
D-Link Warns of Vulnerable Routers

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSec claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.
  • by JoshDD ( 1713044 ) on Monday January 18, 2010 @11:00PM (#30815612)
    to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Links customers.
  • Bad vendors (Score:1, Insightful)

    by Anonymous Coward on Monday January 18, 2010 @11:03PM (#30815626)

    I don't blame them. Finding security contacts for consumer hardware companies is next to impossible.

    Whether it is D-Link, Belkin, Netgear - I don't believe any of them have a public security page similar to any major software vendors.

  • by Anonymous Coward on Monday January 18, 2010 @11:04PM (#30815632)

    hahahaha
    dlink would've done jack shit like every other company without being publicly humiliated.

  • by h4rr4r ( 612664 ) on Monday January 18, 2010 @11:11PM (#30815686)

    All that would have earned them is a lawsuit. Plus Dlink would never have fixed it.

  • by Anonymous Coward on Monday January 18, 2010 @11:14PM (#30815696)
    I don't think anyone on the planet can find a D-Link security contact. More responsible [microsoft.com] companies [apple.com] make this easy.
  • by Koby77 ( 992785 ) on Monday January 18, 2010 @11:20PM (#30815738)
    But what does SourceSec get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....
  • by OverlordQ ( 264228 ) on Monday January 18, 2010 @11:24PM (#30815754) Journal

    So, is it irony that their site links to "Ethical Hacker Network"?

  • by Anonymous Coward on Tuesday January 19, 2010 @12:23AM (#30816082)

    This is nothing new. In fact, review the many easy hacks against several router manufacturers and you'll discover a lot of them (many exploiting uPnP) have FAILED to patch these issues for many YEARS. A good many of these routers are wired routers with the public being told to buy a wireless router instead (many of which remain unpatched to several malicious exploits!) when all they really want is wired. Many wise individuals do not want to go wi-fi nor should they be forced to do so.

    Search for some of the exploits yourself, many of them uPnP, visit the router manufacturer's webpages listings for each of their routers, check their latest firmware update release and discover for yourself just how many routers haven't received any updates for years. What's even more shocking is many of these routers CONTINUE to be sold IN STORES and online, often the boxes still claiming how much security they offer when no firmware updates are available for many of them! Many old firmware patches resolve some issues with uPnP but do not offer protection against newer uPnP (and other) attacks!

    This is clearly insane!

    Router manufacturers should continue to patch old routers, especially those products of theirs still being sold in brick and mortar retail outlets!

    This is obviously being swept under the rug, as many individuals who have been screaming on manufacturer's forums, mailing lists, e-mails, even via snail mail are being disregarded, posts/threads being shuffled off quietly, people being told to buy a newer router than the one at the store which claimed to offer a good degree of security, only to find their newer router purchased often with old firmware and no modern firmware available!

    Governments and people need to hold these manufacturers accountable!

  • by Wrath0fb0b ( 302444 ) on Tuesday January 19, 2010 @12:44AM (#30816162)

    dlink would've done jack shit like every other company without being publicly humiliated.

    Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.

  • by Wrath0fb0b ( 302444 ) on Tuesday January 19, 2010 @01:03AM (#30816234)

    The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

    While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:

    "Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"

    versus

    "Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we go through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."

    TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.
