Slashdot Mirror
D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection
chronopunk writes "Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"
You have to manually upgrade the firmware and going back to plan old 1.20 is exactly the same process. It's not exactly hard to "disable". I have this router and also recently updated my firmware but I have not encountered this yet...
If you RTFA, you'll see that you CAN disable it.
Still pretty hinky, though.
I haven't upgraded to 1.21; however, the reason was when 1.21 first dropped it had SecureSpot. Now I found this out by reading the information on 1.21 so I didn't download and install it. They now (and have for some time) offer 1.21 without SecureSpot; perhaps you should download and install that.
Replying to myself to add some info. Firmware v1.20 doesn't have the "Advanced -> Secure Spot" page they mention so it really seems to be be new in v1.21. The 1.20 firmware can still be downloaded from here.
My other account has a 3-digit UID.
Plus, upgrading your firmware "just because". Why?
Because router firmware upgrades often mean closing security holes.
My other account has a 3-digit UID.
The non securespot version has been there since the firmware was released. Its simply a case of the submitter not reading and comprehending. Either way, it asks you if you want to try it twice, and then leaves you alone.
Back in 2003 Belkin introduced a router that periodically redirected HTTP connections to advertise its own software:
Help! my Belkin router is spamming me
Some commentary:
Ease-of-use or marketing-driven sabotage: Does your hardware's software do only what you expect of it?
Here's an old article about Belkin doing a very similar thing:
Belkin, the consumer networking and connectivity firm, has promised customers a firmware upgrade to disable a controversial 'spamming' feature built into its routers.
As first reported on The Reg last week, the feature hijacks random HTTP requests every eight hours and redirects users to a page advertising Belkin's parental control software. There is an opt-out link but that failed to appease Net users who accused Belkin of creating a new mechanism for spam.
Only buy home routers that can run opensource firmwares. I'm quite happy with my WRT54GL, although the hardware is a bit antiquated at this point.
Linksys isn't so bad if you replace the firmware. Try dd-wrt if you want quick and easy, or OpenWRT if you want to customize. I guarantee you'll like 'em. (Get a WRT-54GL to try it on; they're cheap nowadays.)
There are routers that run open source firmware. An example of a company that uses open source firmware is Canyon. I've had one for a couple of years now. I got the first hardware revision, so I haven't been able to upgrade my firmware to the latest, but my model is still manufactured, albeit in a later hardware revision and the firmware is open source. Works like a charm.
People are not wearing enough hats.
This is the original poster. I did a firmware upgrade from withing the router setup page not by downloading it from their website.
Thirded. I just completed a project that cost about $8k dollars by rolling a customized OpenWRT/DD-WRT setup that includes 802.1q VLANs (no wonky iptables junk to seperate networks), 802.1x with authentication against ActiveDirectory, public and private SSIDs available from a single access point, the list goes on.
OpenWRT is enterprise wireless firmware for free that runs on home consumer priced hardware, making it enterprise quality hardware. (Although lacking POE)
My company was going to spend about $75k on a comparable solution from Aruba and I was able to squeeze out every single feature they offer from OpenWRT. So instead of $75k, we're spending $4,500 for the same feature set. Not bad.
So, while D-Link's own firmware is goofy, if you just buy their box and wipe it it you'll be saving yourself money in the long run.
I have the DIR-625 and have tested out the Secure-Spot (3.06) firmware and even when its disabled it still phones-home and uses an SSL connection. Naturally you can not issue it a fake certificate to see what its really sending back. Test setup: 2 Routers, Favorite ARP spoofing program and a Network Protocol Analyzer (I use Wireshark) and watch the fun when you power on your D-Link router.
hinky: 1) Something as yet undefinable is wrong, out of place; not quite right; 2) "I've a bad feeling about that": something out of whack, wrong, off-kilter; 3) a state of being vaguely suspicious.
source: http://www.urbandictionary.com/define.php?term=hinky
this definition fits my previous (vague, contextual) knowledge of the term. some uses color towards sleazy, some towards kludgy; but they all have the general sense of something suspicious in some way.