Slashdot Mirror

← Back to Stories (view on slashdot.org)

D-Link Apologizes For Router Security

Posted by samzenpus on from the our-bad dept.

Mark Wilson writes D-Link has issued an apology to its customers for an on-going security issue with many of its routers. A problem with the Home Network Administration Protocol (HNAP) means that it is possible to bypass authorization and run commands with escalated privileges. The list of routers affected by the issue is fairly lengthy, and D-Link has already issued one patch. But rather than fixing the problem, last week's update left routers wide open to exactly the same problem. As it stands at the moment, a firmware patch is still being produced for a total of 17 routers. In the meantime, all D-Link has to offer is an apology. While unhelpful patches have already been issued, D-Link is currently working away on replacement firmware updates. The release dates for these patches is not yet set in stone, but some are due today (20 April), some tomorrow (21 April) and the remainder on 24 April.

2 of 107 comments (clear)

  1. Re:Words without actions are meaningless by gstoddart · · Score: 5, Insightful

    Depends on how we define "mean anything".

    "We're sorry we have sold you shitty products but won't fix it" is just PR.

    "We're sorry we've solve you shitty products but will replace it at our expense" is actually doing something.

    I suspect this is one of those corporate apologies designed to say "fuck you, but thanks for playing, hopefully we've minimized the fallout of writing shitty products by issuing a half-assed apology".

    I'm hoping the absence of my DIR-615 isn't "we're sorry to tell you we made a shitty product and forgot to check if it was vulnerable".

    I keep saying, corporations should have some liability for implementing terrible security. Especially for a product whose job it is to be a firewall.

    --
    Lost at C:>. Found at C.
  2. OpenWRT by Shadow+IT+Ninja · · Score: 5, Informative

    I'm glad I did my recent router shopping by starting with the list of OpenWRT supported devices. OpenWRT is a community supported router firmware. There is more active scrutiny of OpenWRT than proprietary manufacturer firmwares. They support hardware more actively and longer than the manufacturers, themselves, do because they use a common source with many hardware models. There is less likelihood of backdoors being introduced or going unnoticed if they are introduced. I'm talking about backdoors like the famous port 32764 back door which was found and patched but then the patch was reverse engineered and found to just hide the back door better.

    Now this story highlights another issue which is that the manufacturers are trying to add features to their routers. This is antithetical to security. The best thing for security is to keep it simple. HNAP, the basis of the vulnerability in this story, is just such a feature which I don't need or want. I think this all adds up to a situation where you want to avoid manufacturer supplied firmware if at all possible.