Yeah, sure...
More likely it will eventually turn up in D-cember.
(Sorry)
D-Link has promised to close its routers' backdoors by Hallowe'en, following revelations that many of its consumer-grade devices accept unauthenticated access to its admin Web page. As reported here yesterday, a researcher at /DEV/TTYS0 blog unpacked the firmware of a number of D-Link devices, finding that if a browser …
“As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.”
This is why I quit using consumer grade gear as most of the time not even the GUI will tell you the hardware version. What they should be doing, if you need to change the hardware to the point where the software won't run on it, give it a new model number. If you had a 5310 and hardware changed enough, call it the 5311. You could use the same manual but then you don't have to worry about the hardware revision as the average consumer will probably install the wrong one and brick it or if the software is smart enough, not install. Then you have a consumer that is mad because it won't update. A new model number solves these problems.
Not in a million years would they do that - it's marketing 101. Say you got a known, popular, sought after product like the Linksys WR54GL - if you need to make a relatively minor (?) change do you call it "WR55GL" and risk that people won't know that's what they should now be looking for since it's the same thing, or do you keep the well-known name and start slapping a "HW rev 1.1" sticker on the bottom...?
In the meantime, users should ensure there's a strong WiFi password on their kit, and should disable remote administrative access.
should read:
At any rate, users should ensure there's a strong WiFi password on their kit, and should disable remote administrative access for all of their WiFi routers, regardless of manufacturer.
While the existence of a known security hole does provide urgency, there's no excuse for lax security. The likelihood is that those devices without a publicly known security hole have holes which are either unknown or already known to malicious entities.
I honestly can't understand why a bigger fuss hasn't been made.
We are not talking about an innocent little debug feature left in, or a security hole by accident... This is a feature that was named Backdoor (albeit in reverse)... it was there and intended to be there.
Sort of makes me scared and wonder how many other devices have this sort of "feature" built in.
Well, the standards technical committee of an 'organisation that doesn't exist' has been co-ordinating worldwide - and I mean USA/EU/China/Russia/Aus & everywhere else - the 'lawful interception' capability of all ICT equipment since the 'nineties, through ITU, NIST & ETSI meetings. This (acceptable if targeted) lawful interception facility is seemingly abused by intelligence collection groups (doing probably illegal data hoovering of anything and everything, allegedly).
The D-Link backdoor password "xmlset_roodkcableoj28840ybtide" (edit by 04882 joel backdoor...) has just nicely let us know about this 'feature'
If you're very interested in protecting against your local telco/ICG 'tailored access' then I do not hesitate to suggest the Open Source software available at http://suricata-ids.org (Suricata is Latin for Meerkat) (other IDSes are available - but this one works).
This is originally a government funded enterprise intrusion detection system - which has grown up to become a flexible & powerful anti-malware system. Effectively, it's the new anti-virus system, given that current AV software systems don't work against zero-day threats! Some assembly is required & a 4GB multi-core Linux PC between your modem and your router.
If you don't understand the origin and destination of any data packet on your network then you're screwed!
Suricata install guide here - http://www.tecmint.com/suricata-a-network-intrusion-detection-prevention-system
And a Google Security Onion guide + IDS here (based on Xubuntu 12.04) https://code.google.com/p/security-onion/wiki/Installation
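Added example (not from the thread, D-Link or the Suricata project): it reverses the backdoor User-Agent string quoted above to show the "edit by 04882 joel backdoor" message, and runs a small detector over combined-format HTTP access log lines that flags any request carrying that string, which is the check a Suricata rule on the User-Agent header would make. The log lines are constructed for the example; the URL paths in them, the client IPs and the Suricata rule text (written with the `http_user_agent` content modifier) are assumptions, not anything taken from the affected firmware.

```python
import re

# Backdoor User-Agent string quoted in the comment above.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def decode_backdoor_string(s: str) -> str:
    """Reverse the string; read backwards it spells 'edit by 04882 joel backdoor' (plus 'teslmx')."""
    return s[::-1]


# Apache/nginx "combined" log format; the User-Agent is the final quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_backdoor_requests(lines):
    """Return (client_ip, request_line) for each request whose User-Agent contains the backdoor string.

    Substring match rather than equality: the string is distinctive enough that a
    false positive is unlikely, and a probe that pads or appends to it is still flagged.
    Lines that do not parse are skipped rather than aborting the scan.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        if BACKDOOR_UA in m.group("ua"):
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample log lines for this example (not real traffic; paths and IPs are made up).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:20:01:03 +0000] "GET /index.htm HTTP/1.1" 200 1834 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) Firefox/24.0"',
    '203.0.113.7 - - [12/Oct/2013:20:02:17 +0000] "GET /tools_admin.htm HTTP/1.1" 200 4312 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    'garbage line that does not match the log format',
    '203.0.113.7 - - [12/Oct/2013:20:02:20 +0000] "POST /tools_admin.htm HTTP/1.1" 200 512 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
]

# Equivalent Suricata rule (assumed wording; inspects the User-Agent header of client requests).
SURICATA_RULE = (
    'alert http any any -> $HOME_NET any (msg:"D-Link backdoor User-Agent"; '
    'flow:to_server,established; content:"xmlset_roodkcableoj28840ybtide"; '
    'http_user_agent; nocase; sid:1000001; rev:1;)'
)

if __name__ == "__main__":
    print("decoded:", decode_backdoor_string(BACKDOOR_UA))
    for ip, req in find_backdoor_requests(SAMPLE_LOG):
        print(f"backdoor probe from {ip}: {req}")
```

Run it on a real access log by passing the file's lines to `find_backdoor_requests`; on a router that exposes its admin page to the WAN, any hit from a non-local address is an unauthenticated admin session, not a login attempt.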
"ONLY if you're STUPID enough to enable the administrative interface on the WAN side."
I think you mean:
Only if you're naive enough to believe that turning off the WAN admin access on your router (of whatever brand) really does disable WAN access.
After all, who knows where the next backdoor is and, even if it's a locked door, who has a set of keys?
I'm off to the supermarket to stock up on tinfoil...
I've come across many (small) businesses/offices with D-Link kit kicking around, and WiFi site surveys of large enterprises throwing up 'private' ADSL connections with consumer grade kit attached...
But yes, I expect very few 'consumers' to upgrade their devices. But then given that D-Link have access to many devices through this undocumented feature perhaps the question we should be asking, should D-Link do the update for them?
> The verification process needs to be open to peer review and there needs to be a simple mechanism for users to check that what they install is what got verified
You just summarised the raison d'etre for open source software (or firmware). If you have a verified copy of peer-reviewed source code [md5sum?], and if you compile it with a compiler you trust, and if you install the object code, then you have "verified backdoor free software" on your device.
The peer review is clearly the bit that can't be glossed over, though, as we saw in the story about the 'uid = 0' clause in a repository version of Linux's wait4 code.
Working on a fix! Why? Just how long does it take to change the code so that the authentication fails? They seem to be taking long enough to put in a less obvious backdoor with the authentication strings no longer clearly visible in the binary. No trust without a FULL source code release.
But this might just be a case of a lazy programmer, who needed access to some data that required authentication and decided (because he/she had an oh so important deadline) that it was just easier to take a shortcut... and of course now they need the time to actually analyze the problem and create a proper solution...
Looking at the D-Link download page, there are firmware images already available for models DIR-m, where m > 300.
The backdoor was apparently in the v 1.01 firmware of my D-615, which I have just upgraded to v4.14 from an image made in April 2013. I suspect that the backdoor made it into production in v1.01 by mistake, and that subsequent updates were made from a 'clean' source.
In a novel touch, there is now (optionally) a CAPTCHA-style verification for a login to the GUI interface, in addition to the password.
What is all this rubbish about it being consumer tech, and some enterprises (silly billies) rigging it up in their big mega enterprise buildings?
- The fact it's a home / home office router has nothing at all to do with it being backdoored. It's the one the dude had handy, so it's the one he tested.
This backdoor could have been in any given router, and similar ones are in others. There seems to be an idea here that just because it's a home router, well that's what you get, c'mon.