Control panel backdoor found in D-Link home routers

A group of embedded-device hackers has turned up a vulnerability in D-Link consumer-grade products that provides unauthenticated access to the units' admin interfaces. The backdoor means an attacker could take over all of the user-controllable functions of the popular home routers, which include the DIR-100, DI-524, DI-524UP …

COMMENTS

This topic is closed for new posts.
  1. Vociferous

    D-Link is, surprisingly, Taiwanese.

    Which makes this backdoor a bit puzzling.

    1. Destroy All Monsters Silver badge
      Paris Hilton

      D-Link and G-String level security

      Why though?

      1. Vociferous

        Re: D-Link and G-String level security

        Well, I suppose it depends on who put the backdoor there, but the only country in the world Taiwan is interested in spying on is China, and somehow I doubt they sell many routers to China.

      2. Anonymous Blowhard

        Re: D-Link and G-String level security

        re. Why

        I go for cock-up rather than conspiracy; it's probably a feature for D-Link's own diagnostic/management software. It's still alarmingly stupid though.

    2. Anonymous Coward

      Fail

      Having scanned the entire street and my route to work I have failed to find a D-Link device. This is most unfortunate as I really wanted to test this theory.

      1. Peter Gathercole Silver badge

        Re: Fail

        These are all pretty old devices. I have a DI-524 on my network (and a DI-604 lying around somewhere spare), and they both have firmware issues that really mean that anybody still using them must have a masochistic streak, or not care (which may include the majority of users, unfortunately).

        There has not been a firmware update for something like 8 or 9 years, and it is not possible to set the date on them (either manually or by pointing it at an SNTP server) to any date after December 2008 if I remember correctly. I would expect that most people would have tossed theirs whenever they updated their broadband package.

        Just in case anybody was tempted to try hacking into mine, I'm not using the WAN side at all, merely using it as a WiFi router on one of my wireless zones behind my Linux firewall.

      2. Anonymous Coward

        Re: Fail

        Having scanned the entire street and my route to work I have failed to find a D-Link device. This is most unfortunate as I really wanted to test this theory.

        Based on the mean time to failure of D-Link devices, you'll be lucky to find one of the older models with this flaw.

  2. Richard Boyce
    Joke

    Has anyone yet claimed that the people who published this are aiding terrorism for revealing t̶h̶e̶i̶r this back door?

    1. gtech

      No, read the user agent string backwards. It's the name and employee ID of the coder who implemented the backdoor. Interestingly enough the CTO has the same first name.

  3. JimC

    It would be nice to think

    That the default config disables management access via the WAN port anyway, but I suppose that's too much to hope for.

    1. Charles 9

      Re: It would be nice to think

      It does, usually. Thing is, is that enough or can this be triggered even with remote management turned off?

    2. PirateKing

      Re: It would be nice to think

      on the 604, and the 614+ the default setting for the WAN port is remote management is OFF

    3. Yet Another Anonymous coward Silver badge

      Re: It would be nice to think

      /yes on the router with the deliberate back door the same firmware says the remote admin is off

  4. Anonymous Coward
    Unhappy

    Depressing

    And hardly uncommon.

    Does anyone have a link to a list of network gear which has been found to have this sort of idiocy plumbed in? It's getting hard to keep track.

    1. channel extended
      Pirate

      Re: Depressing

      I too would like such a link.

      Many of the routers in my area are older and I would like to help my neighbors. ;)

      1. Down not across

        Re: Depressing

        "Many of the routers in my area are older and I would like to help my neighbors. ;)"

        ...help? As in relieve of some excess unused bandwidth?

      2. Anonymous Coward

        Re: Depressing

        Isn't the Shodan search engine (mentioned in the article) what you're looking for?

    2. John Smith 19 Gold badge
      Joke

      Re: Depressing

      "Does anyone have a link to a list of network gear which has been found to have this sort of idiocy plumbed in? It's getting hard to keep track."

      There is.

      The link begins www.nsa.gov......

  5. Andrew Jones 2

    Words..... there are.... no words!

    WTF?!

    How was this ever considered to be a good idea?

    1. Gav

      Debugging

      It's clearly a debugging addition that someone forgot to remove.

      Big mistake, but while in development things like this can be very useful and a good idea. What isn't a good idea is forgetting it's there. You should comment your code appropriately and do a global find to identify these things long before they reach production.

      1. Roland6 Silver badge

        Re: Debugging

        Strange way to implement a debugging addition.

        "You should comment your code appropriately and do a global find"

        Much better to get into the habit of using compiler macros so that dev/debug code forms part of the source code narrative.

