
D-Link Home Routers Open to Remote Takeover Will Remain Unpatched - LinuxBender
https://threatpost.com/d-link-home-routers-unpatched/148941/
======
jjguy
This is the new normal, folks. Consumer technology is manufactured for six to
twelve months, but live in our homes for three to five years. Today's
manufacturers cannot afford to update software for hardware devices they have
already moved on from. Changing that requires a significant upheaval in their
business models.

This applies to every "connected device": printers, cell phones, home routers,
refrigerators, thermostats -- you name it. Michael DeGusta did a great
infographic demonstrating this for Android phones in 2011 [1, 2]. Sadly, this
hasn't materially changed in the eight years since. Just this year, Google
added new terms to the Android license requiring security patches, but even
then only for "popular devices." [3] Imagine those dynamics in the secondary
and tertiary markets of printers and refrigerators.

As an industry, we've been to this rodeo before. The advancements we've made
in operating system and core applications security over the last 20 years have
been more about patching speed and agility than shipping fewer bugs. However, those
areas have backing and control from Apple and Microsoft, managing the end to
end ecosystem. There is not a similarly equipped manufacturer of embedded
operating systems with the scale to provide post-sale/post-deployment patching
infrastructure.

Since this is Hacker News, I'll point out the enormous opportunity to anyone
who can address that problem. Can you provide an "enterprise class embedded
OS" to device manufacturers and address post-deployment updates? Can you
provide infrastructure device manufacturers can use to manage post-deployment
updates themselves? Do you have a better approach to it? There's a burgeoning
multi-billion dollar market waiting for a few leaders to take it over.

1 - [https://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of](https://theunderstatement.com/post/11982112928/android-orphans-visualizing-a-sad-history-of)

2 - img link is broken in his post, the graphic itself:
[http://media.theunderstatement.com/016a_android_orphans.png](http://media.theunderstatement.com/016a_android_orphans.png)

3 - [https://www.theverge.com/2018/10/24/18019356/android-security-update-mandate-google-contract](https://www.theverge.com/2018/10/24/18019356/android-security-update-mandate-google-contract)

~~~
dangus
Until consumers are willing to spend on subscription services to keep devices
up-to-date, new hardware is the de facto method of paying for software
development work.

Of course, in reality, this CVE seems almost un-exploitable in the wild,
anyway. How will an exploiter get to the login page in the first place? They'd
have to know your network password and be in your physical vicinity, or your
ISP would have to send traffic to your router's login page from the Internet.

So they'd have to physically drive around looking for these three specific
D-Link routers.

And then what would they get out of a successful exploit? Access to your
network's traffic and unprotected file shares (most people don't even have any
file shares), and even that level of access will be rather useless for getting
important information like bank credentials (protected by HTTPS).

Am I wrong about any of this?

A lot of non-technical people use old Android phones, old printers, etc, and
never experience any serious security breach. Some of them do experience a
security breach, but it's far more likely to happen in a social exploit
(phishing, whaling, etc) or institutional breach (your reused password being
breached from a database hack of a popular website). In a lot of ways,
ignorance is bliss.

~~~
dredmorbius
_Until consumers are willing to spend on subscription services..._

You cannot shift a Gresham's Law race-to-the-bottom dynamic by insisting on
consumer (or producer) willpower. You've got to enforce a floor.

In other consumer (and industrial) products, this has tended to happen through
the combined mechanisms of strict liability, certification, and independent
inspection (in specific cases).

Where manufacturers, or as seems more likely given the industry concentration
around sales points, _retailers_, are liable for the consequences of
unfit-for-purpose devices and services, a reasonable set of minimum requirements
(including life-of-product and update requirements) can be specified, _then_
you might see a shift to some mix of time-of-sale plus subscription service
pricing and payment models.

More likely you'll see devices bundled with services (which sometimes
happens), though preferably in a far more user-friendly basis than is
presently the case (e.g., cable service set-top boxes).

