Support Announcement
DIR-3040-US :: Rev. Ax :: FW v1.02b03 :: Disclosure of Firmware Encryption Keys in Firmware Archive

Overview

 

On July 22, 2020, Bleeping Computer published a report from a security researcher that the DIR-3040-US firmware archive package v1.02b03 disclosed the firmware encryption keys for the device. D-Link has investigated, confirmed the issue, and removed the firmware archive from availability.

 

The issue is limited to the DIR-3040-US model. The firmware encryption key is unique to this router model and does not affect other model hardware platforms.

 

We have released a beta firmware set that patches this issue; it requires users to update the firmware manually in a two-step process. The beta patch is available to download from the link below.

 

The DIR-3040-US has an automatic firmware update feature and also provides new-firmware notifications in the D-Link Wi-Fi mobile application. We are preparing an update to mitigate this issue; it will be released through these channels once it has been thoroughly verified and approved.

 


 

D-Link distributes firmware images in encrypted form so that the device can check that an update came from an official release, and to make it harder for a malicious user to change the firmware that the device loads and executes. Encrypted firmware is one of several requirements D-Link Systems, Inc. ("D-Link US") has in place to help avoid security-related issues. Because that protection depends on the encryption key staying secret, disclosure of the key, as in this case, removes it, which is why the archive was withdrawn and a patched firmware is being issued.
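As an added illustration (not code from D-Link, and not a model of the DIR-3040-US firmware format or of the cipher D-Link actually uses), the toy Python below shows what a disclosed firmware encryption key gives an attacker when the device's only check is whether the image decrypts to something sane. The header value MAGIC, the function names, the SHA-256 counter-mode keystream standing in for a real cipher, and the sample image bytes are all constructed for this example.

```python
"""Toy model of encrypt-only firmware protection and why a leaked key defeats it.

Constructed illustration only; not D-Link's firmware format, cipher, or key.
"""
import hashlib
import secrets

MAGIC = b"FWIMG"  # assumed image header the device checks after decrypting
NONCE_LEN = 16


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """SHA-256 in counter mode as a stand-in stream cipher (illustration only)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_image(key: bytes, plaintext: bytes) -> bytes:
    """Vendor side: nonce || (plaintext XOR keystream)."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))


def decrypt_image(key: bytes, blob: bytes) -> bytes:
    """Device side: strip the nonce and XOR the keystream back out."""
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = _keystream(key, nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


def device_accepts(key: bytes, blob: bytes) -> bool:
    """Encrypt-only 'authentication': decrypt and look for the expected header.

    Nothing here proves who produced the image; it only proves the producer
    had the same key the device has."""
    return decrypt_image(key, blob).startswith(MAGIC)


def forge_with_leaked_key(leaked_key: bytes, official_blob: bytes, patch: bytes) -> bytes:
    """Attacker holding the disclosed key: decrypt, modify the body, re-encrypt."""
    plain = decrypt_image(leaked_key, official_blob)
    body_start = len(MAGIC)
    modified = plain[:body_start] + patch + plain[body_start + len(patch):]
    return encrypt_image(leaked_key, modified)


def demo():
    """Returns (leaked_plaintext, forged_accepted, forged_plaintext)."""
    key = secrets.token_bytes(32)  # the secret shipped in the device and in the archive
    official = MAGIC + b"\x00" * 8 + b"original firmware body (constructed)"
    official_blob = encrypt_image(key, official)

    # 1. With the key, the attacker reads the plaintext image (no more obscurity).
    leaked_plaintext = decrypt_image(key, official_blob)

    # 2. With the key, the attacker produces an image the device cannot tell
    #    apart from an official one.
    forged = forge_with_leaked_key(key, official_blob, b"BACKDOOR")
    return leaked_plaintext, device_accepts(key, forged), decrypt_image(key, forged)


if __name__ == "__main__":
    leaked, accepted, forged_plain = demo()
    print("official plaintext recovered:", leaked)
    print("forged image accepted by device:", accepted)
    print("forged plaintext the device will run:", forged_plain)
```

The point of the model is that the device's check depends on the same secret that was shipped in the archive, so disclosure of that secret is a complete break: the attacker both recovers the plaintext image and can produce images the device accepts. A check that a leaked encryption key cannot forge has to rest on a signature verified against a public key held on the device, since verifying a public-key signature requires no secret to be stored there.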

 

Before finalizing firmware and encrypting it for distribution, D-Link Systems, Inc. ("D-Link US") requires rigorous independent security testing. Our security testing includes black-box security research, white-box security scans, testing against the OWASP exploit list, and validation against known exploits collected from previous D-Link security-related reports.

 

We are still investigating what led to the firmware archive described in the Bleeping Computer disclosure.

 

D-Link takes the issues of network security and user privacy very seriously. We have a dedicated task force and product management team on call to address evolving security issues and implement appropriate security measures. Please check the D-Link website for updates regularly.

 

3rd Party Report Information

          - Report posted: interview with researcher Nick Starke, posted on Bleeping Computer :: LINK
 

Affected Models

Model        Hardware Revision          Affected FW        Fixed FW                 Recommendation   Last Updated
DIR-3040-US  All Ax Hardware Revisions  v1.11B02 & Below   v1.13B01 Beta Hotfix**   Completed        07/27/2020

 ** This Beta Hotfix is currently completing required testing and, once approved, will be pushed to routers via Automatic Firmware Update.

 

Regarding Security Patches for Your D-Link Devices

 

Firmware updates address the security vulnerabilities in affected D-Link devices. D-Link will update this page continually, and we strongly recommend that all users install the relevant updates.

 

Please note that this is a device beta software, beta firmware, or hot-fix release, which is still undergoing final testing before its official release. The beta software, beta firmware, or hot-fix is provided on an "as is" and "as available" basis, and the user assumes all risk and liability for use thereof. D-Link does not offer any warranties, whether express or implied, about the suitability or usability of the beta firmware. D-Link will not be liable for any loss, whether such loss is direct, indirect, special or consequential, suffered by any party due to their use of the beta firmware.

 

As there are different hardware revisions of our products, please check the hardware revision of your device before downloading the corresponding firmware update. The hardware revision is printed on the product label on the underside of the device, next to the serial number. Alternatively, it is shown on the device's web configuration page.