D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection

chronopunk writes "Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"

Re:Why...

[matthewncohen]

You have to manually upgrade the firmware and going back to plan old 1.20 is exactly the same process. It's not exactly hard to "disable". I have this router and also recently updated my firmware but I have not encountered this yet...

Huh?

[Ritz_Just_Ritz]

I've been using rev1.21 for a few weeks now and I haven't seen this behavior at all.

Wednesday, November 05, 2008 5:51:22 PM

Firmware Version : 1.21, 2008/09/11

*shrug*

Re:Why...

[mattytee]

If you RTFA, you'll see that you CAN disable it.

Still pretty hinky, though.

Is there any kind of agreement?

[dmomo]

Before installing the new firmware, are you asked if this is Okay? If not, do they make it clear how it can be disabled?

I am now reluctant to upgrade my DLink firmware. Is it's easy and clear that one can opt out.

Without SecureSpot 2.0

[KoD7085]

I haven't upgraded to 1.21; however, the reason was when 1.21 first dropped it had SecureSpot. Now I found this out by reading the information on 1.21 so I didn't download and install it. They now (and have for some time) offer 1.21 without SecureSpot; perhaps you should download and install that.

From The FA

[Blue Stone]

>You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side.

>D-Link Customer Service

Unethical to enable it by default and not tell the customer about it *until* it hijacks the connection (if you ask me) but easily disabled apparently.

Slashdot Editors, Do Some Editing

[Knara]

From the goddamn article:

Hi Brandon, What you experienced was not an Attempt to "Hijack" your connection. In fact what it is an added feature called "Secure Spot", It is software that is built into the router, which is used to replace or work along with your firewall/Antivirus/Antispam software. It also provides more parental controls. This feature does require a subscription if you want to use it but it is entirely optional. This feature replaces a hardware device that we had that did the same tasks. The DSD-150. You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side. D-Link Customer Service

So, you can turn it off. Not only that, but as of 9/30 there's a separate link at their firmware download page for the DIR-655 [dlink.com] that says (in plain view, in a sensible spot): Click here for Firmware 1.21 WITHOUT SecureSpot 2.0

Should they have included that in a readme/changelog for the firmware? Maybe, but since they were all too happy to tell you how to turn it off, this really doesn't seem like a huge offense to me.

Conclusion? Non-story.

Plus, upgrading your firmware "just because". Why?

Re:Thank you!

[Per Wigren]

Replying to myself to add some info. Firmware v1.20 doesn't have the "Advanced -> Secure Spot" page they mention so it really seems to be be new in v1.21. The 1.20 firmware can still be downloaded from here [dlink.com.tw].

There is also a firmware without secure spot 2.0

[Anonymous Coward]

If you look under the revision history of the 1.21 firmware - there is a link to download the new firmware without Secure Spot 2.0. Just look for: "Click here for Firmware 1.21 WITHOUT SecureSpot 2.0" and click on that...

Re:Slashdot Editors, Do Some Editing

[Per Wigren]

Plus, upgrading your firmware "just because". Why?

Because router firmware upgrades often mean closing security holes.

Re:Slashdot Editors, Do Some Editing

[Ryokurin]

The non securespot version has been there since the firmware was released. Its simply a case of the submitter not reading and comprehending. Either way, it asks you if you want to try it twice, and then leaves you alone.

Belkin has done this before

[Anonymous Coward]

Back in 2003 Belkin introduced a router that periodically redirected HTTP connections to advertise its own software:
    Help! my Belkin router is spamming me [theregister.co.uk]

Some commentary:
    Ease-of-use or marketing-driven sabotage: Does your hardware's software do only what you expect of it? [ibm.com]

Just like Belkin back in 2003

[alanw]

Here's [theregister.co.uk] an old article about Belkin doing a very similar thing:

Belkin, the consumer networking and connectivity firm, has promised customers a firmware upgrade to disable a controversial 'spamming' feature built into its routers.

As first reported on The Reg last week, the feature hijacks random HTTP requests every eight hours and redirects users to a page advertising Belkin's parental control software. There is an opt-out link but that failed to appease Net users who accused Belkin of creating a new mechanism for spam.

Submitter should not have submitted

[Anonymous Coward]

I think we're all agreeing that the submitter is an idiot for not reading before downloading and the editors should not have posted this "story" in the first place.

Thread closed.

Re:D-Link

[Anonymous Coward]

Better than that, google "dd-wrt hardware", and look at what hardware is inside your next router purchase. Get one with at least 16M ram and 4M flash, and upgrade to an open firmware. Tomato is my favorite, it has the slickest admin GUI, on top of full Linux flexibility.

Simple solution...

