D-Link Won't Fix Serious Security Flaw on at Least 13 Wi-Fi Routers

Hand plugging cable into a router Ethernet jack.
(Image credit: Proxima Studio/Shutterstock)

UPDATED Nov. 20, 2019 with the addition of three , perhaps four, more vulnerable D-Link models. This story was originally published Oct. 8, 2019, and updated Oct. 24, 2019 with the addition of six more vulnerable models.

A serious security flaw has been found in four D-Link routers. But if you have one of these models, you'd better just throw it out, because the flaw will never be fixed. 

The routers in question are the DIR-652, DIR-655, DIR-866L and DHP-1565. Researchers from Fortinet disclosed last week that the most recent firmware for each had an "unauthenticated command-injection vulnerability" that could permit remote code execution. 

In other words, a hacker halfway across the world could fairly easily hijack your router and then monitor your internet traffic or send you to malicious websites. 

Usually, you would install new firmware to repair such router issues. But Fortinet was notified by D-Link that because "these products are at End of Life (EOL) support ... the vendor will not provide fixes for the issue we discovered."

MORE: Best Wi-Fi Routers

Unfortunately, one of the models, the DIR-866L, was introduced in 2014 and discontinued only in 2018. Another model, the DIR-655, was introduced in 2006, but also discontinued only last year. 

Three of them — the DIR-655, DIR-866L and DHP-1565 — can still be bought new from third-party sellers on Amazon's U.S. website, and the first is even an Amazon's Choice model. (The fourth, the DIR-652, was never sold in the United States.)

We know that if we bought a router last year, we'd expect it to be safe to use for longer than 12 months — especially if it's an Amazon's Choice. And some other router makers, such as Netgear, do continue to provide security updates for routers that they no longer manufacture.

MORE: Encrypt every byte of your traffic with a router VPN

However, D-Link is under no obligation to provide support for a device that it no longer makes. The upshot is that before you buy a router, check with the manufacturer to see if it's still supported. 

For example, here is an official web page listing D-Link's "legacy products," and a third-party page listing Netgear's discontinued products. (Netgear's own list of legacy routers is way out of date.) 

We asked around the Tom's Guide offices to see how long people expected a home Wi-Fi router to last. The consensus seemed to be between five and eight years. 

If you'd like your new router to last as long, you might want to check what the manufacturer's policy is for end-of-life support. 

And, frankly, you might want to check whether your router manufacturer has ever been sued by the Federal Trade Commission for not properly securing its networking devices.

UPDATES: Based on additional research, the CERT Coordination Center, located at Carnegie Mellon University in Pittsburgh, on Oct. 23 added six more D-Link router models to the list of devices that cannot be updated and should be replaced.  

On  Nov. 19, D-Link updated its own security bulletin to add three, or perhaps four, models to the list. 

The full list of affected models is now:

DAP-1533

DGL-5500

DHP-1565

DIR-130

DIR-330

DIR-615

DIR-652

DIR-655

DIR-825

DIR-835

DIR-855L

DIR-862 (as listed by D-Link)

DIR-862L (as listed by researcher Heige)

DIR-866L

Paul Wagenseil

Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.