D-Link router riddled with 0-day flaws

A security researcher has shamed D‑Link by publicly disclosing 10 serious, as-yet unpatched vulnerabilities in a line of consumer-grade routers without notifying the vendor first. Security researcher Pierre Kim went public on a series of flaws in D‑Link DIR 850L wireless AC1200 dual-band gigabit cloud routers without …

  1. W4YBO

    Holy cow! People buy D-Link gear?

    1. Anonymous Coward

      and put openwrt on them, I hope...

      1. ldir

        I'd put on LEDE, the much more up to date openwrt fork.

        1. Hans 1

          LEDE and OpenWRT merged back again ... Feynman!

          Yes, el'Reg

          1. ldir

            Re: ldir

            You might want to check your facts. The re-merge has *STILL* not yet *actually* happened.

            Take a look at the git histories if you like.

    2. Voland's right hand Silver badge

      Some people buy based on price only

      There are plenty of idiots who will buy based solely on a price tag + claim to support a given feature. D-link always ticks both boxes.

      It is cheap as manure and it claims to support all sort of kewl features. How well... that is a different story.

    3. bombastic bob Silver badge

      some people DO buy D-link gear

      yes, it was really cheap a few years ago when I got an inexpensive 'pre-N' wifi router. It's got some quirks, for sure, but didn't think it could be THAT insecure.

      fortunately, not one of its ports touch the intarweb. Not only is it behind a proper firewall, its IPv6 addresses are statically assigned and all incoming IPv6 traffic is BLOCKED from its IP ranges.

      I've been considering getting a new one, though, and running something I can configure myself, turn off IPv6 routing on the LAN side, etc. [because I manage that with OTHER things]. I actually have to plug the WAN port into the LAN port and monkey with it a bit to keep it from trying to take over all IPv6 routing on the network. Fortunately THAT workaround "works" but yeah. flaky. However, in its current state, I don't need to buy another one (yet) and wifi works throughout the house [router on one side, client on opposite side of the house >50 feet away and through several walls].

      So as far as wifi operations go, it's not bad.

      I also disable things like UPnP, wifi admin, and other security CRATERS that are typically "left on" by average users. But having a possible LAN back door and some pre-defined admin keys is potentially really bad...

      1. FlamingDeath Silver badge

        Re: some people DO buy D-link gear

        "all incoming IPv6 traffic is BLOCKED from its IP ranges."

        I trust you have tested this for yourself, and not just relied on the say-so of a button you pushed / option selected. There are such things as "fake buttons". Those pesky programmers...

        Nullius in verba

  2. Anonymous Coward

    "flaws in the custom mydlink cloud protocol"

    Anyone who considers protocol unimportant has never dealt with a cat - Robert A. Heinlein

    1. Prst. V.Jeltz Silver badge


  3. Flakk

    Let me recap this to make sure I haven't gone astray:

    Researcher has a beef with a manufacturer, so he chooses to not follow responsible disclosure protocols. Since the vulnerable products have already been sold by said manufacturer, it is in fact the consumers that will likely bear the immediate consequences of the researcher's ire. The disclosed vulnerabilities will likely be snapped up by cybercrims, who will surely be eager to have another platform upon which to build a botnet. Once the DDoSes start, then it's not just the consumers suffering the consequences of the researcher's ire, but also the Internet-at-large.

    Because a researcher has a beef with a manufacturer.

    Did I get that right?

    1. dan_in _ohio

      Let me recap this to make sure I haven't gone astray:

      Sounds to me like you've got it right. (BTW, if you're thinking what I am, I'm right there with you. Self-righteousness must be a really nice place to be).

    2. Gene Cash Silver badge

      > Because a researcher has a beef with a manufacturer.

      I think it's more "Because the manufacturer is a complete and utter dick, and has been so to the researcher in the past."

      In this instance, I see no problem with the reveal. You reap what you sow.

    3. Ken Hagan Gold badge

      "Did I get that right?"

      No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.

      1. Adam 1

        > No, I think you missed the bit where he gave them six months to pull their fingers out on eight other vulnerabilities but they just sat there hoping he would go away.

        Firstly, dlink are being dicks by not patching security vulnerabilities in a timely fashion. Nothing I say below detracts from that.

        On those 8 vulnerabilities, as long as he warned them that the vulnerabilities would be publicly disclosed (not clear from my reading of TFA), he has done exactly the right thing.

        On the latest one (with no vendor notice), I'm afraid to say he is being a dick. Even though from past experience it would seem unlikely to receive a prompt patch, you just allow the vendor to argue that irresponsible disclosure put customers at risk, sidestepping their responsibility to have a secure product and promptly patch security flaws.

