by autoexec on 11/27/2024, 12:09:15 AM
by ak217 on 11/27/2024, 2:16:12 AM
If anyone is looking for alternatives as far as long-term supported products go... I've had nothing but good experiences with Ubiquiti (Unifi) and OpenWRT. At the lower end of the price spectrum, OpenWRT-supported devices can be an incredible value, and most will probably remain supported for decades to come.
More broadly, it's not just about the support commitment but also about the company's reputation for shipping solid software. i.e. what is the prior on a scenario like this after the product goes EOL.
by mitjam on 11/27/2024, 11:55:02 AM
This is something the EU Product Liability Directive potentially addresses. It requires vendors (or importers) of products to update their product if that's required to keep it secure. Otherwise they are liable for damages, even psychological damages.
There is no specific duration mentioned in the directive, so it's probably best from a vendor point of view to add product lifetime info to the product description or the contract, up front.
In Germany there is something similar already in place, and the expectation is that products (and the apps necessary to run the products) need to be updated for 5 years on average.
by smitelli on 11/26/2024, 11:47:10 PM
Background on the underlying context of the bug: https://www.youtube.com/watch?v=-vpGswuYVg8 -- It's objectively unforgivable.
by alias_neo on 11/27/2024, 11:10:53 AM
I've had a box of old wifi routers for years that I'd been meaning to reverse engineer and write up blog posts on the vulnerabilities, to educate people on just how poorly written the software is for the things you buy in your local electronics store. Every 3-4 years I'd have to buy another because the manufacturer stopped providing updates, even when I was buying their higher-end stuff.
I myself moved on to a Ubiquiti EdgeRouter almost 10 years ago, but Ubiquiti didn't do a great job of that in the long term and they ditched the EdgeRouter/EdgeMAX line, so I ended up (and I wasn't interested in the Unifi line for my router/firewall) buying a Protectli box, flashed coreboot and used pfSense for a while before eventually moving to OPNSense.
I came to the conclusion over this time that any consumer network equipment is basically junk and if you care at all about security you shouldn't use it; sadly that's easier said than done for non-techy folks.
Many pieces of older/cheaper hardware can be flashed with OpenWRT, and I'd recommend that as the cheapest option for anyone who cares just a little and doesn't want to buy new hardware; everyone who really wants to make an effort should buy some hardware that can run a properly maintained router OS like pfSense or OPNSense, even an all-in-one wifi-router-switch if you don't want to build out an entire SMB network.
by 486sx33 on 11/27/2024, 12:40:53 AM
Or well… if you have one of these models, this is the way.
by tptacek on 11/27/2024, 12:56:09 AM
Look I am just being grumpy about this and I know it has nothing really substantive to do with the underlying story, which is D-Link EOL'ing products, but: there is really no such thing as a "9.8" or "9.2" vulnerability; there is more actual science in Pitchfork's 0.0-10.0 scale than there is in CVSS.
by fresh_broccoli on 11/27/2024, 1:11:57 AM
It's a shame that MikroTik routers' UI is completely unsuitable for non-powerusers.
Otherwise they would be perfect. Cheap and supported practically forever. Their trick seems to be that they use a single firmware image for all routers with the same CPU architecture.
by wuming2 on 11/27/2024, 1:25:27 AM
Wasteful choice enabled by not being entirely responsible for pollution, energy consumption and trash. If they had to pay for full environmental restoration, energy at full cost and careful disposal of unsuitable hardware, the decision would have been different.
by zahlman on 11/27/2024, 12:09:08 AM
To be fair, CVE scores generally don't seem very useful in assessing the real impact of a security vulnerability. The CUPS thing was a 9.9 and that was completely irrelevant for a large swath of people.
by slimebot80 on 11/26/2024, 11:52:01 PM
Most "Critical" thing is: you buy a new router that is not from Duh-Link.
by guidedlight on 11/27/2024, 2:00:31 AM
I remember this happened before, and someone smarter than me exploited the vulnerability to access every router and patch it remotely.
by markhahn on 11/27/2024, 1:48:53 AM
how about this: you can only abandon hardware if you enable open firmware on it.
by ChrisArchitect on 11/27/2024, 1:44:50 AM
Related:
D-Link tells users to trash old VPN routers over bug too dangerous to identify
by clwg on 11/27/2024, 12:17:24 AM
Just open-source the firmware and redirect the update URL.
by isodev on 11/27/2024, 4:44:25 AM
Can't there be a law that says something like "you can't release new hardware while you have unpatched older hardware still in use"? Recall or update your stuff first, release new things second.
by znkynz on 11/27/2024, 12:41:30 AM
D-Link says buy a new router after vulnerability emerges after the signposted end of support date.
by pt_PT_guy on 11/27/2024, 7:58:21 AM
One of the reasons why there are major security f-ups: no accountability and no consequences
by pcl on 11/27/2024, 11:42:52 AM
I see a lot of comments here recommending OpenWRT. I’ve been happy with it in some deployments, but also don’t overlook the alternatives! I just had a wonderful experience with Fresh Tomato repurposing an integrated router / AP / 4-port switch as a multi-WAN router.
