D-Link Router Backdoor Vulnerability Allows Full Access To Settings

samzenpus posted about 10 months ago | from the protect-ya-neck dept.

Security 228

StealthHunter writes "It turned out that just by setting a browser's user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."

228 comments

Will this stupidity ever end? (5, Insightful)

gweihir (88907) | about 10 months ago | (#45118107)

Are these people too stupid to know that eventually, somebody _will_ analyze their firmware and find this? I think it is time to make them liable for a bit more than the device when things like these get found. Say, 10x the new value of the device to any customer that wants to give it back.

Re:Will this stupidity ever end? (5, Insightful)

DigitAl56K (805623) | about 10 months ago | (#45118167)

Well, as an ex D-Link customer, I'm glad to see someone is analyzing their firmware.

discipline (5, Funny)

Moblaster (521614) | about 10 months ago | (#45118251)

The Beatings Will Continue... Until the Firmware Improves.

Re:Will this stupidity ever end? (1)

Anonymous Coward | about 10 months ago | (#45118171)

"I think it is time to make them liable for a bit more than the device when things like these get found."

Really? I think it's getting pretty close to the point where liability is physical.

Re:Will this stupidity ever end? (5, Insightful)

Anonymous Coward | about 10 months ago | (#45118223)

How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.

Re:Will this stupidity ever end? (4, Interesting)

AlphaWolf_HK (692722) | about 10 months ago | (#45118681)

Who are you going to put in prison, exactly? It's possible only a small team of engineers was aware of this. Hell, may have even just been one rogue developer who nobody gave permission to put it there.

Re:Will this stupidity ever end? (4, Insightful)

Samantha Wright (1324923) | about 10 months ago | (#45118725)

I might propose targeting the software review board that didn't catch the flaws, or perhaps the management who decided such a review board was unnecessary. Security-critical hardware should have at least some QC and/or validation at the firmware code level, y'know?

Re: Will this stupidity ever end? (0)

Anonymous Coward | about 10 months ago | (#45118903)

Class action suit could bankrupt D-Link if this is proven true.

Idiot pruf (3, Insightful)

TiggertheMad (556308) | about 10 months ago | (#45119181)

As a software engineer who has worked on some larger projects, I can tell you that you are in fantasy land if you think that every line of code can be vetted without spending a small fortune on code review. Those costs might be justifiable for a project like a space shuttle guidance system, where the cost of failure is billions of dollars and multiple lives, but nobody is going to shell out that kind of budget for a sub $100 consumer router.

Re:Idiot pruf (2, Insightful)

Anonymous Coward | about 10 months ago | (#45119209)

nobody is going to shell out that kind of budget for a sub $100 consumer router.

except such routers are the first line of defense, in many cases, of such things as a space shuttle guidance system....

(don't blame me for what nasa engineers have running at home...)

Re:Idiot pruf (4, Interesting)

L4t3r4lu5 (1216702) | about 10 months ago | (#45119333)

That only applies if you think of the firmware as being worth the sale of only one router. The models listed are all consumer grade, but I'm willing to bet that because they're cheap they're also popular. Your $100 router all of a sudden is $10m in sales if 100k are sold, across those six (so far identified) ranges. Not so hard to imagine? Now think of those who work from home over networks served by that hardware, or the SMB with only a couple of clients on the network and no need for professional switching equipment. Now it's business loss to consider, even if only downtime to fix the breach is the only loss experienced.

I can easily see something like this having the potential to cause losses not dissimilar to your "shuttle crash" scenario. It's "keys to the kingdom" external access to what should be a private network.

Finally, there's no chance in hell of even 1% of these devices receiving a firmware update. Nobody (outside of us) upgrades the firmware on their home router; They run it from factory until death, then buy another one. These devices will be vulnerable for the foreseeable future.

Re:Idiot pruf (1)

gl4ss (559668) | about 10 months ago | (#45119337)

100 bucks*10 million installations = 1 000 000 000 bucks.

just saying. anyhow, this isn't apparently open from the wan by default at least. so the people most fucked by this potentially are cafes etc semi public ap's. easiest damage scenario to come up with is just someone changing the cafes networks password. more damaging scenarios would be stuff like forwarding all the connections through somewhere else(and potential session hijinxes from that).

Re:Will this stupidity ever end? (0)

Anonymous Coward | about 10 months ago | (#45118781)

Really, you want to push the "ignorance" excuse? That the company has no effective quality control? That they cannot guarantee their products will function as per spec?

Re:Will this stupidity ever end? (1)

someone1234 (830754) | about 10 months ago | (#45118949)

If you create a faulty product that causes property loss or death, heads must fall. In China, they just shoot the CEO in cases like this.
For that huge income they should at least pick the people who pick the people who do the quality control.

Re:Will this stupidity ever end? (1)

Anonymous Coward | about 10 months ago | (#45119001)

Who are you going to put in prison, exactly?

The fetid CEOs, of course... They make the big bucks; they can take the rancid risks.

Re:Will this stupidity ever end? (0)

Anonymous Coward | about 10 months ago | (#45119379)

Just like it was "rogue" developer at google who wrote and installed the systems that tracked and recorded all the IPs and routers. That "rogue" developer was able to travel all around the world and install the system in all the google cars without anyone knowing it. FU. It was planned. It was known about. It was implemented. It's interesting how all you fuckers who defended google over the years can't put 2 and 2 together. I remember everyone howling, "But there isn't anything they can do with the data!" Combine it with this, now you have a mappable attack vector system to do whatever you want with. Now I suppose you'll tell me it only affects dlink routers, that it didn't happen at every other router company. Nothing is coincidence. I'll give you a hint, it just hasn't been found yet.

Re:Will this stupidity ever end? (1)

cripkd (709136) | about 10 months ago | (#45119439)

So what's wrong with prosecuting whoever is found to be guilty? A manager that ordered this, one or more developers who introduced this, etc. It's possible you cannot properly identify the individual(s) but that doesn't mean that the law shouldn't be applied and that the usual measures cannot be taken.

Re:Will this stupidity ever end? (0)

Anonymous Coward | about 10 months ago | (#45119487)

You treat it the same way as any group involved in crimes. Who did they put in prison from lulsec?

Re:Will this stupidity ever end? (3, Insightful)

TapeCutter (624760) | about 10 months ago | (#45119641)

Hell, may have even just been one rogue developer who nobody gave permission to put it there.

It's a safe bet their law team already have that at the top of the whiteboard.

Re:Will this stupidity ever end? (4, Interesting)

sirlark (1676276) | about 10 months ago | (#45118969)

Actually, this makes a twisted form of sense. The DMCA and earlier wire tapping and computer fraud laws state two things iirc 1) Attempting to access a system which you do not have permission to access is illegal, and 2) subverting a security mechanism to provide unintended access is illegal. Now (1) only applies if someone uses the back door to gain access to your system, but (2) applies just because the back door exists. The stated intent is that these routers are secure (read the advertising gumph), which means the existence of the back door was a subversion of the intent for security. Someone, somewhere did this, and should be held liable. Considering the "OMFG it's on a computer" factor and the peculiarly zealous manner in which violations are normally prosecuted, I don't see why this shouldn't carry jail time, and a lot of it, as a sentence. I make this argument in support of consistency. What's good for goose is good for the gander. I don't actually agree with the sentences recommended/allowed by those acts.

Re:Will this stupidity ever end? (3, Insightful)

girlintraining (1395911) | about 10 months ago | (#45119023)

How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.

Sorry man, but this isn't an ego maniac. It's worse than that. 04882 is an oblique reference to the product ID used by Revell. Revell produces hobby scale models of various things. In this case... of the USS Enterprise, as seen in the worst trek movie ever -- Star Trek: Into Darkness. Which means, we're not dealing with an ego maniac: We're dealing with a guy who is utterly devoid of ego. This particular model probably sits on his desk in his cube, providing both inspiration to one 'Joel' in D-Link's software development team for a password, and simultaneously functioning as the strongest prophylactic known to man.

The good news though is that firmware released by D-Link prior to May of 2013 shouldn't be affected, unlike Joel's employment situation.

Re:Will this stupidity ever end? (2)

girlintraining (1395911) | about 10 months ago | (#45119049)

In other news, this incident is excellent fodder for security researchers to use as a case in point for how knowledge of a person's habits and hobbies can provide valuable insight into potential password selections, and also that the password selection is so strongly correlated with these things, that knowing the password alone can be sufficient to uniquely identify the user!

Re:Will this stupidity ever end? (1)

Kythe (4779) | about 10 months ago | (#45119083)

The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then is it listed as vulnerable?

Re:Will this stupidity ever end? (5, Interesting)

girlintraining (1395911) | about 10 months ago | (#45119141)

The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then is it listed as vulnerable?

This is some guy on a blog. It's a mixture of fact and wild speculation. This isn't an official security notification on something like Bugtraq or CERT, etc. He tested the DI-100 firmware, v1.13. The FTP link he provided lists the timestamp for the file as "02/19/2013 11:09AM", not 2006.

He doesn't even have a DI-100, he just downloaded it at random. He thinks, based on "the source code of the HTML pages and some Shodan search results", that the devices listed are affected. There was no actual testing, it's just rampant speculation based on Sir Bloggy McBlogs google-fu. Now, that said, I have been doing some additional research and the company Revell is based out of Germany -- which is also where D-Link's software development team is. Revell's website indicates the model went on sale about the same time as the movie release -- May 2013. The timestamp is February. It's not enough to bust my theory that 04882 is a reference to the model... it's just possible the website is wrong, or he got one early from a friend who works at said company. It does happen; Maybe they handed them out at special screenings.

Such is the nature of speculating on these things; it's interesting, but it's nearly impossible to get positive verification of a theory.

Re:Will this stupidity ever end? (1)

cripkd (709136) | about 10 months ago | (#45119635)

Then it all makes sense! Leave it there or we will be doomed!
Kirk traveled into the past at some point and planted this, it will most likely save the ship and its crew. They need our help!

Wow (2)

Frosty Piss (770223) | about 10 months ago | (#45118231)

I'm always amazed to read about things like this because most engineers are not morons. Why would they do it? How could they not know it would be discovered?

The Black Hats have probably known about this for a long time...

Re:Wow (1)

AHuxley (892839) | about 10 months ago | (#45118559)

What must the self excuse list be like?
It was a rushed job.
It was another department.
It was outsourced.
So many product lines. So much work.
The supervisor wants features for a global market, other product lines are for security.....

Re:Wow (2)

Tanktalus (794810) | about 10 months ago | (#45118729)

If "most engineers are not morons" then we wouldn't need Bobby Tables [bobby-tables.com] as an example when explaining simple security issues to them.

Re:Wow (2)

theshowmecanuck (703852) | about 10 months ago | (#45118819)

At first glance it looks like an interesting link.

Re:Will this stupidity ever end? (4, Interesting)

johndoe42 (179131) | about 10 months ago | (#45118277)

A class action lawsuit for gross negligence might do the trick.

Sometimes I think that things like this should be felonies, though. Criminal offense or not, in a sensible world this would put alphanetworks out of business.

Re:Will this stupidity ever end? (3)

L4t3r4lu5 (1216702) | about 10 months ago | (#45119373)

In a class action, the only winners are the lawyers.

Individually suing in small claims court is almost always the better option, if you have the time.

Re:Will this stupidity ever end? (1)

OhANameWhatName (2688401) | about 10 months ago | (#45118335)

10x the new value of the device to any customer that wants to give it back

Silly idea, make them liable for costs. Then the device manufacturers will be supporting the [cough] on-line content industry [cough],

Re:Will this stupidity ever end? (1)

thesupraman (179040) | about 10 months ago | (#45118621)

Are you talking about DLink or the NSA, or is this just DLink's way of complying?

Just wondering....

Re:Will this stupidity ever end? (3, Interesting)

moteyalpha (1228680) | about 10 months ago | (#45118939)

The problem that I have observed is that there is no effective oversight to complex systems. The people who can deal with the complexity and create things like this work in a sort of isolation. Sometimes this happens when contractors are asked to create a system and then get paid. If they don't get paid, they leave the back door. I can guarantee that this is not the last one that is found and some are much worse than this. I was looking at the javascript linked in an earlier article and it reminded me of the "never attribute to malice ...." . When you add the possibility that espionage or criminality could be involved it gets even more complicated. I help relatives with computer problems on a daily basis and most people have trouble just figuring out how to use the damn things. They are completely vulnerable to even the simplest tech attack or SE.
I also have my own site and I see many things. I know that every day there are people knocking on doors or ports. It is another world that most people only understand as some kind of stuff done by technically afflicted people.

And? (1)

no-body (127863) | about 10 months ago | (#45118121)

Can the manufacturer be made liable for damages? Not sure what they are smoking there...

Re:And? (1)

Anonymous Coward | about 10 months ago | (#45118289)

Any chance this is how my competitor (another small business) always seems to be dogging my ass and just undercutting me by a little bit? We used a DI-624 up until a couple of years ago...

Re:And? (0)

Anonymous Coward | about 10 months ago | (#45118443)

no i was selling info to them. signed your employee

Re:And? (2)

icebike (68054) | about 10 months ago | (#45118671)

Well are you running an administration service on an open Internet facing port?

Your router won't get a chance to read the user agent string if you don't allow an inward connection.
Then all you have to worry about is your insiders.

Thank Goodness... (1)

clm1970 (1728766) | about 10 months ago | (#45118125)

That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.

Re:Thank Goodness... (4, Interesting)

fuzzyfuzzyfungus (1223518) | about 10 months ago | (#45118153)

That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.

"A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."

Even if they do, it sounds like they'll be almost four years late.

Backwards: edit by 04882 Joel backdoor (5, Interesting)

Anonymous Coward | about 10 months ago | (#45118189)

And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

Re:Backwards: edit by 04882 Joel backdoor (1, Insightful)

ibsteve2u (1184603) | about 10 months ago | (#45118255)

And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

Somebody found it profitable enough to make an effort to stifle the spread of knowledge about the backdoor?

"Profit" can be anything of value, of course.

Re:Backwards: edit by 04882 Joel backdoor (0)

ibsteve2u (1184603) | about 10 months ago | (#45118267)

And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

Somebody found it profitable enough to make an effort to stifle the spread of knowledge about the backdoor? "Profit" can be anything of value, of course.

lolll..and those seeking to "profit" can be individuals or groups of individuals like theft rings, political factions, religious entities, corporations, and states...

F*** you NSA (-1)

Anonymous Coward | about 10 months ago | (#45118303)

Either they saw the used and decided to use it themselves.
Or they were so busy with their own agendas they simply didn't notice it.

Either malicious or incompetent, but certainly unconstitutional.

Enough reason to shut the f**ers down. This was mentioned on a russian hacking forum in 2010 and I don't believe all those thousands of analysts in the NSA didn't read it.

Re: F*** you NSA (0)

Anonymous Coward | about 10 months ago | (#45118773)

Or they put it there in the first place...

How will that help the "cyber infrastructure" if they put in backdoors exploitable by anyone...?

Re:Backwards: edit by 04882 Joel backdoor (5, Insightful)

Anonymous Coward | about 10 months ago | (#45118419)

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

Seriously? That's not a scandal, that's the way the world works. People that LOOK for stuff like that want to keep those exploits to themselves because they want to USE THEM. If you reveal the damn thing, it'll get patched.

Not many people want to do all the work of looking through binaries figuring out obscure shit like this just for fun.

Re:Backwards: edit by 04882 Joel backdoor (0)

Anonymous Coward | about 10 months ago | (#45119793)

The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

E_PARSE: semantics clash. Please address by completing the following:
#define known
#define not_revealed

Re:Thank Goodness... (2)

complete loony (663508) | about 10 months ago | (#45118821)

So it looks like this was a deliberate addition so that the router's internal tools could use http requests to change config. Why didn't they just check for incoming requests from localhost? Surely that would have been simple and safe enough? So instead they create something that they *know* is a backdoor.
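The alternative raised in the comment above, shown as an added example (not part of the thread and not the firmware's actual code): a simplified model of an authorization check that trusts a client-supplied User-Agent, next to one that trusts only the peer address reported by the socket. The `struct request` layout, function names and sample addresses are assumptions made for this sketch; only the User-Agent string comes from the story.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* User-Agent value quoted in the story summary. */
#define MAGIC_UA "xmlset_roodkcableoj28840ybtide"

/* Hypothetical per-request record (names are assumptions for this sketch). */
struct request {
    const char *user_agent;        /* header sent by the client, may be NULL */
    struct sockaddr_storage peer;  /* address the kernel reports for the socket */
    int has_valid_session;         /* outcome of the normal login check */
};

/* Flawed pattern: the "internal tool" marker is a header any client can send. */
int authorized_flawed(const struct request *r)
{
    if (r->user_agent != NULL && strcmp(r->user_agent, MAGIC_UA) == 0)
        return 1;
    return r->has_valid_session;
}

/* True only for 127.0.0.0/8, ::1 and IPv4-mapped 127.0.0.0/8 peers. */
int peer_is_loopback(const struct sockaddr_storage *ss)
{
    static const unsigned char v6_loopback[16] =
        {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1};
    static const unsigned char v4_mapped[12] =
        {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xff, 0xff};

    if (ss->ss_family == AF_INET) {
        const struct sockaddr_in *in4 = (const struct sockaddr_in *)ss;
        return (ntohl(in4->sin_addr.s_addr) >> 24) == 127;
    }
    if (ss->ss_family == AF_INET6) {
        const struct sockaddr_in6 *in6 = (const struct sockaddr_in6 *)ss;
        const unsigned char *a = in6->sin6_addr.s6_addr;
        if (memcmp(a, v6_loopback, sizeof v6_loopback) == 0)
            return 1;
        if (memcmp(a, v4_mapped, sizeof v4_mapped) == 0)
            return a[12] == 127;
    }
    return 0; /* unknown family or non-loopback address */
}

/* Hardened pattern: headers are ignored; only the socket's peer address or a
 * real session grants access. */
int authorized_hardened(const struct request *r)
{
    if (peer_is_loopback(&r->peer))
        return 1;
    return r->has_valid_session;
}

/* Builds a constructed sample request from a textual IPv4 or IPv6 address. */
struct request make_request(const char *ip, const char *ua, int session)
{
    struct request r;
    struct sockaddr_in *in4 = (struct sockaddr_in *)&r.peer;
    struct sockaddr_in6 *in6 = (struct sockaddr_in6 *)&r.peer;

    memset(&r, 0, sizeof r);
    r.user_agent = ua;
    r.has_valid_session = session;
    if (inet_pton(AF_INET, ip, &in4->sin_addr) == 1) {
        in4->sin_family = AF_INET;
    } else {
        memset(&r.peer, 0, sizeof r.peer);
        if (inet_pton(AF_INET6, ip, &in6->sin6_addr) == 1)
            in6->sin6_family = AF_INET6;
    }
    return r;
}

int main(void)
{
    /* Constructed sample requests: documentation/LAN addresses, no real hosts. */
    struct request samples[] = {
        make_request("203.0.113.7", MAGIC_UA, 0),       /* remote, magic header */
        make_request("127.0.0.1", "internal-tool", 0),  /* on-box helper */
        make_request("192.168.0.50", "Mozilla/5.0", 1), /* logged-in LAN user */
        make_request("192.168.0.50", "Mozilla/5.0", 0), /* LAN user, no login */
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("sample %zu: flawed=%d hardened=%d\n", i,
               authorized_flawed(&samples[i]), authorized_hardened(&samples[i]));
    return 0;
}
```

A loopback check still treats every process on the device as trusted and stops holding if a local proxy forwards outside requests; a Unix-domain socket with restrictive file permissions is a tighter channel for on-box tools.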

Re:Thank Goodness... (1)

gnupun (752725) | about 10 months ago | (#45118841)

"A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."

Is it this page? [habrahabr.ru] They even disassembled the firmware where the string is used.

Re:Thank Goodness... (0)

Anonymous Coward | about 10 months ago | (#45118197)

The consumer better upgrade damn it! That back door has been obsolete for years. The new user-agent is 'xmlset_roodkcableoj28840ybtide.1' and nobody likes having to maintain code to check for two back doors.

Re:Thank Goodness... (1)

Anonymous Coward | about 10 months ago | (#45118281)

Geez, if you're so worried, why don't you just go ahead and update them by yourself. It's not like you couldn't ;-)

Re:Thank Goodness... (0)

Anonymous Coward | about 10 months ago | (#45119075)

If only I could believe that every update is to benefit the customer ....

Ref: recently videocard that got its capabilities clipped, devices that suddenly lose some of their capabilities, and of course good-old WGA.
 
... Nope, I don't think so.

NSA (0)

Anonymous Coward | about 10 months ago | (#45118135)

NotSurprisingAnymore

edited by 04882 Joel backdoor (4, Interesting)

austerestyle (3396553) | about 10 months ago | (#45118211)

Read backwards it reads the same as the comment subject. Is this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html [joesdata.com] Assuming good will, it seems like debugging code left in the final firmware release.

Re:edited by 04882 Joel backdoor (0)

Anonymous Coward | about 10 months ago | (#45118349)

You cracked it. Affected users should find Joel and ask him to personally refund their purchase.

Re:edited by 04882 Joel backdoor (0)

Anonymous Coward | about 10 months ago | (#45118417)

No, they should ask that of D-Link. If their process depends on nobody involved committing any mistakes their process is broken.

Re:edited by 04882 Joel backdoor (1)

Anonymous Coward | about 10 months ago | (#45118525)

' If their process depends on nobody involved committing any mistakes' = a bit exaggerated.

This is an administrative level backdoor left in by alpha networks, subsequently not discovered and removed by the oem.
Because they outsourced that to, wait for it, alpha networks on this project. They trusted it, they didn't discover a reason not to.
Sure, it's negligent for a security minded process, but for a consumer product "get it out the door" process? It's SOP.

Re:edited by 04882 Joel backdoor (4, Insightful)

_merlin (160982) | about 10 months ago | (#45118877)

It might have nothing to do with anyone called Joel. When I was far younger and quite bored, I graffiti'd "Patrick Tang was here" (in a place where a Patrick Tang had been). Patrick Tang had nothing to do with the use of his name, but when he discovered it, he went to considerable effort to obscure it, believing he would likely be blamed.

Re:edited by 04882 Joel backdoor (4, Funny)

jamesh (87723) | about 10 months ago | (#45118955)

All this time we were running around blaming the NSA, when it was Joel all along!

Re:edited by 04882 Joel backdoor (5, Insightful)

girlintraining (1395911) | about 10 months ago | (#45119093)

Is this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html [joesdata.com] Assuming good will, it seems like debugging code left in the final firmware release.

Regardless of how strong the evidence may be, uniquely identifying someone on the internet is dangerous and may even expose you to a slander/libel/defamation case. You may recall not long ago the witch hunt on reddit for the Boston Bomber. Over a dozen 'suspects' were named and shamed on the forums, none of whom turned out to be the actual person. Those people's lives crumbled into dust after, and police had to devote valuable resources at the time to protecting those individuals from vigilantes. Don't go the extra step of naming someone -- no matter how confident you are, the odds are very high that you're wrong. I know you think you're being edgy, smart, whatever and showing off your google-fu here, but you've actually rather accomplished the reverse -- you've demonstrated a reckless abandon and an inability to consider the consequences of your actions, or at least favoring momentary glory and recognition at the expense of another. Neither scores high marks in internet ethics.

On the internet, a loaded finger is a bigger threat than a loaded gun.

Re:edited by 04882 Joel backdoor (1)

Anonymous Coward | about 10 months ago | (#45119147)

I wouldn't go name calling based on that. Maybe the creator of backdoor was being "funny" for using CTO's name for backdoor.

Doesn't work on DD-WRT. (0)

Anonymous Coward | about 10 months ago | (#45118227)

Yay.

Re:Doesn't work on DD-WRT. (-1)

Anonymous Coward | about 10 months ago | (#45118511)

Sure, but doesn't DD-WRT ship with exposed SSH with a blank or obvious root password? That's just as bad.

I remember that fact from a slashdot-posted article a while back about a guy who wrote a python script which self-propagated and port-scanned the entire internet within a few weeks.

It's up to the user to close that manually.

Re:Doesn't work on DD-WRT. (1)

SpzToid (869795) | about 10 months ago | (#45118657)

DD-WRT has always shipped with a default password, which is something like 'admin'. That is the Very First thing to be changed upon login, after a firmware flash, so what is your point?

Is this the article you were referring to?: http://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers [slashdot.org]

Perhaps your memory is faulty, but like this D-LINK situation in the news today, replacing the firmware will solve the problem. DD-WRT is the answer in this case, not the problem. If I'm missing something AC, your citation is requested.

Re: Doesn't work on DD-WRT. (0)

Anonymous Coward | about 10 months ago | (#45119707)

The answer is OpenWRT not some pseudo-open-source project.

Many routers subject to UPnP vulnerability anyway (5, Insightful)

DigitAl56K (805623) | about 10 months ago | (#45118235)

PDF link, published earlier this year, shows how many manufacturers use a stack with a UPnP vuln that gives root, even from the WAN side:

http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf [defensecode.com]

Point is, you probably weren't as safe as you thought you were, even before this new disclosure.

I think a huge problem with consumer-grade wifi routers today is that as manufacturers race to support new models with new wifi standards and new competitive feature sets, older models quickly become abandonware. There's very little guarantee around firmware updates for critical vulnerabilities, and end users are mostly oblivious to being at risk. By the time you pick up that $80 model from the store it's probably borderline EOL already.

Did the NSA have a hand in this too? (1)

BoRegardless (721219) | about 10 months ago | (#45118237)

How to bury your company's reputation with one password.

Re:Did the NSA have a hand in this too? (3, Insightful)

Frosty Piss (770223) | about 10 months ago | (#45118283)

How to bury your company's reputation with one password.

D-link's rep was buried long ago.

Re:Did the NSA have a hand in this too? (2)

OhANameWhatName (2688401) | about 10 months ago | (#45118405)

D-link's rep was buried long ago.

I'd tend to say that D-link's rep is long-lived and very consistent.

Yes they did, TAO (4, Insightful)

Anonymous Coward | about 10 months ago | (#45118757)

Read it and weep:
http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story_1.html

"Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. "

"Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work."

So on the one hand they're supposed to defend US networks from attack, while on the other hand they have detailed knowledge of these backdoors and use them for their own use while keeping them secret.

So yes, the NSA did have a hand in it, at the minimum it kept it secret while exploiting it.

the mantra (0)

Anonymous Coward | about 10 months ago | (#45118379)

1. ``i am not secure, but i want to be.''
2. ``ignorance will not make me more secure''
3. ``no product available will make me completely secure''
4. ``if i cannot understand the entirety of my system, i can make no claims to its security''
5. ``just because knowledge is denied, does not mean that knowledge is protected.''
6. ``i am not secure, but i want to be.''

Good thing mine is safe (0)

Anonymous Coward | about 10 months ago | (#45118387)

Not because I'm not using one of the models listed, but because mine shits itself when you actually try to get it to do something. But yeah, if you get a wireless router, definitely install one of the open source firmwares for it.

Nice (1)

lapm (750202) | about 10 months ago | (#45118397)

Just goes to show that unless you read the code yourself or reverse engineer it yourself, you just can't be sure what's there. Now they found one. Waiting for more news on other manufacturers and models in 3... 2... 1...

xmlset_roodkcableoj28840ybtide (4, Funny)

Alsee (515537) | about 10 months ago | (#45118411)

Heay!
That's the combination on my luggage!

-

Re:xmlset_roodkcableoj28840ybtide (2)

qazxswedc (821424) | about 10 months ago | (#45118735)

Don't worry. D-Link went from suck to blow a long time ago.

moD 0p (-1)

Anonymous Coward | about 10 months ago | (#45118437)

tired a8gUments

Not the DIR-655 so far... (1)

amxcoder (1466081) | about 10 months ago | (#45118439)

At least the DIR-655 isn't part of this. I started getting worried for moment... I have and like that little router... It also sounds like this isn't a problem as long as remote management isn't turned on... (which is kinda a dumb idea anyway unless you really need to remotely change your router settings). The DIR-655 is a good router other than that, but unfortunately isn't compatible with DD-WRT or some of the open source firmware out there. Wish it was, but the last time I checked, these firmware releases were not available for the 655.

Re:Not the DIR-655 so far... (1)

immaterial (1520413) | about 10 months ago | (#45118647)

I had a dir-655 years ago and I ran Tomato on it. I'd be surprised if there weren't a DD-WRT build for it by now too.

Re:Not the DIR-655 so far... (1)

Verunks (1000826) | about 10 months ago | (#45119339)

I have a dir-655 as well and it doesn't support tomato or any other custom firmwares as far as I know

Re:Not the DIR-655 so far... (1)

sjames (1099) | about 10 months ago | (#45118871)

And you never get hit with a drive-by that tries the back door from the LAN side.

Re:Not the DIR-655 so far... (0)

Anonymous Coward | about 10 months ago | (#45119179)

Are you being serious or sarcastic? I'm curious.

The home router market is an ongoing disaster (5, Interesting)

mtaht (603670) | about 10 months ago | (#45118463)

It's not just simple backdoors like the dlink one that are a problem.

There is a systemic complete and total regard for basic tenets of security in nearly the entire home router/cpe market.

Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.

Worse:

There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:

http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp [securityevaluators.com]

Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:

http://www.dcwg.org/ [dcwg.org]

or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.

What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this Christmas might have some modern software on them, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 gpl code drop -

http://kb.netgear.com/app/answers/detail/a_id/2649 [netgear.com]

Brand new hardware - 4+ and 10 year old software respectively.

It's unfair of me to pick on Netgear, every router I've looked at this Christmas season has some major issues.

Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?

Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition, (and nearly all current models have bufferbloat, besides)

How can the dysfunctional edge of the Internet be fixed?

Well that explains a lot (0)

Anonymous Coward | about 10 months ago | (#45118565)

My home DSL (Billion) does DNS lookup *extremely* slowly. Often timing out.
I noticed also that Yandex (the email service I switched to when I abandoned US email), has a different certificate. It had a Yandex External CA one, then a Global Trust one.

So your post explains a lot. I'll contact my ISP.

Re:The home router market is an ongoing disaster (0)

Anonymous Coward | about 10 months ago | (#45118581)

How about starting a PAC or superpac and give most of the money to the EFF's lawyers who seem to have lots of pointy teeth. The rest can be used to buy some congressman as is usually done apparently, but they don't require much.

Re:The home router market is an ongoing disaster (3, Interesting)

Anonymous Coward | about 10 months ago | (#45118817)

"Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware"

Nah. The only lonely hope fer descentified home security routers is to build sum yerself. It aren't that hard. What hillbilly don't got a beige box layin' about and a spare NIC? Need juz... uh... count 'em: | | <- Dis manny Etherport whatsits to build a maximam security gateway. I tighted two screws (righty tighty, leftie loosie), got dem dere PCI card hooked up. Putted in a CD, wot axed a few questimations, and done.

Oh, but dis is dat dere big brained slashamadoodle folks. Fergiven ma pardon. Ain tryin' ta make yah look dum 'er nuffin. Ya'll cityfolks done figgered dis shit aout. [wikipedia.org]

Juz liek ta bitch an' moan is all, eh?

's like gramppy says: Yah can lead a geek ta a solution, butcha go ta jail if ya drown 'em in it.

Re:The home router market is an ongoing disaster (1)

semi-extrinsic (1997002) | about 10 months ago | (#45119065)

Please mod parent up. First post I've seen in a while that deserves both +1 Informative and +1 Funny.

Re:The home router market is an ongoing disaster (1)

fnj (64210) | about 10 months ago | (#45118873)

the "new" netgear nighthawk router runs Linux 2.6.36.4

And every DOD approved server is running RHEL6 which is 2.6.32. The kernel version doesn't tell you shit unless you know what patches have been added.

Re:The home router market is an ongoing disaster (-1)

Anonymous Coward | about 10 months ago | (#45118909)

Once an attacker p0wns your home gateway

Just FUCK Off.

Not like it hasn't happened before (0)

Anonymous Coward | about 10 months ago | (#45118481)

Found this out about my stock wrt54g a while ago:

http://www.securityfocus.com/archive/1/442452/30/0/threaded

You don't even need any special password/user-agent/... If you know the setting you want to change, it's only a simple post request and you are done.

A big problem (3, Insightful)

AndrewStephens (815287) | about 10 months ago | (#45118513)

This is NOT a small, obscure problem for users of DLINK routers. Although it does not open up Wifi access or anything like that, having access to the configuration panel of your router is bad news even from inside the network. I can't think of any way to automatically exploit it via a browser (XSS-style) but a small executable (or trusted Java applet, for instance) could do it.

Additionally, I wonder how many small establishments are offering free wifi using DLINK equipment. Those networks are now vulnerable.

If I was a bad(er) guy, the first thing I would change would be the DNS settings. Forcing all computers behind the router to use a DNS I control opens up all sorts of interesting ways to mess with people.

Re:A big problem (5, Informative)

viperidaenz (2515578) | about 10 months ago | (#45118587)

Apparently IE might let you change the user agent
http://stackoverflow.com/questions/6995311/how-can-i-spoof-the-user-agent-of-a-javascript-get-request [stackoverflow.com]
You'd just need to work in some cross domain exploit somehow... or have a subdomain of your website resolve to 192.168.1.1

Re:A big problem (1)

AndrewStephens (815287) | about 10 months ago | (#45118669)

... or have a subdomain of your website resolve to 192.168.1.1

I never thought of this, that's pretty sneaky.

Re:A big problem (2)

elp (45629) | about 10 months ago | (#45118923)

This is not the first time D-Link have been caught doing stuff like this, and the DNS attack is exactly what happens when the bad guys find out.
This was a big issue here in South Africa a few months ago. Telkom (the local state owned incompetent telco) were selling approved DLink modems with helpful extra admin accounts (username: support password: support was one I saw) which suddenly started redirecting traffic to interesting locations [mybroadband.co.za] .

Re:A big problem (4, Interesting)

SethJohnson (112166) | about 10 months ago | (#45118929)

Certainly, DNS would be a pretty quick way to abuse all devices on the other side of the router. It might be detected when the owner verifies the settings themselves or watches their own network traffic and observes the DNS lookups hitting the wrong destination. It's likely that this would have set off red flags before now. Many anti-malware packages check for DNS redirections, for example.

Being able to manipulate the router's config interface would allow an external entity the ability to upload a new firmware to the router. The new firmware would offer the attacker switches to flip at will that would enable packet sniffing of all traffic and man-in-the-middle SSL attacks. Organized crime / NSA (redundant to mention both, I know) seek no deeper capabilities than this.

You bring up a great point of smaller establishments running WiFi on D-Link equipment. Perhaps their SSIDs should be modified to read, "HACKED BY NSA - DO NOT USE!"
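Several comments above point to changed DNS settings as the likely abuse and to watching DNS traffic as a way to notice it. The following is an added example, not part of any comment in this thread: it flags DNS traffic sent to resolvers outside an expected set. The flow-line format, the sample addresses and the expected resolver are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample: "timestamp src_ip dst_ip dst_port proto" summaries
# as a LAN sensor might export them. Not the format of any real tool.
SAMPLE_FLOWS = """\
2013-10-13T09:00:01 192.168.0.23 192.168.0.1 53 udp
2013-10-13T09:00:02 192.168.0.23 93.184.216.34 443 tcp
2013-10-13T09:00:05 192.168.0.40 203.0.113.66 53 udp
2013-10-13T09:00:09 192.168.0.40 203.0.113.66 53 udp
2013-10-13T09:00:11 192.168.0.51 198.51.100.7 53 tcp
malformed line here
2013-10-13T09:00:15 192.168.0.23 192.168.0.1 53 udp
"""

# Assumption: clients on this network should only query the router itself.
EXPECTED_RESOLVERS = {ipaddress.ip_address("192.168.0.1")}

def unexpected_dns(flow_text, expected=EXPECTED_RESOLVERS):
    """Return {resolver: {client: count}} for DNS sent outside `expected`."""
    hits = defaultdict(lambda: defaultdict(int))
    for line in flow_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue                      # skip malformed records
        _, src, dst, port, proto = fields
        if port != "53" or proto not in ("udp", "tcp"):
            continue                      # only DNS over UDP or TCP
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue                      # unparsable address
        if dst_ip not in expected:
            hits[str(dst_ip)][str(src_ip)] += 1
    return {resolver: dict(clients) for resolver, clients in hits.items()}

def report(hits):
    """One summary line per unexpected resolver, sorted by address string."""
    lines = []
    for resolver, clients in sorted(hits.items()):
        total = sum(clients.values())
        names = ", ".join(sorted(clients))
        lines.append(f"{resolver}: {total} queries from {len(clients)} client(s): {names}")
    return lines

if __name__ == "__main__":
    print("\n".join(report(unexpected_dns(SAMPLE_FLOWS))))
```

This catches clients that were handed a changed resolver and query it directly. If the router forwards queries itself, the same check has to run on traffic leaving the router, with the ISP's resolvers as the expected set.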

Well, what do you expect (2)

muecksteiner (102093) | about 10 months ago | (#45118799)

In most of the companies that do such gear, the chap(s) in charge of actually developing and making them are treated as disposable cost factors. Who are under constant threat of being outsourced to some third world country. And the products they develop are basically abandoned once the next release hits the shelves, otherwise the incentives to buy new stuff would not be as high.

All the while the Cxx who "supervise" them (and who in a lot of cases couldn't even configure the products the company makes, let alone really care) walk away with more or less obscene bonuses. You know, just to show the little guys who is boss, and so.

Not a big surprise, then, that the developers apparently don't put their entire energy in making the best possible product. Would you, in their stead?

Take them to court (0)

Anonymous Coward | about 10 months ago | (#45119085)

And make sure you end this company's existence.

updating contacts (2)

roscocoltran (1014187) | about 10 months ago | (#45119167)

D-Link should update their firmware: Joel left the company a long time ago. And you should never hard-code usernames in a firmware, only group names. This is basic stuff.

Why bother? (2)

Bert64 (520050) | about 10 months ago | (#45119547)

Why do all these router vendors even bother producing their own nonstandard firmware?
Most of the hardware is based around a small set of common chipsets anyway, so why not use an existing firmware such as dd-wrt or openwrt.
