UPDATED Nov. 20, 2019 with the addition of three , perhaps four, more vulnerable D-Link models. This story was originally published Oct. 8, 2019, and updated Oct. 24, 2019 with the addition of six more vulnerable models.
A serious security flaw has been found in four D-Link routers. But if you have one of these models, you'd better just throw it out, because the flaw will never be fixed.
The routers in question are the DIR-652, DIR-655, DIR-866L and DHP-1565. Researchers from Fortinet (opens in new tab) disclosed last week that the most recent firmware for each had an "unauthenticated command-injection vulnerability" that could permit remote code execution.
In other words, a hacker halfway across the world could fairly easily hijack your router and then monitor your internet traffic or send you to malicious websites.
Usually, you would install new firmware to repair such router issues. But Fortinet was notified by D-Link that because "these products are at End of Life (EOL) support ... the vendor will not provide fixes for the issue we discovered."
MORE: Best Wi-Fi Routers
Unfortunately, one of the models, the DIR-866L, was introduced in 2014 and discontinued only in 2018. Another model, the DIR-655, was introduced in 2006, but also discontinued only last year.
Three of them — the DIR-655 (opens in new tab), DIR-866L (opens in new tab) and DHP-1565 (opens in new tab) — can still be bought new from third-party sellers on Amazon's U.S. website, and the first is even an Amazon's Choice model. (The fourth, the DIR-652, was never sold in the United States.)
We know that if we bought a router last year, we'd expect it to be safe to use for longer than 12 months — especially if it's an Amazon's Choice. And some other router makers, such as Netgear, do continue to provide security updates (opens in new tab) for routers that they no longer manufacture.
MORE: Encrypt every byte of your traffic with a router VPN
However, D-Link is under no obligation to provide support for a device that it no longer makes. The upshot is that before you buy a router, check with the manufacturer to see if it's still supported.
For example, here is an official web page listing D-Link's "legacy products," (opens in new tab) and a third-party page listing Netgear's discontinued products (opens in new tab). (Netgear's own list of legacy routers is way out of date.)
We asked around the Tom's Guide offices to see how long people expected a home Wi-Fi router to last. The consensus seemed to be between five and eight years.
If you'd like your new router to last as long, you might want to check what the manufacturer's policy is for end-of-life support.
And, frankly, you might want to check whether your router manufacturer has ever been sued by the Federal Trade Commission (opens in new tab) for not properly securing its networking devices.
UPDATES: Based on additional research (opens in new tab), the CERT Coordination Center (opens in new tab), located at Carnegie Mellon University in Pittsburgh, on Oct. 23 added six more D-Link router models to the list of devices that cannot be updated and should be replaced.
On Nov. 19, D-Link updated its own security bulletin (opens in new tab) to add three, or perhaps four, models to the list.
The full list of affected models is now:
DIR-862 (as listed by D-Link)
DIR-862L (as listed by researcher Heige)