The latest firmware for Dlink 850L revA (DIR850L_REVA_FW114WWb07_h2ab_beta1.bin) is not protected and a new firmware image can be trivially forged by an attacker.
I don't think those goals are actually contradictory. Cryptographically verified auto-updates and manually acknowledged, non-signed file upload updates can coexist peacefully.
Maybe some of this is legitimate, but the user being able to install their own firmware is not a security vulnerability. Yesterday I had to download a large ISO for a friend instead of using the Linux.efi file I use on my laptop because theirs was made "secure" by Microsoft.
And this is why we finally need fines in the magnitude of a few million to make corporations even think about having a secure-by-default mentality, not patch-when-sh*t-hits-the-fan (and even then only barely).
Impressive. (Not you, D-Link)
But seriously, why? Just why? I haven't even gotten a degree in security or anything, but I know better than to store a password in plaintext, at least!
The sad thing is that it's not really impressive work. And I don't say that to discredit the author, but to discredit dlink, because the bugs found are really security 101 kinda stuff we really should not be seeing anymore.
Most home networking gear I've come across is basically MVP (minimum viable product) only. I've managed to trivially bypass quite a few using common techniques from whitepapers/research docs (hardcoded admin passwords stored in plaintext, looking for open ports, etc.)
Sadly, none of this is going to change in the foreseeable future.
Ah, cheap shit, programmed terribly. There should be legislation saying anything you plug permanently to your internet connection should be secure, and anyone caught being part of a botnet because they're using a known "bad" hardware will be fined. And just add to this blacklist "anything made by DLink". That will get them to fix their shit.
We already have laws on the books for vandalization and sabotage. We also have that horrific law that criminalizes EULAs and "Authorized Access". Why aren't they being used against these companies that make easy-to-remote-pwn gear? It's readily evident that it's not the end-user's actions that cause these forms of vandalization and digital assault.
I'd much prefer enforcing laws, rather than making new ones we hardware creators have to parse and understand.
(Like, how does this affect open source hardware? Some of my side projects are put online. I know a few implementations in the wild already.)
>are password-protected with a hardcoded password.
This is pretty scary stuff. I suspect D-Link just resells generic firmware and adds branding while the real OEM is some no-name Chinese shop that provides everything but the industrial design of the plastic case. With generic OEMs like these you can't burn your key into the hardware, so you more or less have to do non-key passwords, which, as the article shows, are trivially cracked on modern equipment.
I think it's safe to say budget brands are usually a security risk. They just don't have the funding to actually take security seriously, even if the engineers have the political will to do so.
This is also the same D-link that was sued by the FTC for its poorly secured cameras, which I believe were also a rebranding of a no-name OEM product.
I find that while Netgear, Cisco small business, and Linksys aren't perfect, they are miles ahead of D-Link, Belkin, and other budget brands for home use and really don't cost all that much more. I'm pleasantly surprised to see how often my Netgear gets security updates, and the Linksys/Cisco small business line is wonderful for the price.
That said, most consumers will be on the receiving end of an ISP-provided router. I suspect a good chunk of these things aren't actually internet facing; they're behind the ISP router and working as an access point, but typically consumers won't or can't put them in access point mode. I think there's a lot of dumb luck in home networking that ironically keeps people secure, because if they knew how to put the ISP router/modem into gateway mode they'd be in a lot more trouble once their D-Links and Belkins are internet facing.
Short open tags are still in the current builds according to the docs.
The only thing that's changed is that while in older versions the <?= shorthand was also controlled by the short_open_tags ini option, it's now permanently enabled.
That's a feature, not a bug. ( https://openwrt.org/ )
At least it makes it possible to patch the other (real) bugs yourself.