If your router had a severe security vulnerability, and it was a router that was still being updated within the last decade, you'd probably expect it to still receive an update to fix whatever the security vulnerability was. After all, Microsoft has even done that a couple of times with Windows XP when critical exploits like WannaCry are discovered in the wild. However, that isn't the case with D-Link, and if you're an owner of an older router, then not only are you vulnerable to a remote code execution attack, you'll need to purchase a whole new router to make yourself safe.

D-Link is very aware of the problem and is offering 20% off a replacement to users who own an affected router and who live in the U.S. While this is arguably a good deal for owners of routers that reached end of life a decade ago, for routers that reached end of life in May this year, that's a bit of a tough pill to swallow. The affected routers are as follows:

DSR-150
DSR-150N
DSR-250
DSR-250N
DSR-500N
DSR-1000N

D-Link said the following in its security advisory:

“This exploit affects this legacy D-Link router and all hardware revisions, which have reached their End of Life (EOL)/End of Service Life (EOS) Life-Cycle. Products that have reached their EOL/EOS no longer receive device software updates and security patches and are no longer supported.”

Is this really fair to consumers?

It makes sense... to a point

Ignoring those routers that reached their end of life a long time ago, it's not out of the question to believe that D-Link waited to disclose this security vulnerability until those other routers reached their end of life. I'm not claiming that they did, but if you own an affected router that just went past its end of life, I'm sure you might have a few questions.

Secondly, for those who do a bit of networking, you'll know that end-of-life doesn't always mean an end to updates. For example, Cisco publishes an end-of-life bulletin for its products, which clearly defines at what points various aspects of the product will stop receiving support. Typically, new feature updates end a lot earlier than security updates, and while this is more for enterprise-grade hardware, it's very clear to follow and see that end-of-life doesn't always mean a lack of security updates, particularly for critical security vulnerabilities. Even in the smartphone world, most devices have a separate features update window and a security update window.

You could argue that end-of-life products (that are no longer receiving updates) should be replaced rather than updated, but when problems like this arise, it's not always practical to expect everyone to replace their hardware. Plus, if it works just fine otherwise, all an end-of-life date with a critical vulnerability in the wild does is contribute to the growing problem of e-waste. It didn't need to be thrown out, but because of a problem that D-Link could fix but won't, people will need to go out and buy a new router to replace it.

Don't get me wrong, I get it for products that are over a decade old, but a few months past the end-of-life date has left many people questioning if it was truly the right way to go. As already mentioned, updating software past an end-of-life date isn't exactly unheard of. Microsoft released patches for WannaCry on Windows XP, Windows Server 2003, and Windows 8, as that was a critical vulnerability that was causing real-world damage. That's obviously a significantly bigger problem than an RCE affecting a (relatively) small number of routers, but the concept is the same.

What can you do?

Some of these routers support OpenWRT

The best bet if you don't want to replace your hardware is to install a custom firmware like OpenWRT on your router. As for D-Link, the best way to get ahead of problems like these is to open-source everything once a device reaches end-of-life. The reason is simple: D-Link could wash its hands of the problem much more easily, as the community would be able to build patches to fix it.

Don't get me wrong, requiring users to install a custom firmware still wouldn't be ideal, but it would definitely soften the blow. After all, D-Link's "our products had a problem, so buy our new products" offer looks a lot worse when there is no alternative. If it were "you can install a custom firmware, or upgrade," it would look significantly better, especially to people who care about networking, who are the ones most bothered by it.

The entire D-Link debacle raises questions about what constitutes "end-of-life" and whether companies should be forced to prevent e-waste and release updates in situations like these. The problem was discovered by a Taiwanese researcher, and many of these routers were distributed by ISPs in Asia. Would you expect your ISP to replace your router for you? It's not just D-Link that's putting people at risk, it's an overall questionable practice across the board that should raise questions about how we treat older hardware and what you can or should do with it.