D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection 428
chronopunk writes "Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-link DIR-655 router to the latest firmware you'll see that D-link does this, and calls the hijacking a 'feature.'"
Re:Why... (Score:5, Informative)
Huh? (Score:4, Informative)
I've been using rev1.21 for a few weeks now and I haven't seen this behavior at all.
Wednesday, November 05, 2008 5:51:22 PM
Firmware Version : 1.21, 2008/09/11
*shrug*
Re:Why... (Score:5, Informative)
Still pretty hinky, though.
Is there any kind of agreement? (Score:4, Informative)
Before installing the new firmware, are you asked if this is Okay? If not, do they make it clear how it can be disabled?
I am now reluctant to upgrade my DLink firmware. Is it's easy and clear that one can opt out.
Without SecureSpot 2.0 (Score:5, Informative)
From The FA (Score:3, Informative)
>You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side.
>D-Link Customer Service
Unethical to enable it by default and not tell the customer about it *until* it hijacks the connection (if you ask me) but easily disabled apparently.
Slashdot Editors, Do Some Editing (Score:1, Informative)
Hi Brandon, What you experienced was not an Attempt to "Hijack" your connection. In fact what it is an added feature called "Secure Spot", It is software that is built into the router, which is used to replace or work along with your firewall/Antivirus/Antispam software. It also provides more parental controls. This feature does require a subscription if you want to use it but it is entirely optional. This feature replaces a hardware device that we had that did the same tasks. The DSD-150. You can disable this feature by logging into the router and clicking the Advanced Tab and Secure Spot on the left side. D-Link Customer Service
So, you can turn it off. Not only that, but as of 9/30 there's a separate link at their firmware download page for the DIR-655 [dlink.com] that says (in plain view, in a sensible spot): Click here for Firmware 1.21 WITHOUT SecureSpot 2.0
Should they have included that in a readme/changelog for the firmware? Maybe, but since they were all too happy to tell you how to turn it off, this really doesn't seem like a huge offense to me.
Conclusion? Non-story.
Plus, upgrading your firmware "just because". Why?
Re:Thank you! (Score:5, Informative)
Replying to myself to add some info. Firmware v1.20 doesn't have the "Advanced -> Secure Spot" page they mention so it really seems to be be new in v1.21. The 1.20 firmware can still be downloaded from here [dlink.com.tw].
There is also a firmware without secure spot 2.0 (Score:1, Informative)
If you look under the revision history of the 1.21 firmware - there is a link to download the new firmware without Secure Spot 2.0. Just look for: "Click here for Firmware 1.21 WITHOUT SecureSpot 2.0" and click on that...
Re:Slashdot Editors, Do Some Editing (Score:5, Informative)
Plus, upgrading your firmware "just because". Why?
Because router firmware upgrades often mean closing security holes.
Re:Slashdot Editors, Do Some Editing (Score:4, Informative)
The non securespot version has been there since the firmware was released. Its simply a case of the submitter not reading and comprehending. Either way, it asks you if you want to try it twice, and then leaves you alone.
Belkin has done this before (Score:5, Informative)
Back in 2003 Belkin introduced a router that periodically redirected HTTP connections to advertise its own software:
Help! my Belkin router is spamming me [theregister.co.uk]
Some commentary:
Ease-of-use or marketing-driven sabotage: Does your hardware's software do only what you expect of it? [ibm.com]
Just like Belkin back in 2003 (Score:5, Informative)
Here's [theregister.co.uk] an old article about Belkin doing a very similar thing:
Belkin, the consumer networking and connectivity firm, has promised customers a firmware upgrade to disable a controversial 'spamming' feature built into its routers.
As first reported on The Reg last week, the feature hijacks random HTTP requests every eight hours and redirects users to a page advertising Belkin's parental control software. There is an opt-out link but that failed to appease Net users who accused Belkin of creating a new mechanism for spam.
Submitter should not have submitted (Score:2, Informative)
I think we're all agreeing that the submitter is an idiot for not reading before downloading and the editors should not have posted this "story" in the first place.
Thread closed.
Re:D-Link (Score:2, Informative)
Better than that, google "dd-wrt hardware", and look at what hardware is inside your next router purchase. Get one with at least 16M ram and 4M flash, and upgrade to an open firmware. Tomato is my favorite, it has the slickest admin GUI, on top of full Linux flexibility.
Simple solution... (Score:5, Informative)
Only buy home routers that can run opensource firmwares. I'm quite happy with my WRT54GL, although the hardware is a bit antiquated at this point.
Re:Slashdot Editors, Do Some Editing (Score:2, Informative)
I would agree. I, too, downloaded the version without secure-spot. When I saw that there was two versions, I went back and double checked what the difference was between the two versions. Saved myself some trouble.