  6. poopypants

    Security through obscurity

    I guess they thought that nobody would find it. Quite a brave assumption.

    1. Anonymous Coward

      Re: Security through obscurity

      Downvoted. I've made it my mission to eliminate abuse of terms that doesn't mean anything and contains common misconception, especially when no security is even intended in this case.

      1. Wzrd1 Silver badge

        Re: Security through obscurity

        True enough.

        This is more a case of security through stupidity.

      2. poopypants

        @AC (Re: Security through obscurity)

        ob·scure adjective \äb-ˈskyu̇r, əb-\

        : not well-known : not known to most people

        : difficult to understand : likely to be understood by only a few people

        : difficult or impossible to know completely and with certainty

        se·cure adjective \si-ˈkyu̇r\

        : protected from danger or harm

        : providing protection from danger or harm

        It appears that I am technically correct. The best kind of correct.

      3. Anonymous Coward

        Re: Security through obscurity

        “… eliminate abuse of terms that doesn't mean anything and contains common misconception …”

        I’ve made it my mission to eliminate bad grammar.

    2. WhoaWhoa

      Re: Security through obscurity

      Isn't most security via obscurity?

      - My 50-character, random character password is obscure enough that you probably won't crack it.

      - Ditto my SHA key.

      - Ditto my fingerprint.

      That security guy at the gate, though, with a Magnum 44... nothing obscure about him.

  7. JeffyPoooh
    Pint

    None so blind, etc.

    So there's factory firmware that provides a backdoor, and the advice given here is to ensure that remote management access via the WAN port is disabled... ...according to the GUI on that very same suspicious firmware.

    Seriously?

    1. pixl97

      Re: None so blind, etc.

      Getting rid of the device would be the best first step, but not everybody will be able to act upon that measure in a timely fashion. Disabling remote admin would at least stop a completely unsolicited probe from owning you. The unit could still be attacked via XSS very easily.

    2. Yag

      Re: None so blind, etc.

      Well, it's not like you cannot test by yourself if the remote management access via WAN port is indeed disabled...

      1. Anonymous Coward

        Re: None so blind, etc.

        Having actually read the original report, the backdoor was partially found through skill and partially a bit of luck. Who knows what else is in the code? If you can't trust the coder, then you can't trust the code.

        Testing cannot reveal everything. It'd be like brute forcing. It ain't gonna work.

        Open source is one viable option.

        Do I need to explain everything?

    3. doronron

      Found in 2010, Backward "Edit by 04882 Joel Backdoor"

      Well it's clearly a malicious backdoor, "Joel" even calls it a backdoor.

      http://forum.codenet.ru/q58748/

      It seems to have been known/exploitable since 2010. At this point a full recall of D-Link kit and a lawsuit are required.

      xmlset_roodkcableoj28840ybtide backwards is:

      editby04882joelbackdoor_teslmx

    4. Alan Brown Silver badge

      Re: None so blind, etc.

      "So there's factory firmware that provides a backdoor"

      It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair.

      Having said that, the sheer number of unconfigured routers I see on wifi isn't confidence inspiring. There are still a lot of old pieces of kit out there even if more recent stuff has a random key or forces the user to set one.

      1. Miek
        Linux

        Re: None so blind, etc.

        "It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair." -- Or simply a JTag programmers kit.

      2. Charles 9

        Re: None so blind, etc.

        "It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair."

        With something like this, the usual fallback is the factory reset, which is supposed to reset the firmware back to default settings (which are written in the manual with the caveat that you're supposed to CHANGE it once you're in). Failing that, there's also usually the emergency flashing mode, which should allow for the flashing of ANY firmware in a local setting. If even that fails, then there's likely something fundamentally wrong with it and it will need physical attention in any event.

    5. Gav

      Re: None so blind, etc.

      Does anyone ever allow admin access by WAN? It's usually off by default and anyone turning it on is taking on a needless degree of risk I wouldn't accept.

      If you want to access admin on the router, physically connect a cable. It's not so hard.

  8. Anonymous Coward

    For those who can.

    Install dd-wrt on their router. You will be glad you did. Sad you need to though.

    1. hollymcr

      Re: For those who can.

      Why would anyone downvote a recommendation to install dd-wrt when the manufacturer supplied firmware has a major security flaw for which there's no current fix (other than replacing the firmware with something better)?

      1. jonathan1

        Re: For those who can.

        Why are people down voting you for pointing out that fact...The internet is a funny place.

        Up-voted you just to balance it out.

