This D-Link router has serious security flaws: What to do now
Eight-year-old router won't get all the patches it needs
If you've got an old D-Link DIR-865-L Wi-Fi router, you should update its firmware right away. Better yet, throw out the unit and replace it with one of the best wireless routers.
This is because the DIR-865-L, first released in 2012, has at least six serious security flaws, and D-Link doesn't plan to fix three of them.
"The product has reached End of Life(EoL)/End of Support(EoS), and there is no more extended support or development for them," a recent D-Link support announcement says of the DIR-865-L router. "D-Link recommends this product be retired, and any further use may be a risk to devices connected to it and end-users connected to it."
This is standard D-Link policy with older devices. In the fall of 2019, similar flaws were found on more than a dozen other D-Link routers, but the company said none would be patched.
We're a tad miffed that, as with many of those routers from last fall, you can still buy the D-Link DIR-865-L on numerous online outlets, including Amazon and NewEgg. We certainly don't recommend buying one, or indeed any router model that's more than 5 years old.
Half a dozen serious security flaws
Palo Alto Networks' Unit 42 discovered these six flaws in February and notified D-Link accordingly. Now that the standard 90-day disclosure window is over and D-Link has declared its position, Palo Alto has published its findings.
To use Unit 42's descriptions, the flaws involve cross-site request forgery (CSRF), inadequate encryption strength, cleartext storage of sensitive information, improper neutralization of special elements used in a command (command injection), predictable seed in pseudo-random number generator and cleartext transmission of sensitive information.
D-Link's firmware update fixes only the first three. An attacker would need to get at least in range of a router's Wi-Fi network to exploit any of these flaws, but that's not hard to do in an apartment building or even a suburban neighborhood.
Palo Alto warned that these problems may not be limited to this model.
"It is possible that some of these vulnerabilities are also present in newer models of the router because they share a similar codebase," the Unit 42 report says.
How to update the D-Link DIR-865-L's firmware
Again, if you have the D-Link DIR-865-L, please consider just getting a new router. You'd think a Wi-Fi router would last many years, but in fact they're like any other electronic device. By the time you've reached Year 7 or 8, it's time to seriously consider upgrading.
D-Link feels the same way. This is from the U.S. version of its support announcement, but it applies worldwide: "If U.S. consumers continue to use the product against D-Link's recommendation, please make sure the device has the most recent firmware from https://legacy.us.dlink.com/, installed, make sure you frequently update the device's unique password to access its web-configuration and always have WiFI encryption enabled with a unique password."
To update the firmware, you'll need to go through the router's administrative interface and have a working internet connection. We found detailed instructions on how to update the D-Link DIR-865-L's firmware on D-Link's Canadian support website.
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.