        1. DryBones

          It's time for you to go update the Shame On Me file...

        2. Alan Brown Silver badge

          "On the latest one (with no vendor notice), I'm afraid to say he is being a dick."

          I disagree.

          D-link have a long and documented history of this kind of behaviour - and also of blatant GPL breaches until forced to comply by German courts (Again, where they refused to respond or cooperate until bludgeoned into submission by the threat of an EU-wide sales ban for copyright violations)

          1. Adam 1

            @alan brown

            You are presenting a false choice. The contention being that because dlink were/are dicks that the security researcher isn't acting like one here. My post made it very clear in the very first sentence what my thoughts about dlink's behaviour were.

            If I had criticism of the first 8, it would be that he didn't disclose them for far too long a time. But I stand by my other point on the final zero day issue dump. He has a good argument in claiming that their security patching isn't up to snuff. Dumping 8 vulnerabilities after months of inaction would have made that point very well, but on the last one he had given their or droids an out. You now watch them deflect the legitimate concerns we all have with guff about irresponsible disclosure that anyone could be the victim of.

    4. Jon 37

      Nope. As I understand it, what happened was:

      Multiple vulnerabilities are publicly reported in Quanta routers. Researcher realises the same flaws apply to D-Link routers. Researcher told D-Link privately. D-Link promise to release an update within a month, then stop responding to emails and do nothing for over three months. Researcher publishes vulnerability publicly. D-Link release a fix for some (but not all) of the issues within a few weeks of public disclosure.

      This clearly shows that D-Link doesn't care about patching privately-reported security issues at all, although they do a half-arsed job releasing fixes for publicly-reported security issues.

      Months later, the same researcher discovers more flaws in D-Link routers. Knowing that D-Link isn't going to patch them if they are reported privately, and knowing that cybercriminals might find the same flaws at any time, researcher doesn't waste time telling D-Link privately. Instead researcher goes public to warn customers and to put pressure on D-Link to fix the vulnerabilities. Researcher has to include details of the security vulnerabilities for his message to have any impact.

      Private reporting is a trade-off: While you are keeping the vulnerability secret, there is a risk that someone else will find the same vulnerability and use it for evil against users who don't know about the vulnerability so can't protect themselves. If end-users know about the issue they can take mitigating steps, even if that is turning off the power to the device. The best approach is for a vulnerability to be reported privately, then the vendor to create a fix quickly so it can be deployed at the same time the vulnerability is announced - this is referred to as "responsible disclosure". Announcing the vulnerability gives people a reason to install the fix. You shouldn't usually deploy the fix first, as there is a risk of someone reverse-engineering the fix to find the vulnerability.

      Note that the "responsible disclosure" process requires BOTH the reporter and the vendor to cooperate for the good of the end-users. If a vendor chooses not to release fixes, they are not following the process. In that case bug-finders do not feel obliged to follow the process either.

      1. Alan Brown Silver badge

        Crowdfunding returned

        "Note that the "responsible disclosure" process requires BOTH the reporter and the vendor to cooperate for the good of the end-users. "

        Which is something that many vendors and commentators miss when carping on about people giving up on said vendor and just releasing the vulnerabilities.

        Software vendors have been demanding special treatment for decades. The ones that don't do anything with reports for months-to-years (or at all) are bad enough, the ones who litigate to keep vulnerabilities secret (Volkswagen and others) deserve a special place on a roasting spit over a slow fire.

    5. Anonymous Coward

      Well to be fair, the manufacturer appears to have intentionally made products without consideration for security, so who fucked the consumer first?

    6. Anonymous Coward

      Wrong wrong wrong wrong

      No, the manufacturer does nothing with responsible disclosure, but waste time and delay, thus making it pointless.

  4. John Smith 19 Gold badge

    Oh the IoT code monkeys have struck again.

    Networking mfgs.

    Take heed.

    If it's got a processor in it you're responsible for it being secure, or not.

    Take what help you can get, stop telling people to STFU and FO.

    1. Anonymous Coward

      Re: Oh the IoT code monkeys have struck again.

      It's not just D-Link and mydlink. Take a look at Linksys EA7500 and the Linksys cloud service. With Linksys the ONLY easy way to configure the router is through an account in the Linksys cloud. Allegedly this allows the user to configure the router "from anywhere on the planet". It also provides for:

      - hackers to get control of your LAN from anywhere on the planet

      - Linksys to know everything about your LAN

      Who needs any of this? Even before we find out about vulnerabilities!

  5. Anonymous Coward

    If you pesky hackers wouldn't keep breaking and entering into other people's private property everything would be fine. When houses come with unbreakable windows, unpickable locks and barbed wire fences as standard then we'll fix our damn routers...

