D-Link FINALLY slams shut 'Joel's backdoor'

Better late than never: D-Link has issued the promised patch that closes an administrative backdoor in its SOHO broadband routers. When the vulnerability was first discovered, the vendor promised to patch it by the end of October. The patch has now been issued here. If an attacker set their browser user agent string to read …

COMMENTS

This topic is closed for new posts.
WTF?

"Only turning off remote administration would protect the device."

For a SOHO bit of kit, I (being an admin/consultant) would not even connect the router to anything except the machine I'm using for initial setup, let alone the internet, without turning off remote admin--truly small offices (and home users) quite simply don't need that bug feature. And in my personal opinion, using most D-Link offerings in a larger setting would be akin to suicide anyway.

So... it may be a backdoor, but for anybody who knows the very first bit about security, it would be turned off anyway. Sort of like people using "passw0rd" as a password tend to have their systems hacked into more often than those who use actual passwords. Hence, very limited news value in this article from my point of view. There's a bug in a router. Not going to be the last one. It can be switched off, but most users won't. Their problem. If you don't know how to handle your own kit, hire a pro. My hourly rates are reasonable...

0
2
Bronze badge

Re: It can be switched off, but most users won't.

They won't because often they don't know about it and don't know how even if they did. Many home users and small businesses don't even know they can log onto the router to change the settings after the install man leaves and, even if they did and did know how to log on, they have the fear of buggering the whole thing sideways and taking down their home/office network or customer wifi and having to pay a pro a "reasonable hourly rate" to fix what they've knackered that was otherwise "just working".

Remote admin should be disabled as factory default. This is my new armchair crusade!

0
0
Silver badge

Re: It can be switched off, but most users won't.

"Remote admin should be disabled as factory default. This is my new armchair crusade!"

On the products in question, it is disabled by default.

0
0
Silver badge

Craigslist

Joel Backdoor sounds like someone you'd find on Craigslist: 'Lonely med student looking to meet new people. If you're into broken glass and recycled hydraulic fluid hit me up. Extra points for sombreros and amputee furries'.

1
0

It isn't _all_ DLink routers (to be fair, the small number affected/effected ... I never know ... are listed on the Sec Advisory, linked in the article).

As for the backdoor being dropped in during development - Almost guaranteed, I would imagine. It looks like a "I'm bored of logging in and out, during our testing" addition and, as Richard says, said Dev forgot to take it back out after testing had finished (not first, won't be last).

At least they fixed it (apparently) ... A month late is better than not at all, right?

And - as said here in comments and on the DLink Sec-Advisory - you should not have Remote Management turned on and it was not on by default ... But as also said, often and often on here, that's easy enough to say if you know what you are doing ...

1
0
Bronze badge
Thumb Up

OT: the small number affected/effected

Affect is almost always a verb, Effect is almost always a noun. So something affected is being influenced: "This model of router is affected by the problem", whereas something effected is being brought into being; it's a result: "The fix was effected by applying the firmware update".

Hope that helps.

0
0
Silver badge
FAIL

Someone dropped the backdoor into the device ...

It's what CISCO does to most of its InterNet network products and why Obama is supporting their sale - all NSA compliant.

1
1
Bronze badge

Joel is sooo sacked.

0
1
Silver badge
Thumb Down

If Joel was a one-man dev, test, package and deployment man for firmware, then yes. However in the case of a large company like D-Link that is sodding unlikely.

0
0
Bronze badge

And number of D-Link routers updated?

I suspect that whilst D-Link have released a patch, very few products will actually be updated since this will require user intervention, and as others have pointed out Joe P(ublic) don't tend to mess with unfamiliar tech. particularly if it means they might lose their broadband connection.

0
0
Silver badge

Re: And number of D-Link routers updated?

True, but by the same token the same Joes won't have enabled external access either. In fact they probably wouldn't have changed the default password and username either.

0
0

Updates?

Putting on my mu-metal hat (tinfoil is not effective against the latest NSA/GCHQ measures), I have to wonder if the whole thing is just "motivation" getting users to "update" to a version more friendly to "lawful intercept".

Yes, I leave Remote Admin turned off. No, I don't believe that makes me totally safe, as there's an ocean of Javascript-embuggered websites out there that could connect from the _inside_ (LAN) if anybody in the house clicked the wrong link.

Fact is, if "They" (NSA, GCHQ, RBN) want to do something nasty to you, they will, unless you go all Unabomber and live totally off the grid in some unheated (can't forget the IR-scanners in those drones) but well-insulated cabin in the woods.

0
1