Security risk: D-Link advises disposing of some router models
Attackers can execute malicious code via a vulnerability. However, certain D-Link routers no longer receive a security update.
A vulnerability that allows malicious code execution puts certain D-Link routers at risk. As support for these models has expired, they will no longer receive security patches. The manufacturer advises users to dispose of them and purchase a new device.
Dispose of VPN routers
This is according to a recent article from D-Link. The following models in all hardware revisions are affected:
- DSR-150, DSR-150N
- DSR-250, DSR-250N
- DSR-500N
- DSR-1000N
There is no further information about the vulnerability so far, and no CVE number is known yet. Attacks are said to be possible remotely and without authentication, so the hurdles for attackers do not appear to be very high. So far, there have been no reports of ongoing attacks. However, owners of such devices should not wait too long before replacing them.
Unfortunately, neither the product description nor the 5-page data sheet of the successor model DSR-250v2, which D-Link now recommends as a replacement, states how long updates will be available for the model. The EoL policy merely states: "We normally give customers 3 months' notice".
Criminals and state attackers use EoL devices like this to build botnets, which they then use as a basis for their further activities. The router then becomes either a gateway for ransomware, a DDoS catapult or, as a residential proxy or operational relay box, an intermediate station with a trusted IP address. This is an acute danger for society as a whole.
It is therefore to be hoped that the Cyber Resilience Act (CRA) will finally make a difference in this respect. It obliges manufacturers to take more responsibility and also introduces manufacturer liability. The CRA has just been passed and will come into force across the EU on December 11.
(des)