D-Link has promised to close its routers' backdoors by Hallowe'en, following revelations that many of its consumer-grade devices accept unauthenticated access to its admin Web page. As reported here yesterday, a researcher at /DEV/TTYS0 blog unpacked the firmware of a number of D-Link devices, finding that if a browser presented …
More likely it will eventually turn up in D-cember.
Re: Implemented by
Because some D-bag wasn't security conscious.
“As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.”
This is why I quit using consumer grade gear as most of the time not even the GUI will tell you the hardware version. What they should be doing, if you need to change the hardware to the point where the software won't run on it, give it a new model number. If you had a 5310 and hardware changed enough, call it the 5311. You could use the same manual but then you don't have to worry about the hardware revision as the average consumer will probably install the wrong one and brick it or if the software is smart enough, not install. Then you have a consumer that is mad because it won't update. A new model number solves these problems.
Not in a million years would they do that - it's marketing 101. Say you got a known, popular, sought after product like the Linksys WR54GL - if you need to make a relatively minor (?) change do you call it "WR55GL" and risk that people won't know that's what they should now be looking for since it's the same thing, or do you keep the well-known name and start slapping a "HW rev 1.1" sticker on the bottom...?
They could make the software run on both, if they can't, change the model number.
What happens if someone is trying to buy v1.1 of the WR55GL then? They go to a site and they could still be selling the v1.0 hardware variant as the model number is the same.
Now if D-Link would...
...Give out the code for those routers that they consider "obsolete", we would all have a win. There are several router/firewalls that are perfectly serviceable and do their job quite well.
Alas, I am dreaming.
Re: Now if D-Link would...
I don't think you want to see their crappy code....
Re: Now if D-Link would...
the firmware is arj compressed, unpack and have a look... found no sign of "xmlset_roodkcableoj28840ybtide" in my "obsolete" 10 year old DI-604 rev.E firmware v3.52
In the meantime, users should ensure there's a strong WiFi password on their kit, and should disable remote administrative access.
At any rate, users should ensure there's a strong WiFi password on their kit, and should disable remote administrative access for all of their WiFi routers, regardless of manufacturer.
While existence of a known security hole does provide urgency, there's no excuse for lax security. The likelihood is that those devices without a publicly known security hole have holes which are either unknown or already know to malicious entities.
Why the down vote? It's a perfectly reasonable suggestion about securing your router, and I'm quite sure that there are holes we don't know about - so why on earth give the scum the chance in the first place.
I honestly can't understand why a bigger fuss hasn't been made.
We are not talking about an innocent little debug feature left in, or security hole by accident... This is a feature that was named Backdoor (all be it in reverse)... it was there and intended to be there.
Sort of makes me scared and wonder how many other devices have this sort of "feature" built in.
Lets close the door ourselves!
well, the standards technical committee of an 'organisation that doesn't exist' has been co-ordinating worldwide - and I mean USA/EU/China/Russia/Aus &everywhere else - the 'lawful interception' capability of all ICT equipment since the 'nineties, through ITU, NIST & ETSI meetings. This (acceptable if targeted) lawful interception facility is seemingly abused by intelligence collection groups (doing probably illegal data hoovering of anything and everything, allegedly)
The D-Link backdoor password "xmlset_roodkcableoj28840ybtide" (edit by 04882 joel backdoor...) has just nicely let us know about this 'feature'
if you're very interested in protecting against your local telco/ICG 'tailored access' then I do not hesitate to suggest the Open Source software available at http://suricata-ids.org (Suricata is Latin for Meerkat) (other IDS's are available - but this one works)
this is originally a government funded enterprise intrusion detection system - which has grown up to become a flexible & powerful anti-malware system. Effectively, it's the new anti-virus system being that current AV software systems don't work against zero-day threats! Some assembly is required & a 4GB multi-core linux PC between your modem and your router.
if you don't understand the origin and destination of any data packet on your network then you're screwed!
