== Controversies ==

=== Backdoors ===

D-Link systematically includes [[Backdoor (computing)|backdoor]]s in its equipment that compromise its users' security.<ref>[https://www.bleepingcomputer.com/news/security/over-92-000-exposed-d-link-nas-devices-have-a-backdoor-account/ Over 92,000 exposed D-Link NAS devices have a backdoor account]</ref> One prominent example is '''xmlset_roodkcableoj28840ybtide''', which contains the substring '''roodkcab''', the word '''backdoor''' written backwards.<ref>{{cite web | url=https://www.pcworld.com/article/448924/dlink-issues-fixes-for-firmware-backdoor-in-routers.html | title=D-Link issues fixes for firmware backdoor in routers }}</ref> In January 2013, version v1.13 for the DIR-100 revA was reported to include a backdoor in the firmware. Passing a specific [[user agent]] in an HTTP request to the router bypasses normal authentication. It was reported that this backdoor had been present for some time.<ref>{{Cite web |last=Yegulalp |first=Serdar |title=D-Link's backdoor: What else is in there?
|url=http://www.infoworld.com/article/2612757/hacking/d-link-s-backdoor--what-else-is-in-there-.html |access-date=1 April 2016 |issn=0199-6649 |magazine=[[InfoWorld]]|date=14 October 2013 }}</ref> This backdoor, however, was closed soon after with a security patch issued by the company.<ref>{{Cite web |last=Krebs |first=Brian |author-link=Brian Krebs |title=Important Security Update for D-Link Routers |url=https://krebsonsecurity.com/2013/12/important-security-update-for-d-link-routers/ |access-date=17 September 2020 |website=Krebs on Security |date=2 December 2013 |language=en-US}}</ref>

On 17 June 2024, information about the CVE-2024-6045 backdoor was disclosed.<ref>https://securityonline.info/d-link-routers-exposed-critical-backdoor-vulnerability-discovered-cve-2024-6045/ {{Bare URL inline|date=August 2024}}</ref>

=== Vulnerabilities ===

In January 2010, it was reported that [[HNAP]] vulnerabilities had been found on some D-Link routers. D-Link was also criticized for its response, which was deemed confusing as to which models were affected and which downplayed the seriousness of the risk.<ref>{{Cite web |date=18 January 2010 |title=Which Routers Are Vulnerable to the D-Link HNAP Exploit?
|url=http://www.sourcesec.com/2010/01/ |url-status=dead |archive-url=https://web.archive.org/web/20131226002253/http://www.sourcesec.com/2010/01/ |archive-date=26 December 2013 |website=Source Sec Tech Engine}}</ref> However, the company issued fixes for these router vulnerabilities soon after.<ref>{{Cite magazine |date=15 January 2010 |title=D-Link Issues Fixes for Router Vulnerabilities |url=https://www.pcworld.com/article/186996/article.html |magazine=[[PC World|PCWorld]] |language=en |issn=0737-8939 |access-date=17 September 2020}}</ref>

Computerworld reported in January 2015 that ZynOS, a firmware used by some D-Link routers (as well as [[ZTE]], [[TP-Link]], and others), is vulnerable to [[DNS hijacking]] by an unauthenticated remote attacker, specifically when remote management is enabled.<ref>{{Cite magazine |last=Constantin |first=Lucian |title=DNS hijacking flaw affects D-Link DSL router, possibly other devices |url=http://www.computerworld.com/article/2876292/dns-hijacking-flaw-affects-d-link-dsl-router-possibly-other-devices.html |magazine=[[Computerworld]] |issn=0010-4841 |access-date=1 April 2016}}</ref> Affected models had already been phased out by the time the vulnerability was discovered, and the company also issued a firmware patch for those still using the older, affected hardware.<ref>{{Cite web |last=Jackson |first=Mark |date=31 January 2015 |title=UPDATE D-Link Broadband Routers Vulnerable to DNS Hijack Attack |url=https://www.ispreview.co.uk/index.php/2015/01/d-link-broadband-routers-vulnerable-new-dns-hijack-attack.html |access-date=17 September 2020 |website=ISPreview UK |language=en}}</ref>

