D-Link does not support open firmware, which voids any warranty.
But we already know that there is no warranty to void - other than that the SW is bad.
Owners of older models of D-Link VPN routers are being told to retire and replace their devices following the disclosure of a serious remote code execution (RCE) vulnerability. Most of the details about the bug are being kept under wraps given the potential for wide exploitation. The vendor hasn't assigned it a CVE identifier …
Please buy our new products !
Yeah right... pull the other one...
Also :
"Given that all the affected devices went end of life (EOL) and/or end of support (EOS) at various times – most in May 2024"
How convenient that this particular bug has been discovered so soon...
Will planned insecurity be the new planned obsolescence?
In the past, manufacturers had to tinker with the placement of temperature-sensitive components to ensure that the device dies its intended death after its intended lifetime.
Nowadays, they can just discover an 11 out of 10 CVE, which - very unfortunately - cannot be patched.
Several thoughts...
1) If they can run OpenWRT, and that mitigates the defect, then the company could update the devices successfully.
2) If they can run OpenWRT, and that does NOT mitigate the defect, then we are dealing with a new type of vulnerability problem, possibly at the chip or hardware level. Hopefully more industry research will be forthcoming as other devices using the same hardware could be impacted.
3) If they cannot run OpenWRT, then perhaps these devices were hard-coded in such a way as to prevent reflashing with 3rd-party code... and that hard-coding is also preventing D-Link from updating them. "We are tired of you geeks replacing our wonderful software with better stuff, we will fix you for good!!" And then getting bit by their own device lockout.
It does not appear any of the DSR- series is supported by OpenWRT. Though several other D-Link devices are:
https://openwrt.org/toh/views/toh_available_16128
That's the #1 thing I check on before buying, so that I don't ever have to throw out working hardware.
If enough people did the same, there'd be significant extra value for the manufacturers to make sure they can offer that "feature" (which costs them practically nothing) when the device is new. At EOL, it's too late to get the manufacturer to do anything to help.
I would imagine the vast majority of consumer-level users have never upgraded firmware in their routers/switches or similar devices. Most will be running whatever version was installed during manufacture unless the device is configured to auto-update or an upgrade was pushed by their ISP.
Be honest: most people will only ever change the batteries in a smoke alarm because the damn thing beeps. What chance having the same people routinely check their router's firmware?
"routinely check their router's firmware"
It's not out of the realms of possibility to have the router check for itself.
That being said, a self-checking router is a hell of a lot more likely than there being any new firmware to install.
I have plenty of devices around with firmware in flash and claims that it can update itself. Well, the first step is to find some of these things even mentioned on the company's website. The second is to have anything that even remotely resembles firmware.
I think far too often, and maybe for routers too, companies buy in stuff from a Chinese manufacturer and slap their own logo and branding onto the thing. They don't care about the firmware as, aside from some simple customisations, that's all they ever did. The manufacturer doesn't care as they've already offloaded the devices to some sucker, and, well, everybody is too busy promoting the latest bit of techno-tat to want to have anything to do with what's already been sold.
D-Link sold a product that was defective on the day it was made. The fact that the defect has taken years to find does not change that. There is this successfully-promoted idea that software "rots", and so there is no more liability for old software failing than there is for a mechanical product wearing out.
Never mind "discounts". The default position should be "refund" or "exchange".
Over here in the UK we have the "Sale of Goods Act" for non-commercial sales. If the product was defective then it falls/fails under the category of "not fit for purpose". Anybody who bought one can (or should) return it to the retailer and ask for their money back. Probably have to accept a reduction due to fair wear and tear, but it's then up to Amazon / Ebuyer / $retailer to release the hounds on D-Link. And maybe if this actually happened then tech companies would get their shit into gear and not hide behind the "but this is soooo complicated" excuse. Software companies too....
</rant>
No, you don't get six or five years. You get a "reasonable time" from the date of sale until the defect is found. The repair can take a bit longer. And a device less durable than it should be is defective from day one. But six years is when the statute of limitations runs out.
True, but they do the bare minimum because most consumers (not people who are reading here) want to spend the bare minimum. It's why printers are cheap and ink is expensive. It's why, on the last flight I took, it was more expensive to put a bag in the hold of an aircraft than it was to put a passenger in a seat.
This doesn't make much sense. There is OpenWRT out there, which they could slap on a router and leave the updates to the community if they want. Which some already do partially, like Xiaomi, with streamlining of the UI for noobs. No, they want to spend money developing proprietary and janky firmware even for the cheapest consumer routers. My Netgear router came with a bloated UI that took ten seconds to load and had a huge permanent ad for their app, while subsequently LuCI (OpenWRT) loads in milliseconds on the same device.
OpenWRT does not work on Broadcom routers, but DD-WRT does, because DD-WRT has certain agreements with Broadcom that OpenWRT does not.
https://openwrt.org/meta/infobox/broadcom_wifi
Similarly, there are routers that OpenWRT supports that DD-WRT does not (Like my own TP-Link PoS). And then, there is the Tomato Family. The open router firmware is an iceberg, that many a HW vendor does not want to navigate...
Also, there are routers with proprietary firmware, based on things like Wind River OS and other RTOSs that require SIGNIFICANTLY less HW grunt to run.
In the olden times, and more so with the 4/32 warning (https://openwrt.org/supported_devices/432_warning), many an old router will not be supported by open FW going forward.
Finally, many of these vendors will use the toolkit provided by the SoC provider (redundancy intended) for their proprietary OS. This allows them to easily deploy a proprietary/"differentiated" solution, with "knowledgeable" support from the SoC provider. And if there is a security vuln, we the users rip the HW vendor to shreds, but behind the scenes, the HW maker rips the SoC vendor to shreds, and if push comes to shove, sometimes it is the SoC vendor that will bear part or all of the £€¢¥$ cost of the security vuln.