        1. Anonymous Coward

          Re: For those who can.

          I could understand the downvote if the OP was like guys often are, saying something like, "Any moron who doesn't put dd-wrt on his router deserves to get hacked anyway!", which is a really arrogant attitude - but he just recommended it "for those who can", which is entirely reasonable. Do the people who develop that firmware have any enemies? :P

        2. mad physicist Fiona

          Re: For those who can.

          Why are people down voting you for pointing out that fact...The internet is a funny place.

          So, the recommendation is to brick these routers by installing a firmware they are not capable of running? A sledgehammer is a quicker and functionally identical method of "fixing" this issue.

          Although not responsible for the original downvote I get tired of this relentless "DD-WRT is great" bullshit. In particular this idea that a $50 consumer grade device becomes a $1000 enterprise router with a change of firmware - "See, it does everything that this more expensive router does".

          Apart from simple performance of course - packet throughput is frequently less than 1% of the more expensive device. It's frequently much worse than even the original firmware - those extra functions don't come for free but take extra processing time. This is leaving aside that third party firmwares, DD-WRT especially, usually aim for device coverage as opposed to getting it to work properly on any single device. That frequently means a less powerful wifi signal if the antennae is not optimally configured. How many open source developers wanting a cheap, capable router have access to an EMI testing lab? That'd be none of them.

          Yes, DD-WRT has its place but all too often it is advocated in an axiomatic fashion by the relentless fiddlers. Like here for instance where the router does not support it. Too often it simply devolves to the point of "See, look what I've done, aren't I clever?" when the reality is no extra functions were needed so it is actually "I've made my router slower and less powerful to show how clever I am".

          1. This post has been deleted by its author

          2. NogginTheNog
            Thumb Up

            Re: For those who can.

            Post of the week, if not the month!

          3. Anonymous Coward

            Re: For those who can.

            > Too often it simply devolves to the point of "See, look what I've done, aren't I clever?" when the reality is no extra functions were needed so it is actually "I've made my router slower and less powerful to show how clever I am".

            Well, it also means you have a router running open source software in all likelihood devoid of xmlset_roodkcableoj28840ybtide-style backdoors. And you can even check - if you're mighty competent and have too much time on your hands - or at least build from source yourself (if you don't trust the blob).

            You can most certainly trust the community's source code review more than any company's.

            That's where I see the value anyway.

    2. Sporkinum

      Re: For those who can.

      Those routers don't have dd-wrt support.

  9. ecofeco Silver badge

    What? You mean it's not...

    Admin, 12345, anymore?

    1. Rumournz
      FAIL

      Re: What? You mean it's not...

      No, it's Admin / Admin, still (set one up for a friend the other week)

      still the same as the default from 2000 :(

      1. ecofeco Silver badge
        Alert

        Re: What? You mean it's not...

        "No, it's Admin / Admin,"

        Holy crap! Still?

        Holy crap!

  10. Anonymous Coward

    Who uses Dlink devices anyway?

    Probably even fewer in future.

  11. At0micAndy

    It is for reasons like this, exactly like this, that I live 4.8 miles from the neighbours, I don't use wifi, and have two separate wired networks in the house. On one, connected to the internet, I have a diskless PC, a boot disk, a printer and a scanner. I boot from the disk and print anything I want to transfer to my other network. My other network is fully wired, has PCs, printers, scanners, and anything I want to transfer from the one network to the other I print on one system and scan into the other.

    Oh, wait, perhaps I don't, maybe I just steal a neighbour's wifi using a similar backdoor to the one mentioned in this article. I love the prevalence of BT supplied H/W in the UK :-)

    Backdoors have been around for a very long time, for some odd reason they seem to get little reportage, perhaps that is because of hidden influence?

  12. Anonymous Coward

    And this is why they made DD-WRT....

    1. Only buy a router that allows DD-WRT to be installed

    2. Install it.

    3. Feel annoyingly smug!

    1. HMB

      If I Was a Security Agency

      I would have ensured a back door existed in an incredibly common driver binary for DD-WRT and received endless amusement watching people installing it to escape the other firmware I nobbled some time ago.

      Is your router secure?

      We'll see.

  13. DropBear
    Holmes

    Regarding that string...

    ...I trust y'all have noticed that read backwards, it reads "edit by 04882 joel backdoor", yes? Okay then.

  14. Mystic Megabyte
    FAIL

    Edimax

    I've mentioned it before but it's worth repeating that my Edimax router came with Telnet and FTP ports open by default.. Luckily I had created a long pass phrase but you have to enable SPI to close the ports.

