A number of popular routers manufactured by D-Link suffer from noteworthy security vulnerabilities that require patching before users can continue using the devices without risk, according to a security researcher.

Pierre Kim disclosed in a blog post his discovery of 10 zero-day vulnerabilities plaguing the D-Link 850L router, a dual-band router designed to allow users to create their own cloud-accessible storage system by connecting an external storage device.

There are two different versions of the D-Link 850L router, the revA and revB models—both of which are affected by the vulnerabilities. Kim described the routers as “overall badly designed with a lot of vulnerabilities” and noted that he was able to compromise just about every aspect of the device, including the cloud storage protocol.

STRUCTURE SECURITY -- USE THIS ONE Newsweek is hosting a Structure Security Event in San Francisco, Sept. 26-27. Photo: Newsweek Media Group

The first major flaw in the security of the D-Link router is the protections built into the firmware. In the revA model there is no protection of the firmware at all, effectively allowing an attacker to forge the firmware image file to gain access to the router. In the revB model, the firmware is at least password-protected, but uses a hardcoded password that is publicly available and cannot be modified by the user.

The hardcoded password is at the core of a number of vulnerabilities on the revB router, including using a designated login that will give the attacker root access to the router and provide complete control over the device.

Next up on the list of vulnerabilities is a Cross-site scripting or XSS attack that allows an attacker to steal authentication cookies from the user. The routers are also at risk of remote code execution attacks and attacks that could crash a number of background processes remotely.

The cloud protocol built into the router also has its share of issues. Kim found vulnerabilities that would allow attackers to register the router as their own to gain complete and unfettered access to the cloud protocol.

The D-Link cloud protocol also has no encryption by default, so any traffic sent over Transmission Control Protocol (TCP) is done without any sort of protection. Worse yet, the router requests users to enter credentials for their email accounts, which are then transmitted without encryption and are stored in cleartext.

A number of other vulnerabilities put users at risk to a man-in-the-middle attack in which an attacker could intercept and redirect traffic, bruteforce attacks that could allow anyone the ability to modify the Domain Name System (DNS) configuration while forgoing administrative authentication checks.

Kim decided to go public with the findings after trying to coordinate with D-Link on a coordinated disclosure of the flaws and receiving little support from the manufacturer.

"Due to difficulties in previous exchange[s] with D-Link, Full-disclosure is applied," Kim wrote. "Their previous lack of consideration about security made me publish this research without coordinated disclosure."

The security researcher advised all those using the routers to disconnect them from the internet and cease use of the devices until the manufacturer issues security patches and fixes for the vulnerabilities.