Another scumbag company to avoid.
"D-Link US is prohibited to provide support for these EOL/EOS products, "
What complete and utter crap. I've never heard such horseshit spew from a marketing droid's mouth.
Show me ONE law that says it's illegal to patch an end-of-life product. No? Thought not.
Many other vendors (including MS) have done it in the past for high vulnerability exploits
Just another example of all that's fucked up in tech these days
The only excuse I can think of is that "D-Link US" might be legally and operationally a semi-separate entity which has some contractual arrangement with the main D-Link company that prohibits them from doing so?
Or then again they might just be a regular subsidiary, and simply using that as an excuse to diffuse the blame for a course of action that doesn't suit D-Link. Or it might be poor wording. Or it might well be bullshit after all.
Not prohibited by law, prohibited by D-Link Inc. Meaning if you call support they will tell you to sod off!
No different than any other company's EOL products!
BUT! A lot of "decent" companies would issue an emergency patch for an EOL product if it has a flaw so vulnerable it put a large % of their customer base at risk and distribute it with a prodding to upgrade as soon as possible.
I mean, my guess is that there could actually be a law that says that D-Link US must do what the mother company tells it.
So they might be technically correct that D-Link US is prohibited, but D-Link in general is guaranteed not prohibited from setting their own guidelines.
But I learned 20 years ago not to D-Link, so..
Me also.
Stopped buying their stuff about 15+ years ago due to it being buggy. You'd turn something like DHCP Server off, add it to LAN as an airpoint and a couple of days later the LAN would break due to DHCP turning back on.
I've had PCMCIA cards, PC cards (ISA or PCI?), hubs, switches, routers, modems, maybe even a print server (remote serial/Parallel really) etc. I must clear them all out to the Recycle Centre. I've an HP Serial/Ethernet I can use for the old A3+ Roland plotter, should I want to.
The announcement linked says even the pathetic discount offered is only for US residents, apparently the message to the rest of the world is Fcuk You! Maybe adopting the foreign affairs approach of the president elect?
It's also very unclear about the difference between EOL and EOS (end of service) and when they stop support, surely they can't stop security patch support right after they stop selling them? That should be illegal.
I've never used the ISP supplied router as they're always built to a cost. I've also moved away from using an appliance as my router as if it dies (and that has happened before) I'm stuffed. I've now retired the little Fortigate in favour of a small PC with pfSense. Neither of these are for non-technical people but like many people who comment here, I'm not non-technical.
The Fortigate was great but unfortunately, there is zero support for the second user market either in firmware or feature licences. I know many would say it's overkill for a domestic set up and they might be right but the more robust my security, the more attractive the low-hanging fruit is. Of course if you really want overkill, try out Mikrotik.
I've not used pfSense, but its derivative, OPNsense, is pretty good for free too.
It's still nothing compared to Checkpoint or Palo Alto, but then I don't want to pay £10K + permanent subscription at home....
It's not the easiest to configure some of the more complicated settings, but the GUI is nice, and after a drive (or OpenBSD upgrade, not sure which) failure, the config restore process worked perfectly.
I did actually pay for a year of support at the beginning, which is reasonably priced.
No surprise that they couldn't care less. Consumer hardware is garbage and should be avoided. Unfortunately, most don't know and/or don't care. Hopefully, anyone affected by this does a little searching and realizes that with a little time and hardware they can run so many different UTM OSes. OPNsense ftw.
I'm sure there's a lot of things D-Link could have done better, like using toolchains and languages that are safe against buffer overflows and other common attack vectors.
This only makes it a bit better, it is still a small cheap processor facing the whole internet, where bad actors have immense resources, and indefinite time, to construct an attack.
Using open-source software is almost certainly a better approach, it does normally ensure that the code gets a lot of expert review, but even then it cannot be guaranteed perfect forever - the "forward security" problem. So, it needs remote re-programmability to install patches, updates etc. - and including these features massively increases the attack surface and the potential consequences of a successful attack - like it can totally reprogram itself with hostile code.
It would seem to be this bit, the over-the-air reprogram function, that has the vulnerability in this case, and this code is not reprogrammable, to avoid "bricking"-type problems. So, they're stuffed, patches won't work.
The only approach I know of would be to formally verify the router code, using formal methods - and then remove any reprogrammability function.
OK it takes longer, costs more, but you end up with an inviolable product that never needs updates.
It is a big pill to swallow - you can pretty much forget about stack-based languages, unless you can absolutely guarantee stack depth and integrity for all time - to mention just one issue.
Is it any sort of realistic possibility? I know that very complex software for oil refineries, chemical plants, uses these sorts of methods. I'm guessing the hard allocation of memory means you need more.
Is it plausible for $50 routers? The volumes they get made in ought to dilute the SW cost down to nothing. Even if the HW cost more, it's a much better product.
What does the Reg-o-sphere think?
Having a slower CPU should actually be better for security, as it cannot process as many malicious requests.
If D-Link was a cool company, with their development process up to snuff, they could just make a patch fixing just this exploit. "Here you go, but we still recommend an update." Then one might actually consider staying with the brand.
But more than likely, THAT piece of firmware is buried in a closet somewhere and the one employee who knew what was the latest version is long gone.
If they are in the business of selling hardware, why don't they just make a platform for OpenWRT and leave it at that. It would be kinda like a computer vendor selling hardware that runs Linux. D-Link would sell hardware and make the proper amount of $$$ on the hardware, and leave the software to someone else. Of course this would eliminate bunches of useless droids that cobble up D-Link software (might save them some money making them redundant), but would be better for the rest of us.
Probably wishful thinking on my part.