[Guspaz]

Only buy home routers that can run opensource firmwares. I'm quite happy with my WRT54GL, although the hardware is a bit antiquated at this point.

Re:Slashdot Editors, Do Some Editing

[kybosch]

I would agree. I, too, downloaded the version without secure-spot. When I saw that there was two versions, I went back and double checked what the difference was between the two versions. Saved myself some trouble.

I have to say, though, that Belkin has done this for years. I had a Belkin 54g router that always spammed me with child protection features after every firmware update. I am surprised that no one else has mentioned Belkin in this. (Or did I mod filter them out?)

Re:Just like Belkin back in 2003

[djwudi]

Possibly also of interest: The /. thread [slashdot.org] for the Belkin incident, and I put a small collection of related Google Group links in a weblog post [michaelhanscom.com] back then. The Belkin incident was the first thing I thought of when I saw this story post. Good to know I'm not the only one who remembered that.

Re:D-Link

[Tumbleweed]

> D-Link is Shit. Buy Linksys.

> > Linksys is even worse shit.

Buy the router/AP that has the features you want AND is supported by Tomato, DD-WRT, et al, and don't look back.

it's not illegal...

[roc97007]

...but dlink just fell off my vendor list.

Linksys + alternative firmware

[TheSHAD0W]

Linksys isn't so bad if you replace the firmware. Try dd-wrt [dd-wrt.com] if you want quick and easy, or OpenWRT [openwrt.org] if you want to customize. I guarantee you'll like 'em. (Get a WRT-54GL to try it on; they're cheap nowadays.)

Why not download the version without Securespot?

[menace690]

Its clearly listed on their website.. http://support.dlink.com/products/view.asp?productid=DIR-655 [dlink.com]

Re:Why...

[Hattmannen]

There are routers that run open source firmware. An example of a company that uses open source firmware is Canyon. I've had one for a couple of years now. I got the first hardware revision, so I haven't been able to upgrade my firmware to the latest, but my model is still manufactured, albeit in a later hardware revision and the firmware is open source. Works like a charm.

Router Setup Page downloads Securespot version

[chronopunk]

This is the original poster. I did a firmware upgrade from withing the router setup page not by downloading it from their website.

Re:D-Link

[thogard]

Better firmware is only part of the problem.

As a member of Melbourne Wireless [wireless.org.au] where we have lots of cheap wireless routers, I can say the best consistent brand of low end routers is ASUS. I expect they are the OEM for many of the early versions of other routers as well based on looking at the insides.

Re:D-Link

[Anonymous Coward]

As a tech support worker for a very large ISP I can say that all the end-user brands have shit models, and decent models.

It really is back and forth. Usually one company will have a crap model run or version, or a shitty firmwware.
A few months later the other company does something that blows chunks.
Either way I get a lot of idiots on the phone with router problems, and no one end-user brand is any better than the rest.

I will say, however, the following:
Netgear sucks ass, period. If yours works then congrats.
Linksys is really hit/miss depending on the model and version. Some of them are rock-solid and run cool, others will heat up badly. I think it's a quality control issue, but they do tend to sell more junk hardware to big box stores like WalMart.
It also depends on what function you enable. If you are using it as a switch with NAT, most of them aren't too bad. Start turning on the rest of the firmware features and then things change, again the model & version make more difference than the manufacturer.
D-link generally does ok, same with belkin, but both of them have turds too. But if you really want a decent router you need to look into the $200 and above price range to start off with.

If you have a choice between a Sonicwall and a Cisco, get the Cisco. Sonicwall is the cheap end of the business market, we see problems with them in our business groups quite often, but the other corporate-grade routers like Cisco, Juniper, and Pix are generally rock-solid. And get a UPS, I see more routers get bricked from bad power than anything else.

Re:Then stop using their crap firmware.

[synthesizerpatel]

Thirded. I just completed a project that cost about $8k dollars by rolling a customized OpenWRT/DD-WRT setup that includes 802.1q VLANs (no wonky iptables junk to seperate networks), 802.1x with authentication against ActiveDirectory, public and private SSIDs available from a single access point, the list goes on.

OpenWRT is enterprise wireless firmware for free that runs on home consumer priced hardware, making it enterprise quality hardware. (Although lacking POE)

My company was going to spend about $75k on a comparable solution from Aruba and I was able to squeeze out every single feature they offer from OpenWRT. So instead of $75k, we're spending $4,500 for the same feature set. Not bad.

So, while D-Link's own firmware is goofy, if you just buy their box and wipe it it you'll be saving yourself money in the long run.

