Editing D-Link (section)
=== Vulnerabilities ===
In January 2010, it was reported that [[HNAP]] vulnerabilities had been found on some D-Link routers. D-Link was also criticized for its response, which was deemed confusing as to which models were affected and which downplayed the seriousness of the risk.<ref>{{Cite web |date=18 January 2010 |title=Which Routers Are Vulnerable to the D-Link HNAP Exploit? |url=http://www.sourcesec.com/2010/01/ |url-status=dead |archive-url=https://web.archive.org/web/20131226002253/http://www.sourcesec.com/2010/01/ |archive-date=26 December 2013 |website=Source Sec Tech Engine}}</ref> However, the company issued fixes for these router vulnerabilities soon after.<ref>{{Cite magazine |date=15 January 2010 |title=D-Link Issues Fixes for Router Vulnerabilities |url=https://www.pcworld.com/article/186996/article.html |magazine=[[PC World|PCWorld]] |language=en |issn=0737-8939 |access-date=17 September 2020}}</ref>

Computerworld reported in January 2015 that ZynOS, a firmware used by some D-Link routers (as well as [[ZTE]], [[TP-Link]], and others), is vulnerable to [[DNS hijacking]] by an unauthenticated remote attacker, specifically when remote management is enabled.<ref>{{Cite magazine |last=Constantin |first=Lucian |title=DNS hijacking flaw affects D-Link DSL router, possibly other devices |url=http://www.computerworld.com/article/2876292/dns-hijacking-flaw-affects-d-link-dsl-router-possibly-other-devices.html |magazine=[[Computerworld]] |issn=0010-4841 |access-date=1 April 2016}}</ref> Affected models had already been phased out by the time the vulnerability was discovered, and the company also issued a firmware patch for affected devices for those still using older hardware.<ref>{{Cite web |last=Jackson |first=Mark |date=31 January 2015 |title=UPDATE D-Link Broadband Routers Vulnerable to DNS Hijack Attack |url=https://www.ispreview.co.uk/index.php/2015/01/d-link-broadband-routers-vulnerable-new-dns-hijack-attack.html |access-date=17 September 2020 |website=ISPreview UK |language=en}}</ref>

Later in 2015, it was reported that D-Link leaked the private keys used to sign firmware updates for the DCS-5020L security camera and a variety of other D-Link products. The key expired in September 2015, but had been published online for seven months.<ref>{{Cite web |title=In blunder threatening Windows users, D-Link publishes code-signing key |url=https://arstechnica.com/security/2015/09/in-blunder-threatening-windows-users-d-link-publishes-code-signing-key/ |access-date=1 April 2016 |website=Ars Technica |date=18 September 2015}}</ref> The initial investigation did not produce any evidence that the certificates were abused.<ref>{{Cite web |title=D-Link Accidentally Leaks Private Code-Signing Keys |url=https://threatpost.com/d-link-accidentally-leaks-private-code-signing-keys/114727/ |access-date=17 September 2020 |website=threatpost.com |date=18 September 2015 |language=en}}</ref>

Also in 2015, D-Link was criticized for more HNAP vulnerabilities,<ref>{{Cite web |title=Hacking the D-Link DIR-890L |url=http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/}}</ref> and, worse, for introducing new vulnerabilities in their "fixed" firmware updates.{{r|WTF_2014}}

On 5 January 2017, the [[Federal Trade Commission]] sued D-Link for failing to take reasonable steps to secure their routers and IP cameras, as D-Link marketing was misleading customers into believing their products were secure. The complaint also says security gaps could allow hackers to watch and record people on their D-Link cameras without their knowledge, target them for theft, or record private conversations.<ref>{{Cite web |url=https://www.consumer.ftc.gov/blog/ftc-sues-d-link-over-router-and-camera-security-flaws |title=FTC sues D-Link over router and camera security flaws {{!}} Consumer Information |access-date=7 January 2017 |archive-date=7 January 2017 |archive-url=https://web.archive.org/web/20170107170851/https://www.consumer.ftc.gov/blog/ftc-sues-d-link-over-router-and-camera-security-flaws |url-status=dead }}</ref> D-Link has denied these accusations and has enlisted Cause of Action Institute to file a motion against the FTC for their "baseless" charges.<ref>{{Cite news |date=31 January 2017 |title=Cause of Action Institute Files Motion to Dismiss FTC's Baseless Data Security Charges Against D-Link Systems Inc. - Cause of Action Institute |language=en-US |work=Cause of Action Institute |url=http://causeofaction.org/cause-action-institute-files-motion-dismiss-ftcs-baseless-data-security-charges-d-link-systems-inc/ |access-date=12 February 2017}}</ref> On 2 July 2019, the case was settled with D-Link not found to be liable for any of the alleged violations.<ref>{{Cite web |title=proposed settlement, D-Link is required |url=https://www.ftc.gov/system/files/documents/cases/dlink_proposed_order_and_judgment_7-2-19.pdf}}</ref> D-Link agreed to continue to make security enhancements in its software security program and software development, with biennial, independent, third-party assessments, approved by the FTC.<ref>{{Cite web |title=D-Link Agrees to Make Security Enhancements to Settle FTC Litigation |date=2 July 2019 |url=https://www.ftc.gov/news-events/press-releases/2019/07/d-link-agrees-make-security-enhancements-settle-ftc-litigation}}</ref>

On 18 January 2021, Sven Krewitt, a researcher at Risk Based Security, discovered multiple pre-authentication vulnerabilities in D-Link's DAP-2020 Wireless N Access Point product.<ref>{{Cite web |last=Krewitt |first=Sven |date=January 18, 2021 |title=RBS-2021-002-D-Link DAP-2020 |url=https://www.riskbasedsecurity.com/research/rbs-2021-002-d-link-dap-2020/ |url-status=live |archive-url=https://web.archive.org/web/20210307204206/https://www.riskbasedsecurity.com/research/rbs-2021-002-d-link-dap-2020/ |archive-date=7 March 2021 |access-date=September 2, 2020 |website=Risk Based Security}}</ref> D-Link confirmed these vulnerabilities in a support announcement and provided a patch to hot-fix the product's firmware.<ref>{{Cite web |title=D-Link Technical Support |url=https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10201 |access-date=2021-09-02 |website=supportannouncement.us.dlink.com}}</ref>

In April 2024, D-Link acknowledged a security vulnerability that affected all hardware revisions of four models of [[network attached storage]] devices. Because the products have reached their end of service life date, the company stated in a release that the products are no longer supported and that a fix would not be offered.<ref name="dlink2024">{{cite web | url = https://supportannouncement.us.dlink.com/security/publication.aspx?name=SAP10383 | title = DNS-320L / DNS-325 / DNS-327 / DNS-340L and All D-Link NAS Storage :: All Models and All Revison :: End of Service Life :: CVE-2024-3273 : Vulnerabilities Reported by VulDB/Netsecfish | work = D-Link | date = 8 April 2024 | accessdate = 8 April 2024}}</ref>