There's actually a long history of leased-equipment business in the IT sector,
most notably as pioneered by IBM in the 1950s and 1960s.

~~~
harikb
As soon as warranty/support expires, the device must be free for DRM/reverse-
engineering*. This will incentivize manufacturers to offer longer support.

*Edit: Rather, they should actually provide the spec, drivers, etc.

~~~
agret
There are a lot of routers using GPL code that have open source firmware
available (dd-wrt, openwrt, tomato, etc.). I think once support for a device ends
it should be mandated that the company release the source code for future
development.

There is a worrying increase in the amount of IoT devices that will remain
forever unpatched due to the (cheap overseas) manufacturers never updating
them or ending support for them.

~~~
swinglock
Make that one year before ending support, so there is both time to prepare and
incentive to open source early.

------
pxeboot
Until there is some legally required amount of time to provide security
updates for connected devices, I would expect the "buy a new one if you want
to be protected" response to continue indefinitely.

~~~
hackbinary
What do you expect from companies that sell kit at $50/£50/€50?

You always kind of get what you pay for. If you pay an annual maintenance,
then you can expect regular and secure updates, otherwise you are buying the
product as is at time of purchase.

Then again, I buy stuff that can be flashed with OpenWRT ...

~~~
dclusin
If a car spontaneously combusts we hold the auto manufacturer liable for
correcting that defect. It doesn't matter if it's a Prius or a Ferrari. These
vendors are selling defective devices and it is fixable via software patch.
Just because they stopped selling them doesn't mean they shouldn't have to fix
it.

~~~
core-questions
> If a car spontaneously combusts we hold the auto manufacturer liable for
> correcting that defect.

This is a bit of a spurious comparison. Nobody is dying from an unpatched
router. Why should a company be on the hook for a device, particularly if it's
out of warranty? If you expect more than that, you need to be buying something
with a contract stating you're going to get more than that.

~~~
mtgx
It's not just "one unpatched router". It could be millions. Or millions or
_billions_ of IoT devices in the future that are unpatched.

That does have the potential to create some damage if anyone takes control of
them. Maybe even kill some people, if say they DDoS the V2I network for
self-driving cars in the future, or a hospital network over which remote surgeries
are performed, etc.

I feel like this argument that "you get what you pay for" is pretty lazy.
Usually, or ideally, consumer regulations are about _setting standards_ and
_raising the bar_.

So that means that if there were strong laws for stuff like this, then the
minimum router price may become $70 instead of $50 - but everyone would be
reasonably protected for the large majority of a device's lifecycle (only a small
portion of the customers should be affected by leftover bugs when support
ends, like say <5%, as others will have moved on to new products by then).

~~~
harry8
Without agreeing with this point it's a perfectly reasonable one to make. Why
is it dead? Seems to be quite a bit of this sort of thing of late, new ML
tools?

------
eloff
I'll think twice before buying D-link again. They've just tarnished their
brand irrevocably for me, even though my router is not affected - I had to
turn it over and compare version numbers to be certain, and I don't want to
have to track exploits and check version numbers to have peace of mind.

What manufacturer can I buy next time with a good security record?

~~~
iforgotpassword
One where you can wipe the original firmware and install OpenWRT.

~~~
josteink
There may be other answers here, but this is really the only guaranteed one.

OpenWRT really is the greatest.

------
dredmorbius
The affected routers _may_ be supported by OpenWRT, a free software wireless
router project, or similar projects (dd-wrt, Tomato). Looking at the OpenWRT
Table of Hardware
([https://openwrt.org/toh/start?dataflt%5BBrand*~%5D=D-Link](https://openwrt.org/toh/start?dataflt%5BBrand*~%5D=D-Link)),
I find:

DIR-655: OpenWRT: not listed.

DIR-866L: OpenWRT: not listed. dd-wrt: [https://wiki.dd-wrt.com/wiki/index.php/D-Link_DIR-868L](https://wiki.dd-wrt.com/wiki/index.php/D-Link_DIR-868L)

DIR-652: not listed

DHP-1565: Present:
[https://openwrt.org/toh/d-link/dhp-1565](https://openwrt.org/toh/d-link/dhp-1565)

Buying well-supported hardware and flashing with OpenWRT (or similar) is
strongly recommended.

