D-Link Apologizes For Router Security

← Back to Stories (view on slashdot.org)

D-Link Apologizes For Router Security

Posted by samzenpus on Monday April 20, 2015 @03:02AM from the our-bad dept.

Mark Wilson writes D-Link has issued an apology to its customers for an on-going security issue with many of its routers. A problem with the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorization and run commands with escalated privileges. The list of routers affected by the issue is fairly lengthy, and D-Link has already issued one patch. But rather than fixing the problem, last week's update left routers wide open to exactly the same problem. As it stands at the moment, a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology. While unhelpful patches have already been issued, D-Link is currently working away on replacement firmware updates. The release dates for these patches is not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.

7 of 107 comments (clear)

Min score:

Reason:

Sort:

Words without actions are meaningless by TWX · 2015-04-20 03:05 · Score: 4, Insightful

An apology doesn't really mean anything in this case, does it?

--
Do not look into laser with remaining eye.
1. Re:Words without actions are meaningless by gstoddart · 2015-04-20 03:16 · Score: 5, Insightful
  
  Depends on how we define "mean anything".
  "We're sorry we have sold you shitty products but won't fix it" is just PR.
  "We're sorry we've solve you shitty products but will replace it at our expense" is actually doing something.
  I suspect this is one of those corporate apologies designed to say "fuck you, but thanks for playing, hopefully we've minimized the fallout of writing shitty products by issuing a half-assed apology".
  I'm hoping the absence of my DIR-615 isn't "we're sorry to tell you we made a shitty product and forgot to check if it was vulnerable".
  I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.
  
  --
  Lost at C:>. Found at C.
2. Re:Words without actions are meaningless by ron_ivi · 2015-04-20 03:22 · Score: 3, Insightful
  
  "We're sorry we've solve you shitty products but will replace it at our expense" is actually doing something.
  The ideal response in my mind would be: "We're sorry - so here's how to unlock the boot-loader and here are third-party open source firmware providers that we tested for you."
3. Re:Words without actions are meaningless by LordLimecat · 2015-04-20 22:57 · Score: 3, Insightful
  
  The "security" you attribute to NAT does not come from NAT, it comes from using "private" addresses.
  Im pretty sure thats what I said, and no one is arguing that point. You're just insisting on being pedantic and condescending.
  Your original statement was that NAT is not security. This post of yours agrees that it is security in some shape. If we're agreeing there, then I dont think theres any reason to keep arguing. If youre disagreeing with that, Id ask you to take it up with the links I provided and with stackexchange. I dont have the time to try to make Cisco and SANS' cases on their behalf, if you are unwilling to take their word on it.\
  
  . Besides, why do you trust your ISP not to snoop around on your network?
  
  Because it is an unusual attack scenario, and it would be illegal. It does happen, sure, and defending against a malicious ISP is far beyond the scope of most home security. Luckily for us every consumer OS made in the last 10 years has a stateful firewall, and every consumer router built in the last 10 years has a firewall, so its not an issue.
  I mean good grief, 99% of home users are using the ISP provided DNS, and you're worried about probing through NAT in violation of the RFCs? DNS snooping is something that actually happens, and is actually legal. Risk assessment 101: focus on the probable threats.
  Without mentioning the need to filter incoming packets, that tutorial concludes: "A computer located in the internet is not able to establish a connection to a local computer, all he can do is address (a port of) the router and hope the best."
  Wrong, and leaves anyone who follows the tutorial vulnerable.
  As mentioned already, it is impossible in the absence of a published route to your network for someone to reliably send packets directly into a dynamically natted network. The fact that someone could splice onto your cable network is irrelevant, because at that level of effort they could probably climb in through your window and just steal all of your equipment. You're talking about extremely esoteric attacks.
  
  You're really doing people a disservice by perpetuating the myth that NAT adds security.
  
  Im perpetuating the stance of major infrastructure vendors. Argue with them. I imagine you could contact support@cisco.com and explain why their statement that NAT fulfills a security role is incorrect.
  In the meantime I would suggest you cut the condescending attitude.
Re:Automated Testing by Nerrd · 2015-04-20 03:19 · Score: 3, Insightful

Automated Testing really only works for making sure things work the way they're supposed to work. There really is no such thing as automated Penetration Testing.
Our customers won't know by ITRambo · 2015-04-20 03:23 · Score: 3, Insightful

The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware. very few of their routers will be patched in the real world.
1. Re:Our customers won't know by Anonymous Coward · 2015-04-20 03:37 · Score: 2, Insightful
  
  The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware. very few of their routers will be patched in the real world.
  Yes, this is absolutely true.
  But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.