Routers from Taiwanese firm D-Link Corp. have a serious vulnerability that can allow hackers to steal data, but in an unexpected twist, the company is doing nothing to address it.
The vulnerability was detailed by security researchers at Fortinet Inc. Oct. 3, after D-Link was informed of the issue in September. The vulnerability, known as CVE-2019-16920, starts with a “bad authentication check” then progresses from there.
Affecting D-Link models DIR-655, DIR-866, DIR-652 and DHP-1565, the remote code execution vulnerability opens the door to attackers by allowing a “PingTest” to be accepted. Once the nefarious message is accepted by the D-Link router, those behind it can inject command code and hijack the D-Link product, complete with the ability to spy on all data that flows through it.
Typically a story about a vulnerability in hardware would, at this point, note how the security company informed the manufacturer of the issue and that, having been informed, the manufacturer issued a patch prior to publication of the vulnerability to address it.
D-Link not only recognized the vulnerability but told Fortinet that it has no intention of addressing it because “these products are at End of Life (EOL) support … the vendor will not provide fixes for the issue we discovered.”
As Tom’s Guide noted, one of the models, DIR-866L, was introduced in 2014 and discontinued only in 2018. Another model, the DIR-655, was introduced in 2006, but also discontinued only last year. Some of the models can still be purchased new on Amazon.com Inc.
D-Link is under no legal obligation to support discontinued models, but simply ignoring a security vulnerability across previously sold products is not a small issue. The company sells millions of routers worldwide, and given that it’s based in Taipei, Taiwan, a place that China claims is a rogue province, not caring about previous customers may be all future customers need to know when considering its products.