Slashdot Mirror
D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection
chronopunk writes "Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"
You have to manually upgrade the firmware and going back to plan old 1.20 is exactly the same process. It's not exactly hard to "disable". I have this router and also recently updated my firmware but I have not encountered this yet...
I've been using rev1.21 for a few weeks now and I haven't seen this behavior at all.
Wednesday, November 05, 2008 5:51:22 PM
Firmware Version : 1.21, 2008/09/11
*shrug*
If you RTFA, you'll see that you CAN disable it.
Still pretty hinky, though.
Before installing the new firmware, are you asked if this is Okay? If not, do they make it clear how it can be disabled?
I am now reluctant to upgrade my DLink firmware. Is it's easy and clear that one can opt out.
I haven't upgraded to 1.21; however, the reason was when 1.21 first dropped it had SecureSpot. Now I found this out by reading the information on 1.21 so I didn't download and install it. They now (and have for some time) offer 1.21 without SecureSpot; perhaps you should download and install that.
>You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side.
>D-Link Customer Service
Unethical to enable it by default and not tell the customer about it *until* it hijacks the connection (if you ask me) but easily disabled apparently.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
Hi Brandon, What you experienced was not an Attempt to "Hijack" your connection. In fact what it is an added feature called "Secure Spot", It is software that is built into the router, which is used to replace or work along with your firewall/Antivirus/Antispam software. It also provides more parental controls. This feature does require a subscription if you want to use it but it is entirely optional. This feature replaces a hardware device that we had that did the same tasks. The DSD-150. You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side. D-Link Customer Service
So, you can turn it off. Not only that, but as of 9/30 there's a separate link at their firmware download page for the DIR-655 that says (in plain view, in a sensible spot): Click here for Firmware 1.21 WITHOUT SecureSpot 2.0
Should they have included that in a readme/changelog for the firmware? Maybe, but since they were all too happy to tell you how to turn it off, this really doesn't seem like a huge offense to me.
Conclusion? Non-story.
Plus, upgrading your firmware "just because". Why?
Replying to myself to add some info. Firmware v1.20 doesn't have the "Advanced -> Secure Spot" page they mention so it really seems to be be new in v1.21. The 1.20 firmware can still be downloaded from here.
My other account has a 3-digit UID.
If you look under the revision history of the 1.21 firmware - there is a link to download the new firmware without Secure Spot 2.0. Just look for: "Click here for Firmware 1.21 WITHOUT SecureSpot 2.0" and click on that...
Back in 2003 Belkin introduced a router that periodically redirected HTTP connections to advertise its own software:
Help! my Belkin router is spamming me
Some commentary:
Ease-of-use or marketing-driven sabotage: Does your hardware's software do only what you expect of it?
Here's an old article about Belkin doing a very similar thing:
Belkin, the consumer networking and connectivity firm, has promised customers a firmware upgrade to disable a controversial 'spamming' feature built into its routers.
As first reported on The Reg last week, the feature hijacks random HTTP requests every eight hours and redirects users to a page advertising Belkin's parental control software. There is an opt-out link but that failed to appease Net users who accused Belkin of creating a new mechanism for spam.
I think we're all agreeing that the submitter is an idiot for not reading before downloading and the editors should not have posted this "story" in the first place.
Thread closed.
Better than that, google "dd-wrt hardware", and look at what hardware is inside your next router purchase. Get one with at least 16M ram and 4M flash, and upgrade to an open firmware. Tomato is my favorite, it has the slickest admin GUI, on top of full Linux flexibility.
Only buy home routers that can run opensource firmwares. I'm quite happy with my WRT54GL, although the hardware is a bit antiquated at this point.
> D-Link is Shit. Buy Linksys.
> > Linksys is even worse shit.
Buy the router/AP that has the features you want AND is supported by Tomato, DD-WRT, et al, and don't look back.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Linksys isn't so bad if you replace the firmware. Try dd-wrt if you want quick and easy, or OpenWRT if you want to customize. I guarantee you'll like 'em. (Get a WRT-54GL to try it on; they're cheap nowadays.)
Its clearly listed on their website.. http://support.dlink.com/products/view.asp?productid=DIR-655
A conservative is a man with two perfectly good legs who, however, has never learned to walk forward. -- FDR
There are routers that run open source firmware. An example of a company that uses open source firmware is Canyon. I've had one for a couple of years now. I got the first hardware revision, so I haven't been able to upgrade my firmware to the latest, but my model is still manufactured, albeit in a later hardware revision and the firmware is open source. Works like a charm.
People are not wearing enough hats.
This is the original poster. I did a firmware upgrade from withing the router setup page not by downloading it from their website.
Better firmware is only part of the problem.
As a member of Melbourne Wireless where we have lots of cheap wireless routers, I can say the best consistent brand of low end routers is ASUS. I expect they are the OEM for many of the early versions of other routers as well based on looking at the insides.
As a tech support worker for a very large ISP I can say that all the end-user brands have shit models, and decent models.
It really is back and forth. Usually one company will have a crap model run or version, or a shitty firmwware.
A few months later the other company does something that blows chunks.
Either way I get a lot of idiots on the phone with router problems, and no one end-user brand is any better than the rest.
I will say, however, the following:
Netgear sucks ass, period. If yours works then congrats.
Linksys is really hit/miss depending on the model and version. Some of them are rock-solid and run cool, others will heat up badly. I think it's a quality control issue, but they do tend to sell more junk hardware to big box stores like WalMart.
It also depends on what function you enable. If you are using it as a switch with NAT, most of them aren't too bad. Start turning on the rest of the firmware features and then things change, again the model & version make more difference than the manufacturer.
