Andrew Connell, the man who uncovered the security flaw in Dynalink's RTA020 DSL modems, has contacted about 1000 users to warn them of the problem.
Connell discovered the problem, which saw user names and passwords exposed to anyone who looked for them with the appropriate tool, a couple of weeks ago.
After Connell went public, Dynalink put a warning on its website and alerted ISPs, but hasn’t contacted users directly or advertised the problem other than on its site.
Consumers Institute chief executive David Russell says such a warning is not enough. Connell thought the same and therefore "took 10 minutes to email everyone [affected]" to alert them to the problem.
Connell says he emailed users whose modems were unpatched, warning them of the problem and pointing them to Dynalink's website.
"Of that, I got 171 bounces and 53 replies from people."
Connell says most of the replies were grateful, some asking him to retest their connections after upgrading the firmware, others astonished he could see their user names and passwords, and only one or two sceptical of his claims.
"A couple were unhappy about me contacting them but that's OK."
Connell says he's directed those with particular concerns, such as how to implement the upgrade using an Apple instead of a Windows-based PC, to Dynalink.
Dynalink founder Ian Ferry says the Palmerston North company has been inundated with calls from customers.
"We've had a lot of people ringing our tech support desk asking for assistance and we've been able to do that fairly readily."
Ferry says no one has reported any attack on their account using the security flaw.
"Xtra and TelstraClear have also had information up on their websites and they seem to be quite satisfied with progress."
Ferry is concerned that users aren't aware of the capabilities of the technology they buy, in particular when it comes to DSL routers.
"Basically they're able to buy a DSL router and a modem and a firewall all in one box for less than they'd pay for an old dial-up modem." He advocates training and education for users in both security and networking, especially for home users.
The Consumers Institute’s Russell says retailers have a responsibility to their customers and should do as much as they can to warn them of potential problems.
"I would say no, it's not enough to simply put a warning up on a website. They should be contacting customers directly to warn them of the problem."
Russell, who was not aware of the Dynalink issue and was speaking generally about customer relations, says customers would probably be able to make a claim under the Consumer Guarantees Act should a retailer or manufacturer not alert them to such a problem.
"Especially security because that's something that's increasingly becoming a problem."