D-Link FINALLY slams shut 'Joel's backdoor'

Better late than never: D-Link has issued the promised patch that closes an administrative backdoor in its SOHO broadband routers. When the vulnerability was first discovered, the vendor promised to patch it by the end of October. The patch has now been issued here. If an attacker set their browser user agent string to read …

COMMENTS

This topic is closed for new posts.
  1. stizzleswick
    WTF?

    "Only turning off remote administration would protect the device."

    For a SOHO bit of kit, I (being an admin/consultant) would not even connect the router to anything except the machine I'm using for initial setup, let alone the internet, without turning off remote admin--truly small offices (and home users) quite simply don't need that bug feature. And in my personal opinion, using most D-Link offerings in a larger setting would be akin to suicide anyway.

    So... it may be a backdoor, but for anybody who knows the very first bit about security, it would be turned off anyway. Sort of like people using "passw0rd" as a password tend to have their systems hacked into more often than those who use actual passwords. Hence, very limited news value in this article from my point of view. There's a bug in a router. Not going to be the last one. It can be switched off, but most users won't. Their problem. If you don't know how to handle your own kit, hire a pro. My hourly rates are reasonable...

    1. Sir Sham Cad

      Re: It can be switched off, but most users won't.

      They won't because often they don't know about it and don't know how even if they did. Many home users and small businesses don't even know they can log onto the router to change the settings after the install man leaves and, even if they did and did know how to log on, they have the fear of buggering the whole thing sideways and taking down their home/office network or customer wifi and having to pay a pro a "reasonable hourly rate" to fix what they've knackered that was otherwise "just working".

      Remote admin should be disabled as factory default. This is my new armchair crusade!

      1. Annihilator

        Re: It can be switched off, but most users won't.

        "Remote admin should be disabled as factory default. This is my new armchair crusade!"

        On the products in question, it is disabled by default.

  2. Don Jefe

    Craigslist

    Joel Backdoor sounds like someone you'd find on Craigslist: 'Lonely med student looking to meet new people. If you're into broken glass and recycled hydraulic fluid hit me up. Extra points for sombreros and amputee furries'.

  3. cracked

    It isn't _all_ DLink routers (to be fair, the small number affected/effected ... I never know ... are listed on the Sec Advisory, linked in the article).

    As for the backdoor being dropped in during development - Almost guaranteed, I would imagine. It looks like an "I'm bored of logging in and out, during our testing" addition and as Richard says, said Dev forgot to take it back out after testing had finished (not first, won't be last).

    At least they fixed it (apparently) ... A month late is better than not at all, right?

    And - as said here in comments and on the DLink Sec-Advisory - you should not have Remote Management turned on and it was not on by default ... But as also said, often and often on here, that's easy enough to say if you know what you are doing ...

    1. Jonathan Richards 1

      OT: the small number affected/effected

      Affect is almost always a verb, Effect is almost always a noun. So something affected is being influenced: "This model of router is affected by the problem", whereas something effected is being brought into being; it's a result: "The fix was effected by applying the firmware update".

      Hope that helps.

  4. JaitcH
    FAIL

    Someone dropped the backdoor into the device ...

    It's what CISCO does to most of its Internet network products and why Obama is supporting their sale - all NSA compliant.

  5. Stretch

    Joel is sooo sacked.

    1. Annihilator

      If Joel was a one-man dev, test, package and deployment man for firmware, then yes. However in the case of a large company like D-Link that is sodding unlikely.

  6. Roland6 Silver badge

    And number of D-Link routers updated?

    I suspect that whilst D-Link have released a patch, very few products will actually be updated since this will require user intervention, and as others have pointed out Joe P(ublic) don't tend to mess with unfamiliar tech, particularly if it means they might lose their broadband connection.

    1. Annihilator

      Re: And number of D-Link routers updated?

      True, but by the same token the same Joes won't have enabled external access either. In fact they probably wouldn't have changed the default password and username either.

  7. Mike 16

    Updates?

    Putting on my mu-metal hat (tinfoil is not effective against the latest NSA/GCHQ measures), I have to wonder if the whole thing is just "motivation" getting users to "update" to a version more friendly to "lawful intercept".

    Yes, I leave Remote Admin turned off. No, I don't believe that makes me totally safe, as there's an ocean of JavaScript-embuggered websites out there that could connect from the _inside_ (LAN) if anybody in the house clicked the wrong link.

    Fact is, if "They" (NSA, GCHQ, RBN) want to do something nasty to you, they will, unless you go all Unabomber and live totally off the grid in some unheated (can't forget the IR-scanners in those drones) but well-insulated cabin in the woods.
