Slashdot Mirror

← Back to Stories (view on slashdot.org)

D-Link Warns of Vulnerable Routers

Posted by kdawson on from the in-the-front-door dept.

wiedzmin sends in news of a vulnerability in some D-Link home routers. The company has made new firmware available for download. "D-Link announced today that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4), and DIR-635 (version B). The problem lies in D-Link's implementation of Cisco's Home Network Administration Protocol, which allows remote router configuration. The scope of the vulnerability is greatly reduced by the fact that these router models were not shipped with the affected firmware by default, so only customers who updated their firmware are potentially affected. Or at least this was indicated in the company's response to the SourceSac claim that all D-Link routers sold since 2006 were affected." SourceSec apparently made their research available, including an exploitation tool, without ever contacting D-Link.

7 of 133 comments (clear)

  1. Wouldn't the responsible thing be... by JoshDD · · Score: 4, Insightful

    to contact D-Link first? Maybe D-Link could have updated the firmware before this exploit became public knowledge. I doubt SourceSec cares about D-Links customers.

    1. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 4, Insightful

      hahahaha
      dlink wouldve done jack shit like every other company without being publicly humiliated.

    2. Re:Wouldn't the responsible thing be... by h4rr4r · · Score: 2, Insightful

      All that would have earned them is a lawsuit. Plus Dlink would never have fixed it.

    3. Re:Wouldn't the responsible thing be... by Anonymous Coward · · Score: 2, Insightful

      I don't think anyone on the planet can find a D-Link security contact. More responsible companies make this easy.

    4. Re:Wouldn't the responsible thing be... by Koby77 · · Score: 4, Insightful

      But what does SourceSac get out of the deal? Is the publicity for essentially releasing a 0-day really going to earn them that much money? Despite their brilliance in discovering such a flaw, I'm not sure anyone would want to associate themselves with this company for security. With friends like this....

    5. Re:Wouldn't the responsible thing be... by Wrath0fb0b · · Score: 2, Insightful

      dlink wouldve done jack shit like every other company without being publicly humiliated.

      Yes, but it would have been even more humiliating to say "We provided them with an exploit 4 weeks ago and they still haven't done shit, so now we are going public". That has the added advantage of giving them the chance to do the right thing, even if they don't take it and makes them look like douches instead of the security company.

    6. Re:Wouldn't the responsible thing be... by Wrath0fb0b · · Score: 4, Insightful

      The only reasonable solution to reduce vulnerability in the wild is to publicly expose the issues to force vendor resolution more quickly. Seems counterintuitive, but it does work.

      While that seems reasonable if the vendor either doesn't care or is dragging along on a fix, in this case they didn't even tell the vendor in the first place. Perhaps it's unlikely that DLINK would have responded to the security company but it seems they deserved a chance to do the right thing. It's not that disclosure is wrong, it's just that it's wrong at that stage of the game -- they would have lost nothing by trying to cooperate with D-Link and only disclosing if those lesser steps failed (or took too long). Plus, think about how much worse it sounds:

      "Here's a huge vulnerability that we discovered but didn't tell anyone until now. Surprise!"

      versus

      "Here's a huge vulnerability that we discovered. We went to D-Link 3-4 weeks ago and they wouldn't give us the time of day. Finally, we go through to someone that assigned it a low-priority and has been promising a fix but not delivering. At this point, we are tired of hearing their excuses and we don't think they are interested in fixing it so we are disclosing it."

      TL;DR version: Public disclosure is the last resort, not the first. Carrot first, stick second.