OpenWRT: [https://www.openwrt.org/](https://www.openwrt.org/)

Tomato: [http://www.polarcloud.com/tomato](http://www.polarcloud.com/tomato)

dd-wrt: [https://dd-wrt.com](https://dd-wrt.com)

~~~
milankragujevic
Most DIR-XXX routers are actually Realtek (Lexra), which developers of OpenWRT
refuse to support due to the unwieldy microarchitecture of the SoC.

~~~
dredmorbius
Thanks. I thought I'd at least look. Saw some indication that a few of the
devices were pretty specifically _not_ supported based on discussions.

------
jrochkind1
> D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the
> issue in September, that all four of them are end-of-life and no longer sold
> or supported by the vendor (however, the models are still available as new
> via third-party sellers).

OK, let's say I am someone who actually knows "end-of-lifed" is a thing, and a
thing you don't want...

How would I check to see if a certain router was end-of-lifed before buying
it?

If I can figure that out, and I know it's not end-of-lifed, is there any way
for me to see how much time is left in its life before it's end-of-lifed? How
would I check to make sure a router I was buying wouldn't become end-of-lifed
tomorrow, or next week, but has, say, a year or two of supported life left at
least?

Obviously, what D-Link is counting on is that most customers won't know that
this is even a thing, won't know what questions to ask, won't realize their
router is end-of-lifed, won't realize their router is vulnerable, won't
realize it if their router gets hacked, and it won't affect their likelihood
of buying another D-Link router or telling others to. It's not that they think
this kind of support is going to be considered acceptable to their customers
-- it's that they think their customers won't even _be able to figure out_
what kind of support or security they are getting, mostly won't even realize
this is even a question to ask.

And they're probably right.

~~~
wmf
_How would I check to see if a certain router was end-of-lifed before buying
it?_

You should be able to Google "$MODEL_NUMBER support", although D-Link's Web
site is pretty bad and doesn't say that the product is EOL (although since the
last firmware update is from 2013 you could guess).

------
elipsey
Schneier has recently argued that there is a missing market for IoT security,
in the sense that device manufacturers that have no incentive to patch impose
external costs on society, and that this might be hard to fix without
regulation.

[https://www.eweek.com/security/ibm-s-schneier-it-s-time-to-regulate-iot-to-improve-cyber-security](https://www.eweek.com/security/ibm-s-schneier-it-s-time-to-regulate-iot-to-improve-cyber-security)

~~~
silvr
Also - his recent book "Click Here to Kill Everybody" discusses the problem of
IoT security in depth (i.e. that the lack of it will risk increasingly dire
consequences). One of his solutions is regulatory: a new federal agency for
consumer cybersecurity. One of the particular things he would want mandated is
that IoT devices be patchable, at a minimum.

------
H1Supreme
I have a D-Link DIR-655 (which is on this list) as my home router. Ironically,
I was going to replace it a few months ago, but the speed is still fast enough
for my network.

A few posts mentioned installing a different (open source) firmware. But, both
OpenWrt and DD-Wrt aren't compatible. Am I missing another option?

As an aside, can anyone recommend a wifi router that runs either OpenWrt or
DD-Wrt well, for $100-$150?

~~~
theandrewbailey
You aren't missing another option. The 655 is based on an exotic architecture
(Ubicom32) that never had the specs released for it to develop 3rd party
firmware. It's why I trashed my 655 years ago.

~~~
milankragujevic
Revision C1 is a standard QCA chip.

