Router-maker D-Link has been in trouble over poor security in its products before, but a new problem has emerged: customers are still using unsupported router models that were recently found to contain a critical, remotely exploitable flaw.
Security firm Fortinet in September identified several D-Link router models with a remote code execution flaw that could be exploited without any authentication, for example from a malicious web page. D-Link promptly responded that it would not be patching the bug because the models were no longer supported.
The problem is that many owners of affected models probably have no idea that their router is one of them and, in any case, probably missed the security news about the issue. On top of that,
The D-Link case prompted Will Dormann at Carnegie Mellon University’s CERT/CC to publish an alert on Wednesday advising consumers to replace affected devices.
“Because D-Link is not providing updates to the devices listed above, it is important to replace any affected device with one that is currently supported by the vendor,” wrote Dormann.
An attacker who exploits the flaw, tracked as CVE-2019-16920, gains control of the router and can reconfigure it, exposing a home network that is normally hidden behind the router to the Internet. Attackers could, for example, change the router’s DNS settings so that web mail and bank domain names resolve to sites they control.
According to security firm BadPackets, “Opportunistic mass exploitation of this vulnerability has already begun.”
It’s not a surprise that consumers are still using affected models, given that very few products proactively alert users when an internet-connected device will soon stop receiving patches; even Google’s Android and Apple’s iOS do not, beyond small “end of life” notices on support pages.
It doesn’t help that D-Link’s and other vendors’ home router models have cryptic names. D-Link routers affected by CVE-2019-16920 include the DIR-655, DIR-866L, DIR-652, DHP-1565, DIR-855L, DAP-1533, DIR-862L, DIR-615, DIR-835 and DIR-825.
Dormann has posted links to the support pages for each of the models in a separate post that explains why consumers need to stop using all unsupported products, such as Windows XP, which Microsoft long ago stopped providing patches for.
Consumers should check Dormann’s list of D-Link routers and see whether the model number on the front of their router matches one of those listed. He has also provided a proof of concept exploit for the flaw that causes an affected device to drop network connectivity for about a minute and then reboot. If that happens, the router is vulnerable and it is critical to replace it with a new one. For non-technical users, though, checking the model number should suffice.
Routers are just one of the first of an emerging class of IoT devices that continue to function well beyond ‘end of life’, the date after which the device no longer receives security updates. The D-Link vulnerability does, however, offer a larger lesson in how consumers should weigh the purchasing decision for the growing number of internet-connected products.
Routers are fairly cheap, but think about a fancy internet-connected refrigerator or smart juicer, Dormann suggests; the machine itself could easily outlive the software support required to keep it safe from hackers. There should be some onus on vendors and retailers to inform consumers about these cut-off dates, but today there is not.
Dormann lists five questions consumers should ask themselves when purchasing smart gadgets, which introduce new and possibly higher risks.
- When you purchased a device that has some sort of network connectivity, did you consider how long the vendor will support the software that runs it?
- Did the vendor even make that information available before you purchased the device?
- How will the device's behavior change once its support has reached EOL?
- What will happen to the device if the vendor decides to turn off a service the device relies on?
- What if the company goes out of business?
In cases where a consumer item has outlived end of life, Dormann says there are two options. If internet connectivity isn’t essential, take it off the network. If the internet is essential and support has ended, replace it.