back to article Last year, D-Link flubbed a router bug-fix, so it's back with total pwnage

Eight D-Link router variants are vulnerable to complete pwnage via a combination of security screwups, and only two are going to get patched. Błażej Adamczyk of the Silesian University of Technology in Poland posted this month to Full Disclosure that he discovered the bugs in May of this year and notified D-Link. Despite …

  1. Anonymous Coward
    Anonymous Coward

    And I thought Netgear were bad. Good job I didn't switch to D-Link.

  2. Norman Nescio Silver badge

    Some unpatched models have OpenWrt available

    For some of the affected devices, he wrote, there won't be patches. The vulnerable units are all in D-Link's DWR range: the DWR-116, DWR-140, DWR-512, DWR-640, DWR-712, DWR-912, DWR-921, and DWR-111. Most of these, Adamczyk claimed, will be left unpatched because D-Link told him they're end-of-life; only the DWR-116 and 111 would be fixed.

    A couple of of the above models without patches have OpenWrt images available for them.

    DWR-512 hardware version B -

    DWR-921 hardware version C1& C3 -

    and for completeness, one of the to be patched models does too

    DWR-116 hardware versions A1 & A2 -

    As ever, OpenWrt might not be appropriate for your needs, but it might get you out of a hole.

    1. LeoP

      Re: Some unpatched models have OpenWrt available

      > As ever, OpenWrt might not be appropriate for your needs

      I can't imagine a scenario, where it is less appropriate than a D-Link vondor image.

      1. Norman Nescio Silver badge

        Re: Some unpatched models have OpenWrt available

        >> As ever, OpenWrt might not be appropriate for your needs

        >I can't imagine a scenario, where it is less appropriate than a D-Link vondor image.

        There can be circumstances where the vendor image is 'better'.

        Sometimes OpenWrt only works on specific hardware revisions of the routers, as vendors sometimes change the chips used without changing the model name, and if OpenWrt doesn't have drivers for the new chipset, it won't work. In addition, there are bits of hardware that might not be supported even if the rest of the router works - for example (V)DSL modems or mobile network modems, as again, OpenWRT doesn't have the drivers. Finally, vendors might make use of capabilities that OpenWrt can't (yet) such as hardware offloading for NAT. In the last case, this means a vendor image might have a substantially higher throughput than an OpenWrt image.

        This might seem like I have a downer on OpenWrt. I don't, and use it extensively myself on a small flock of carefully chosen routers. But it is as well to be aware of the understandable limitations, as many vendors either won't, or can't (for legal reasons) provide the necessary documentation or drivers to the OpenWrt project for the project to use. A lot of work has to be done by patient reverse-engineering, and I take my hat of to those who do this work. I have nothing but praise for the (mostly) volunteers who do the hard work to provide the OpenWrt images for everyone else to benefit from.

        In short, OpenWrt is not a magic panacea for SOHO router woe, but if you know what you are doing, and the limitations are acceptable for your use, it is a very useful tool to have.

  3. Anonymous Coward
    Anonymous Coward

    It's time to force them to release updates if they want their model approved

    AFAIK, all these devices need some form of approval to be used in a given country - it's time to make part of the approval process not only being compatible with relevant standards, but also ensuring updates are released for the useful live of the device - that could be longer than its marketing life.

    A company that didn't abide to the rule for older models, should not see any new approval released until it complies - plus fines.

  4. redpawn

    But free market

    It must be that users don't value security. Users do extensive research before purchasing critical home networking kit. They also have their food tested for unwanted pesticides before eating it.

  5. Anonymous Coward
    Anonymous Coward

    Which fits better?

    D-Stink or DeLink?

  6. bigtreeman

    crap scripting

    in the OpenWRT boxen, it's not just security, some other parts just don't work properly.

    check all levels of logging, emergency down to debug, you'll find various hiccups

    ssh admin@your.local.d-link.router

    There's big typos in the scripting running these boxes, written by a junior janitor when not emptying garbage bins.

    admin shouldn't be 0:0:root (one user only apart from nobody)

    remount / rw

    change whatever you want

    remount / ro

    yeah, I've complained to them about the plain text passwords,

    mentioned various fixes

    it's just a mess

    I'll never buy a d-link again

  7. sitta_europea Silver badge

    I'd use OpenWRT if it didn't hang the wireless connection on my six (ahem) WRT54GS2 routers when you try to use more than about 1Mbit/s. After it hangs, the only way to get a service back is to reboot the router. That can be a bit inconvenient if it's on the other side of the industrial estate. Tomato doesn't do it. The OpenWRT authors know of the problem but refuse to do anything about it, claiming that it's a hardware bug. Sure, it might be, but there are several software workarounds and they're not interested. The correspondence is all published in the mailing list.

    IMHO OpenWRT sucks.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like