Suricata install guide here - http://www.tecmint.com/suricata-a-network-intrusion-detection-prevention-system
and a Google Security Onion guide + IDS here (based on Xubuntu 12.04) https://code.google.com/p/security-onion/wiki/Installation
ONLY if you're STUPID enough to enable the administrative interface on the WAN side.
It's like a door that can be opened without a key (unlocked), alas there is no handle on the outside, so you can only open it from the inside. It IS relevant if they can get on your wifi though...
"ONLY if you're STUPID enough to enable the administrative interface on the WAN side."
I think you mean:
Only if you're naive enough to believe that turning off the WAN admin access on your router (of whatever brand) really does disable WAN access.
After all, who knows where the next backdoor is and, even if it's a locked door, who has a set of keys?
I'm off to the supermarket to stock up on tinfoil...
Re: Lets close the door ourselves!
"The D-Link backdoor password "xmlset_roodkcableoj28840ybtide" (edit by 04882 joel backdoor...) has just nicely let us know about this 'feature'"
It is not a password. It is a user agent header.
And how many consumers install firmware updates on their embedded devices? How many even know what firmware is?
Re: Consumers @AC
I've come across many (small) businesses/offices with D-Link kit kicking around and WiFi site survey's of large enterprises throwing up 'private' ADSL connections with consumer grade kit attached...
But yes, I expect very few 'consumers' to upgrade their devices. But then given that D-Link have access to many devices through this undocumented feature perhaps the question we should be asking, should D-Link do the update for them?
I sense there is a market opportunity here for manufacturers to promote secure kit with verified backdoor free software.
The verification process needs to be open to peer review and there needs to be a simple mechanism for users to check that what they install is what got verified.
That would be open source, then
> The verification process needs to be open to peer review and there needs to be a simple mechanism for users to check that what they install is what got verified
You just summarised the raison d'etre for open source software (or firmware). If you have a verified copy of peer-reviewed source code [md5sum?], and if you compile it with a compiler you trust, and if you install the object code, then you have "verified backdoor free software" on your device.
The peer review is clearly the bit that can't be glossed over, though, as we saw in the story about the 'uid = 0' clause in a repository version of Linux's wait4 code.
How long does it take?
Working on a fix! Why? Just how long does it take to change the code so that the authentication fails? They seem to be taking long enough to put in a less obvious backdoor with the authentication strings no longer clearly visible in the binary. No trust without a FULL source code release.
Re: How long does it take?
But this might just be a case of a lazy programmer, who needed access to some data that required authentication and decided (because he/she had an oh so important deadline) that it was just easier to take a shortcut... and of course now they need the time to actually analyze the problem and create a proper solution...
Re: How long does it take?
Looking at the D-Link download page, there are firmware images already available for models DIR-m, where m > 300.
The backdoor was apparently in the v 1.01 firmware of my D-615, which I have just upgraded to v4.14 from an image made in April 2013. I suspect that the backdoor made it into production in v1.01 by mistake, and that subsequent updates were made from a 'clean' source.
In a novel touch, there is now (optionally) a CAPTCHA-style verification for a login to the GUI interface, in addition to the password.
D-plane boss, D-plane!
(I can't believe how long ago it was when that show was on, I feel old)
Better be quick before d-germans get here
What is all this rubbish about it being consumer tech, and some enterprises (silly billy's) rigging it up in their big mega enterprise buildings.
- The fact it's a home / home office router has nothing at all to do with it being backdoored. It's the one the dude had handy, so it's the one he tested.
This backdoor could have been in any given router, and similar ones are in others. There seems to be an idea here that just because it's a home router, well that's what you get, c'mon.
- 'Windows 9' LEAK: Microsoft's playing catchup with Linux
- Review A SCORCHIO fatboy SSD: Samsung SSD850 PRO 3D V-NAND
- Was Earth once covered in HELLFIRE? No – more like a wet Sunday night in Iceland
- Breaking Fad 4K-ing excellent TV is on its way ... in its own sweet time, natch
- Every billionaire needs a PANZER TANK, right? STOP THERE, Paul Allen