D-Link Home Routers Open To Remote Takeover Will Remain Unpatched (threatpost.com)
D-Link won't patch a critical unauthenticated command-injection vulnerability in its routers that could allow an attacker to remotely take over the devices and execute code. Threatpost reports: The vulnerability (CVE-2019-16920) exists in the latest firmware for the DIR-655, DIR-866L, DIR-652 and DHP-1565 products, which are Wi-Fi routers for the home market. D-Link last week told Fortinet's FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers). The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function. Fortinet describes this as a "typical security pitfall suffered by many firmware manufacturers." With no patch available, affected users should upgrade their devices as soon as possible.
Good argument for the right to repair (Score:4, Insightful)
n/t
Re: (Score:3)
Re: (Score:2)
You need to be able to reflash the firmware (no hardware DRM/lockouts) and you need enough documentation about the hardware to know how to build your own firmware when they abandon it.
Re: (Score:2)
Re: Good argument for the right to repair (Score:2)
> This is a great reason, though, not to ever buy anything D-Link makes again.
There was a similar story here c. 2006 with a similar issue with older D-Link gear. Some people learn but the market doesn't favor information conveyance at the Point of Sale.
Fortunately by 2004 I had thrown a huge stack of D-Link wireless repeaters in the trash because they just sucked and replaced them all with 54G's running dd-wrt. Those fixed every problem everywhere and updates were good for quite a while.
Continuing to sell an item with a known defect? (Score:3)
however, the models are still available as new via third-party sellers
These 3rd party sellers ought to be ashamed of themselves...
Comment removed (Score:5, Interesting)
Re:Continuing to sell an item with a known defect? (Score:5, Insightful)
I have some sympathy for the third party sellers.
I have no sympathy for the manufacturer who could fix it, especially since it is a defect that never should have been.
If manufacturers had perpetual liability for unfixed IoT crap, then the world would be a much more secure place. They would plan their development better, knowing they might need to produce patches for a long time. They would plan their design to be more secure in the first place. And maybe, just maybe, they might all get together and work together on a common Linux for router-type products that shares a lot of the security work, and its cost, among all of the participants.
Re:Continuing to sell an item with a known defect? (Score:4, Interesting)
Perhaps including cruel and inhuman punishment.
On no account should any of them be employed in management, or any other capacity, in any company, anywhere, except perhaps where hard, unpaid labour is involved.
Re: (Score:3)
Re:Continuing to sell an item with a known defect? (Score:4, Insightful)
D-Link are still touting it on their website and it's still on sale new in the box from Target, Walmart, Newegg, and Amazon. Apparently, right up until they realized they might have to actually do something with the firmware, it was the latest and greatest and absolutely the perfect solution for your home network needs (complete with cutting edge cloud features). Now, it suddenly became EOL. So quickly they forgot to mention that on their website.
My point is, as far as at least some of the owners know, it's not even 24 hours old.
If I buy an old home/SOHO router, even new in the box from the flea market, AS-IS, yeah, I can't reasonably expect much in the way of support but that's not what's happening here.
Re: (Score:2)
What consumer rights do buyers have in your area?
In Europe, if you bought one of these in the last couple of years you can return it to the seller for a warranty repair. Since they won't be able to fix it, the only choice for them is a refund. They might deduct a portion of the sale price since you may have had up to 2 years' use out of it, but no more than maybe 1/3rd.
Remember that security defects are warranty issues that the seller has to fix, at least around here.
Re: (Score:2)
Apparently, here in the U.S. consumers have the right to say "Thank you sir, may I have another?"
Re: (Score:2)
Also, "you did not place the product on the market" is another exception that may have some say in this. I'm not a lawyer, so obviously just speculating. For example, say
Re: (Score:2)
No one could have foreseen that executing arbitrary commands was a potential security issue?
Re: (Score:2)
Re: (Score:2)
And for the record, it's on the consumer to know what they're buying. They don't get excused from due diligence. It isn't hard to do a quick search online to see t
Re: (Score:2)
Re: (Score:3)
D-Link should support products for at least 5 years from the EOL date, and should clearly inform users that the product is EOL. It doesn't say EOL on their web site, and when you log in to the router's config page it checks for firmware updates but doesn't tell you it's EOL or give a cut-off date for support.
We should think about making that mandatory, and also having a mechanism for consumers to be notified of critical security flaws. The router could securely check for messages and display them when one is
Re: (Score:2)
I have mixed feelings about the 5 years after EOL. I definitely agree that it should be more obvious to the user when it's going to go EOL. However, from my years of support experience, users usually never log into their router to do anything. Most don't even set it up themselves. Putting the dates in the router's management UI likely would
Re: (Score:1)
If it is an IoT device and the inputs are not sanitised, then it is "goods not of merchantable quality" and "unfit for the purpose for which it was sold". It also risks public safety on the Internet*. The manufacturers are liable without time limit in most of the sane world (Your Trump may vary).
Pl
Re: (Score:2)
Re: (Score:2)
I have some sympathy for the third party sellers.
That sympathy ends when they try to SELL the product anyways.
It is your risk of doing business as a middleman: you owe your customer a duty to ensure the product you are selling is merchantable; that is, it is not defective or subject to recall.
The 3rd party seller should have recourse, however, against the distributor they sourced the product from, and ultimately it is the manufacturer who needs to take back and refund the unsold goods which the manufact
Of course (Score:2)
Re: (Score:2)
Don't look now, but there's an obvious buffer overflow exploit in all models of Atari. Freggin lazy-asses won't fix it though. And if you go to most any Dollar General, you can buy an Atari. What the hell?!?!
Re: (Score:2)
I was going to blast you for bringing up a company that's long gone, but turns out that it is not: atari games [atari.com]
Re: (Score:3)
The original company is indeed long gone. Infogrammes Entertainment just bought the name and IP rights.
Re: (Score:2)
Thanks for not blasting me. But, while we're talking about Atari ....if you still feel like blasting something, you could play Blaster [atariage.com].
Re: (Score:2)
Actually, you can play "Bogey Blaster" online here [free80sarcade.com].
Really? (Score:5, Insightful)
"The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function."
What kind of a dumbfuck coder doesn't do sanity checks for any input that could be abused?
This kind of exploit always fuckin' kills me- it's laziness or stupidity or both.
I'm not a hot-shot code jockey, but everything I code has rigorous checking on all inputs, and it always astounds me when professional coders skip this step.
Finally, how does code without any sanity checking or screening ever get through a code review?
Re:Really? (Score:4, Insightful)
What kind of a dumbfuck coder doesn't do sanity checks for any input that could be abused?
The very cheapest kind to hire.
Re: (Score:2)
which also describes the code reviewer, probably.
Re: (Score:1)
Hah! No, they don't have code reviewers at places like that.
Re: (Score:2)
Very likely they do not.
Re: (Score:2)
Maybe not. Often contractors will do that kind of thing, and they are often quite expensive. They write to the exact spec they are given, and if the spec doesn't say "don't execute arbitrary commands" then it will execute arbitrary commands if that's the fastest way to fulfil their contract.
Re: (Score:2)
The thing with contractors is that high price does not ensure quality. But low price does ensure absence of quality. And these days, many that use contractors do not have the knowledge themselves anymore to judge contractor quality.
Re: (Score:1)
The kind of dumbfuck trying to cram the most amount of code in the least amount of memory.
These kinds of cheap-ass consumer routers have so little memory that sanity-check code is a luxury they simply can't afford.
Re: (Score:2)
No. There is more than enough space for that.
Re: (Score:2)
"The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function."
What kind of a dumbfuck coder doesn't do sanity checks for any input that could be abused?
This kind of exploit always fuckin' kills me- it's laziness or stupidity or both.
I'm not a hot-shot code jockey, but everything I code has rigorous checking on all inputs, and it always astounds me when professional coders skip this step.
Finally, how does code without any sanity checking or screening ever get through a code review?
Why is a function that calls execve("/bin/sh", 0, {"-c", yourshit}); even a thing.
Re: (Score:2)
Why is a function that calls execve("/bin/sh", 0, {"-c", yourshit}); even a thing.
Because it is easy to use. It is very hard to use competently (but has valid applications), but that does not deter the incompetent.
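The two comments above describe the general pattern behind a bug like this: caller-controlled text is spliced into a string and handed to a shell, so every shell metacharacter in the input becomes part of the command. The block below is an added example written for this page; it is not code from the page, from Threatpost, Fortinet or D-Link, and the "ping a host" use case, the function names and the hostname rule are assumptions. It places the shell-string builder next to a hardened version that validates the field against a strict allow-list and passes it as a single argv element, so no shell ever parses it. Nothing in the block executes a command; it only builds and inspects the argument structures.

```c
/* Added example (not from the page, Threatpost, Fortinet or D-Link):
 * a shell-backed command string beside a shell-free, allow-listed
 * argv build. The ping use case and all names are assumptions. */
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Anti-pattern: the caller-supplied field is spliced into one string
 * that would later be handed to /bin/sh -c. Any metacharacter in
 * 'host' changes what the shell would run. Returns the length of the
 * command text, or -1 if it did not fit. Nothing is executed here. */
int build_shell_command(const char *host, char *out, size_t outlen)
{
    int n = snprintf(out, outlen, "ping -c 1 %s", host);
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

/* Allow-list check for a DNS hostname or dotted IPv4 literal:
 * only [A-Za-z0-9.-], 1..253 bytes, no leading/trailing '-' or '.',
 * no empty labels. Space, ';', '|', '&', '$', '`' and quotes all fail,
 * without the code having to enumerate them (deny-lists miss cases). */
bool is_valid_hostname(const char *s)
{
    size_t len = s ? strlen(s) : 0;
    if (len == 0 || len > 253)
        return false;
    if (s[0] == '-' || s[0] == '.' || s[len - 1] == '-' || s[len - 1] == '.')
        return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (!(isalnum(c) || c == '.' || c == '-'))
            return false;
        if (c == '.' && s[i + 1] == '.')   /* s[len] is the NUL, so safe */
            return false;                  /* empty label like "a..b" */
    }
    return true;
}

/* Hardened pattern: validate first, then build a separate argv for
 * execve()/posix_spawn() so the input is one argument and no shell is
 * involved. Returns argc (argv[argc] is NULL) or -1 on rejected input. */
int build_ping_argv(const char *host, const char **argv, size_t max)
{
    if (max < 5 || !is_valid_hostname(host))
        return -1;
    argv[0] = "/bin/ping";
    argv[1] = "-c";
    argv[2] = "1";
    argv[3] = host;   /* delivered verbatim as a single argv entry */
    argv[4] = NULL;
    return 4;
}

int main(void)
{
    /* Constructed sample inputs: two legitimate, one with a metacharacter. */
    const char *inputs[] = { "example.com", "10.0.0.1", "example.com; echo hi" };
    char cmd[256];
    const char *argv[8];

    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        build_shell_command(inputs[i], cmd, sizeof cmd);
        int argc = build_ping_argv(inputs[i], argv, 8);
        printf("%-22s shell string: \"%s\"  argv build: %s\n",
               inputs[i], cmd, argc < 0 ? "rejected" : "accepted");
    }
    return 0;
}
```

The contrast to take from it: the shell-string builder happily produces `ping -c 1 example.com; echo hi`, and whatever later runs that string through `sh -c` runs two commands. The argv builder either rejects the value outright or passes it to `ping` as one opaque argument, which is what a reviewer should insist on in any firmware helper that wraps a native command.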
Re:Really? (Score:4, Informative)
Yeah... I worked for D-Link support about 15 years ago. Stopped being surprised after they released an ADSL routermodem that accepted telnet connections from WAN with default login (root/root or something like that). Oh, it also used busybox and D-Link refused to acknowledge it, much less provide the source.
Re: (Score:2)
What kind of a dumbfuck coder doesn't do sanity checks for any input that could be abused?
Indeed. Unfortunately, the answer is that these are regular coders, not even especially stupid or incompetent ones. The problem is that most coding is engineering and quite a bit is advanced engineering. Yet it is very often done by amateurs, technicians and people from other fields.
Yes, fixing this will mean that a lot of coders will lose their jobs and the remaining ones will get a lot more expensive. But overall, it will be vastly cheaper than the mess we currently have where anybody and everybody is all
Same who create default passwords (Score:2)
I used to have a router that was crap. A few updates in the year I bought it then went dormant. But they continued to push out new devices. I called support when I needed help and they said "buy a new device" because mine was EOL. After a friggen year! And get this -- I had enabled the secure Wifi feature (PKTIP or whatever) when they released the firmware for it. The router would run for 15 minutes and then get slower and slower until becoming unresponsive. I figured there was a bug fix for it.
Consumer-level trash be trash... (Score:4, Interesting)
D-Link has the problem (like Cisco, Belkin, Linksys and others) that they seem to EoL a lot of things right after they come to market. Saves on support when you tell people they are on their own with something they just buy. I saved myself the headache a long time ago by moving to more business-focused vendors, like Ubiquiti or Cisco's business end gear. Much better support offerings and less engrish translated firmware problems (I'm looking at you TP-Link..) not to mention that they tend to be a bit more robust. Worth the extra money - at least in my case.
Re: (Score:1)
Linksys used to be good though, before Cisco bought them.
Re: (Score:2)
All consumer goods have a warranty though, right? So if it's still in warranty then this kind of massive security flaw is a warranty issue.
TP-Link stuff isn't bad. Lately they started using the same OS on pretty much all their gear, so even the cheap stuff gets decent support (security updates) and has all the high end features available. Also DD-WRT support is very good for them so you always have that option.
If you need a managed gigabit switch for SOHO then TP-Link ones are a decent option, and pretty go
the plan (Score:3)
Linda: [on TV] Unless something is done quickly, the trapped robots will be dead within 300 years. Sir, what rescue operations are planned?
Mine Spokesman: [on TV] The plan is basically to pave over the area and get on with our lives.
https://morbotron.com/meme/S02... [morbotron.com]
Re: (Score:1)
DD-WRT (Score:4, Informative)
Re: DD-WRT (Score:2)
Is DD-WRT really better? Last I checked, there was never any official release, only custom builds by different forum members. I wouldn't be surprised if they missed most security flaws given what their process looks like.
Re: (Score:2)
Is DD-WRT really better? Last I checked, there was never any official release, only custom builds by different forum members. I wouldn't be surprised if they missed most security flaws given what their process looks like.
Modulo malice, the only differences between a custom build and an official one are the kernel version and drivers chosen.
Re: (Score:2)
The custom builds are to incorporate drivers and whatever boot mechanism is required for that hardware. Stuff like this kind of command execution is part of the core and will be done much better than D-Link ever could.
There is also OpenWRT and maybe Tomato if that is still going.
Best bet really though is buy an x86 box and run pfSense. You can get a pre-assembled box from Amazon (or cheaper from AliExpress).
Re: (Score:2)
The problem is there is no stable core. I doubt they fix security updates if you can't find the stable core.
Also the development seems opaque. Is the full source code even available?
Re: (Score:2)
Yes, they can. The 652 and 655 are not compatible, though.
Re: (Score:1)
Finally, someone that mentions DD-WRT or OpenWRT. Never rely on the firmware supplied by the manufacturer. Support stopped the moment you bought it.
Re: (Score:2)
Hardware compatible with u-boot and open (Score:1)
We now have a lot of hardware, for instance based on ARM processors, running Linux and easily configurable as a wifi spot.
Ca-ching! (Score:3)
With no patch available, affected users should upgrade their devices as soon as possible.
Re: (Score:2)
...to something other than D-Link, I presume?
OpenWRT (Score:4, Insightful)
And this is why all my routers run OpenWRT.
Re: (Score:2)
Re: (Score:1)
And that's why I run OpnSense on an old Watchguard FW...
Re: (Score:2)
Re: (Score:2)
you can compile it yourself if you don't trust the official builds
Because there's likely millions of them out there (Score:3)
Routers are the sort of tech that, if it's doing its job well, will never get replaced and just sit there working happily for many years.
It's a good idea to look for vulnerabilities and let people know so that they can replace them if necessary.
That said, it's irresponsible for D-Link to not at least patch a major security hole like this. Apple, for example, has discontinued their line of routers but still releases security updates for major flaws.
Re: (Score:1)
Re: (Score:3)
It doesn't matter what consumer router you buy. They're all fucking shit that are EOLd the instant they hit the shelves.
You'll get an occasional firmware update in the 2 or 3 months following release to fix the problems, then you'll get a link to a beta firmware on the company's FTP site, then you'll get nothing. The firmware updates won't fix the problems. The problems will be: Router dropping connections frequently, router rebooting itself or needing to be rebooted manually, router performance droppin
Re: What do you expect? (Score:2)
I checked the 866L. It was probably an upper mid range or even high end device when it came out.
How much is a home router supposed to cost?
Why does software always get a pass? (Score:3)
This is bullshit. A few year old router has a critical security vuln and the manufacturer has no liability at all to even address critical security defects of their own making? Fuck D-Link.
Re: (Score:2)
Re: Why does software always get a pass? (Score:3)
5 years when it came out. It was sold for a long time after that. Are you supposed to change your router every 5 years anyways?
Re: (Score:2)
Re: (Score:2)
The device was probably supported for at least 2 years after it came out. So it means a device actively sold by the manufacturer only 3 years ago is no longer supported and that sucks.
I know their support sucks and as I said in another post, that's why I use OpenWRT on my routers (and don't buy incompatible routers).
You shouldn't expect the average joe to replace his router every 3 to 5 years. D-Link's poor support is to blame here.
Re: (Score:2)
A few years? These routers were released between 2012 and 2014. The newest one is over 5 years old.
So?
Re: (Score:2)
Re: (Score:2)
Fuck D-Link.
If you've ever owned a D-Link product before, then you've no doubt already been saying this for years.
This should not affect many Slashdotters, because none of us should be dumb enough to buy a router unsupported by openwrt and/or dd-wrt, right? Especially not a D-Link.
ha ha gottcha (Score:2)
Thoughts (Score:4, Insightful)
At least the DHP-1565 is supported by OpenWRT, so this model could be used further.
I personally only buy the routers which are known to be supported by OpenWRT - that pretty much guarantees near infinite support vs. OEMs which are not really interested in supporting their hardware past its warranty.
D-Link and FTC Settlement (Score:2)
Re: (Score:1)
Feature (Score:2)
Shame them (Score:2)
Someone should create a website d-link-routers-to-not-buy.com and list them there. Make it known people should double check that site before buying D-Link.
Almost planned obsolescence (Score:2)
At least one of the models, the DIR-866L, was apparently released as late as August 2014, and it reached end of support in August 2018. It has probably been selling for at least a couple of years, so basically D-Link has cut off the support just two years after stopping selling the product (https://support.dlink.com/ProductInfo.aspx?m=DIR-866L -> the manual version 1.00 is dated Aug/2014 and the end of support date is specifically stated there).
This makes the products pretty much disposable. Well
Re: (Score:2)
They did this 20 years ago. (Score:2)
How is this new behavior from D-link? They were selling WiFi routers almost 20 years ago with a promised upgrade to the latest standard and of course the updated firmware was never released. I have stayed away from their trash since then.