Homeland Security Issues Alert on These Popular Routers

You might not always believe what the government tells you, but if you own a D-Link Wi-Fi router, you should probably take Uncle Sam's advice. The Department of Homeland Security yesterday (Nov. 7) warned about a vulnerability affecting at least eight D-Link home Wi-Fi routers, and the only fix right now involves a fairly technical workaround. Otherwise, you may be better off living without Wi-Fi until D-Link provides a patch.

The D-Link DIR-895L, aka the AC5300 Ultra Wi-Fi Router. Credit: D-Link


The DHS vulnerability warning, issued by the Computer Emergency Response Team (CERT) at Carnegie Mellon University in Pittsburgh, briefly describes the flaw and the routers affected. Security researcher Pedro Ribeiro from Agile Information Security in London discovered the flaw, which could let an attacker remotely seize control of a router without providing a username or password.

Because he (or she) who controls the router controls the network, this flaw could compromise anything on any Wi-Fi-connected device, from Facebook passwords to financial information to webcam access.


Just to show that this is a real threat, Ribeiro created a proof-of-concept exploit and put it on GitHub, although you'd have to have a pretty substantial understanding of router programming to use it. In brief, a malefactor could overflow the Home Network Administration Protocol (HNAP) login with improperly formatted messages, bypassing username, login, password and other protective fields.

There's no evidence that anyone has yet used this method of attack in the wild, but because Ribeiro's code is designed for the open-source hacking tool Metasploit, someone probably will soon.

The exploit has been proven to work on eight different D-Link routers, though more may be affected. The eight models are the DIR-818L (and its variant the DIR-818W), DIR-822, DIR-823, DIR-868L, DIR-880L, DIR-885L, DIR-890L and DIR-895L.

Confusingly, D-Link gives these models alternate names meant to sound sexier to consumers. For example, the DIR-895L is also known as the AC5300 Ultra Wi-Fi Router. You'll want to Google the model name, check your router's administrative login page, or just flip the physical device over to check for the model number.

If your device is one of those listed, you are at risk. D-Link has not yet patched the issue.

Users have one workaround at their disposal, although it's a bit of a pain to deploy and will limit users' options when away from home. You can disable remote administration of the router by accessing the router's administrative page (usually http://192.168.1.1/, http://176.16.1.1/ or http://10.1.1.1/) on a web browser connected to the local network (Ethernet works as well as Wi-Fi), as long as you have the administrator username and password.

The exact method of doing this varies by router, so consult D-Link’s support section if you want to try it for yourself. The process should only take five minutes or so, not counting the time it will take to remember what your login information is.

Also, be sure to check your router’s administration page frequently, even after D-Link fixes the issue. Unlike computers and mobile devices, routers generally do not accept automatic firmware updates; you’ve got to check in now and then to make sure that your system is up-to-date.

Marshall Honorof

Marshall Honorof is a senior editor for Tom's Guide, overseeing the site's coverage of gaming hardware and software. He comes from a science writing background, having studied paleomammalogy, biological anthropology, and the history of science and technology. After hours, you can find him practicing taekwondo or doing deep dives on classic sci-fi. 