    1. Anonymous Coward

      Re: Edimax

      "I've mentioned it before but it's worth repeating..."

      Oh sorry - I must have missed that post - thanks for letting me know. Silly me for not reading and remembering all your posts!

  15. Parax

    Who Else?

    So who has control of a zombie army of BT home hubs?

    I've been asking the router question for years, seems I'm now getting answers..

  16. Arachnoid

    Press to connect

    Well since the BT device is supplied with the ever so friendly press to connect button which has been shown to be a digger size security hole all in itself, you should be fine getting a wifi connection.

  17. John H Woods Silver badge

    Sale of Goods Act ...

    ... although these things are normally litigated in the US, does anyone have any insight into whether the existence of a deliberately introduced massive security flaw (into a device whose function is partly to implement security between the WAN and the LAN) could count as the goods being unfit for purpose in the UK? Any law students fancy a go at a UK test case?

  18. tempemeaty

    Perhaps all of them are compromised?

    At this point I'm beginning to wonder if all consumer routers by all brands have some kind of hidden back doors and/or serious security holes. Perhaps we are just at the beginning of that discovery and realization.

  19. Vimes

    http://www.pcworld.com/article/2054500/backdoor-found-in-dlink-router-firmware-code.html

    So this has been known about for three years?

    1. DropBear

      Erm, there's a "subtle" difference between "everybody / the relevant security circles knew about it" and "a couple of Russian hackers on an obscure forum knew about it"...

      1. Caesarius
        Thumb Up

        @DropBear

        I can't see that it was really known three years ago. Translating the last few lines of the Russian post gives:

        And there is an interesting line in the elf-binaries Web server:

        xmlset_roodkcableoj28840ybtide

        (Try reading it backwards)

        To sum up - friends, colleagues, tell me where to find the list of users / passwords?

        So it looks as though he had not followed up the lead, at least not publicly ;-)

    2. Destroy All Monsters Silver badge

      A web search turned up the suspicious user agent string in a post on a Russian forum three years ago, Heffner wrote, which means somebody has known about it for a while.

      All your D-Link base are belong to us.

  20. Anonymous Coward

    What's the BT backdoor? Link me up so I can test it in my network.

    1. Black Rat

      Post your IP address, somebody will contact you.. :}

      1. Vic
        Joke

        > Post your IP address, somebody will contact you

        OK - it's 127.0.0.1.

        Thanks for your help!

        Vic.

  21. Hans 1

    How long does it take to crack the wifi passcode ? Thought so - device 0wned even if you disable WAN admin access ... you keep the Asian script kiddies out, not your neighbour ... ;-)

    1. Charles 9

      Given that most of these devices DO support WPA2, which supports AES as well as TKIP. These have not been compromised and most of the talk about WPA2-PSK cracking has been in the same old problems: weak passwords. As for the WPS button, which IS handy so I don't have to carry wound my standard-limit WPA key around, especially to devices where entering the key is difficult, I just make sure to use it carefully so that the device is most likely to be seen first, and I check my client tables afterwards in case of intruders.

  22. Fihart

    Older D-Links had a flaw.

    Accidentally breached a neighbour's WPA protected router. I was using Netgear wireless adapter's interface and clicked on the neighbour's SSID and suddenly was in. Backtracked and discovered that if I flipped the Netgear interface between WPA and no security the neighbour's router was accessible. I could, if I wanted, use their internet and change settings in their D-Link (as it turned out to be) router.

    This was a couple of years ago and the ISP has stopped issuing that D-Link model.

  23. Irongut

    “At this point, there's no defence against the backdoor, so users are advised to disable WAN-port access to the administrative interfaces of affected products.”

    WAN access to the admin interface should always be disabled in all routers everywhere.

    There is no valid reason for having it enabled.

    1. Charles 9

      Many have noted that it IS disabled by default on most of the routers. I know it was disabled on my DIR-615 (since replaced with a new dual-band ac router).

  24. Arachnoid

    As for the WPS button

    Hmmm the article I recall stated you could log on to the wifi regardless of if the key was pressed as the software in question scans for a relevant key for the system.

  25. The FunkeyGibbon
    Terminator

    SHODAN

    "Welcome to my world, insect."

  26. Mad Chaz

    Not really surprised. If at least d-link followed wifi standard properly, it would be a huge improvement. The number of dlink routers I've seen that "work fine on the old laptop", but for some reason the latest shiny laptop or tablet they got just can't connect to it would be funny if it wasn't so sad.