------
qwerty456127
For national security sake all routers should be required to support open
firmwares.

~~~
ktta
Open source software on routers is a little complicated.

FCC requires home router manufacturers to prevent users from modifying
transmit settings (primarily to prevent interference with weather systems -
which 5G is also going to mess with). While the router manufacturers
themselves might not provide features to modify the parameters, allowing
third-party open source firmware opens them up to liability, because third-party
firmware -- almost all of which is open source, can provide users with
features that allow changing the transmit parameters. This is because the
radio operation is controlled by the OS (most of these have linux on them),
and the parameters are to be included in the same firmware blob as the OS.

FCC is not the problem here either. FCC saw the quick-fix that some
manufacturers took, like TP-Link, which is to block any third-party firmware.
So they required TP-Link to reverse their decision to prevent installation of
third-party firmware. Then what's the solution?

The best way to prevent allowing consumers to change the transmit settings,
while allowing open source firmware meant for the rest of the board (where all
of the security issues arise), will require having different flash chips - one
for most of the firmware, and a separate one for storing the radio parameters.
This route is what Linksys is taking.

Personally, I doubt this is a good enough solution. Board designs today use a
single SoC that does everything. So I'm not sure how they think storing the
transmit settings on a different flash chip will prevent the firmware from
using different parameters. Any design that is more complex than the two flash
chip solution will require a lot of reworking of designs, because most board
designs basically consist of a few components: the SoC, the flash and RAM.
Nothing else.

Apart from the re-working of existing designs, there's another problem. The
problem is the BOM constraints router makers face, since they are always in a
race to the bottom price-wise. Adding additional chips introduces cost and
complexity, which they don't want to go through.

~~~
zamadatix
The FCC is certainly the problem in this case. If someone modifies the product
to break the law the person is at fault not the manufacturer. That someone
could modify their radio to do bad things shouldn't stop me from modifying
mine to do good things.

~~~
paggle
Would you also say that Uber doesn't violate taxi laws or AirBNB doesn't
violate zoning laws, and it's just the Uber drivers and AirBNB hosts who are
using the products to violate the law? What's your responsibility when you
hand someone a loaded gun and it goes off?

~~~
lone_haxx0r
> What's your responsibility when you hand someone a loaded gun and it goes
> off?

Zero, as long as the person:

(1) Knew it was loaded

(2) Voluntarily accepted to receive the gun.

~~~
penagwin
> Zero, as long as the person:

In this analogy the gun going off broke a law. So you voluntarily handed
somebody a loaded gun - who then committed a crime with that gun.

Obviously context matters - but you can bet the police will be asking why you
gave that gun to them.

------
sekjldfhsfklh
I think there is a simple solution: if the seller doesn't support it, then
they have to open source it.

Own (key word) an old RPG that won't run because the publisher decided the
servers were no longer profitable?

RPG gets open sourced.

Have a John Deere remote-operated tractor with a bug that John Deere won't fix,
one that allows attackers to operate it remotely?

John Deere's tractor software gets open sourced.

No support? No legal IP protection.

~~~
crankylinuxuser
Then the problem gets moved to encryption keys, which aren't part of the "open
source".

All the code's there - you just don't have the right to change it!

~~~
sekjldfhsfklh
I don't mean that the code is merely published.

Full access to the device you own, signing keys and all.

------
skwb
This is precisely why I chose to install DD-WRT on all my routers. Not only
does it give me more fine-grained control over all my admin privileges, I know I
don't have to rely on some company making the cost-benefit decision over
whether it's worth patching security bugs.

~~~
Maskawanian
DD-WRT doesn't necessarily provide more security, typically models will get
one release and then not get any more updates.

~~~
simcop2387
I've found OpenWRT to be better in this case, support does get dropped
eventually but it's usually longer term even if less polished.

------
aetherspawn
We don’t have cable or a phone line, so I recently bought a D-Link router with
a 4G SIM card slot and a massive yearly data plan that corresponds to the
approx. amount of data I use yearly at home as a light non-streaming user
(400 GB at approx. $1 per GB).

I’m open to hardware suggestions that are more open source capable or robust
in the first place, but my use case was really niche and the shop(s) had
nearly nothing suitable except this one model.

