back to article D-Link, Comba network gear leave passwords open for potentially whole world to see

DSL modems and Wi-Fi routers from D-Link and Comba have been found to be leaving owners' passwords out in the open. Simon Kenin, a security researcher with Trustwave SpiderLabs, took credit for the discovery of five bugs that leave user credentials accessible to attackers. For D-Link gear, two bugs were discovered in the …

  1. Pascal Monett Silver badge
    FAIL

    "they eventually simply stopped responding entirely"

    That is not an acceptable behavior. You do not simply shrug off security issues.

    Surely there must be someone at D-Link who is aware that they now have an impending PR scandal coming their way ?

    Well, if that's what it takes to make them wake up, then so be it.

    1. Fred Dibnah Silver badge

      Re: "they eventually simply stopped responding entirely"

      It's not their first PR scandal. This is from 2006:

      https://www.theregister.co.uk/2006/04/13/d-link_time_row_escelates/

      I've warned people off D-Link ever since.

      1. Evil Harry

        Re: "they eventually simply stopped responding entirely"

        Agreed. I personally put DLink in the same category as routers that are given away by ISP's and should be replaced sooner rather than later.

    2. Anonymous Coward
      Anonymous Coward

      I personally put ALL consumer routers in that category

      And run DD-WRT my wireless router, and while I can't use third party firmware on my DSL modem it is in bridge mode.

      I don't trust Netgear or Asus or any of the rest of them any more than I trust Dlink. They've all had too many of these simple "hardcoded password" type flaws to be trusted. At least if DD-WRT (or OpenWRT, if you prefer it) don't have these elementary mistakes, and when something more basic (like an SSH exploit is discovered which affects it) they are quick to respond or you can mitigate it in other ways since you have much more control over it - even to the point you could compile your own binary and replace the running SSH daemon with it if you had no other choice.

    3. sanmigueelbeer Silver badge
      FAIL

      Re: "they eventually simply stopped responding entirely"

      Surely there must be someone at D-Link who is aware that they now have an impending PR scandal coming their way

      I'm sure everyone in software engineering knows but they need to balance this with "how much will it cost to fix". This sort of behaviour is the new "norm". And it will continue to be unpatched until some big ISP announces a boycott.

      Take the example of Boeing 737 MAX and the FAA: FAA dragged their feet and refuses to issue a critical advisory. It took China's aviation regulatory agency decision to ground the class (of aircraft) before FAA, reluctantly, followed suit. And the rest, as they all say, is history.

  2. adam payne Silver badge

    "The path to the file is https://[router ip address]/romfile.cfg and the password is stored in clear text there."

    Seriously?!?!? Why on earth would you even do this?

    the source code for the router log-in page (again, accessible to anyone that can reach its built-in web UI server) contains the ISP username and password of the user in plain text.

    A glaring security oversight this isn't, it's just plain stupidity and laziness.

    #captainpicarddoublefacepalm

    1. Anonymous Coward
      Anonymous Coward

      @adam payne - I would say it's plain stupidity

      backed by a solid dose of incompetence

  3. sitta_europea

    You can buy good kit from crap suppliers.

    You can even buy crap kit from good suppliers.

    But do not buy crap kit from crap suppliers.

  4. Report Abuse
    Megaphone

    Router security is in your hands alone.

    No matter the brand, if your router is not running a custom open source firmware of some variety make haste to remedy the situation, by replacing the device if necessary. A router with proprietary firmware is a liability to you and the rest of the Internet.

    Be mindful, these are not the words of some FOSS fanatic, but a person who observed the state of networking hardware security for several decades.

    1. IGotOut Silver badge
      FAIL

      Re: Router security is in your hands alone.

      And in the real world, the manufactures should be taking responsibilty.

    2. Anonymous Coward
      Anonymous Coward

      Re: Router security is in your hands alone.

      Turn off the remote admin console and get a sonic.

      Finis.

  5. bigtreeman

    random coding

    It's a systemic problem at D-Link. I have reported issues with the DVA-2800 and nothing was done. The problem is too big.

    Their developers don't do unix mindset, they cobble together bits of code and script in a seemingly random fashion.

    Just ssh into one of their boxes (probably any) and look around. I got some features running that didn't run because of typos in scripts, remounted the root partition rw and made some changes to the firmware,

  6. A random security guy Bronze badge

    DLink agreed to make security enhancements with the FTC

    https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation

    All our agreements, enforcements, and settlements are a joke.

    The very fact that they were unreachable for security issues means that they have already flouted the FTC agreement:

    Smart home products manufacturer D-Link Systems, Inc., has agreed to implement a comprehensive software security program in order to settle Federal Trade Commission allegations over misrepresentations that the company took reasonable steps to secure its wireless routers and Internet-connected cameras.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2020