Researcher discloses 10 D-Link zero-day router flaws

The security researcher says the general public should immediately disconnect their router until patches are available.
Written by Charlie Osborne, Contributing Writer

When a zero-day vulnerability becomes public, of which by its nature no patches or fixes are available at the time, one is enough for vendors to come to terms with in order to rapidly devise a solution.

D-Link now has 10 such previously-unknown bugs on its plate to fix.

Last week, security researcher Pierre Kim chose to publicly disclose his findings related to D-Link 850L routers due to "difficulties" working with the vendor on a coordinated disclosure.

In a blog post, Kim said the flaws were found in the D-Link 850L, a wireless AC1200 dual-band gigabit cloud router, which also enables users to use Mydlink Cloud Services to access their home networks remotely.

Kim describes the product as a "router overall badly designed with a lot of vulnerabilities," and says that he was able to compromise everything, from the LAN to the WAN, as well as the custom MyDlink cloud protocol.

There are two different versions of the router, revA and revB, available and the vulnerabilities below impact both.

The bugs were discovered in June this year, the advisory was written up in July, and the public advisory appearing on security mailing lists last week.

"Due to difficulties in previous exchange[s] with D-Link, Full-disclosure is applied," Kim says. "Their previous lack of consideration about security made me publish this research without coordinated disclosure."

"I advise to immediately disconnect vulnerable routers from the Internet," the researcher added.

According to the security researcher, he has chosen full disclosure even though no patches have been issued to fix all of the issues.

Kim has apparently experienced trouble with D-Link in the past, with a disclosure last February resulting in no acknowledgment from the vendor, but rather just the silent issue of a patch which fixed only one problem of many.

Rather than contact the researcher, D-Link apparently downplayed the findings, claiming the security researcher found the issues "by chance."

ZDNet has reached out to D-Link and will update if we hear back.

Previous and related coverage

    Router flaws put AT&T customers at hacking risk

    The bugs are easy to exploit, but can be easily mitigated.

    CIA has been hacking into Wi-Fi routers for years, leaked documents show

    The hacking tools target hundreds of models developed by dozens of router manufacturers.

    Virgin Media tells 800,000 customers to change passwords after routers found vulnerable to hackers

    Ethical hackers carried out research on the Super Hub 2 router and found it could be used to take control of Internet of Things devices.

      10 steps to erase your digital footprint

      Editorial standards