~~~
wmf
Mikrotik has an interesting outdoor LTE router (although I couldn't find
anywhere reputable to buy it in the US). You could also get a USB or MiniPCIe
modem and put it in whatever Linux box you want.

~~~
aetherspawn
I would love to build my own that also does proxy server.

------
Natales
Since I have an ESX box with multiple NICs running 24x7 at home, I've been
using both pfSense [1] and OPNSense [2] on a VM for years, with excellent
performance, stability and top notch features.

Combine that with 2 UniFi APs, multiple SSIDs each landing on separate VLANs,
all converging on the router VM as separate "interfaces", so you can very
selectively do policy-based routing per MAC address, and whitelist/blacklist
IoT devices from accessing the Internet or specific sites. It gives you a huge
amount of control that is very hard to do otherwise.

[1] [https://www.pfsense.org/](https://www.pfsense.org/)

[2] [https://opnsense.org/](https://opnsense.org/)

~~~
tombert
I had come into possession of a bunch of thin clients with USB 3.0 and gigabit
ethernet about a year ago, and as a result I installed PFSense, which is my
router in my house.

It has been great...I'm definitely never going back to a crappy commercial
router ever again.

------
all_blue_chucks
Isn't planned obsolescence illegal in some places? Ending security updates is the
very definition of planned obsolescence for an internet-connected device.

------
evilsnoopi3
I do not own a D-Link router but do own a consumer-grade Gateway from Netgear.
Is there any mechanism I can use to check for published vulnerabilities
against my hardware?

------
philpem
My last couple of WiFi routers were bought because they could run OpenWRT... I
feel like stories like this support that position.

At least if there was a security issue OpenWRT couldn't patch, I have the
source code to do so myself.

And I haven't bought D-Link kit in a very long time. Their record on a variety
of things (reliability, support, ...) means you get better value (in the low-
mid market segment at least) from the Chinese vendors e.g. TP-Link.

------
tzs
Two of these were discontinued in 2018 [1]. I'd be pretty pissed off if I
bought a router that a vendor was still listing as current, and the next year
told that it was EOL and would get no more updates.

[1] [https://www.tomsguide.com/news/d-link-wont-fix-serious-security-flaw-on-four-wi-fi-routers](https://www.tomsguide.com/news/d-link-wont-fix-serious-security-flaw-on-four-wi-fi-routers)

------
peterwwillis
> D-Link last week told Fortinet’s FortiGuard Labs, which first discovered the
> issue in September, that all four of them are end-of-life and no longer sold
> or supported by the vendor

First released in 2011, EOL in 2018. Can't say I blame 'em, EOL is EOL, but
it's also the new planned obsolescence. (Better buy a new router every 7 years
or the hackerman'll get ya!)

~~~
eecc
Apple Time Capsules [0] released in 2011 received an update last June 2019 [1]
despite being also discontinued in 2018.

[0]:
[https://en.wikipedia.org/wiki/AirPort_Time_Capsule](https://en.wikipedia.org/wiki/AirPort_Time_Capsule)

[1]:
[https://support.apple.com/kb/DL2008?locale=en_US](https://support.apple.com/kb/DL2008?locale=en_US)

------
triangleman
Correct me if I'm wrong, but in order to perform this attack you need to be
connected to the router's LAN in order to access the admin page, right? So you
would need to gain access to the WiFi or attach a computer to the router via
Ethernet. This cannot be exploited over the internet, unless perhaps the user
enables the admin page via WAN.

~~~
crankylinuxuser
Sadly, wrong.

Assuming 192.168.1.1 is your router, you can craft a webpage on the public
internet to exploit that IP address, without javascript.

With js, it's trivial. But you have to deal with CORS being set up. Question
then becomes - is CORS set up right? If not, pwn3d.

------
pjdemers
For what home routers cost, they could probably ship a new one to everyone who
complains about the bug for less than it costs to patch all of them.
Especially since the set of people who will actually apply a patch is only
slightly larger than the set who will complain about a bug.

------
kragen
Whoever patches them will be the one who maintains control over them. What
organizations are best positioned to do that? I suggest the intelligence
agencies of Russia, Israel, and the US. Whether any of them will take the
opportunity is anyone’s guess.