Later in 2015, it was reported that D-Link leaked the private keys used to sign firmware updates for the DCS-5020L security camera and a variety of other D-Link products.
The key expired in September 2015, but had been published online for seven months.<ref>{{Cite web |title=In blunder threatening Windows users, D-Link publishes code-signing key |url=https://arstechnica.com/security/2015/09/in-blunder-threatening-windows-users-d-link-publishes-code-signing-key/ |access-date=1 April 2016 |website=Ars Technica|date=18 September 2015 }}</ref> The initial investigation did not produce any evidence that the certificates were abused.<ref>{{Cite web |title=D-Link Accidentally Leaks Private Code-Signing Keys |url=https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/ |access-date=17 September 2020 |website=threatpost.com |date=18 September 2015 |language=en}}</ref>

Also in 2015, D-Link was criticized for more HNAP vulnerabilities,<ref>{{Cite web |title=Hacking the D-Link DIR-890L |url=http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/}}</ref> and, worse, for introducing new vulnerabilities in their "fixed" firmware updates.{{r|WTF_2014}}

On 5 January 2017, the [[Federal Trade Commission]] sued D-Link for failing to take reasonable steps to secure their routers and IP cameras, as D-Link marketing was misleading customers into believing their products were secure.
The complaint also says security gaps could allow hackers to watch and record people on their D-Link cameras without their knowledge, target them for theft, or record private conversations.<ref>{{Cite web |url=https://www.consumer.ftc.gov/blog/ftc-sues-d-link-over-router-and-camera-security-flaws |title=FTC sues D-Link over router and camera security flaws {{!}} Consumer Information |access-date=7 January 2017 |archive-date=7 January 2017 |archive-url=https://web.archive.org/web/20170107170851/https://www.consumer.ftc.gov/blog/ftc-sues-d-link-over-router-and-camera-security-flaws |url-status=dead }}</ref> D-Link has denied these accusations and has enlisted Cause of Action Institute to file a motion against the FTC for their "baseless" charges.<ref>{{Cite news |date=31 January 2017 |title=Cause of Action Institute Files Motion to Dismiss FTC's Baseless Data Security Charges Against D-Link Systems Inc. - Cause of Action Institute |language=en-US |work=Cause of Action Institute |url=http://causeofaction.org/cause-action-institute-files-motion-dismiss-ftcs-baseless-data-security-charges-d-link-systems-inc/ |access-date=12 February 2017}}</ref> On 2 July 2019, the case was settled with D-Link not found to be liable for any of the alleged violations.<ref>{{Cite web |title=proposed settlement, D-Link is required |url=https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf}}</ref> D-Link agreed to continue to make security enhancements in its software security program and software development, with biennial, independent, third-party assessments, approved by the FTC.<ref>{{Cite web |title=D-Link Agrees to Make Security Enhancements to Settle FTC Litigation |date=2 July 2019 |url=https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation}}</ref>

On 18 January 2021, Sven Krewitt, a researcher at Risk Based Security, discovered multiple pre-authentication vulnerabilities in D-Link's
DAP-2020 Wireless N Access Point product.<ref>{{Cite web |last=Krewitt |first=Sven |date=January 18, 2021 |title=RBS-2021-002-D-Link DAP-2020 |url=https://www.riskbasedsecurity.com/research/rbs-2021-002-d-link-dap-2020/ |url-status=live |archive-url=https://web.archive.org/web/20210307204206/https://www.riskbasedsecurity.com/research/rbs-2021-002-d-link-dap-2020/ |archive-date=7 March 2021 |access-date=September 2, 2020 |website=Risk Based Security}}</ref> D-Link confirmed these vulnerabilities in a support announcement and provided a patch to hot-fix the product's firmware.<ref>{{Cite web |title=D-Link Technical Support |url=https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10201 |access-date=2021-09-02 |website=supportannouncement.us.dlink.com}}</ref>

In April 2024, D-Link acknowledged a security vulnerability that affected all hardware revisions of four models of [[network attached storage]] devices. Because the products have reached their end of service life date, the company stated in a release that the products are no longer supported and that a fix would not be offered.<ref name="dlink2024">{{cite web | url = https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | title = DNS-320L / DNS-325 / DNS-327 / DNS-340L and All D-Link NAS Storage :: All Models and All Revison :: End of Service Life :: CVE-2024-3273 : Vulnerabilities Reported by VulDB/Netsecfish | work = D-Link | date = 8 April 2024 | accessdate = 8 April 2024}}</ref>

