Slashdot Mirror


D-Link Apologizes For Router Security

Mark Wilson writes D-Link has issued an apology to its customers for an ongoing security issue with many of its routers. A problem with the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorization and run commands with escalated privileges. The list of routers affected by the issue is fairly lengthy, and D-Link has already issued one patch. But rather than fixing the problem, last week's update left routers wide open to exactly the same problem. As it stands at the moment, a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology. While unhelpful patches have already been issued, D-Link is currently working away on replacement firmware updates. The release dates for these patches are not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.

20 of 107 comments

  1. Words without actions are meaningless by TWX · · Score: 4, Insightful

    An apology doesn't really mean anything in this case, does it?

    --
    Do not look into laser with remaining eye.
    1. Re:Words without actions are meaningless by gstoddart · · Score: 5, Insightful

      Depends on how we define "mean anything".

      "We're sorry we have sold you shitty products but won't fix it" is just PR.

      "We're sorry we've sold you shitty products but will replace it at our expense" is actually doing something.

      I suspect this is one of those corporate apologies designed to say "fuck you, but thanks for playing, hopefully we've minimized the fallout of writing shitty products by issuing a half-assed apology".

      I'm hoping the absence of my DIR-615 isn't "we're sorry to tell you we made a shitty product and forgot to check if it was vulnerable".

      I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.

      --
      Lost at C:>. Found at C.
    2. Re:Words without actions are meaningless by ron_ivi · · Score: 3, Insightful

      "We're sorry we've sold you shitty products but will replace it at our expense" is actually doing something.

      The ideal response in my mind would be: "We're sorry - so here's how to unlock the boot-loader and here are third-party open source firmware providers that we tested for you."

    3. Re:Words without actions are meaningless by ruir · · Score: 2

      Firewall and linksys does not compute.

    4. Re:Words without actions are meaningless by LordLimecat · · Score: 2

      NAT provides implicit security, even if it is not explicit. Being on an unroutable subnet means there's really nothing an intruder can do to get to your PC short of static port mappings.

    5. Re:Words without actions are meaningless by Ravaldy · · Score: 2

      I worked for D-Link for over 7 years. The major issue has always been software, same as most low cost products. The competitors were also plagued with some of these issues because they used the same H/W and software with a different plastic case and different looking web interface. So chances are that not just D-Link has these issues but possibly Retail+, SOHO, and many of the other off brands you see at Wal-Mart, Best Buy and Staples.

      When I worked there, the biggest issue was competitors launching products before standards were ratified. This almost always resulted in rushed firmware and hardware which was a big issue for both D-Link and its competitors. Around 2003 a smart individual convinced the company to create a North American QC team. This team was comprised of people that had worked in technical support as well as technology experts. The results were much better products released in the US and Canada. Regardless, these types of security issues would not have been caught in QC due to their complex nature and the limited amount of resources available to the QC team.

      Nobody can ever tell me a PR apology is sincere since it's all about saving face but what do I really care about an apology? What matters is that the company issues a fix for the current issue and makes internal changes to avoid future issues.

    6. Re:Words without actions are meaningless by LordLimecat · · Score: 3, Informative

      I understand these things quite well, as I wouldn't be in the field if I didn't. NAT provides some degree of security in the sense that if you are on an IPv4 network (99% of home users) on an RFC 1918 network (99% of home users) with NAT enabled, it is impossible for anyone to send an unsolicited datagram to your computer behind the NAT.

      There are technologies which punch holes in this (like uPnP), but that does not change the implicit security.

      NAT in a typical Linux based router does not prevent someone on the external interface from talking to any port and any host on the internal network

      Then you have a static port mapping. Generally to get through the NAT you need to know the public IP and port (out of 65536) you want to connect to, which is dynamically assigned. Then you need to deal with the fact that anything you send is going to be pinned to a specific client port not of your choosing, and you will not know the correct source port to get the client to accept your unsolicited datagram (which will thence be dropped).

      I never said it was perfect security, but it prevents folks from accessing listening ports (like 135-139) as a listener port won't have a dynamic mapping-- only outbound traffic gets those.

      But you seem to think I'm wrong, so educate me. Let's set up a scenario.

      Gateway Public: 1.2.1.1
      Gateway private: 192.168.50.1
      Windows XP box: 192.168.50.5

      No firewalls, NAT on the gateway, Windows XP listening on port 135-139.
      What Layer3/4 headers are you going to use that's gonna get a packet delivered to one of those ports on that XP box?

    7. Re:Words without actions are meaningless by LordLimecat · · Score: 4, Informative

      For starters, I have read up on it, and many many vendors agree that it IS security.
      Sources:
      Cisco (Top 2 paragraphs of intro)
      http://www.cisco.com/web/about...
      SANS institute (Page 5, 2nd paragraph)

      And so on.

      As to your solution, it has a massive issue. Route tables must use next hops as their gateway; you could not enter a command like that targeting my WAN, and have it work, because my WAN IP would not be a next hop for your computer. The only thing your route table can do is instruct your computer which IP on your broadcast domain will be willing to handle your datagrams. At that point, it is up to that router to figure out the next hops.

      You will note I asked you what the L3 / L4 headers would be on your packet; this was specifically to demonstrate why such attacks would fail. You would have a source address of 9.9.9.9, and a destination of 192.168.50.5, and you would instruct your computer to pass that datagram off to a router at ethernet address 99:99:99:99:99:99 (your router), and he would promptly vomit and say "what the hell, I can't route an RFC1918". Add the route on your router, and you've shoved the issue back to your ISP, whose router would either fail to find a route for that subnet, or (more likely) outright reject it as a violation of RFC.

      The only scenario in which this attack makes sense is when the attacker IS the next hop, that is your ISP. And for 99.999% of users, this is not a realistic threat model they will face, and NAT will be "acceptable" security.

      No one argues that a stateful firewall is BETTER (as it prevents attacks like you mentioned), but to say that NAT adds no security whatsoever is being silly; major infrastructure vendors disagree with you.

    8. Re:Words without actions are meaningless by LordLimecat · · Score: 3, Insightful

      The "security" you attribute to NAT does not come from NAT, it comes from using "private" addresses.

      I'm pretty sure that's what I said, and no one is arguing that point. You're just insisting on being pedantic and condescending.

      Your original statement was that NAT is not security. This post of yours agrees that it is security in some shape. If we're agreeing there, then I don't think there's any reason to keep arguing. If you're disagreeing with that, I'd ask you to take it up with the links I provided and with stackexchange. I don't have the time to try to make Cisco and SANS' cases on their behalf, if you are unwilling to take their word on it.

      Besides, why do you trust your ISP not to snoop around on your network?

      Because it is an unusual attack scenario, and it would be illegal. It does happen, sure, and defending against a malicious ISP is far beyond the scope of most home security. Luckily for us every consumer OS made in the last 10 years has a stateful firewall, and every consumer router built in the last 10 years has a firewall, so it's not an issue.

      I mean good grief, 99% of home users are using the ISP provided DNS, and you're worried about probing through NAT in violation of the RFCs? DNS snooping is something that actually happens, and is actually legal. Risk assessment 101: focus on the probable threats.

      Without mentioning the need to filter incoming packets, that tutorial concludes: "A computer located in the internet is not able to establish a connection to a local computer, all he can do is address (a port of) the router and hope the best."
      Wrong, and leaves anyone who follows the tutorial vulnerable.

      As mentioned already, it is impossible in the absence of a published route to your network for someone to reliably send packets directly into a dynamically natted network. The fact that someone could splice onto your cable network is irrelevant, because at that level of effort they could probably climb in through your window and just steal all of your equipment. You're talking about extremely esoteric attacks.

      You're really doing people a disservice by perpetuating the myth that NAT adds security.

      I'm perpetuating the stance of major infrastructure vendors. Argue with them. I imagine you could contact support@cisco.com and explain why their statement that NAT fulfills a security role is incorrect.

      In the meantime I would suggest you cut the condescending attitude.
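    The scenario LordLimecat sets up above (gateway public 1.2.1.1, private 192.168.50.1, an XP box on 192.168.50.5 listening on 135-139, an attacker at 9.9.9.9) can be walked through in code. The following is an added example by the editor, not code from any commenter or from D-Link: a toy NAPT gateway that records each outbound flow, translates only replies that match it, and drops everything else. It assumes the router behaves as a port-restricted NAT in RFC 4787 terms (inbound accepted only from the exact remote address and port the inside host talked to); a "full cone" NAT would accept case 4 below, which is the gap a stateful firewall closes. All addresses and port numbers are the thread's or constructed for the example.

```python
"""Toy NAPT gateway: why unsolicited inbound datagrams are dropped, and what reopens the hole."""
import ipaddress
from dataclasses import dataclass

# The three RFC 1918 blocks; Python's ip_address.is_private also matches loopback,
# link-local etc., so the check is made explicit here.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


def is_rfc1918(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


class NatGateway:
    """Port-restricted NAPT (assumed router behaviour; real routers vary)."""

    def __init__(self, public_ip, private_ip, static_maps=None):
        self.public_ip = public_ip
        self.private_ip = private_ip
        # User-configured port forwards: (proto, public_port) -> (inside_ip, inside_port)
        self.static = dict(static_maps or {})
        # Dynamic mappings: (proto, public_port) -> (inside_ip, inside_port, remote_ip, remote_port)
        self.dynamic = {}
        self._next_port = 40000  # constructed ephemeral range start

    def outbound(self, pkt):
        """Inside -> Internet: allocate a public port and remember the whole flow."""
        for (proto, pub_port), flow in self.dynamic.items():
            if proto == pkt.proto and flow == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                break  # reuse the existing mapping for this flow
        else:
            pub_port = self._next_port
            self._next_port += 1
            self.dynamic[(pkt.proto, pub_port)] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port, pkt.proto)

    def inbound(self, pkt):
        """Internet -> gateway: (translated packet, reason) or (None, why it was dropped)."""
        if is_rfc1918(pkt.dst_ip):
            return None, "unroutable: an RFC 1918 destination never reaches the gateway"
        if pkt.dst_ip != self.public_ip:
            return None, "not addressed to this gateway"
        key = (pkt.proto, pkt.dst_port)
        if key in self.static:
            in_ip, in_port = self.static[key]
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto), "static mapping"
        if key in self.dynamic:
            in_ip, in_port, remote_ip, remote_port = self.dynamic[key]
            if (pkt.src_ip, pkt.src_port) != (remote_ip, remote_port):
                return None, "mapping exists but sender is not the peer of the outbound flow"
            return Packet(pkt.src_ip, pkt.src_port, in_ip, in_port, pkt.proto), "reply to outbound flow"
        return None, "no mapping for this public port"


def scenario():
    """The thread's scenario; returns each case as (translated packet or None, reason)."""
    gw = NatGateway("1.2.1.1", "192.168.50.1")
    xp, attacker = "192.168.50.5", "9.9.9.9"
    out = {}
    # 1. Attacker addresses the private IP directly: not routable, never arrives.
    out["direct"] = gw.inbound(Packet(attacker, 4444, xp, 139))
    # 2. Attacker probes the public IP on 139: no mapping, dropped.
    out["probe"] = gw.inbound(Packet(attacker, 4444, gw.public_ip, 139))
    # 3. XP sends a DNS query; the reply from the same peer is translated back.
    query = gw.outbound(Packet(xp, 50001, "8.8.8.8", 53, "udp"))
    out["reply"] = gw.inbound(Packet("8.8.8.8", 53, gw.public_ip, query.src_port, "udp"))
    # 4. Attacker guesses the dynamic public port but is not that flow's peer: dropped.
    out["hijack"] = gw.inbound(Packet(attacker, 53, gw.public_ip, query.src_port, "udp"))
    # 5. A static port forward (or a UPnP-created one) exposes 139 again.
    gw2 = NatGateway("1.2.1.1", "192.168.50.1", {("tcp", 139): (xp, 139)})
    out["forwarded"] = gw2.inbound(Packet(attacker, 4444, gw2.public_ip, 139))
    return out


if __name__ == "__main__":
    for name, (pkt, why) in scenario().items():
        print(f"{name:10s} {'FORWARDED to ' + pkt.dst_ip + ':' + str(pkt.dst_port) if pkt else 'DROPPED':35s} {why}")
```

    Cases 1, 2 and 4 are the "implicit security" argued for above; case 3 is the only inbound traffic that gets through, and only because the gateway kept state about the outbound flow, which is the stateful-firewall behaviour the thread ends up agreeing is the real protection. Case 5 shows why a single port forward or UPnP mapping is enough to undo it for that port.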

  2. im sure it took a few tries. by nimbius · · Score: 2

    Dear Customer,
    As you may know D-Link recently suffered a security exploit on our routers. Rest assured, as a company that relies on the rock-solid performance of our own affordable, reliable network hardware we took immE8!3#@T@[NO CARRIER]

    --
    Good people go to bed earlier.
    1. Re:im sure it took a few tries. by the_B0fh · · Score: 2

      The NO CARRIER jokes were funny when triggered by +++ATH0+++

  3. Good security by ArhcAngel · · Score: 4, Interesting

    I think D-Link has excellent security. The minute you try to use it the hardware dies. I have some of the old metal box Netgear desktop switches that will outlive me. Almost all of my D-Link products have died prematurely.

    --
    "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
  4. you don't want their actions. by Lead+Butthead · · Score: 4, Interesting

    Keep in mind this is a company that has a history of doing malicious things: willful violation of the GPL that was resolved only when they were dragged into court and lost, hard coding a default time server IP address in firmware (imagine hundreds of thousands of them all attempting to sync at the same time daily). It demonstrated a culture of (sociopathic) disregard for others; that alone is reason enough to not buy any of their products.

    --
    ELOI, ELOI, LAMA SABACHTHANI!?
  5. Re:Automated Testing by Nerrd · · Score: 3, Insightful

    Automated Testing really only works for making sure things work the way they're supposed to work. There really is no such thing as automated Penetration Testing.

  6. Our customers won't know by ITRambo · · Score: 3, Insightful

    The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

    1. Re:Our customers won't know by Anonymous Coward · · Score: 2, Insightful

      The majority of our customers have no idea how routers work, let alone that they can update its firmware. When we explain that a router is a mini-computer that offers a high level of control to them, some of their eyes glaze over as they think a port is what you plug a cable into. When told that firmware can be updated using DD-WRT or the latest OEM version to patch vulnerabilities, only a few understand how to do this, even when we explain it to them. We do offer to perform the work for them, but most don't care unless their router is acting wonky. Unless D-Link sends letters, not an email that would likely be perceived as spam, to registered owners with simple instructions on how to update firmware, very few of their routers will be patched in the real world.

      Yes, this is absolutely true.

      But, more importantly, consumers SHOULDN'T HAVE TO patch the firmware in their routers. No software is perfect, but this is just getting ridiculous. It's not just D-Link, even though they may be among the worst of the worst, there is now a complete disregard, industry wide, for even the most basic standards of quality.

  7. Re:Automated Testing by TechyImmigrant · · Score: 3, Interesting

    What he wants is automated regression testing. They did know about the bug before they tried to fix it.

    --
    I should use this sig to advertise my book ISBN-13 : 978-1501515132.
  8. Re:Friends by rubycodez · · Score: 3, Funny

    (hand holds egg) This is your home network. (breaks egg into frying pan). This is your home network on D-Link. Any questions?

  9. Re:Automated Testing by rubycodez · · Score: 2

    Yes there is. In fact many types of compliance audits, like PCI Level I, require it.

    Look up "vulnerability scanner"

  10. OpenWRT by Shadow+IT+Ninja · · Score: 5, Informative

    I'm glad I did my recent router shopping by starting with the list of OpenWRT supported devices. OpenWRT is a community supported router firmware. There is more active scrutiny of OpenWRT than proprietary manufacturer firmwares. They support hardware more actively and longer than the manufacturers, themselves, do because they use a common source with many hardware models. There is less likelihood of backdoors being introduced or going unnoticed if they are introduced. I'm talking about backdoors like the famous port 32764 back door which was found and patched but then the patch was reverse engineered and found to just hide the back door better.

    Now this story highlights another issue which is that the manufacturers are trying to add features to their routers. This is antithetical to security. The best thing for security is to keep it simple. HNAP, the basis of the vulnerability in this story, is just such a feature which I don't need or want. I think this all adds up to a situation where you want to avoid manufacturer supplied firmware if at all possible.