dlink were/are dicks that the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour was.

            If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he had given their or droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.

    4. Jon 37

      Nope. As I understand it, what happened was:

      Multiple vulnerabilities are publicly reported in Quanta routers. Researcher realises the same flaws apply to D-Link routers. Researcher told D-Link privately. D-Link promise to release an update within a month, then stop responding to emails and do nothing for over three months. Researcher publishes vulnerability publicly. D-Link release a fix for some (but not all) of the issues within a few weeks of public disclosure.

      This clearly shows that D-Link doesn't care about patching privately-reported security issues at all, although they do a half-arsed job releasing fixes for publicly-reported security issues.

      Months later, the same researcher discovers more flaws in D-Link routers. Knowing that D-Link isn't going to patch them if they are reported privately, and knowing that cybercriminals might find the same flaws at any time, researcher doesn't waste time telling D-Link privately. Instead researcher goes public to warn customers and to put pressure on D-Link to fix the vulnerabilities. Researcher has to include details of the security vulnerabilities for his message to have any impact.

      --

      Private reporting is a trade off: While you are keeping the vulnerability secret, there is a risk that someone else will find the same vulnerability and use it for evil against users who don't know about the vulnerability so can't protect themselves. If end-users know about the issue they can take mitigating steps, even if that is turning off the power to the device. The best approach is for a vulnerability to be reported privately, then the vendor to create a fix quickly so it can be deployed at the same time the vulnerability is announced - this is referred to as "responsible disclosure". Announcing the vulnerability gives people a reason to install the fix. You shouldn't usually deploy the fix first, as there is a risk of someone reverse-engineering the fix to find the vulnerability.

      Note that the "responsible disclosure" process requires BOTH the reporter and the vendor to cooperate for the good of the end-users. If a vendor chooses not to release fixes, they are not following the process. In that case bug-finders do not feel obliged to follow the process either.

      1. Alan Brown Silver badge

        Crowdfunding returned

        "Note that the "responsible disclosure" process requires BOTH the reporter and the vendor to cooperate for the good of the end-users. "

        Which is something that many vendors and commentators miss when carping on about people giving up on said vendor and just releasing the vulnerabilities.

        Software vendors have been demanding special treatment for decades. The ones that don't do anything with reports for months-to-years(or at all) are bad enough, the ones who litigate to keep vulnerabilities secret (Volkswagon and others) deserve a special place on a roasting spit over a slow fire.

    5. Anonymous Coward
      Anonymous Coward

      Well to be fair, the manufacturer appears to have intentionally made products without consideration for security, so who fucked the consumer first?

    6. Anonymous Coward
      Anonymous Coward

      Wrong wrong wrong wrong

      No, The manufacture does nothing with responsible disclosure, but waste time and delay thus making it pointless.

  4. John Smith 19 Gold badge
    FAIL

    Oh the IoT code monkeys have struck again.

    Networking mfgs.

    Take heed.

    If it's got a processor in it you're responsible for it being secure, or not.

    Take what help you can get, stop telling people to STFU and FO.

    1. Anonymous Coward
      Anonymous Coward

      Re: Oh the IoT code monkeys have struck again.

      It's not just D-Link and mydlink. Take a look at Linksys EA7500 and the Linksys cloud service. With Linksys the ONLY easy way to configure the router is through an account in the Linksys cloud. Allegedly this allows the user to configure the router "from anywhere on the planet". It also provides for:

      - hackers to get control of your LAN from anywhere on the planet

      - Linksys to know everything about your LAN

      *

      Who needs any of this? Even before we find out about vulnerabilities!

  5. Anonymous Coward
    Anonymous Coward

    If you pesky hackers wouldn't keep breaking and entering into other people's private property everything would be fine. When houses come with unbreakable windows, unpickable locks and barbed wire fences as standard then we'll fix our damn routers...

    1. John Brown (no body) Silver badge

      It looks like understanding of sarcasm is as scant around these parts as the understanding of irony.

      14 downvotes so far and no upvotes. Have one on me.

  6. Random Q Hacker

    Who needs in-house security coders?

