Security

D-Link Apologizes For Router Security

Mark Wilson writes D-Link has issued an apology to its customers for an on-going security issue with many of its routers. A problem with the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorization and run commands with escalated privileges. The list of routers affected by the issue is fairly lengthy, and D-Link has already issued one patch. But rather than fixing the problem, last week's update left routers wide open to exactly the same problem. As it stands at the moment, a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology. While unhelpful patches have already been issued, D-Link is currently working away on replacement firmware updates. The release dates for these patches are not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.
  • by TWX ( 665546 ) on Monday April 20, 2015 @10:05AM (#49510859)
    An apology doesn't really mean anything in this case, does it?
    • by gstoddart ( 321705 ) on Monday April 20, 2015 @10:16AM (#49510951) Homepage

      Depends on how we define "mean anything".

      "We're sorry we have sold you shitty products but won't fix it" is just PR.

      "We're sorry we've sold you shitty products but will replace it at our expense" is actually doing something.

      I suspect this is one of those corporate apologies designed to say "fuck you, but thanks for playing, hopefully we've minimized the fallout of writing shitty products by issuing a half-assed apology".

      I'm hoping the absence of my DIR-615 isn't "we're sorry to tell you we made a shitty product and forgot to check if it was vulnerable".

      I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.

      • "We're sorry we've sold you shitty products but will replace it at our expense" is actually doing something.

        The ideal response in my mind would be: "We're sorry - so here's how to unlock the boot-loader and here are third-party open source firmware providers that we tested for you."

      • by Anonymous Coward

        I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.

        It's not a firewall. It's a router.

        I'm not defending D-Link in any way. But it is extremely important to know the difference. These devices do not offer much in the way of security.. NAT is not a security measure.

        • by epyT-R ( 613989 )

          Well, if it's running linux, it's probably using netfilter so it probably does have a firewall..at least a drop policy with dynamically opened ports for established/related connections. NAT's security is from the fact that the rfc1918 hosts' addresses are not directly routable, but that's about it. It does not replace a firewall.

          • NAT adds security the same way that the two sets of doors into a shopping mall add security -- an extra layer people have to get through while on their way in/out. They both actually stop absolutely nothing, but they provide another point of defense, and a bit more clarity if something odd is going on.

            Of course, that's pretty much meaningless if you don't have a security guard *inside* your NAT. Don't expect some random shopper to report the shoplifter/vandal. And the fact that they're a shoplifter/vanda

      • http://www.devttys0.com/wp-con... [devttys0.com]

        I don't know if that is the same issue or not.

      • by ruir ( 2709173 )
        Firewall and linksys does not compute.
      • I worked for D-Link for over 7 years. The major issue has always been software, same as most low-cost products. The competitors were also plagued with some of these issues because they used the same H/W and software with a different plastic case and different looking web interface. So chances are that not just D-Link has these issues but possibly Retail+, SOHO, and many of the other off brands you see at Wal-Mart, Best Buy and Staples.

        When I worked there, the biggest issue was competitor launching products

    • by Lead Butthead ( 321013 ) on Monday April 20, 2015 @10:19AM (#49510989) Journal

      Keep in mind this is a company that has a history of doing malicious things; willful violation of GPL that was resolved only when they're dragged into the court and lost, hard coding default time server IP address in firmware (imagine hundreds of thousands of them all attempting to sync at the same time daily). It demonstrated a culture of (sociopathic) disregard for others, that alone is reason enough to not buy any of their products.

  • by account_deleted ( 4530225 ) on Monday April 20, 2015 @10:08AM (#49510885)
    Comment removed based on user account deletion
  • Good security (Score:5, Interesting)

    by ArhcAngel ( 247594 ) on Monday April 20, 2015 @10:09AM (#49510893)
    I think D-Link has excellent security. The minute you try to use it the hardware dies. I have some of the old metal box Netgear desktop switches that will outlive me. Almost all of my D-Link products have died prematurely.
    • by Anonymous Coward

      This has also been my experience. My internal wireless segment is currently running on an old WAP54G specifically because the D-Link that was purchased to replace it became flaky and fried itself within six months.

    • Ya, I agree! DLink always has been garbage, and always will! I have owned Linksys (aka crappy Cisco) which is moderately better than DLink, but have had better luck with NetGear. That being said, with any home/small office network device, if possible, I always remove the crappy factory firmware and install DDWRT on it.

    • While I cannot speak to D-Link product longevity every single Netgear Gbit switch -- yes the "pro" metal box ones -- I've ever owned has died after a few years of use. I had great luck with the 10/100 units though, which is why I made the mistake of buying their Gbit models. This last time I bought Cisco and couldn't be happier. Yes more expensive but now that I've had experience with it I believe it to be a very fair price for the quality of design. I'm not even interested in taking Netgear up on their
      • by ruir ( 2709173 )
        Good for you. The Cisco home business line is rebranded Linksys material. The Enterprise Cisco active equipment, now, we are talking about top tier material.
        • The small business stuff isn't that bad actually, once you get past the infant mortality issues in the hardware.. I'd not recommend putting them into a large enterprise network, but for small businesses and home use they are fine. I have 4 of these switches which have been working fine for 10 years now and let me do basic Layer 2 switching, VLAN's and fully functional spanning tree for redundancy. It's a pain to keep the right version of IE laying around so you can manage them, but I just keep an old Wind
  • It appears that as a countermeasure to getting hacked, all netgear routers freeze up constantly, have the internet connection cut in and out, reset settings for no reason, and fail to load their config pages. Very clever. Maybe they should apologize for the quality of their routers too.
  • by ITRambo ( 1467509 ) on Monday April 20, 2015 @10:23AM (#49511031)
    The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.
    • Re: (Score:2, Insightful)

      by Anonymous Coward

      The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

      Yes, this is absolutely true.

      But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.

      • My experience with firmware updates on most devices of the same caliber is that they often reset your configuration which means an auto update would not be advisable. As the devices receive more memory more update options will become available. We probably aren't too far from seeing these types of devices auto update.

    • by Anonymous Coward

      Their letters will also likely be rejected as junk mail.

      I've done that with more than a few "legal notifications" that I've gotten.

      Some of them were, others were perhaps conceivably legitimate.

    • The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

      Yes, this is absolutely true.

      But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.

      And yet one quality standard of mine is the old mantra that if it is not broken, don't fix it, which runs in direct conflict against the idea of vendors pushing automated updates, especially to devices that can and will destroy the LAN and WAN connections.

      I'm wondering where this conversation would be if TFA was titled "D-Link new automated update service pushes out patch, bricks 100,000 routers at once."

      Basic standards of quality would be assuming the vendor is more than willing to support that 2-year old

  • >> The release dates for these patches are not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.

    Da qwality goes in befo da name goes on, right?

  • by Anonymous Coward

    I'm surprised no one has mentioned alternative firmwares... D-Link should issue a patch that upgrades their routers to openwrt.
    Problem solved.

    • This. D-Link, and other manufacturers, can't be trusted to develop, and especially maintain, router firmwares.
  • I have a DIR-868L, it was cheap(-ish) and reviews suggested it had good (unobstructed) wireless speeds. That may well be the case, but unfortunately it has a more serious flaw, only being able to handle about 350 Mbps of my gigabit connection. I'm pretty sure the hardware is capable, but the firmware is crippled. I've already RMA'd one and got another back with the same symptoms. Apparently D-link engineers are trying to reproduce this issue, but I don't really expect them to do anything about it.

    So, I'm lo

    • Get an EdgeRouter Lite and a gig switch. I'm finding that the EdgeRouter is very powerful, very fast and being a Linux based appliance is extremely powerful. If you want you could also get one of the EdgeRouter's with more ports and skip the switch, but for me I went with a Lite and a NetGear M4100 12 port switch.
    • by Greyfox ( 87712 )
      I just picked up municipal fiber in Longmont, Colorado. The company has a page [longmontcolorado.gov] that lists a number of options you could use with their service. I went with the NetGear Nighthawk and am quite pleased with it. Most of the devices in my house are wireless, but I do have a couple of machines plugged into its wired ports and do get ludicrous speed with it. It's a pretty consistent 600 mbps up and down according to speedtest.net, and my one-to-two gigabyte skydiving videos upload to youtube faster than I can type
      • by PRMan ( 959735 )
        I used to get 100 Mbps on SpeedTest.net, but the most I've ever seen in the real world is 40 Mbps. I've never seen more from anyone, no matter what. So I recently reduced my internet speed to 50 Mbps and saved $30/month. Why pay for "ludicrous speed" when no company can actually give it to you?
        • by Greyfox ( 87712 )
          Ah well as I said, my upload speeds to Youtube are ridiculous. I generate two or three skydiving videos a week and it used to take a couple hours to upload them all to youtube. I'll have to make a video of me uploading a video to Youtube, I guess...

          I also had a problem, while on Comcast, where my computer waking up from hibernation would not be able to resolve DNS for several minutes. I'd be able to ping numeric IP addresses including Google's DNS servers, which I'd set the machine to use. But it would be

      • Ironically, the 868L is listed as having the second-highest throughput on the page you linked. It's very strange that mine isn't working correctly. Maybe alternate firmware will help things. The desktop and the ISP-supplied Actiontec get 890 Mbps on speedtest.net, and it's not like PPPoE is computationally expensive. Thanks for the link, it was informative, depressing, and hope-inspiring all at the same time.

  • ... It didn't. It installed sort of but it didn't work. The firmware was all screwed up and half the features had to be manually tweaked by modifying files using the terminal. Seriously pissed because the only reason I bought the damn thing was because they said it was DD-WRT compatible. Fuckers.

    I'm burned on D-link for a good long time because of that.

  • OpenWRT (Score:5, Informative)

    by Shadow IT Ninja ( 3891909 ) on Monday April 20, 2015 @11:20AM (#49511559)
    I'm glad I did my recent router shopping by starting with the list of OpenWRT supported devices. OpenWRT is a community supported router firmware. There is more active scrutiny of OpenWRT than proprietary manufacturer firmwares. They support hardware more actively and longer than the manufacturers, themselves, do because they use a common source with many hardware models. There is less likelihood of backdoors being introduced or going unnoticed if they are introduced. I'm talking about backdoors like the famous port 32764 back door which was found and patched but then the patch was reverse engineered and found to just hide the back door better.

    Now this story highlights another issue which is that the manufacturers are trying to add features to their routers. This is antithetical to security. The best thing for security is to keep it simple. HNAP, the basis of the vulnerability in this story, is just such a feature which I don't need or want. I think this all adds up to a situation where you want to avoid manufacturer supplied firmware if at all possible.
  • No apology for D-link router hardware quality.

  • Speaking as one who is tired of sorting through consumer grade routers every few years, I'd love it if 90% of these "smart router" crapware products just went away. Someone said that the best technology is that which disappears from the user's consciousness, but somehow router manufacturers think that their best play is to worm their way into your attention like an insecure child "Hey, look what I can do! Look at me me me!"

    Yeah, I'm DLink and look what I can do. Real smooth.

    Do I need to access an app st

  • Although they could be unsecure for all I know...
    • Don't buy hardware unless you can load your own firmware on it. OpenWRT or DDWRT are both great options. Personally, I have two Netgear routers. One that runs OpenWRT that is my internet facing router and it is rock stable as long as my ISP doesn't do something stupid (like they did last week when they changed me from PPPoE to DHCP access w/o telling me in advance). The router my ISP provided would reset multiple times a day (got to love that actiontech junk) and the stock firmware on the Netgear would
      • That's only good for a small percentage of the population. I'm highly technical and I wouldn't bother with doing my own custom firmware installation unless it's straightforward. To me a router is like a hard drive. I just want to put it in and have it do what is expected of it. Doing updates is obviously a non issue.

        FYI, there are a lot of custom firmware available for D-Link products so it's not just Netgear. Also, note that many of the low cost brands you see out there are spin offs from D-Link or Netgea

        • OpenWRT is pretty much brain dead simple with the default load if you have reasonable hardware and use LuCi. Usually the load of the firmware is exactly like what the factory firmware does. Yea, LuCi is a bit more complex than your average home router product, but it's still easy enough that I was able to figure it out with very little help. Armed with the FAQ and or WiKi it's really easy and takes you about 3 steps.. 1. set the root password, 2. configure your internet connection and 3. turn on the wireles

          • You do understand that most users don't even have the guts to upgrade the firmware on an extremely simple device let alone replace the firmware on an existing router.

            There's a reason Apple was the king of smart phones early on. They provided a turn key solution that required little to no knowledge of IT to use.

    • by PRMan ( 959735 )
      I had no issues with Asus except my hard drive (which I was using for file sharing and UPnP) dying. Also, all access to that USB-attached drive was slow and would slow down the router, meaning that any attempt to access a large number of files (such as an in-place backup) would slow everything to a crawl. I recently moved my drive to use an old netbook as a server (14W) and it's much better now.
      • by PRMan ( 959735 )
        And again, turn off any feature that you don't need. Especially things like public FTP, configuration from the internet, VPN, WPS setup, etc.
    • ASUS is in the same boat. Their motherboards often come with very broken software that requires updates. I've purchased over 60 motherboards from Asus and of that probably 7 different models total. Even their latest Z97 required a BIOS update due to critical issues found in the 3rd version released. I'm not very familiar with the quality of software of Asus network products but like most network products, security issues aren't noticeable until you get broken into or someone tells you about it.

      I'm not critic

  • I can't believe they haven't fixed it yet... I've been seeing these in my logs for years.

    [Mon Apr 13 14:44:22 2015] [error] [client 104.abc.def.18] File does not exist: /var/www/mywebsite.com/HNAP1
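
An added example, not part of the comment above or of any project mentioned in the thread: a Python scan of Apache 2.2-style error logs (the format of the quoted line) that counts `HNAP1` requests per client, so a server operator can see how often and from where the path is being probed. The sample lines and addresses are constructed, and the function names are hypothetical.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache 2.2-style "File does not exist" error line, as quoted in the comment.
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"File does not exist: (?P<path>\S+)"
)

# Constructed sample lines (documentation addresses, not real traffic).
SAMPLE_LOG = """\
[Mon Apr 13 14:44:22 2015] [error] [client 192.0.2.18] File does not exist: /var/www/mywebsite.com/HNAP1
[Mon Apr 13 14:44:25 2015] [error] [client 192.0.2.18] File does not exist: /var/www/mywebsite.com/favicon.ico
[Mon Apr 13 15:02:10 2015] [error] [client 198.51.100.7] File does not exist: /var/www/mywebsite.com/HNAP1/
[Tue Apr 14 03:11:59 2015] [error] [client 192.0.2.18] File does not exist: /var/www/mywebsite.com/hnap1
[Tue Apr 14 03:12:00 2015] [notice] caught SIGTERM, shutting down
[Tue Apr 14 09:30:41 2015] [error] [client 203.0.113.5] File does not exist: /var/www/mywebsite.com/docs/HNAP1-notes.txt
"""


def is_hnap_probe(path):
    """True when the last path component is exactly HNAP1 (any case)."""
    parts = [p for p in path.split("/") if p]
    return bool(parts) and parts[-1].lower() == "hnap1"


def summarize_hnap_probes(log_text):
    """Return {client: {"count": n, "first": datetime, "last": datetime}}."""
    hits = defaultdict(lambda: {"count": 0, "first": None, "last": None})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or not is_hnap_probe(m.group("path")):
            continue  # other log levels, other missing files
        try:
            ts = datetime.strptime(m.group("ts"), "%a %b %d %H:%M:%S %Y")
        except ValueError:
            continue  # unexpected timestamp layout: skip rather than guess
        entry = hits[m.group("client")]
        entry["count"] += 1
        entry["first"] = ts if entry["first"] is None else min(entry["first"], ts)
        entry["last"] = ts if entry["last"] is None else max(entry["last"], ts)
    return dict(hits)


if __name__ == "__main__":
    for client, info in sorted(summarize_hnap_probes(SAMPLE_LOG).items()):
        print(f"{client}: {info['count']} HNAP1 request(s), "
              f"{info['first']} to {info['last']}")
```

On a web server that is not a router, these entries are scan noise; the same path answering on a router's WAN interface is what the firmware updates in the story are meant to close.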
