D-Link warns of vulnerable routers

While D-Link and security company SourceSec disagree on details, they both agree D-Link routers have a protocol flaw
Written by Tom Espiner, Contributor

D-Link has acknowledged a vulnerability in three of its routers that could let hackers reconfigure admin settings.

The networking company said on Monday that the problem, discovered by security researchers SourceSec, affects three of its wireless routers: DIR-855 (hardware version A2), DIR-655 (versions A1 to A4) and DIR-635 (version B). The devices are marketed to consumers and businesses.

The flaw lies in D-Link's implementation of Cisco's Home Network Administration Protocol (HNAP), which allows remote router configuration. In a blog post on 9 January, the SourceSec researchers said they had "found a way to view and edit D-Link router settings without any administrative credentials", using a second admin interface. They also said they have written a proof-of-concept tool called HNAP0wn to exploit the vulnerability.

While there is no dispute that the flaw exists, SourceSec and D-Link disagree about which routers are affected.

In a paper accompanying its blog post, SourceSec said the affected D-Link routers are: DI-524 (hardware version C1, firmware version 3.23); DIR-628 (version B2, firmware versions 1.20NA and 1.22NA); and DIR-655 (version A1, firmware version 1.30EA).

However, D-Link said that those routers are either not exposed, or are not offered as described by the researchers.

"Of the three models allegedly affected, one was never sold in Europe and does not support HNAP," it said. "One does not exist [and] one runs a firmware version not available anywhere for download."

The model that D-Link said is not in the European market is DI-524 (C1). In addition, that model does not support HNAP, the company noted. The non-existent model is DIR-628 (B2), as only A hardware has ever been released for that device. Finally, model DIR-655 (A1, firmware 1.30EA) runs a restricted firmware version related to East Asia and therefore irrelevant for Europe.

SourceSec said in its blog post that it suspected "most, if not all, D-Link routers since 2006 are vulnerable".

However, in the course of an investigation in which D-Link tested its routers using the SourceSec tool, the company found that only three of its routers were affected by the vulnerability. In addition, just running the exploit code was not enough to compromise D-Link routers, it said.

"It is important to note that running the code on its own is not sufficient to hack into the router: only the software tool provided seems to achieve this result," said the D-Link statement.

The company is in the process of updating its firmware across Europe, a D-Link spokesperson told ZDNet UK on Monday.

"[D-Link] is uploading patches to its European websites," said the spokesperson, who added that firmware updates had been made available over the weekend.

D-Link criticised SourceSec, saying it had not been informed of the research prior to its publication, and that the report could have affected its customers.

"By publicising their tool, and giving specific instructions, the authors of the report have publicly outlined how the security can be breached, which could have had serious repercussions for our customers," said the D-Link statement.

Editorial standards