RISKS: Hardware-borne Trojan Horse programs

[HTH NE1]

Ah, I found one. The Risks Digest, Volume 16: Issue 55, Weds 9 November 1994 [ncl.ac.uk]. The relevant section is reprinted below for preservation's sake, edited only for spelling ("entirity"), converting asterisk-marked text to strong text, formatting, block quoting, and adding links.

Hardware-borne Trojan Horse programs
Chris Tate <FIXER@FAXCSL.DCRT.NIH.GOV [nih.gov]>
Tue, 8 Nov 1994 12:34:36 -0500 (EST)

I had an unpleasant experience this past weekend, and I imagine some other readers of RISKS [wikipedia.org] will find it interesting.

I recently purchased an Apple [wikipedia.org] Macintosh [wikipedia.org] computer at a "computer superstore [wikipedia.org]," as separate components - the Apple CPU, and Apple monitor [wikipedia.org], and a third-party [wikipedia.org] keyboard [wikipedia.org] billed as coming from a company called Sicon.

This past weekend, while trying to get some text-editing work done, I had to leave the computer alone for a while. Upon returning, I found to my horror that the text "welcome datacomp" had been inserted into the text I was editing. I was certain that I hadn't typed it, and my wife verified that she hadn't, either. A quick survey showed that the "clipboard" (the repository for information being manipulated via cut/paste operations) wasn't the source of the offending text.

As usual, the initial reaction was to suspect a virus [wikipedia.org]. Disinfectant [wikipedia.org], a leading anti-viral application for Macintoshes, gave the system a clean bill of health; furthermore, its descriptions of the known viruses (as of Disinfectant version 3.5, the latest release) did not mention any symptoms similar to my experiences.

I restarted the system in a fully minimal configuration, launched an editor, and waited. Sure enough, after a (rather long) wait, the text "welcome datacomp" once again appeared, all at once, on its own.

As a next step, I contacted John Norstad, the author of Disinfectant, and one of the international response team for dealing with new Macintosh virus sightings. Very promptly I received a response, which I shall quote here in its entirety (it's brief):

Yes, we have heard of this. It's a practical joke [wikipedia.org] in the ROM [wikipedia.org] code [wikipedia.org] in some third-party keyboards. The only solution is to get your bad keyboard replaced.

I was furious. Apparently there are hardware products on the market which have embedded "Trojan Horses [wikipedia.org]," programs which affect the operation of the system without the user's consent (or knowledge!).

I have returned the keyboard to the store where I purchased it, and I plan to contact Sicon about the problem. The potential for abuses in computer systems here is apparent, especially when the system involves "intelligent" peripherals [wikipedia.org] - such as many popular types of disk drive [wikipedia.org], Apple Desktop Bus [wikipedia.org] devices (such as the offending keyboard), and so forth.

John Norstad informs me that he has little knowledge of the extent of this particular problem, other than the fact that he has received quite a bit of mail from people who have been bitten. What is almost

Re:Linksys + alternative firmware

[Veggiesama]

Meh. I bought a WRT-54 from the store because I read about how great a product it was, took it home, set it all up... then found out it was a "new and improved" model that had scaled back the onboard RAM so much that installing open-source firmware proved to be impossible. And it's not possible to know what version-model you've purchased until you break open the theft-proof box and look at the label, either. Unfortunately I did not have the luxury to purchase a used box or find the GL model online, but nonetheless I was highly dismayed to find out that my later model had less than half the RAM of earlier models [wikipedia.org].

I took it back and decided not to skimp out by spending a mere $80 on a router. So I bought a DIR-655 for around $120 because of all the great reviews it was receiving.

*sigh*

To be fair, the DIR-655 has served me QUITE well. The QoS feature is reason alone to justify the extra cost.

Simple solution to this firmware update, which applies to ALL firmware, regardless of hardware: if it ain't broken, don't patch it.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:Why...

[Fulcrum of Evil]

damn straight. I went from resets every 2 days to rsets every 2 months - it just chugs along. The thing that really killed my linksys gear was bittorrent - something about huge numbers of remote connections.

Re:Linksys + alternative firmware

[TheSHAD0W]

http://www.dd-wrt.com/wiki/index.php/Installation [dd-wrt.com]

Some of the WRT300N and WRT600N models are usable.

Phonehome goodness

[wirelessfreek]

I have the DIR-625 and have tested out the Secure-Spot (3.06) firmware and even when its disabled it still phones-home and uses an SSL connection. Naturally you can not issue it a fake certificate to see what its really sending back. Test setup: 2 Routers, Favorite ARP spoofing program and a Network Protocol Analyzer (I use Wireshark) and watch the fun when you power on your D-Link router.

Re:Why...

[philspear]

What are we becoming? Now every sleazy behaviour is ok as long as you can opt-out? That hasn't worked for spam for the past 20 years, has everyone suddenly got a learning disorder?

