D-Link DIR-655 Firmware 1.21 Hijacks Your Internet Connection
Posted by timothy on Wednesday November 05, @05:45PM, from the not-polite dept.
chronopunk writes "Normally when you think of firmware updates for a router you would expect security updates and bug fixes. Would you ever expect the company that makes the product to try and sell you a subscription for security software using its firmware as a salesperson? I recently ran into this myself when trying to troubleshoot my router. I noticed when trying to go to Google that my router was hijacking DNS and sent me to a website trying to sell me a software subscription. After upgrading your D-Link DIR-655 router to the latest firmware you'll see that D-Link does this, and calls the hijacking a 'feature.'"
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.

Well.... (Score:5, Funny)
Please click here to renew subscription!
Without SecureSpot 2.0 (Score:5, Informative)
Belkin has done this before (Score:5, Informative)
Back in 2003 Belkin introduced a router that periodically redirected HTTP connections to advertise its own software:
Help! my Belkin router is spamming me [theregister.co.uk]
Some commentary:
Ease-of-use or marketing-driven sabotage: Does your hardware's software do only what you expect of it? [ibm.com]
Just like Belkin back in 2003 (Score:5, Informative)
Here's [theregister.co.uk] an old article about Belkin doing a very similar thing:
Belkin, the consumer networking and connectivity firm, has promised customers a firmware upgrade to disable a controversial 'spamming' feature built into its routers.
As first reported on The Reg last week, the feature hijacks random HTTP requests every eight hours and redirects users to a page advertising Belkin's parental control software. There is an opt-out link but that failed to appease Net users who accused Belkin of creating a new mechanism for spam.
More reasons never to go consumer again (Score:5, Interesting)
After massive amounts of pain with consumer/prosumer-grade (many of the D-Link) routers in the past two years, I finally dropped real money for a real broadband router earlier this year. So far, I've had months and months of trouble-free service.
Now I start hearing crap like this. Makes me even MORE thankful I bit the bullet.
Also "you can turn it off!" apologists? WHY IS IT ON BY DEFAULT? Moreover, tell that to some luddite who barely understands how to boot his computer.
So much for D-Link (Score:5, Insightful)
Even if there's an option to disable this, the fact that it seems to be enabled by default is enough for me. D-Link from this point on will never be on my list of vendors when looking for networking gear.
Idiots... (Score:5, Insightful)
Apparently they didn't learn from the shitstorm that hit Belkin when they did the exact same thing years ago.
Another vendor goes down the tubes...
Simple solution... (Score:5, Informative)
Only buy home routers that can run opensource firmwares. I'm quite happy with my WRT54GL, although the hardware is a bit antiquated at this point.
Google Should Sue (Score:5, Interesting)
Google should sue because they have lots of high-priced lawyers and can really make D-Link regret this.
Re:Why... (Score:5, Informative)
That's the end of D-Link. (Score:5, Insightful)
Why are marketing people allowed to destroy companies? Then they go to a new company and do it again.
Re:Why... (Score:5, Informative)
Still pretty hinky, though.
Re:Why... (Score:5, Interesting)
What's annoying with things like this (and others) is that it just gets in the way and obstructs your work.
I choose things based on their lack of snarkiness. I don't want a Windows PC full of crapware. I'd rather just pay the manufacturer a few extra bucks to cover the loss of crapware kickbacks. I used to run an AV, but occasionally, it would bring up a message telling me I wasn't fully protected because I wasn't running their antispam (despite running Thunderbird). When my renewal came up, I chose another company, and I told them that this was one of the reasons.
Re:Why... (Score:5, Interesting)
The only solution is to burn the place down or kill a few key people, then let them all know why. But no one is going to throw their life away on a bad router purchase.
Re:Why... (Score:5, Funny)
If only revolution was not such an outdated ideal.
Re:Why... (Score:5, Funny)
Damn, and I thought D-Link was one of the better companies to buy a router from.
Re:Why... (Score:5, Funny)
The only solution is to burn the place down or kill a few key people, then let them all know why. But no one is going to throw their life away on a bad router purchase.
That's the problem with the youth today, no commitment to principles.
Re:Why... (Score:5, Insightful)
Re:Why... (Score:5, Insightful)
Wow. Recent Netgear switches I've bought were doing the whole 70% packet loss thing (of the five white Netgear hubs I've dealt with, three have been completely worthless; haven't tried the blue metal ones lately), and now D-Link moves right along with them onto my do-not-buy list. Linksys (won't work reliably with upstream switches) and Belkin (Wi-Fi routers crash constantly when passing wireless traffic) are both so buggy (to the point of being unusable) that they've been on my do-not-buy list for years. I've just about run out of networking hardware manufacturers....
Why can't just ONE SINGLE networking product company make a pledge to stop cutting corners on quality and looking for ways to make a quick buck off their users and just deliver decent hardware!?!?!?!?!?! Don't ANY of these companies' management chains have the SLIGHTEST bit of fiscal common sense?
Sheesh!
Linksys + alternative firmware (Score:5, Informative)
Linksys isn't so bad if you replace the firmware. Try dd-wrt [dd-wrt.com] if you want quick and easy, or OpenWRT [openwrt.org] if you want to customize. I guarantee you'll like 'em. (Get a WRT-54GL to try it on; they're cheap nowadays.)
Re:Thank you! (Score:5, Informative)
Replying to myself to add some info. Firmware v1.20 doesn't have the "Advanced -> Secure Spot" page they mention so it really seems to be new in v1.21. The 1.20 firmware can still be downloaded from here [dlink.com.tw].
Re:Slashdot Editors, Do Some Editing (Score:5, Informative)
Plus, upgrading your firmware "just because". Why?
Because router firmware upgrades often mean closing security holes.
Re:Slashdot Editors, Do Some Editing (Score:5, Insightful)
Plus, upgrading your firmware "just because". Why?
Because router firmware upgrades often mean closing security holes.
While one might think this at first, there's no evidence that this is the case for this incident. It's just as likely, without a firmware being released with specific notes about "holes" that it "plugged", that the update created more bugs.
In this case, it was "I felt like upgrading the firmware". The downfalls: User obviously didn't know how the feature set changed (because didn't do research before upgrading the firmware, just saw that one number was larger than the other) and there's always the possibility of bricking your router that is already working just peachy.
So, no, I don't accept your reasoning, even though it seems "sensible" at the start.
Re:Slashdot Editors, Do Some Editing (Score:5, Insightful)
there's a separate link at their firmware download page for the DIR-655 that says (in plain view, in a sensible spot): Click here for Firmware 1.21 WITHOUT SecureSpot 2.0
Well, I highly doubt that most customers know what "SecureSpot" is. So how are they supposed to know to download the non-annoying firmware update? Of course, you may say that this is the customer's problem: they should read up on all the features that are being installed in the firmware update, and be sure that this is really what they want, etc.
And, yes, in principle everyone should read every line of each and every EULA.
The fact is that any reasonable person would expect a firmware update to only fix bugs and security flaws. It would not be normal to expect entirely new features to be installed, and it is certainly abnormal for the new "feature" to actually include nagware that prompts you to pay for some new service.
The point here is that what they are doing is sleazy. The default configuration should have that redirect turned off. The link for a "without SecureSpot" firmware is nice, but the fact is that 99.9% of users will only notice that after they have already installed, and been annoyed by, the default update.
It's an annoying thing to do with a firmware update. And in that sense, it's a reason to not do business with them.
Re:Huh? (Score:5, Funny)