These routers are flawed but they will never be fixed

October 19, 2018

By

In many homes, the router is the gateway to the wide and wild world of the internet. It’s that little gadget you connect your devices to for internet access. It is an essential component in our internet-connected households and businesses.But much like our computers and other smart appliances, your humble router is vulnerable to security threats, attacks and vulnerabilities too.Case in point, a number of this popular brand’s router models were found to have gaping security holes. But the worst part about it? They probably won’t get patched… ever. Read on and see if your router is included in the list.

These router flaws will remain unpatched

A cybersecurity researcher from the Silesian University of Technology, Błażej Adamczyk, recently published a full disclosure article in Seclists.org about multiple serious vulnerabilities in eight D-Link router models.The D-Link models and the latest firmware versions that are affected are as follows:

Adamczyk said that he notified D-Link about these flaws way back in May and the company finally replied in June indicating that it will release a patch for models DWR-116 and DWR-111.However, the remaining six routers won’t get any further patches because they are considered end-of-life (EOL) models, meaning they are already obsolete.While it’s unfortunate — if you own a D-Link DWR-140L, DWR-512, DWR-512, DWR-640L, DWR-712, DWR-912, or DWR-921 router, maybe it’s time to consider getting a new router since most of these models are at least five years old by now.

D-Link security flaws revealed

The three discovered flaws are quite serious since they can potentially allow an attacker to access your files, steal your router’s admin password and even gain full router control.The first flaw is called a directory traversal flaw which allows an attacker to read your files via an HTTP request. Apparently, this flaw was caused by an earlier buggy firmware update.Next up is a flaw that allows an attacker to retrieve the router’s admin credentials in plain text. Combined with the directory traversal flaw, a hacker can fully take over a vulnerable D-Link router.The third flaw is a shell command injection vulnerability that could let an attacker insert code into one of the affected routers’ HTTP web server and gain total control of the device. Yikes!Here’s the video of the flaws in action.https://youtu.be/s2xrQlfd7BY

I own one of these routers, what should I do now?

If you own either a DWR-116 or DWR-111, update your firmware to the latest version immediately.Here’s how: Enter your D-Link router’s IP address on your browser address bar and that will take you directly to that page. The default IP address for D-Link routers is 192.168.1.1.Once you’re on the router administrator page, most of the time, you will have to enter a username and password to log in (while you’re at it, please change your router’s default username and password for obvious security reasons). Once logged in, check for a section called “Advanced” or “Management” to check for firmware updates.Usually, you will have the option to check, review, download, and install your router’s new firmware on the same page. Again, it depends on your router model, so check your user manual for detailed directions on how to do this.Keep in mind, though, that router firmware updates require a restart so make sure you don’t have ongoing activities that require a network connection when you apply the update.

How about the older routers?

Now, if you own any of the older affected D-Link routers that are already on the end-of-life list, please consider buying a new one soon. You may argue that there’s no need to update since it’s still working fine but remember, five years is like an eon in the tech world.You’ll get a ton of new features, speed boosts and security perks with the latest models, too. Just think of it as the tech world’s circle of life at work. Yep, keep your gadgets updated and it’s always hakuna matata.Click here to read Błażej Adamczyk’s full public disclosure of these D-Link router flaws.

https://www.komando.com/tips/cybersecurity/these-routers-are-flawed-but-they-will-never-be-fixed/