Control panel backdoor found in D-Link home routers

A group of embedded-device hackers has turned up a vulnerability in D-Link consumer-grade products that provides unauthenticated access to the units' admin interfaces. The backdoor means an attacker could take over all of the user-controllable functions of the popular home routers, which include the DIR-100, DI-524, DI-524UP, …

COMMENTS

This topic is closed for new posts.

D-Link is, surprisingly, Taiwanese.

Which makes this backdoor a bit puzzling.

0
0
Silver badge
Paris Hilton

D-Link and G-String level security

Why though?

1
0

Re: D-Link and G-String level security

Well, I suppose it depends on who put the backdoor there, but the only country in the world Taiwan is interested in spying on is China, and somehow I doubt they sell many routers to China.

0
0
Anonymous Coward

Fail

Having scanned the entire street and my route to work I have failed to find a D-Link device. This is most unfortunate as I really wanted to test this theory.

3
0
Silver badge

Re: Fail

These are all pretty old devices. I have a DI-524 on my network (and a DI-604 lying around somewhere spare), and they both have firmware issues that really mean that anybody still using them must have a masochistic streak, or not care (which may include the majority of users, unfortunately).

There has not been a firmware update for something like 8 or 9 years, and it is not possible to set the date on them (either manually or by pointing it at an SNTP server) to any date after December 2008 if I remember correctly. I would expect that most people would have tossed theirs whenever they updated their broadband package.

Just in case anybody was tempted to try hacking into mine, I'm not using the WAN side at all, merely using it as a WiFi router on one of my wireless zones behind my Linux firewall.

2
0
Bronze badge

Re: Fail

Having scanned the entire street and my route to work I have failed to find a D-Link device. This is most unfortunate as I really wanted to test this theory.

Based on the mean time to failure of D-Link devices, you'll be lucky to find one of the older models with this flaw.

2
0
Bronze badge

Re: D-Link and G-String level security

re. Why

I go for cock-up rather than conspiracy; it's probably a feature for D-Link's own diagnostic/management software. It's still alarmingly stupid though.

1
0
Joke

Has anyone yet claimed that the people who published this are aiding terrorism for revealing t̶h̶e̶i̶r this back door?

8
0

No, read the user agent string backwards. It's the name and employee ID of the coder who implemented the backdoor. Interestingly enough the CTO has the same first name.

5
0

It would be nice to think

That the default config disables management access via the WAN port anyway, but I suppose that's too much to hope for.

6
0
Silver badge

Re: It would be nice to think

It does, usually. Thing is, is that enough or can this be triggered even with remote management turned off?

0
0

Re: It would be nice to think

On the 604 and the 614+, the default setting for the WAN port is that remote management is OFF.

0
0
Silver badge

Re: It would be nice to think

/yes on the router with the deliberate back door the same firmware says the remote admin is off

1
0
Silver badge
Unhappy

Depressing

And hardly uncommon.

Does anyone have a link to a list of network gear which has been found to have this sort of idiocy plumbed in? It's getting hard to keep track.

6
0
Bronze badge
Pirate

Re: Depressing

I too would like such a link.

Many of the routers in my area are older and I would like to help my neighbors. ;)

1
0
Gold badge
Joke

Re: Depressing

"Does anyone have a link to a list of network gear which has been found to have this sort of idiocy plumbed in? It's getting hard to keep track."

There is.

The link begins www.nsa.gov......

1
0
Bronze badge

Re: Depressing

"Many of the routers in my area are older and I would like to help my neighbors. ;)"

...help? As in relieve of some excess unused bandwidth?

0
0
Anonymous Coward

Re: Depressing

Isn't the Shodan search engine (mentioned in the article) what you're looking for?

0
0
Bronze badge

Words..... there are.... no words!

WTF?!

How was this ever considered to be a good idea?

1
0
Gav

Debugging

It's clearly a debugging addition that someone forgot to remove.

Big mistake, but while in development things like this can be very useful and a good idea. What isn't a good idea is forgetting it's there. You should comment your code appropriately and do a global find to identify these things long before they reach production.

1
0
Bronze badge

Re: Debugging

Strange way to implement a debugging addition.

"You should comment your code appropriately and do a global find"

Much better to get into the habit of using compiler macros so that dev/debug code forms part of the source code narrative.

0
0

Security through obscurity

I guess they thought that nobody would find it. Quite a brave assumption.

5
4
Anonymous Coward

Re: Security through obscurity

Downvoted. I've made it my mission to eliminate abuse of terms that doesn't mean anything and contains common misconception, especially when no security is even intended in this case.

5
20
Bronze badge

Re: Security through obscurity

True enough.

This is more a case of security through stupidity.

3
0

Re: Security through obscurity

Isn't most security via obscurity?

- My 50-character, random character password is obscure enough that you probably won't crack it.

- Ditto my SHA key.

- Ditto my fingerprint.

That security guy at the gate, though, with a Magnum 44... nothing obscure about him.

5
1

@AC (Re: Security through obscurity)

ob·scure adjective \äb-ˈskyu̇r, əb-\

: not well-known : not known to most people

: difficult to understand : likely to be understood by only a few people

: difficult or impossible to know completely and with certainty

se·cure adjective \si-ˈkyu̇r\

: protected from danger or harm

: providing protection from danger or harm

It appears that I am technically correct. The best kind of correct.

4
2
Anonymous Coward

Re: Security through obscurity

“… eliminate abuse of terms that doesn't mean anything and contains common misconception …”

I’ve made it my mission to eliminate bad grammar.

2
0
Bronze badge
Pint

None so blind, etc.

So there's factory firmware that provides a backdoor, and the advice given here is to ensure that remote management access via the WAN port is disabled... ...according to the GUI on that very same suspicious firmware.

Seriously?

3
0

Re: None so blind, etc.

Getting rid of the device would be the best first step, but not everybody will be able to act upon that measure in a timely fashion. Disabling remote admin would at least stop a completely unsolicited probe from owning you. The unit could still be attacked via XSS very easily.

0
0
Yag

Re: None so blind, etc.

Well, it's not like you cannot test by yourself if the remote management access via WAN port is indeed disabled...

2
0

Found in 2010, Backward "Edit by 04882 Joel Backdoor"

Well, it's clearly a malicious backdoor, "Joel" even calls it a backdoor.

http://forum.codenet.ru/q58748/

It seems to have been known/exploitable since 2010. At this point a full recall of D-Link kit and a lawsuit are required.

xmlset_roodkcableoj28840ybtide backwards is:

editby04882joelbackdoor_teslmx

3
1
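
For defenders, the User-Agent value quoted in this thread can be searched for in web, proxy or honeypot logs. The following is an added example, not code from the article or from any commenter; it assumes logs in Apache/nginx "combined" format, and the sample lines and addresses are constructed.

```python
import ipaddress
import re

# User-Agent value quoted in the thread above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Combined log format: src - user [time] "request" status bytes "referer" "ua"
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')

# Constructed sample input (assumed log format, constructed addresses).
SAMPLE_LOG = [
    '192.168.0.23 - - [14/Oct/2013:09:12:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '203.0.113.7 - - [14/Oct/2013:09:15:44 +0000] "GET / HTTP/1.0" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [14/Oct/2013:09:15:50 +0000] "GET /missing HTTP/1.0" 404 120 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.50 - - [14/Oct/2013:10:02:13 +0000] "GET / HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    'truncated line without the expected fields',
]

def find_backdoor_requests(lines):
    """Return parsed records whose User-Agent contains the backdoor string."""
    hits = []
    for lineno, line in enumerate(lines, 1):
        m = LINE_RE.match(line.strip())
        # Case-insensitive substring match: deliberately broader than exact.
        if m and BACKDOOR_UA in m["ua"].lower():
            hits.append({**m.groupdict(), "line": lineno})
    return hits

def origin(src):
    """Classify a source address as 'lan' (RFC 1918) or 'wan'."""
    ip = ipaddress.ip_address(src)
    return "lan" if any(ip in net for net in RFC1918) else "wan"

def summarise(hits):
    """Per source: which side it came from, request count, 2xx responses."""
    out = {}
    for h in hits:
        e = out.setdefault(h["src"], {"origin": origin(h["src"]), "count": 0, "served": 0})
        e["count"] += 1
        e["served"] += h["status"].startswith("2")
    return out

if __name__ == "__main__":
    for src, info in summarise(find_backdoor_requests(SAMPLE_LOG)).items():
        print(src, info)
```

A "wan" source with a non-zero "served" count means the admin interface answered a request carrying this User-Agent from outside the local network.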
Silver badge

Re: None so blind, etc.

"So there's factory firmware that provides a backdoor"

It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair.

Having said that, the sheer number of unconfigured routers I see on wifi isn't confidence inspiring. There are still a lot of old pieces of kit out there even if more recent stuff has a random key or forces the user to set one.

0
1
Gav

Re: None so blind, etc.

Does anyone ever allow admin access by WAN? It's usually off by default and anyone turning it on is taking on a needless degree of risk I wouldn't accept.

If you want to access admin on the router, physically connect a cable. It's not so hard.

1
0
Silver badge
Linux

Re: None so blind, etc.

"It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair." -- Or simply a JTAG programmer's kit.

1
0
Anonymous Coward

Re: None so blind, etc.

Having actually read the original report, the backdoor was partially found through skill and partially a bit of luck. Who knows what else is in the code? If you can't trust the coder, then you can't trust the code.

Testing cannot reveal everything. It'd be like brute forcing. It ain't gonna work.

Open source is one viable option.

Do I need to explain everything?

2
0
Silver badge

Re: None so blind, etc.

"It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair."

With something like this, the usual fallback is the factory reset, which is supposed to reset the firmware back to default settings (which are written in the manual with the caveat that you're supposed to CHANGE it once you're in). Failing that, there's also usually the emergency flashing mode, which should allow for the flashing of ANY firmware in a local setting. If even that fails, then there's likely something fundamentally wrong with it and it will need physical attention in any event.

0
0
Bronze badge

For those who can.

Install dd-wrt on their router. You will be glad you did. Sad you need to though.

15
3

Re: For those who can.

Why would anyone downvote a recommendation to install dd-wrt when the manufacturer supplied firmware has a major security flaw for which there's no current fix (other than replacing the firmware with something better)?

8
5

Re: For those who can.

Why are people down voting you for pointing out that fact...The internet is a funny place.

Up-voted you just to balance it out.

2
1
Anonymous Coward

Re: For those who can.

I could understand the downvote if the OP was like guys often are, saying something like, "Any moron who doesn't put dd-wrt on his router deserves to get hacked anyway!", which is a really arrogant attitude - but he just recommended it "for those who can", which is entirely reasonable. Do the people who develop that firmware have any enemies? :P

1
1

Re: For those who can.

Those routers don't have dd-wrt support.

2
0

Re: For those who can.

Why are people down voting you for pointing out that fact...The internet is a funny place.

So, the recommendation is to brick these routers by installing a firmware they are not capable of running? A sledgehammer is a quicker and functionally identical method of "fixing" this issue.

Although not responsible for the original downvote I get tired of this relentless "DD-WRT is great" bullshit. In particular this idea that a $50 consumer grade device becomes a $1000 enterprise router with a change of firmware - "See, it does everything that this more expensive router does".

Apart from simple performance of course - packet throughput is frequently less than 1% of the more expensive device. It's frequently much worse than even the original firmware - those extra functions don't come for free but take extra processing time. This is leaving aside that third party firmwares, DD-WRT especially, usually aim for device coverage as opposed to getting it to work properly on any single device. That frequently means a less powerful wifi signal if the antenna is not optimally configured. How many open source developers wanting a cheap, capable router have access to an EMI testing lab? That'd be none of them.

Yes, DD-WRT has its place but all too often it is advocated in an axiomatic fashion by the relentless fiddlers. Like here for instance where the router does not support it. Too often it simply devolves to the point of "See, look what I've done, aren't I clever?" when the reality is no extra functions were needed so it is actually "I've made my router slower and less powerful to show how clever I am".

6
0

This post has been deleted by its author

Bronze badge
Thumb Up

Re: For those who can.

Post of the week, if not the month!

0
0
Anonymous Coward

Re: For those who can.

> Too often it simply devolves to the point of "See, look what I've done, aren't I clever?" when the reality is no extra functions were needed so it is actually "I've made my router slower and less powerful to show how clever I am".

Well, it also means you have a router running open source software in all likelihood devoid of xmlset_roodkcableoj28840ybtide-style backdoors. And you can even check - if you're mighty competent and have too much time on your hands - or at least build from source yourself (if you don't trust the blob).

You can most certainly trust the community's source code review more than any company's.

That's where I see the value anyway.

0
0
Silver badge

What? You mean it's not...

Admin, 12345, anymore?

1
0
FAIL

Re: What? You mean it's not...

No, it's Admin / Admin, still (set one up for a friend the other week)

still the same as the default from 2000 :(

1
0
Silver badge
Alert

Re: What? You mean it's not...

"No, it's Admin / Admin,"

Holy crap! Still?

Holy crap!

0
1
Anonymous Coward

Who uses Dlink devices anyway?

Probably even fewer in future.

1
1

It is for reasons like this, exactly like this, that I live 4.8 miles from the neighbours, I don't use wifi, and have two separate wired networks in the house. On one, connected to the internet, I have a diskless PC, a boot disk, a printer and a scanner. I boot from the disk and print anything I want to transfer to my other network. My other network is fully wired, has PCs, printers, scanners, and anything I want to transfer from the one network to the other I print on one system and scan into the other.

Oh, wait, perhaps I don't, maybe I just steal a neighbour's wifi using a similar backdoor to the one mentioned in this article. I love the prevalence of BT supplied H/W in the UK :-)

Backdoors have been around for a very long time, for some odd reason they seem to get little reportage, perhaps that is because of hidden influence?

2
0