Of course, the underlying problem here is that users depend on vendors for
patching, and their incentives are misaligned. Free software like DD-WRT
removes that dependency and thus the incentive misalignment problem. To the
extent that educational, legal, and technical measures prevent users from
exercising the freedoms of free software in practice, these problems will get
worse and worse.

------
theandrewbailey
I used a DIR-655 router up until 4 or 5 years ago. I threw it out because
there was no new firmware for it, and neither OpenWRT nor DD-WRT supported it.
I replaced it with something that did. Looks like I made the right call.

------
slavik81
A friend is using my old DIR-655. I would like to warn them, but I need to
understand this better first.

Am I correct that this allows administrator access to the router, but requires
connecting to the router's network (either via having the WiFi password or
having physical access)?

IIRC, the DIR-655 is also stuck on WPA2, which was broken, so the WiFi
password doesn't offer any protection either. In which case, anyone within
range of the access point could access the admin panel.

On one hand, this sucks because aside from these vulnerabilities, the DIR-655
works fine. On the other hand, I think I bought it over a decade ago.

------
chimi
What is the best wifi-router out now for home hackers? I'd like to do a
pi-hole type setup but without the pi-hole and I also need a stronger wifi signal
than on the box my ISP gives me.

~~~
iagovar
Probably some low tier mikrotik. It's not for dummies though, it requires
knowing a bit of networking.

~~~
mtgx
Mikrotik has had quite a bit of security issues, too.

[https://www.techrepublic.com/article/unpatched-vulnerability-in-mikrotik-routeros-enables-easily-exploitable-denial-of-service-attack/](https://www.techrepublic.com/article/unpatched-vulnerability-in-mikrotik-routeros-enables-easily-exploitable-denial-of-service-attack/)

~~~
iagovar
But they patch stuff, and afaik everyone gets the update.

------
hansdieter1337
And that's why you should flash your router with an open source firmware, such
as [https://dd-wrt.com/](https://dd-wrt.com/)

------
achillean
For an overview of D-Link devices I created the following page a few years
ago:

[https://dlink-report.shodan.io/](https://dlink-report.shodan.io/)

------
david_draco
We need brickerbot to come back
[https://en.wikipedia.org/wiki/BrickerBot](https://en.wikipedia.org/wiki/BrickerBot)

------
nly
It's times like this I'm glad my home router is an x86 mini PC running Arch
Linux + iptables + Unifi (complete with DNS MITM forcing all DNS out of my
apartment over TLS).

~~~
redblacktree
How high-touch is this kind of setup? I have a separate access point and I am
using a consumer-grade "wireless router" for DHCP. (and other things?)

I'm more of an app developer that does DevOps stuff when I have to. Is this
something I can get done in a day or so? Is a Raspberry Pi enough, or do I
need something more powerful?

~~~
somehnguy
If you want a less touchy solution (not completely plug and play though!) I
can't recommend Ubiquiti products enough. I run an EdgeRouter X and Unifi AP
at home. Not big enterprise gear but way more enterprisey than whatever you'll
find on the shelf at Best Buy. Updates are released regularly and once you get
your initial configuration done they just chug along, no random 'internet is
down, need to reboot something' issues that (used to?) plague mass consumer
designed gear.

~~~
aesclepius
Cheaper and older alternative is the Ubiquiti Unifi Security Gateway + 8 port
switch + UAC AP-PRO if you don't want the EdgeRouter X cost. Less
customizable but if you're buying an EdgeRouter you know what you want.

~~~
harry8
How does power consumption compare with a setup like this vs some consumer
all-in-one thing?

~~~
kazen44
To be honest, most routers like this have very low power usage. I think an
EdgeRouter X has a power consumption of something like 5W under load.

------
tokzco
The more I think about it the more I notice that a lot of 'security' is
actually used to verify or 'add value' to the data that gets mined, meaning
'verified' traffic holds more value than non-verified traffic, so that might
explain a reason why security protocols on routers and other common devices
are not as secure as they could be. You could note that this is also a form of
'security against you', meaning a 'proof' for a court.

