Slashdot Mirror


D-Link Router Backdoor Vulnerability Allows Full Access To Settings

StealthHunter writes "It turned out that just by setting a browser's user-agent to 'xmlset_roodkcableoj28840ybtide' anyone can remotely bypass all authentication on D-Link routers. It seems that thttpd was modified by Alphanetworks who inserted the backdoor. Unfortunately, vulnerable routers can be easily identified by services like shodanHQ. At least these models may have vulnerable firmware: DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240."

228 comments

  1. Will this stupidity ever end? by gweihir · · Score: 5, Insightful

    Are these people too stupid to know that eventually, somebody _will_ analyze their firmware and find this? I think it is time to make them liable for a bit more than the device when things like these get found. Say, 10x the new value of the device to any customer that wants to give it back.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:Will this stupidity ever end? by DigitAl56K · · Score: 5, Insightful

      Well, as an ex D-Link customer, I'm glad to see someone is analyzing their firmware.

    2. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 1

      "I think it is time to make them liable for a bit more than the device when things like these get found."

      Really? I think it's getting pretty close to the point where liability is physical.

    3. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 5, Insightful

      How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.

    4. Re:Will this stupidity ever end? by johndoe42 · · Score: 4, Interesting

      A class action lawsuit for gross negligence might do the trick.

      Sometimes I think that things like this should be felonies, though. Criminal offense or not, in a sensible world this would put alphanetworks out of business.

    5. Re:Will this stupidity ever end? by OhANameWhatName · · Score: 1

      10x the new value of the device to any customer that wants to give it back

      Silly idea, make them liable for costs. Then the device manufacturers will be supporting the [cough] on-line content industry [cough],

    6. Re:Will this stupidity ever end? by thesupraman · · Score: 1

      Are you talking about DLink or the NSA, or is this just DLink's way of complying?

      Just wondering....

    7. Re:Will this stupidity ever end? by AlphaWolf_HK · · Score: 4, Interesting

      Who are you going to put in prison, exactly? It's possible only a small team of engineers was aware of this. Hell, may have even just been one rogue developer who nobody gave permission to put it there.

      --
      Careful with names containing L slashdot.org/~AiphaWolf_HK slashdot.org/~AlphaWoif_HK slashdot.org/~AiphaWoif_HK
    8. Re:Will this stupidity ever end? by Samantha+Wright · · Score: 4, Insightful

      I might propose targeting the software review board that didn't catch the flaws, or perhaps the management who decided such a review board was unnecessary. Security-critical hardware should have at least some QC and/or validation at the firmware code level, y'know?

      --
      Bio questions? Ask me to start a Q&A journal. Computer analogies available for most topics!
    9. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Really, you want to push the "ignorance" excuse? That the company has no effective quality control? That they cannot guarantee their products will function as per spec?

    10. Re: Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Class action suit could bankrupt D-Link if this is proven true.

    11. Re:Will this stupidity ever end? by moteyalpha · · Score: 3, Interesting

      The problem that I have observed is that there is no effective oversight to complex systems. The people who can deal with the complexity and create things like this work in a sort of isolation. Sometimes this happens when contractors are asked to create a system and then get paid. If they don't get paid, they leave the back door. I can guarantee that this is not the last one that is found and some are much worse than this. I was looking at the javascript linked in an earlier article and it reminded me of the "never attribute to malice ...." . When you add the possibility that espionage or criminality could be involved it gets even more complicated. I help relatives with computer problems on a daily basis and most people have trouble just figuring out how to use the damn things. They are completely vulnerable to even the simplest tech attack or SE.
      I also have my own site and I see many things. I know that every day there are people knocking on doors or ports. It is another world that most people only understand as some kind of stuff done by technically afflicted people.

    12. Re:Will this stupidity ever end? by someone1234 · · Score: 1

      If you create a faulty product that causes property loss or death, heads must fall. In China, they just shoot the CEO in cases like this.
      For that huge income they should at least pick the people who pick the people who do the quality control.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    13. Re:Will this stupidity ever end? by sirlark · · Score: 4, Interesting

      Actually, this makes a twisted form of sense. The DMCA and earlier wire tapping and computer fraud laws state two things iirc 1) Attempting to access a system which you do not have permission to access is illegal, and 2) subverting a security mechanism to provide unintended access is illegal. Now (1) only applies if someone uses the back door to gain access to your system, but (2) applies just because the back door exists. The stated intent is that these routers are secure (read the advertising gumph), which means the existence of the back door was a subversion of the intent for security. Someone, somewhere did this, and should be held liable. Considering the "OMFG it's on a computer" factor and the peculiarly zealous manner in which violations are normally prosecuted, I don't see why this shouldn't carry jail time, and a lot of it, as a sentence. I make this argument in support of consistency. What's good for goose is good for the gander. I don't actually agree with the sentences recommended/allowed by those acts.