    1. John Brown (no body) Silver badge

      It looks like understanding of sarcasm is as scant around these parts as the understanding of irony.

      14 downvotes so far and no upvotes. Have one on me.

  6. Random Q Hacker

    Who needs in-house security coders?

    ... When I can just wait for researchers to advise me privately and for free! D-Link had a sweet deal, if they'd have patched those flaws they would still be receiving free security advice without losing face. Maybe this will push them to invest more in security. (But probably not, unless retail boxes start listing government mandated vulnerability statistics.)

    1. Kevin McMurtrie Silver badge

      Re: Who needs in-house security coders?

      Does D-Link have coders? Cheap hardware usually goes like this: 1) No-name company takes a hardware reference design and strips away costs until it's marginally functional. It has serious defects but software can usually correct for them. Firmware is built using their collection of stolen firmware from other devices, some OSS, and random crap found on the internet. Workarounds are added for hardware bugs. 2) Bargain branding company buys product from No-name company and contracts a team to copy the UI from their previous device to the new device. Marketing department applies secret turd polishing compound. 3) Consumer is thrown into tech support tarpit to reduce product returns. "An update is coming soon!"

  7. Anonymous Coward

    Are any routers any good?

    Or are they all lashed-together hack-fests?

    Please feel free to list any decent ones below. Thanks...

    1. Dwarf Silver badge

      Re: Are any routers any good?

      Look on the open source router sites and get a list - dd-wrt, openwrt / lede, they all list their supported routers and the hardware specs for each model

      The difference is that the better ones will cost more than £30 / $40 / are not given away free by your ISP. Asus and Netgear are worth a look.

      1. DropBear

        Re: Are any routers any good?

        ...with the observation that you probably don't want the cheapest model there is (it might be missing some essential or at least very desirable stuff chief among which would be memory - you want to be able to fit the next LEDE version too...) but once you get out of Cheapville Bottom there might be little reason to go much higher - really soon you start paying for the branding / design / glossy plastic / fat CEO bonuses and whatnot instead of actual technology...

    2. fobobob

      Re: Are any routers any good?

      My Sandy Bridge era HP Elite 8200 SFF (can be had on eBay for not a whole lot) with a second NIC + pfSense is a pretty decent router... if a bit power hungry. Also no WiFi, but it's for what I'm doing with it.

    3. Edwin

      Re: Are any routers any good?

      Always been a big fan of AVM, but considering inserting a Ubiquiti USG between it and the LAN. Just to be safe.

  8. foo_bar_baz

    And if updates were published?

    Do users update network gear, even when patches are available? I despair.

  9. cincop8

    The bar-none biggest problem in "IT Security" is everyone blames the hackers instead of the people responsible. Cowardly devs and incompetent managers.

    If every researcher began publishing findings without prior notification, perhaps these douchebags would start taking their responsibility seriously and take steps to actually reduce vulnerabilities. As it is, this faux consideration and artifice of "responsible" research leads inexorably to persistent do nothingness. I have zero sympathy.

    Again, the problem ain't the hackers.

    1. herman Silver badge

      No, they don't blame the hackers. IT usually blame the users for everything that goes wrong. "Don't click links" with your web browser is a prime example.

  10. Version 1.0 Silver badge

    Some thoughts

    I consider all routers to be insecure so I don't connect them to the WAN side at all and inside the firewall I turn off all their "features" - obviously there are still some risks but most of the time it's the "features" that have issues.

    So why didn't the manufacturer fix the problems? I'd guess because they out-sourced, or bought in the original code, and so when bugs were found they had no easy way to fix them. A lot of the time "manufacturers" are just vendors these days, selling a conglomeration of kit, glued together with a pretty GUI.

  11. Anonymous Coward

    Most consumers would appreciate the early disclosure of vulnerabilities that aren't expected to be patched by the manufacturer.

    Responsible consumers do research before buying or ask a "techy friend"; all these people are now grateful they didn't buy crap that now needs to be replaced.

    Shame the manufacturers = I approve

  12. Anonymous Coward

    I once contacted DLink about a security concern I had with one of their IP cameras.

    The response I received from support was that "the best they could do was to pass along my concerns". I have never heard back from Dlink after that.

    DLink are high volume, "cost effective" consumer products, lacking the processes you'd find for business or enterprise products. Action at Dlink will only be taken if reputation and sales are at risk.

    Telling DLink support about a security flaw is like telling a supermarket checkout employee that your bag of potato chips contained a burned chip - and that you expect remediation.

Biting the hand that feeds IT © 1998–2022