I have to say, though, that Belkin has done this for years. I had a Belkin 54g router that always spammed me with child protection features after every firmware update. I am surprised that no one else has mentioned Belkin in this. (Or did I mod filter them out?)
Re:Just like Belkin back in 2003 (Score:2, Informative)
Possibly also of interest: The /. thread [slashdot.org] for the Belkin incident, and I put a small collection of related Google Group links in a weblog post [michaelhanscom.com] back then.
The Belkin incident was the first thing I thought of when I saw this story post. Good to know I'm not the only one who remembered that.
Re:D-Link (Score:3, Informative)
> D-Link is Shit. Buy Linksys.
> > Linksys is even worse shit.
Buy the router/AP that has the features you want AND is supported by Tomato, DD-WRT, et al, and don't look back.
it's not illegal... (Score:3, Informative)
Linksys + alternative firmware (Score:5, Informative)
Linksys isn't so bad if you replace the firmware. Try dd-wrt [dd-wrt.com] if you want quick and easy, or OpenWRT [openwrt.org] if you want to customize. I guarantee you'll like 'em. (Get a WRT-54GL to try it on; they're cheap nowadays.)
Why not download the version without Securespot? (Score:2, Informative)
Re:Why... (Score:4, Informative)
There are routers that run open source firmware. An example of a company that uses open source firmware is Canyon. I've had one for a couple of years now. I got the first hardware revision, so I haven't been able to upgrade my firmware to the latest, but my model is still manufactured, albeit in a later hardware revision and the firmware is open source. Works like a charm.
Router Setup Page downloads Securespot version (Score:5, Informative)
Re:D-Link (Score:4, Informative)
Better firmware is only part of the problem.
As a member of Melbourne Wireless [wireless.org.au] where we have lots of cheap wireless routers, I can say the best consistent brand of low end routers is ASUS. I expect they are the OEM for many of the early versions of other routers as well based on looking at the insides.
Re:D-Link (Score:2, Informative)
As a tech support worker for a very large ISP I can say that all the end-user brands have shit models, and decent models.
It really is back and forth. Usually one company will have a crap model run or version, or a shitty firmwware.
A few months later the other company does something that blows chunks.
Either way I get a lot of idiots on the phone with router problems, and no one end-user brand is any better than the rest.
I will say, however, the following:
Netgear sucks ass, period. If yours works then congrats.
Linksys is really hit/miss depending on the model and version. Some of them are rock-solid and run cool, others will heat up badly. I think it's a quality control issue, but they do tend to sell more junk hardware to big box stores like WalMart.
It also depends on what function you enable. If you are using it as a switch with NAT, most of them aren't too bad. Start turning on the rest of the firmware features and then things change, again the model & version make more difference than the manufacturer.
D-link generally does ok, same with belkin, but both of them have turds too. But if you really want a decent router you need to look into the $200 and above price range to start off with.
If you have a choice between a Sonicwall and a Cisco, get the Cisco. Sonicwall is the cheap end of the business market, we see problems with them in our business groups quite often, but the other corporate-grade routers like Cisco, Juniper, and Pix are generally rock-solid. And get a UPS, I see more routers get bricked from bad power than anything else.
Re:Then stop using their crap firmware. (Score:4, Informative)
Thirded. I just completed a project that cost about $8k dollars by rolling a customized OpenWRT/DD-WRT setup that includes 802.1q VLANs (no wonky iptables junk to seperate networks), 802.1x with authentication against ActiveDirectory, public and private SSIDs available from a single access point, the list goes on.
OpenWRT is enterprise wireless firmware for free that runs on home consumer priced hardware, making it enterprise quality hardware. (Although lacking POE)
My company was going to spend about $75k on a comparable solution from Aruba and I was able to squeeze out every single feature they offer from OpenWRT. So instead of $75k, we're spending $4,500 for the same feature set. Not bad.
So, while D-Link's own firmware is goofy, if you just buy their box and wipe it it you'll be saving yourself money in the long run.
RISKS: Hardware-borne Trojan Horse programs (Score:4, Informative)
Ah, I found one. The Risks Digest, Volume 16: Issue 55, Weds 9 November 1994 [ncl.ac.uk]. The relevant section is reprinted below for preservation's sake, edited only for spelling ("entirity"), converting asterisk-marked text to strong text, formatting, block quoting, and adding links.
Re:Linksys + alternative firmware (Score:2, Informative)
Meh. I bought a WRT-54 from the store because I read about how great a product it was, took it home, set it all up... then found out it was a "new and improved" model that had scaled back the onboard RAM so much that installing open-source firmware proved to be impossible. And it's not possible to know what version-model you've purchased until you break open the theft-proof box and look at the label, either. Unfortunately I did not have the luxury to purchase a used box or find the GL model online, but nonetheless I was highly dismayed to find out that my later model had less than half the RAM of earlier models [wikipedia.org].
