If you have any of the following D-Link routers, you may want to replace them with something else:
- DIR-655
- DIR-866L
- DIR-652
- DHP-1565
The reason is that, according to Threatpost, these routers have a vulnerability in their latest firmware that leaves them wide open to being pwned remotely. And then there’s this:
D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the issue in September, that all four of them are end-of-life and no longer sold or supported by the vendor (however, the models are still available as new via third-party sellers). The root cause of the vulnerability, according to Fortinet, is a lack of a sanity check for arbitrary commands that are executed by the native command-execution function. Fortinet describes this as a “typical security pitfall suffered by many firmware manufacturers.” With no patch available, affected users should upgrade their devices as soon as possible.
While I get that it’s not D-Link’s fault that a vendor was sitting on some gear in a warehouse someplace for a long time and is selling it months or years after it was discontinued, it doesn’t take away from the fact that D-Link needs to step up here. The fact is they are not fixing this issue because they don’t feel that they have any responsibility to. Clearly the fact that they got slapped by the FTC and are under 20 years of oversight means nothing to them.
In the absence of the FTC exercising their oversight powers, there’s one way to send a message to D-Link that this behavior is not acceptable. Don’t buy their products. EVER. If they see their sales drop, maybe they will change their tune and act in a responsible manner.
D-Link Decides To Only PARTIALLY Patch Routers That Have Serious Security Flaws…. WTF?
Posted in Commentary with tags DLink on June 27, 2020 by itnerd
D-Link joins Netgear in being in my bad books because of this story from Bleeping Computer that details six security vulnerabilities in the DIR-865L wireless router. However, D-Link has only decided to patch three of those vulnerabilities:
D-Link has released a firmware update to fix three out of six security vulnerabilities reported for the DIR-865L wireless router model for consumers. One flaw is rated critical, others are high-severity.
Attackers can use the bugs to execute arbitrary commands, steal sensitive information, upload malware, or delete data.
Clearly these are not trivial vulnerabilities. And D-Link’s response is really bad. Here’s what they said:
“For US consumers, D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it”
Seeing as this router was released in 2012, you can see why they have taken that stance. However, since a lot of consumers simply install these routers and then forget about them, I believe that D-Link really needs to better support their customers. Or if you take D-Link at their word, this is how I would deal with this situation: the second any D-Link router goes end of life, replace it with a router from a vendor other than D-Link. Why? We’ve been here before with D-Link products. And they were slapped by the FTC for making insecure gear. Two big hints that you shouldn’t be buying their products.