D-link generally does ok, same with belkin, but both of them have turds too. But if you really want a decent router you need to look into the $200 and above price range to start off with.
If you have a choice between a Sonicwall and a Cisco, get the Cisco. Sonicwall is the cheap end of the business market, we see problems with them in our business groups quite often, but the other corporate-grade routers like Cisco, Juniper, and Pix are generally rock-solid. And get a UPS, I see more routers get bricked from bad power than anything else.
Thirded. I just completed a project that cost about $8k dollars by rolling a customized OpenWRT/DD-WRT setup that includes 802.1q VLANs (no wonky iptables junk to seperate networks), 802.1x with authentication against ActiveDirectory, public and private SSIDs available from a single access point, the list goes on.
OpenWRT is enterprise wireless firmware for free that runs on home consumer priced hardware, making it enterprise quality hardware. (Although lacking POE)
My company was going to spend about $75k on a comparable solution from Aruba and I was able to squeeze out every single feature they offer from OpenWRT. So instead of $75k, we're spending $4,500 for the same feature set. Not bad.
So, while D-Link's own firmware is goofy, if you just buy their box and wipe it it you'll be saving yourself money in the long run.
Ah, I found one. The Risks Digest, Volume 16: Issue 55, Weds 9 November 1994. The relevant section is reprinted below for preservation's sake, edited only for spelling ("entirity"), converting asterisk-marked text to strong text, formatting, block quoting, and adding links.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Nope. Working PC Repair I've seen more dead D-Links than any other brand. If you are just wanting cheap I'd suggest either TrendNet or ZoneNet. I've bought and installed several for customers and they seem to run well and are easy to manage. I am currently typing this on a TrendNet I bought to set up the boys their own network so they can game and share files with each other and after a $10 rebate the thing was only $9! Runs quite well. Now if you are wanting one for tweaking or running a customized Linux on I'd suggest a Linksys WRT54GL(just make sure you don't get the GS by mistake) so you can run DD-WRT. But after tossing one too many D-links I try to avoid them whenever possible,and stunts like this just make me really glad I do.
And as for those that just say disable updates? What if they come out with another DNS or other security hack that REQUIRES you to update your firmware? I don't like the idea of either get crapwared or risk being hacked. With the TrendNet and ZoneNet routers they take a little longer to get firmware updates,but so far every update I've ever run from them has been just that,an UPDATE. Which either gave the router new functionality or closed security holes,but never any crapware from them,knock on plastic.
ACs don't waste your time replying, your posts are never seen by me.
damn straight. I went from resets every 2 days to rsets every 2 months - it just chugs along. The thing that really killed my linksys gear was bittorrent - something about huge numbers of remote connections.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I have the DIR-625 and have tested out the Secure-Spot (3.06) firmware and even when its disabled it still phones-home and uses an SSL connection. Naturally you can not issue it a fake certificate to see what its really sending back. Test setup: 2 Routers, Favorite ARP spoofing program and a Network Protocol Analyzer (I use Wireshark) and watch the fun when you power on your D-Link router.
What are we becoming? Now every sleazy behaviour is ok as long as you can opt-out? That hasn't worked for spam for the past 20 years, has everyone suddenly got a learning disorder?
Just to point out, if you RTFP (post) mattytee doesn't say it's ok, he says it's "hinky." Which might NOT mean okay. I admit, I don't know what it ACTUALLY means, so it might mean "good." I don't think I'd enjoy being called "hinky" so it doesn't sound like he's saying "You can opt out, so it's cool."
I have this router and it's worked really well - has been very stable and has a whole lot of really nice features - I do a lot of remote stuff both ways too and from work - not to mentioned bittorrent and binaries, webcams. Never have a problem, never have to reboot it.
Additionally the router has a feature that can email you when a new update comes out, the download page had a link for 1.21 with securespot and 1.21 without - I checked out what it was and decided against it. As others have mentioned. Below is the link I used:
ftp://ftp.dlink.com/Gateway/dir655/Firmware/dir655_firmware_121_no_securespot.zip
I agree with how most people feel, that they need to be a little more upfront - a lot of the people here aren't going to want that feature - however, there are some people who may - among other things I think it has parental controls, it's like websense for the home user.
When you're updating the firmware on any device and not paying attention to the changes and what they actually do you're going to end up getting fucked, - especially when it comes to consumer home devices like these.
I should note, $4.5k in hardware costs, $3.5k in development time to get it all dialed in right. :D
As well, the hardware in question was DIR-330's, which are roughly $95-100 off the shelf.
BitTorrent is usually the culprit for random router slugginess. Here's the instructions for solving it in DD-WRT by increasing the max connections.
Funny, Belkin still seems to be around.
I've actually dealt with a D-Link USB WiFi adapter that the USB connector wasn't soldered to the board.
It's a wonder the thing even worked at first without giving the user a problem. (Five minutes later, after the user complained, it was working fine... but it didn't work for long.)
Now I get to add DLink to the same list. Unless and until DLink issues a public apology and shows contrition for this, there they shall stay, alongside Belkin.
Schwab
Editor, A1-AAA AmeriCaptions
hinky: 1) Something as yet undefinable is wrong, out of place; not quite right; 2) "I've a bad feeling about that": something out of whack, wrong, off-kilter; 3) a state of being vaguely suspicious.
source: http://www.urbandictionary.com/define.php?term=hinky
this definition fits my previous (vague, contextual) knowledge of the term. some uses color towards sleazy, some towards kludgy; but they all have the general sense of something suspicious in some way.
WRT54G isn't *really* a comparable device. It lacks both gigabit ethernet as well as Wireless-N [draft2] support. Don't get me wrong, I love the WRT54 series, but you may as well compare apples to apples.