UPDATED 00:02 EDT / OCTOBER 09 2019

SECURITY

Flaw in D-Link routers opens the door to hackers but company won’t do anything

Routers from Taiwanese firm D-Link Corp. have a serious vulnerability that can allow hackers to steal data, but in an unexpected twist, the company is doing nothing to address it.

The vulnerability was detailed by security researchers at Fortinet Inc. on Oct. 3, after D-Link was informed of the issue in September. The vulnerability, known as CVE-2019-16920, starts with a “bad authentication check” and then progresses from there.

Affecting D-Link models DIR-655, DIR-866, DIR-652 and DHP-1565, the remote code execution vulnerability opens the door to attackers by allowing a “PingTest” to be accepted. Once the nefarious message is accepted by the D-Link router, those behind it can inject command code and hijack the D-Link product, complete with the ability to spy on all data that flows through it.

Typically, a story about a vulnerability in hardware would, at this point, note that the security company informed the manufacturer of the issue and that the manufacturer issued a patch to address it prior to publication of the vulnerability.

D-Link not only recognized the vulnerability but told Fortinet that it has no intention of addressing it because “these products are at End of Life (EOL) support … the vendor will not provide fixes for the issue we discovered.”

As Tom’s Guide noted, one of the models, DIR-866L, was introduced in 2014 and discontinued only in 2018. Another model, the DIR-655, was introduced in 2006, but also discontinued only last year. Some of the models can still be purchased new on Amazon.com Inc.

D-Link is under no legal obligation to support discontinued models, but simply ignoring a security vulnerability across previously sold products is not a small issue. The company sells millions of routers worldwide, and given that it’s based in Taipei, Taiwan, a place that China claims is a rogue province, its lack of concern for previous customers may be all that future customers need to know when considering its products.