I took it back and decided not to skimp out by spending a mere $80 on a router. So I bought a DIR-655 for around $120 because of all the great reviews it was receiving.
*sigh*
To be fair, the DIR-655 has served me QUITE well. The QoS feature is reason alone to justify the extra cost.
Simple solution to this firmware update, which applies to ALL firmware, regardless of hardware: if it ain't broken, don't patch it.
Comment removed (Score:3, Informative)
Re:Why... (Score:3, Informative)
Re:Linksys + alternative firmware (Score:3, Informative)
http://www.dd-wrt.com/wiki/index.php/Installation [dd-wrt.com]
Some of the WRT300N and WRT600N models are usable.
Phonehome goodness (Score:4, Informative)
Re:Why... (Score:4, Informative)
What are we becoming? Now every sleazy behaviour is ok as long as you can opt-out? That hasn't worked for spam for the past 20 years, has everyone suddenly got a learning disorder?
Just to point out, if you RTFP (post) mattytee doesn't say it's ok, he says it's "hinky." Which might NOT mean okay. I admit, I don't know what it ACTUALLY means, so it might mean "good." I don't think I'd enjoy being called "hinky" so it doesn't sound like he's saying "You can opt out, so it's cool."
Link to download it without securespot (Score:4, Informative)
I have this router and it's worked really well - has been very stable and has a whole lot of really nice features - I do a lot of remote stuff both ways too and from work - not to mentioned bittorrent and binaries, webcams. Never have a problem, never have to reboot it.
Additionally the router has a feature that can email you when a new update comes out, the download page had a link for 1.21 with securespot and 1.21 without - I checked out what it was and decided against it. As others have mentioned. Below is the link I used:
ftp://ftp.dlink.com/Gateway/dir655/Firmware/dir655_firmware_121_no_securespot.zip [dlink.com]
I agree with how most people feel, that they need to be a little more upfront - a lot of the people here aren't going to want that feature - however, there are some people who may - among other things I think it has parental controls, it's like websense for the home user.
When you're updating the firmware on any device and not paying attention to the changes and what they actually do you're going to end up getting fucked, - especially when it comes to consumer home devices like these.
Re:Slashdot Editors, Do Some Editing (Score:3, Informative)
Oh, it wouldn't, eh?
iPhone users, you hear that? You should be pissed at Apple for adding new features to your phone. How dare they try to make you experience better. Same for you Tivo users, and early adopters everywhere. Tell the companies: I bought your product when it sucked, and I LIKE it that way. STOP TRYING TO MAKE MY EXPERIENCE BETTER!
I'm sorry, but you're an idiot. Firmware upgrades frequently add new features, and if those features are intended to make you internet connection more secure, then it is ABSOLUTELY reasonable for them to be added. I agree that the way D-Link handles the process (assuming that it is really the way it's described in the article) is bad, but the mere addition of the feature isn't. Criticize them all you want for their nagware, but don't be an idiot and complain that just because they are trying to add new features to their products they are somehow a bad company.
Re:Then stop using their crap firmware. (Score:2, Informative)
I should note, $4.5k in hardware costs, $3.5k in development time to get it all dialed in right. :D
As well, the hardware in question was DIR-330's, which are roughly $95-100 off the shelf.
Re:Why... (Score:3, Informative)
BitTorrent is usually the culprit for random router slugginess. Here's the instructions for solving it in DD-WRT by increasing the max connections. [dd-wrt.com]
Re:That's the end of D-Link. (Score:3, Informative)
Funny, Belkin still seems to be around.
Re:That's the end of D-Link. (Score:4, Informative)
I've actually dealt with a D-Link USB WiFi adapter that the USB connector wasn't soldered to the board.
It's a wonder the thing even worked at first without giving the user a problem. (Five minutes later, after the user complained, it was working fine... but it didn't work for long.)
Re:Simple solution... (Score:3, Informative)
I bought a WRT54GL just a few months ago, and installed DD-WRT on it. It's OK, although DD-WRT has some issues. Nothing worth singing about. The hardware is only "antiquated" in that it has twice the RAM and Flash storage as newer, cheaper devices.
And I totally agree about only buying routers that can run opensource firmwares.
add_record (shitlist, "DLink"); (Score:3, Informative)
Now I get to add DLink to the same list. Unless and until DLink issues a public apology and shows contrition for this, there they shall stay, alongside Belkin.
Schwab
Re:Why... (Score:4, Informative)
hinky: 1) Something as yet undefinable is wrong, out of place; not quite right; 2) "I've a bad feeling about that": something out of whack, wrong, off-kilter; 3) a state of being vaguely suspicious.
source: http://www.urbandictionary.com/define.php?term=hinky [urbandictionary.com]
this definition fits my previous (vague, contextual) knowledge of the term. some uses color towards sleazy, some towards kludgy; but they all have the general sense of something suspicious in some way.
Re:Why... (Score:2, Informative)