It would have been doable with OpenWRT’s robust scripting support, but was just a few clicks in the UI with Fresh Tomato.
by dmix on 11/27/2024, 12:11:19 AM
Not downplaying the risks, but could a vulnerability on a D-Link router really let you monitor traffic on the device in a practical sense (as mentioned in the video)? Assuming it is non-SSL, is there enough computing power to even do any meaningful monitoring and subsequent exfiltration? Or are the SoCs used on them powerful enough these days?
by DocTomoe on 11/27/2024, 9:02:58 AM
„Just buy a new modem“ they say … sure won’t be a D-Link ever again.
by chipweinberger on 12/1/2024, 12:23:58 AM
The D-Link DSR-150 was released in 2012
It was the first information I wanted to know, but it wasn't in the article.
by a1o on 11/27/2024, 1:12:34 PM
Any good router access point that has nice gigabit Ethernet and really good WiFi, for a second access point in the house?
by sitkack on 11/27/2024, 6:26:36 AM
I could see them facing criminal liability here. Someone is having hard conversations with their insurance company.
by o11c on 11/26/2024, 11:49:36 PM
Discussion around this seems very confused; there are quite a few severe vulnerabilities this year in various products (routers and NASes).
https://nvd.nist.gov/vuln/detail/CVE-2024-3273 https://supportannouncement.us.dlink.com/security/publicatio... (April 4) affects NASes (DNS-* products, same as one of the November vulnerabilities), no fix, official recommendation "buy a new one".
https://nvd.nist.gov/vuln/detail/CVE-2024-45694 https://supportannouncement.us.dlink.com/security/publicatio... (September 16) affects routers (DIR-* products), fix by upgrading firmware
https://nvd.nist.gov/vuln/detail/CVE-2024-10914 https://supportannouncement.us.dlink.com/security/publicatio... (November 6) affects NASes (DNS-* products), no fix, official recommendation "buy a new one" (despite not selling NASes anymore?).
CVE-2024-10915 looks to be identical to CVE-2024-10914 at a glance
https://nvd.nist.gov/vuln/detail/CVE-2024-11066 https://supportannouncement.us.dlink.com/security/publicatio... (November 11) affects routers (DSL* products), no fix, official recommendation "buy a new one". Note that you need to look at multiple CVEs to get the full picture here.
(no CVE?) https://supportannouncement.us.dlink.com/security/publicatio... (November 18) affects routers (DSR-* products), no fix, official recommendation "buy a new one".
(several other RCEs require login first, and I could not find an associated login vulnerability. Additionally there are several buffer overflows that theoretically could become an RCE)
by Uptrenda on 11/27/2024, 3:16:50 AM
Yeah, this doesn't surprise me one bit. The number of vulns that get patched in home routers is staggering (D-Link is particularly shit-tier and known for this.) If there's that many vulns being fixed then imagine the backlog of unfixed vulns... Then imagine how many legitimate issues have to be hand-waved away because engineers know there's no way in hell they'll ever get the time to fix them. And have to prioritize the worst problems.
It kind of surprises me that you can just release a commercial product that is dangerous, make tons of money from it, then totally refuse to fix any problems with it. These devices are going to sit on innocent people's networks who deserve to have privacy and security like anyone else. It's not outside the realm of possibility that an owned device leads to crypto extortion which leads to a business going under. Or maybe someone's intimate pics get stolen and that person then... yeah. Security has a human cost when it's done badly.
by seam_carver on 11/27/2024, 3:35:10 AM
Huh I recently retired all my Dlink routers as soon as they stopped getting security updates, lucky me.
by TheRealPomax on 11/27/2024, 12:54:58 AM
I mean... yes? "we no longer support these" devices were hit with critical vulnerabilities, and that'll never get patched, just like any other device that hit EOL.
You knew your device was no longer supported and would no longer receive security updates, "someone found an exploit" is kind of a given, and "d-link won't patch it" equally so?
by likeabatterycar on 11/27/2024, 12:14:31 AM
I cannot identify who the aggrieved parties are, aside from bandwagoning D-Link haters.
These devices are end of life. Anyone running an EOL device doesn't care about security and probably wouldn't update the firmware if it was available.
For comparison, Apple does not update EOL devices outside exceptional circumstances. I never received a 20% discount to upgrade.
Here's an article for those who'd rather read than watch someone's youtube video:
https://www.techradar.com/pro/security/d-link-says-it-wont-p...
Dlink has a long history of putting out insecure and even backdoored devices and so anyone with a dlink device is probably better off buying something different