Just to point out, if you RTFP (post) mattytee doesn't say it's ok, he says it's "hinky." Which might NOT mean okay. I admit, I don't know what it ACTUALLY means, so it might mean "good." I don't think I'd enjoy being called "hinky" so it doesn't sound like he's saying "You can opt out, so it's cool."

Link to download it without securespot

[moxley]

I have this router and it's worked really well - has been very stable and has a whole lot of really nice features - I do a lot of remote stuff both ways too and from work - not to mentioned bittorrent and binaries, webcams. Never have a problem, never have to reboot it.

Additionally the router has a feature that can email you when a new update comes out, the download page had a link for 1.21 with securespot and 1.21 without - I checked out what it was and decided against it. As others have mentioned. Below is the link I used:

ftp://ftp.dlink.com/Gateway/dir655/Firmware/dir655_firmware_121_no_securespot.zip [dlink.com]

I agree with how most people feel, that they need to be a little more upfront - a lot of the people here aren't going to want that feature - however, there are some people who may - among other things I think it has parental controls, it's like websense for the home user.

When you're updating the firmware on any device and not paying attention to the changes and what they actually do you're going to end up getting fucked, - especially when it comes to consumer home devices like these.

Re:Slashdot Editors, Do Some Editing

[ibbey]

It would not be normal to expect entirely new features to be installed

Oh, it wouldn't, eh?

iPhone users, you hear that? You should be pissed at Apple for adding new features to your phone. How dare they try to make you experience better. Same for you Tivo users, and early adopters everywhere. Tell the companies: I bought your product when it sucked, and I LIKE it that way. STOP TRYING TO MAKE MY EXPERIENCE BETTER!

I'm sorry, but you're an idiot. Firmware upgrades frequently add new features, and if those features are intended to make you internet connection more secure, then it is ABSOLUTELY reasonable for them to be added. I agree that the way D-Link handles the process (assuming that it is really the way it's described in the article) is bad, but the mere addition of the feature isn't. Criticize them all you want for their nagware, but don't be an idiot and complain that just because they are trying to add new features to their products they are somehow a bad company.

Re:Then stop using their crap firmware.

[synthesizerpatel]

I should note, $4.5k in hardware costs, $3.5k in development time to get it all dialed in right. :D

As well, the hardware in question was DIR-330's, which are roughly $95-100 off the shelf.

Re:Why...

[Chris Pimlott]

BitTorrent is usually the culprit for random router slugginess. Here's the instructions for solving it in DD-WRT by increasing the max connections. [dd-wrt.com]

Re:That's the end of D-Link.

[russotto]

If true, that's the end of D-Link. We would never buy from them again.

Funny, Belkin still seems to be around.

Re:That's the end of D-Link.

[bhtooefr]

I've actually dealt with a D-Link USB WiFi adapter that the USB connector wasn't soldered to the board.

It's a wonder the thing even worked at first without giving the user a problem. (Five minutes later, after the user complained, it was working fine... but it didn't work for long.)

Re:Simple solution...

[WK2]

I bought a WRT54GL just a few months ago, and installed DD-WRT on it. It's OK, although DD-WRT has some issues. Nothing worth singing about. The hardware is only "antiquated" in that it has twice the RAM and Flash storage as newer, cheaper devices.

And I totally agree about only buying routers that can run opensource firmwares.

add_record (shitlist, "DLink");

[ewhac]

Belkin pulled this exact same crap back in the 2002/2003 timeframe, and got thoroughly and properly flayed alive for it. They quickly published an update that removed the "feature," but the fact that the "feature" got all the way through marketing, management, software development, and QA told me that everyone in that company was asleep at the switch, and Belkin got put on my shitlist. I won't even buy their cables anymore if I can avoid it.

Now I get to add DLink to the same list. Unless and until DLink issues a public apology and shows contrition for this, there they shall stay, alongside Belkin.

Schwab

Re:Why...

[scotsghost]

hinky: 1) Something as yet undefinable is wrong, out of place; not quite right; 2) "I've a bad feeling about that": something out of whack, wrong, off-kilter; 3) a state of being vaguely suspicious.

source: http://www.urbandictionary.com/define.php?term=hinky [urbandictionary.com]

this definition fits my previous (vague, contextual) knowledge of the term. some uses color towards sleazy, some towards kludgy; but they all have the general sense of something suspicious in some way.

Re:Why...

[azemute]

WRT54G isn't *really* a comparable device. It lacks both gigabit ethernet as well as Wireless-N [draft2] support. Don't get me wrong, I love the WRT54 series, but you may as well compare apples to apples.