I don't know what the answer is to this, simply because of all the variables I
consider, especially the emergence of drones. How will this be secured to a
degree that few can interfere with package deliveries, the abuse of
surveillance and what space around a property is actually protected? As an
example, you can drive by in a vehicle, collect AP information and the average
geek can obtain access; so it will be with drones.

If you really want to get interesting, think about the things drones can do,
such as compromise crime scenes with planted evidence.

------
opan
Another issue that could be avoided by using free software. Ideally D-Link
would ship with free software so that the community can keep their gear
working well. In practice something like OpenWRT may need to be installed by
users, and depending on the hardware, support could be difficult.

If you're looking to be more careful in the future, I suggest only buying
routers with OpenWRT support.

------
chooseaname
I tell everyone who will listen: don't buy consumer networking gear. Buy from
Ubiquiti or get the enterprise routers/APs from your favorite brand. They are
much more likely to be updated and don't really cost much more. Sure, it takes
some know-how to set up, but they can call me if they take my recommendations.

~~~
x2f10
Eero is a much better alternative for the average person. Solid features,
INCREDIBLY easy to set up, nice app, helpful support, etc. Big fan.

~~~
kalleboo
They got bought out by Amazon now though, which may worry some people.

------
gambiting
Linksys routers still ship with Samba 1.0 which has literally been deprecated
for like 20 years now. These companies literally don't give a crap what they
ship. I can only imagine that the firmware is made by someone who stood next
to a building where a talk about internet security was held... a month
earlier.

------
rajesh-s
We live in a society where people upgrade their phones every 6 months but do
not think about the routers for years.

I wonder if there's any company that's trying to encourage people to upgrade
their routers often.

------
thelazydogsback
My experience only, of course, but every D-Link product I've owned has been a
nightmare, from config on. I've been sticking with ASUS for a while now and so
far all is well...

------
wethebestcoder
Are attacks on home networks really an issue? I mean what percent of home
networks have actually seen an intrusion? Does anyone know?

------
aetherspawn
Hey, could anyone clarify if this is still an issue if I only use my router as
a gateway and not as the wireless (WiFi) device?

------
hyperman1
Sounds like exactly the kind of bug that lets you hack/install dd-wrt on them.

------
JoshuaMulliken
This is unacceptable. Companies that do this stuff should be boycotted.

------
adamc
Maybe we need some class-action lawsuits. This is very bad behavior.

------
ga-vu
DIR-655 was EOLed in 2012... what do you people expect? Of course they
won't release firmware updates forever.

------
etxm
Sick

------
dubyabee2
D-Link SIRT :: For Accurate and Up-to-Date information please go to:
[https://bit.ly/2nNawAc](https://bit.ly/2nNawAc)

~~~
willis936
The irony of using a shortened link in a comment on cyber security.

~~~
frereubu
Non-shortened link:
[https://supportannouncement.us.dlink.com/announcement/public...](https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10124)

~~~
ape4
"D-Link takes the issues of network security and user privacy very seriously."
... "These products have entered End of Service Life. There is no support or
development for these devices. We recommend replacing the device with an new
device that is actively supported."

~~~
WalterSobchak
Reminds of an old post by Troy Hunt: [https://www.troyhunt.com/we-take-security-seriously-otherwise/](https://www.troyhunt.com/we-take-security-seriously-otherwise/)

------
eecc
I'm aware of the "but what if the router is connected to an ICU bed? A
patient's life depends on it!" straw man but let's be honest, it would only be
the ICU's admin fault.

Having sorted this out, let me clearly state that the only ethical solution is
to brick these devices offline.

~~~
kazen44
I hope an intensive care unit doesn't really rely on a bottom of the barrel
consumer device for their network reliability.

~~~
eecc
I wasn’t arguing that someone might or should, I was just expecting someone to
make the argument.

And there you go:
[https://news.ycombinator.com/item?id=21195759](https://news.ycombinator.com/item?id=21195759)