UniFi and Time users with D-Link DIR-850L router are at risk

The D-Link DIR-850L router, which is provided with some UniFi and Time high-speed broadband plans, has 10 security vulnerabilities.

Security researcher Pierre Kim posted on GitHub, a platform for the developer community, that the router suffers from insecure firmware, backdoor access, weak file permissions, credentials in clear text and more.

D-Link has said the patch to fix the issues will be released in Malaysia on Sept 21, although Singapore will be getting it today (Sept 19). It’s unclear if the patch released for Singapore can be used by Malaysians.

At the moment, the Taiwanese network equipment maker has asked users to follow these steps to protect their privacy:

1. Reset the router to its default factory setting.

2. Disable the WAN (wide area network) remote admin feature.

3. Do not access the router through unauthorised WiFi.

4. Change the wireless SSID (service set identifier) password and PIN code to prevent unauthorised users from accessing the LAN (local area network).

5. Change the device’s administrator password. Be sure to use a strong new password.

It also posted that it has a task force and product management team on call to address any security issues. Users can reach its technical hotline at 1-800-88-2880.

According to Kim, there are two variants of the router – DIR-850L HW A and DIR-850L HW B – and both have the same vulnerabilities.

He found the vulnerabilities when analysing the router for a contest organised by a security company.

“The Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink Cloud protocol was abused,” he posted.

We have reached out to TM and CyberSecurity Malaysia for comments, so stay tuned for updates.