UPDATED twice with comment from D-Link.
Security-minded readers may wonder why they might want to buy D-Link routers at this point. Homeland Security warned us about using them. The Federal Trade Commission warned us about using them. Now, security researcher Pierre Kim is warning us not to use them — for the second time this year. According to Kim, the D-Link DIR-850L router is rife with flaws from top to bottom, but he would rather tell users directly as D-Link blew him off the last time he tried to play by their rules.
Kim, a South Korean researcher, published a post on Github last week detailing 10 zero-day flaws he found within the 850L.
"Basically, everything was pwned," or thoroughly hacked, he explained, "from the LAN [local area network] to the WAN [wide area network]. Even the custom MyDlink cloud protocol was abused.”
There’s nothing users can really do to protect themselves at the moment. Because of the severity of the flaws — and because Kim explained exactly how to exploit each one — a malefactor could compromise an 850L in a variety of ways, many of which could lead to a total takeover of a home network.
If you use a D-Link DIR-850L as your main router, and you have a spare router somewhere, you should probably hook it up. Otherwise, just hope for the best, since there’s no evidence that anyone aside from Kim has been able to compromise the device.
The exact flaws require a lot of technical know-how to explain. Suffice it to say that an unauthorized user could compromise an 850L remotely, and gain access to the router's administrative username, password and pretty much any other relevant network information. From there, the attacker could infiltrate computers on the network, either strip-mining them for sensitive data or drafting them into a botnet.
Alarmists may be tempted to wag a finger at Kim. Revealing the flaws in fine detail to the internet at large before even attempting to contact D-Link sounds irresponsible. However, Kim already went through this dance back in February, and wasn’t pleased with how the router company handled things.
"Following a very badly coordinated previous disclosure with D-Link last February … full-disclosure is applied this time," he wrote.
Back in February, Kim found 10 other disastrous flaws in a D-Link router. After a back-and-forth with the company, D-Link eventually patched one of them, leaving the other nine still exposed. This time around, Kim said he didn’t see any reason to withhold information from everyday users if the targeted company seemed unlikely to fix anything.
For now, owners of the D-Link DIR 850L can either wait for a full response from D-Link or invest in another router. Given D-Link’s security record over the past few years, it’s easy to imagine that many consumers might not want to stick with the brand.
D-Link representatives did not immediately respond to a request for comment.
UPDATE: A D-Link representative gave us this statement:
"On September 8, 2017, a news article reported zero-day flaws with D-Link DIR-850L routers. D-Link immediately took actions to investigate the issues and endeavors to solve them. A firmware update will be provided as soon as it becomes available via support.dlink.com."
Later on Wednesday, we received a second statement:
"On September 8, 2017, a news article reported zero-day flaws with D-Link DIR-850L routers. D-Link immediately took actions to investigate the issues and endeavors to find the solutions to resolve them. A firmware update is scheduled to be available on September 19, 2017. Please visit support.dlink.com to update your DIR-850L router firmware."