=== Server misuse ===

In 2006, D-Link was accused of [[NTP server misuse and abuse#D-Link and Poul-Henning Kamp|NTP vandalism]], when it was found that its routers were sending time requests to a small [[Network Time Protocol|NTP server]] in Denmark, incurring thousands of dollars of costs to its operator.
D-Link initially refused to accept responsibility.<ref>{{Cite news |last=Leyden |first=John |date=2006-04-13 |title=D-Link accused of 'killing' time servers {{!}} Time to stop freeloading |language=en-gb |work=[[The Register]] |url=https://www.theregister.com/2006/04/13/d-link_time_row_escelates/ |url-status=live |access-date=2022-08-09 |archive-url=https://web.archive.org/web/20200922150807/https://www.theregister.com/2006/04/13/d-link_time_row_escelates/ |archive-date=2020-09-22 |quote=D-Link, for its part, is hiding behind its lawyers. Instead of acknowledging it might have made an error, and operators say D-Link's attorneys have accused them of "extortion" or else demanded that disgruntled punters submit to Californian law. |df=dmy-all}}</ref> Later, D-Link products were also found to be abusing other time servers, including some operated by the US military and [[NASA]].<ref>{{Cite news |last=Ward |first=Mark |date=2006-04-13 |title=Net clocks suffering data deluge |language=en-gb |work=[[BBC News]] |url=http://news.bbc.co.uk/1/hi/technology/4906138.stm |url-status=live |access-date=2022-08-09 |archive-url=https://web.archive.org/web/20220427003405/http://news.bbc.co.uk/1/hi/technology/4906138.stm |archive-date=2022-04-27 |quote=This has revealed that D-Link hardware is also causing problems for 50 other net time servers. The list includes some run by the US military, Nasa, US research organisations and government groups around the world.
|df=dmy-all}}</ref> However, no malicious intent was discovered, and eventually D-Link and the site's owner, Poul-Henning Kamp, were able to agree to an amicable settlement regarding access to Kamp's GPS.Dix.dk NTP Time Server site, with existing products gaining authorized access to Kamp's server.<ref>{{Cite news |last=Leyden |first=John |date=2006-05-11 |title=D-Link settles dispute with 'time geek' {{!}} Time to kiss and make up |language=en-gb |work=[[The Register]] |url=https://www.theregister.com/2006/05/11/d-link_time_dispute_settlement/ |url-status=live |access-date=2022-08-09 |archive-url=https://web.archive.org/web/20220407030045/https://www.theregister.com/2006/05/11/d-link_time_dispute_settlement/ |archive-date=2022-04-07 |quote=Networking manufacturer D-Link has settled a dispute with a Danish administrator Poul-Henning Kamp over the way its kit queries internet time servers. |df=dmy-all}}</ref>

=== GPL violation ===

On 6 September 2006, the [[gpl-violations.org]] project prevailed in court litigation against D-Link Germany GmbH regarding D-Link's inappropriate and copyright-infringing use of parts of the [[Linux kernel]].<ref>[http://gpl-violations.org/news/20060922-dlink-judgement_frankfurt.html GPL-Violations.org project prevails in court case on GPL violation by D-Link] {{webarchive |url=https://web.archive.org/web/20141007073104/http://gpl-violations.org/news/20060922-dlink-judgement_frankfurt.html |date=7 October 2014 }}</ref> D-Link Germany GmbH was ordered to pay the plaintiff's costs.<ref>[https://www.jbb.de/judgment_dc_frankfurt_gpl.pdf Docket Number 2-6 0 224/06 DISTRICT COURT OF FRANKFURT AM MAIN] {{webarchive | url=https://web.archive.org/web/20061206101757/http://www.jbb.de/judgment_dc_frankfurt_gpl.pdf | date = 6 December 2006}}</ref> Following the judgement, D-Link agreed to a cease and desist request, ending distribution of the product, and paying legal costs.<ref>{{Cite web |title=German court raps D-Link over GPL violation
|url=https://www.itnews.com.au/news/german-court-raps-d-link-over-gpl-violation-60373 |access-date=17 September 2020 |website=iTnews}}</ref>