    ... When I can just wait for researchers to advise me privately and for free! D-Link had a sweet deal, if they'd have patched those flaws they would still be receiving free security advice without losing face. Maybe this will push them to invest more in security. (But probably not, unless retail boxes start listing government mandated vulnerability statistics.)

    1. Kevin McMurtrie Silver badge

      Re: Who needs in-house security coders?

      Does D-Link have coders? Cheap hardware usually goes like this: 1) No-name company takes a hardware reference design and strips away costs until it's marginally functional. It has serious defects but software can usually correct for them. Firmware is built using their collection of stolen firmware from other devices, some OSS, and random crap found on the internet. Workarounds are added for hardware bugs. 2) Bargain branding company buys product from No-name company and contracts a team to copy the UI from their previous device to the new device. Marketing department applies secret turd polishing compound. 3) Consumer is thrown into tech support tarpit to reduce product returns. "An update is coming soon!"

  7. Anonymous Coward
    Anonymous Coward

    Are any routers any good?

    Or are they all lashed-together hack-fests?

    Please feel free to list any decent ones below. Thanks...

    1. Dwarf

      Re: Are any routers any good?

      Look on the open source router sites and get a list - dd-wrt, openwrt / lede, they all list their supported routers and the hardware specs for each model

      The difference is that the better ones will cost more than £30 / $40 / are not given away free by your ISP. Asus and Netgear are worth a look.

      1. DropBear

        Re: Are any routers any good?

        ...with the observation that you probably don't want the cheapest model there is (it might be missing some essential or at least very desirable stuff chief among which would be memory - you want to be able to fit the next LEDE version too...) but once you get out of Cheapville Bottom there might be little reason to go much higher - really soon you start paying for the branding / design / glossy plastic / fat CEO bonuses and whatnot instead of actual technology...

    2. fobobob

      Re: Are any routers any good?

      My Sandy Bridge era HP Elite 8200 SFF (can be had on eBay for not a whole lot) with a second NIC + pfSense is a pretty decent router... if a bit power hungry. Also no WiFi, but it's for what I'm doing with it.

    3. Edwin

      Re: Are any routers any good?

      Always been a big fan of AVM, but considering inserting a Ubiquiti USG between it and the LAN. Just to be safe.

  8. foo_bar_baz

    And if updates were published?

    Do users update network gear, even when patches are available? I despair.

  9. cincop8

    The bar-none biggest problem in "IT Security" is everyone blames the hackers instead of the people responsible. Cowardly devs and incompetent managers.

    If every researcher began publishing findings without prior notification, perhaps these douchebags would start taking their responsibility seriously and take steps to actually reduce vulnerabilities. As it is, this faux consideration and artifice of "responsible" research leads inexorably to persistent do nothingness. I have zero sympathy.

    Again, the problem ain't the hackers.

    1. herman

      No, they don't blame the hackers. IT usually blame the users for everything that goes wrong. "Don't click links" with your web browser is a prime example.

  10. Version 1.0 Silver badge
    Facepalm

    Some thoughts

    I consider all routers to be insecure so I don't connect them to the WAN side at all and inside the firewall I turn off all their "features" - obviously there are still some risks but most of the time it's the "features" that have issues.

    So why didn't the manufacturer fix the problems? I'd guess because they out-sourced, or bought in the original code, and so when a bugs were found they had no easy way to fix them. A lot of the time "manufacturers" are just vendors these days, selling a conglomeration of kit, glued together with a pretty GUI.

  11. Anonymous Coward
    Anonymous Coward

    Most consumers would appreciate the early disclosure of vulnerabilities, that aren't expected to be patched by the manufacturer.

    Responsible consumers do research before buying or ask a "techy friend" all these people are now greatful they didn't buy crap that now needs to be replaced.

    Shame the manufacturers = I approve

  12. Anonymous Coward
    Anonymous Coward

    I once contacted DLink about a security concern I had with one of their IPCameras.

    The response I received from support was that "the best they could do was to pass along my concerns". I have never heard back from Dlink after that.

    DLink are high volume, "cost effective" consumer products, lacking the processes you'd find for business or enterprise products. Action at Dlink will only be taken if reputation and sales are at risk.

    Telling DLink support about a security flaw is like telling a supermarket checkout employee that your bag of potato chips contained a burned chip - and that you expect remediation.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like