D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection
chronopunk writes "Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"
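The symptom the submitter describes, a public name such as Google's resolving to the router's own splash page, is easy to confirm from a client without a packet capture: send the same A query to the router's resolver and to a reference resolver and compare the answers. A public hostname that comes back as a LAN address (10/8, 172.16/12, 192.168/16 or link-local) is a redirect by the gateway, not a CDN quirk. The script below is an added example written for this page; it is not D-Link code and is not from the thread. It builds and parses raw RFC 1035 messages so it has no dependencies; the domain, the resolver addresses in the `__main__` block and the sample responses are constructed test data, and 203.0.113.x is the documentation range rather than any real server.

```python
"""Detect a gateway resolver that answers a public name with a LAN address.

Added example for this thread (not D-Link's firmware or the SecureSpot code).
"""
import ipaddress
import socket
import struct

# Answering a public hostname with an address in one of these ranges means the
# gateway, not the authoritative DNS, chose where the browser ends up.
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Encode a recursive A/IN query for `name` (RFC 1035 section 4.1)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)   # QTYPE=A, QCLASS=IN


def _skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends here
            return off + 2
        off += 1 + length


def parse_a_answers(msg: bytes) -> list:
    """Return the IPv4 addresses carried in the answer section of a response."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    off = 12
    for _ in range(qd):                 # step over the echoed question(s)
        off = _skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, off)
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(msg[off:off + 4])))
        off += rdlen
    return addrs


def classify(router_answers, reference_answers) -> str:
    """'hijacked' if the router points a public name into the LAN, 'suspicious'
    if it answers nothing or nothing the reference resolver also returns, else
    'clean'. Disagreement alone is only suspicious because CDNs legitimately
    hand different resolvers different addresses."""
    if not router_answers:
        return "suspicious"
    if any(ipaddress.ip_address(a) in net for a in router_answers for net in LAN_NETS):
        return "hijacked"
    if not set(router_answers) & set(reference_answers):
        return "suspicious"
    return "clean"


def query(server: str, name: str, timeout: float = 2.0) -> list:
    """Send build_query() to `server`:53 over UDP and return the A answers."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    if data[:2] != q[:2]:
        raise ValueError("DNS transaction id mismatch")
    return parse_a_answers(data)


def build_response(query_msg: bytes, addrs) -> bytes:
    """Construct a wire-format answer to `query_msg` (used only for test data)."""
    question = query_msg[12:_skip_name(query_msg, 12) + 4]
    header = query_msg[:2] + struct.pack("!HHHHH", 0x8180, 1, len(addrs), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4)
                   + ipaddress.IPv4Address(a).packed for a in addrs)
    return header + question + rrs


# Constructed samples: a hijacking gateway answers with its own LAN address,
# the reference resolver with (documentation-range stand-ins for) real hosts.
HIJACKED_RESPONSE = build_response(build_query("www.google.com"), ["192.168.0.1"])
REFERENCE_RESPONSE = build_response(build_query("www.google.com"),
                                    ["203.0.113.10", "203.0.113.11"])

if __name__ == "__main__":
    offline = classify(parse_a_answers(HIJACKED_RESPONSE),
                       parse_a_answers(REFERENCE_RESPONSE))
    print("constructed sample:", offline)                     # hijacked
    # Live check (assumed addresses: gateway 192.168.0.1, a public resolver 9.9.9.9):
    # print(classify(query("192.168.0.1", "www.google.com"),
    #                query("9.9.9.9", "www.google.com")))
```

Run the live check from a LAN client with the gateway address substituted; a 'hijacked' verdict for a well-known public name is exactly the splash-page redirect discussed in this thread, and 'suspicious' alone deserves a second query before drawing conclusions.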
Is this even legal? This is my device; if it does something I don't like, and can't disable it, that seems like an attack on my rights; to do it to sell ads... that's just low, D-Link!
Well, I for one welcome our new SUBSCRIPTION REQUIRED overlords!
Please click here to renew subscription!
Moved to http://soylentnews.org/. You are invited to join us too!
I've been using rev1.21 for a few weeks now and I haven't seen this behavior at all.
Wednesday, November 05, 2008 5:51:22 PM
Firmware Version : 1.21, 2008/09/11
*shrug*
Before installing the new firmware, are you asked if this is okay? If not, do they make it clear how it can be disabled?
I am now reluctant to upgrade my D-Link firmware. Is it easy and clear that one can opt out?
Thank you so much for the warning! I'll stay on 1.20 then and my next router certainly won't be a D-link.
My other account has a 3-digit UID.
I helped my father-in-law purchase a wireless router for his home and set it up for him recently. I was rather surprised when I updated the firmware and was then greeted by spam upon opening a web browser. I have to say that I'm really disappointed by d-link on this one. Here's to hoping that the backlash is enough to make them reconsider doing this type of stuff again.
Generally speaking, I'm a fan of their networking equipment (own a dgl-4300 that I'm very happy with myself), but if this is the direction that they are going in, I won't be buying or recommending their stuff anymore. I plan on e-mailing them and telling them I am unhappy with their practices.
Won't be buying any more Dell hardware for a while!
Check out my sci-fi book "Lacuna" at http://goo.gl/MVxX8
I haven't upgraded to 1.21; however, the reason was when 1.21 first dropped it had SecureSpot. Now I found this out by reading the information on 1.21 so I didn't download and install it. They now (and have for some time) offer 1.21 without SecureSpot; perhaps you should download and install that.
>You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side.
>D-Link Customer Service
Unethical to enable it by default and not tell the customer about it *until* it hijacks the connection (if you ask me) but easily disabled apparently.
Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
Plus, upgrading your firmware "just because". Why?
Because router firmware upgrades often mean closing security holes.
My other account has a 3-digit UID.
The non-SecureSpot version has been there since the firmware was released. It's simply a case of the submitter not reading and comprehending. Either way, it asks you if you want to try it twice, and then leaves you alone.
there's a separate link at their firmware download page for the DIR-655 that says (in plain view, in a sensible spot): Click here for Firmware 1.21 WITHOUT SecureSpot 2.0
Well, I highly doubt that most customers know what "SecureSpot" is. So how are they supposed to know to download the non-annoying firmware update? Of course, you may say that this is the customer's problem: they should read up on all the features that are being installed in the firmware update, and be sure that this is really what they want, etc.
And, yes, in principle everyone should read every line of each and every EULA.
The fact is that any reasonable person would expect a firmware update to only fix bugs and security flaws. It would not be normal to expect entirely new features to be installed, and it is certainly abnormal for the new "feature" to actually include nagware that prompts you to pay for some new service.
The point here is that what they are doing is sleazy. The default configuration should have that redirect turned off. The link for a "without SecureSpot" firmware is nice, but the fact is that 99.9% of users will only notice that after they have already installed, and been annoyed by, the default update.
It's an annoying thing to do with a firmware update. And in that sense, it's a reason to not do business with them.
Back in 2003 Belkin introduced a router that periodically redirected HTTP connections to advertise its own software:
Help! my Belkin router is spamming me
Some commentary:
Ease-of-use or marketing-driven sabotage: Does your hardware's software do only what you expect of it?
Personally I'd be very happy if I got two oranges rather than just one!
When one person suffers from a delusion, it is called insanity. When many people suffer from a delusion, it is called religion.
Here's an old article about Belkin doing a very similar thing:
Belkin, the consumer networking and connectivity firm, has promised customers a firmware upgrade to disable a controversial 'spamming' feature built into its routers.
As first reported on The Reg last week, the feature hijacks random HTTP requests every eight hours and redirects users to a page advertising Belkin's parental control software. There is an opt-out link but that failed to appease Net users who accused Belkin of creating a new mechanism for spam.
Conclusion? Non-story.
What if I want SecureSpot for its useful features? What if I didn't know SecureSpot redirects me like that?
Well now I know why the media is so sensationalist and ridiculous - apparently the average citizen / slashdotter isn't any better...
If it was that easy to resolve why even bother taking the time to post about it? It seems like it took longer to complain than it did to fix it.
You are using English. Please learn the difference between loose and lose; they're, there, and their; your and you're.
I think we're all agreeing that the submitter is an idiot for not reading before downloading and the editors should not have posted this "story" in the first place.
Thread closed.
I've owned several D-Link routers, either through no fault of my own or pressed for time and had to buy it. In all of the years I've had to deal with them, I've learned this:
D-Link is Shit. Buy Linksys.
After massive amounts of pain with consumer/prosumer-grade (many of the D-Link) routers in the past two years, I finally dropped real money for a real broadband router earlier this year. So far, I've had months and months of trouble-free service.
Now I start hearing crap like this. Makes me even MORE thankful I bit the bullet.
Also, "you can turn it off!" apologists? WHY IS IT ON BY DEFAULT? Moreover, tell that to some luddite who barely understands how to boot his computer.
Chas - The one, the only.
THANK GOD!!!
Even if there's an option to disable this, the fact that it seems to be enabled by default is enough for me. D-Link from this point on will never be on my list of vendors when looking for networking gear.
Apparently they didn't learn from the shitstorm that hit belkin when they did the exact same thing years ago.
Another vendor goes down the tubes...
Only buy home routers that can run opensource firmwares. I'm quite happy with my WRT54GL, although the hardware is a bit antiquated at this point.
I would agree. I, too, downloaded the version without SecureSpot. When I saw that there were two versions, I went back and double-checked what the difference was between the two versions. Saved myself some trouble.
I have to say, though, that Belkin has done this for years. I had a Belkin 54g router that always spammed me with child protection features after every firmware update. I am surprised that no one else has mentioned Belkin in this. (Or did I mod filter them out?)
This cannot be allowed to go unpunished. Google should sue since it was their domain name that was hijacked and a clear attack on their business.
Google should sue because they have lots of high-priced lawyers and can really make DLink regret this.
"It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
If true, that's the end of D-Link. We would never buy from them again.
Why are marketing people allowed to destroy companies? Then they go to a new company and do it again.
D-link: now with built in dns spoofing.
So let's see, Linksys makes generic crap. I'm not completely impressed with my NETGEAR device so I don't think they're that great either. Don't even get me started on how bad Belkin's stuff was. D-Link sounded good, but now this?
NOW what do we go with?
I do agree it's not a HUGE issue since it's able to be disabled, but it's still not good that it's an opt-in thing. I'd be buying a piece of hardware to connect to the Internet, NOT a subscription service. It may be good for those not comfortable with computers, but still, not so comfortable for those that DO understand them.
Pancakes. Oh I blew it.
Plus, upgrading your firmware "just because". Why?
Because router firmware upgrades often mean closing security holes.
While one might think this at first, there's no evidence that this is the case for this incident. It's just as likely, without a firmware being released with specific notes about "holes" that it "plugged", that the update created more bugs.
In this case, it was "I felt like upgrading the firmware". The downfalls: User obviously didn't know how the feature set changed (because didn't do research before upgrading the firmware, just saw that one number was larger than the other) and there's always the possibility of bricking your router that is already working just peachy.
So, no, I don't accept your reasoning, even though it seems "sensible" at the start.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Linksys isn't so bad if you replace the firmware. Try dd-wrt if you want quick and easy, or OpenWRT if you want to customize. I guarantee you'll like 'em. (Get a WRT-54GL to try it on; they're cheap nowadays.)
It's clearly listed on their website: http://support.dlink.com/products/view.asp?productid=DIR-655
A conservative is a man with two perfectly good legs who, however, has never learned to walk forward. -- FDR
Sounds like a prime example of what happens when salespeople get too much of a say in the development process. Wonder if they made them back-burner fixing actual bugs and security holes in favor of adding adware like this?
This is the original poster. I did a firmware upgrade from within the router setup page, not by downloading it from their website.
From the goddamn article:
So, you can turn it off. Not only that, but as of 9/30 there's a separate link at their firmware download page for the DIR-655 that says (in plain view, in a sensible spot): Click here for Firmware 1.21 WITHOUT SecureSpot 2.0
Plus, upgrading your firmware "just because". Why?
Double flame to you buddy.
1) I wouldn't call "WITHOUT SecureSpot 2.0" in plain view. It's not like SecureSpot means anything to me. It has the name Secure so it sounds like something I would want. Now if they named it KickInTheBalls 2.0 or maybe SlapInTheFace 3.2 I would know to avoid it. SecureSpot means nothing to me.
2) Upgrading firmware on a firewall/router, why? Are you kidding me? You're going to belittle people who proactively secure their main entry point to the outside world? From now on you should lose your Slashdot posting privs.
Thirded. I just completed a project that cost about $8k by rolling a customized OpenWRT/DD-WRT setup that includes 802.1q VLANs (no wonky iptables junk to separate networks), 802.1x with authentication against Active Directory, public and private SSIDs available from a single access point, the list goes on.
OpenWRT is enterprise wireless firmware for free that runs on home consumer priced hardware, making it enterprise quality hardware. (Although lacking POE)
My company was going to spend about $75k on a comparable solution from Aruba and I was able to squeeze out every single feature they offer from OpenWRT. So instead of $75k, we're spending $4,500 for the same feature set. Not bad.
So, while D-Link's own firmware is goofy, if you just buy their box and wipe it you'll be saving yourself money in the long run.
Ah, I found one. The Risks Digest, Volume 16: Issue 55, Weds 9 November 1994. The relevant section is reprinted below for preservation's sake, edited only for spelling ("entirity"), converting asterisk-marked text to strong text, formatting, block quoting, and adding links.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
So your message is "it's just a small pile of shit, swallow it already?"
No, sir!
It's still abuse if it's a small abuse. There's no such thing as "a little pregnant" or "a little dead". Abuse is abuse is abuse.
Why is this abuse? Because you will be very hard pressed to find a single customer who bought the product, expecting such a feature or, had you asked him, approving it.
If I give you a contract to paint my living room, that does not include the permission to record a porn movie while you're at it. And if I buy a router to handle my traffic, I don't give it permission to reroute me to advertisement.
Assorted stuff I do sometimes: Lemuria.org
The non securespot version has been there since the firmware was released.
"without SecureSpot" certainly doesn't sound like "without spam". It much more sounds like that version is lacking a security feature, don't you think?
Either way, it asks you if you want to try it twice, and then leaves you alone.
So? It shouldn't even "ask" once. Remember that "ask" in this case means intercepting and manipulating traffic. I'm not familiar with applicable US law, but in the UK and Germany, where I know the law a little, this "feature" runs afoul of criminal laws.
Besides, what kind of attitude is that? It's ok to feel up your wife if I stop after being told twice not to?
Assorted stuff I do sometimes: Lemuria.org
This firmware has been in beta for almost 2 years. It adds the SecureSpot feature which allows for web filtering. The idea with the splash page is to allow the users to immediately decide whether they want the feature enabled or not. So, I install a new DIR-655 router, my kids are immediately blocked from all internet access. If I decide to disable it, suddenly everyone can get to their favorite porn website. If I turn it on, I now have parental controls and the kids can only get to the sites/categories I approve. Is it really that bad that they are forcing you to "choose whether you want the feature on or off?" Maybe they could have disabled it by default, but those that want the feature may never realize it's there.
I do not agree with that. DNS hijacking should be considered illegal criminal activity, regardless of what the reason was. We have enough problems with DNS attacks, the last thing we need is for a company like D-Link to try and legitimize it.
If I buy a router, I wanted the router. I would not buy a router if I wanted a security stack; I would buy security software.
Palm trees and 8
Ya, but that's what release notes are for... I don't upgrade till I have a reason to. Back in my "Firmware Release Whore" days, I downgraded often, and it was a pain in the ass. (BEFSR41, the best residential router of its time IMHO)
That sinking feeling deep in your gut when you KNOW you screwed up bad summed up with: {head desk} {head desk}
Ahhhh, the answer is right there..... This is Slashdot. Half of it's purpose is to complain. Not that I'm complaining.....
That sinking feeling deep in your gut when you KNOW you screwed up bad summed up with: {head desk} {head desk}
I have the DIR-625 and have tested out the Secure-Spot (3.06) firmware and even when it's disabled it still phones home and uses an SSL connection. Naturally you cannot issue it a fake certificate to see what it's really sending back. Test setup: 2 routers, favorite ARP spoofing program and a network protocol analyzer (I use Wireshark), and watch the fun when you power on your D-Link router.
I have this router and it's worked really well. It has been very stable and has a whole lot of really nice features. I do a lot of remote stuff both ways, to and from work, not to mention bittorrent and binaries, webcams. Never have a problem, never have to reboot it.
Additionally the router has a feature that can email you when a new update comes out. The download page had a link for 1.21 with SecureSpot and 1.21 without. I checked out what it was and decided against it, as others have mentioned. Below is the link I used:
ftp://ftp.dlink.com/Gateway/dir655/Firmware/dir655_firmware_121_no_securespot.zip
I agree with how most people feel, that they need to be a little more upfront - a lot of the people here aren't going to want that feature - however, there are some people who may - among other things I think it has parental controls, it's like websense for the home user.
When you're updating the firmware on any device and not paying attention to the changes and what they actually do you're going to end up getting fucked, - especially when it comes to consumer home devices like these.
Oh, it wouldn't, eh?
iPhone users, you hear that? You should be pissed at Apple for adding new features to your phone. How dare they try to make you experience better. Same for you Tivo users, and early adopters everywhere. Tell the companies: I bought your product when it sucked, and I LIKE it that way. STOP TRYING TO MAKE MY EXPERIENCE BETTER!
I'm sorry, but you're an idiot. Firmware upgrades frequently add new features, and if those features are intended to make your internet connection more secure, then it is ABSOLUTELY reasonable for them to be added. I agree that the way D-Link handles the process (assuming that it is really the way it's described in the article) is bad, but the mere addition of the feature isn't. Criticize them all you want for their nagware, but don't be an idiot and complain that just because they are trying to add new features to their products they are somehow a bad company.
Brilliant strategy... A company pisses you off, so you boycott their competitor. That'll teach 'em!
I should note, $4.5k in hardware costs, $3.5k in development time to get it all dialed in right. :D
As well, the hardware in question was DIR-330's, which are roughly $95-100 off the shelf.
What annoys me about my D-Link DSL-504T router is that although it runs some sort of customised GNU/Linux (I did "ssh admin@10.1.1.1" and had a look inside), their documentation and website make not the slightest mention of this, let alone make the source code available.
We live in a world where we have to automatically upgrade adobe PDF, java, windows, iTunes, firewalls, antiviruses, antispam, smartphones, wmv codecs, xvid codecs, divx codecs, everything HP ever produced, video game consoles, etc. Of course people automatically update their routers: it's what we've been conditioned to do.
The ______ Agenda
Now I get to add DLink to the same list. Unless and until DLink issues a public apology and shows contrition for this, there they shall stay, alongside Belkin.
Schwab
Editor, A1-AAA AmeriCaptions
Regardless of whether or not you can disable it, unless it was an *advertised* feature -- if it redirected you to a fake, substitute website that was other than the website you _thought_ you were going to, isn't that evidence of an unauthorized invasion and hack of the device to introduce a 3rd-party, fraudulent, redirection mechanism that can potentially be used not only by D-Link, but also by a cracker attempting a phishing exploit?
In the US, the unauthorized addition of redirection software to a hardware device (which itself would probably qualify as a small computer), with the right lawyer or prosecutor, could result in jail time for the perp, or, if it's a corporation, probably a bonus for the project manager. ;^/