If you own a D-Link DIR-850L AC1200 Dual Band Gigabit Cloud router, we have bad news for you on several fronts.
According to researcher Pierre Kim, the product has 10 security vulnerabilities serious enough for him to recommend owners to “immediately disconnect vulnerable routers from the internet”.
That sounds worrying, but it gets worse. First, Kim has made the flaws public without first coordinating with D-Link, an unusual step he says he took after the company responded poorly last year to issues he reported to them in another product, the DWR-932B mobile hotspot router.
Second, D-Link’s slow or non-response (and the fact that the AC1200 router was discontinued some months ago), raises the likelihood that the latest flaws might never be fully patched.
Kim describes the flaws as “zero days”, although given that he has now revealed their existence in uncomfortable detail, strictly speaking that that’s no longer true (zero days being undisclosed, unpatched flaws). They are, however, show-stopping:
Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.
- A lack of protection for the router’s firmware on revA hardware that would allow an attacker to upload a new image. The revB has a hard-coded password
- Lots of cross-site scripting (XSS) flaws.
- A litany of weaknesses in the devices cloud protocol implementation
- RevB routers allow backdoor access
- A lack of authentication protecting DNS configuration
This isn’t the first time D-Link has been in the headlines for product security. Naked Security has reported several rounds in recent times, including 2015 problems with the DIR-820L, and clutch of flaws from earlier in 2017 designated CVE-2017-6206.
Earlier in 2017, D-Link even upset the US Federal Trade Commission, which filed a suit regarding the company’s alleged failure to fix flaws in its IP cameras and routers.
Some might be unhappy at Kim for revealing flaws for which there is might not be a fix, but the counter-argument is that knowing they exist is preferable to a blissful but dangerous ignorance.
The issue at the heart of this is that while the company has discontinued a product launched in 2013 and sold (as far as we can tell) until 2016, users will continue using it for years afterwards.
If the company fails to fix flaws that are found after the date the product is superseded, owners must like it or lump it. Legally, companies are not obliged to continue patching flaws into the future – no matter that they shouldn’t have been there in the first place.
Unfortunately, routers do not sell with “use by” dates on the box – perhaps they should.