    14. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 1

      Who are you going to put in prison, exactly?

      The fetid CEOs, of course... They make the big bucks; they can take the rancid risks.

    15. Re:Will this stupidity ever end? by girlintraining · · Score: 3, Insightful

      How about a Prison Sentence. These ego maniacs are putting people's bank account at risk. It is no different from writing a virus. In fact it is worse.

      Sorry man, but this isn't an ego maniac. It's worse than that. 04882 is an oblique reference to the product ID used by Revell. Revell produces hobby scale models of various things. In this case... of the USS Enterprise, as seen in the worst trek movie ever -- Star Trek: Into Darkness. Which means, we're not dealing with an ego maniac: We're dealing with a guy who is utterly devoid of ego. This particular model probably sits on his desk in his cube, providing both inspiration to one 'Joel' in D-Link's software development team for a password, and simultaneously functioning as the strongest prophylactic known to man.

      The good news though is that firmware released by D-Link prior to May of 2013 shouldn't be affected, unlike Joel's employment situation.

      --
      #fuckbeta #iamslashdot #dicemustdie
    16. Re:Will this stupidity ever end? by girlintraining · · Score: 2

      In other news, this incident is excellent fodder for security researchers to use as a case in point for how knowledge of a person's habits and hobbies can provide valuable insight into potential password selections, and also that the password selection is so strongly correlated with these things, that knowing the password alone can be sufficient to uniquely identify the user!

      --
      #fuckbeta #iamslashdot #dicemustdie
    17. Re:Will this stupidity ever end? by Kythe · · Score: 1

      The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then is it listed as vulnerable?

      --

      Kythe
    18. Re:Will this stupidity ever end? by girlintraining · · Score: 5, Interesting

      The DI-524 is, what, 8 years old? The firmware for it hasn't been updated since 2006. How, then is it listed as vulnerable?

      This is some guy on a blog. It's a mixture of fact and wild speculation. This isn't an official security notification on something like Bugtraq or CERT, etc. He tested the DI-100 firmware, v1.13. The FTP link he provided lists the timestamp for the file as "02/19/2013 11:09AM", not 2006.

      He doesn't even have a DI-100, he just downloaded it at random. He thinks, based on "the source code of the HTML pages and some Shodan search results", that the devices listed are affected. There was no actual testing, it's just rampant speculation based on Sir Bloggy McBlogs google-fu. Now, that said, I have been doing some additional research and the company Revell is based out of Germany -- which is also where D-Link's software development team is. Revell's website indicates the model went on sale about the same time as the movie release -- May 2013. The timestamp is February. It's not enough to bust my theory that 04882 is a reference to the model... it's just possible the website is wrong, or he got one early from a friend who works at said company. It does happen; Maybe they handed them out at special screenings.

      Such is the nature of speculating on these things; it's interesting, but it's nearly impossible to get positive verification of a theory.

      --
      #fuckbeta #iamslashdot #dicemustdie
    19. Re:Will this stupidity ever end? by L4t3r4lu5 · · Score: 3

      In a class action, the only winners are the lawyers.

      Individually suing in small claims court is almost always the better option, if you have the time.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    20. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Just like it was "rogue" developer at google who wrote and installed the systems that tracked and recorded all the IPs and routers. That "rogue" developer was able to travel all around the world and install the system in all the google cars without anyone knowing it. FU. It was planned. It was known about. It was implemented. It's interesting how all you fuckers who defended google over the years can't put 2 and 2 together. I remember everyone howling, "But there isn't anything they can do with the data!" Combine it with this, now you have a mappable attack vector system to do whatever you want with. Now I suppose you'll tell me it only affects dlink routers, that it didn't happen at every other router company. Nothing is coincidence. I'll give you a hint, it just hasn't been found yet.

    21. Re:Will this stupidity ever end? by cripkd · · Score: 1

      So what's wrong with prosecuting whoever is found to be guilty? A manager that ordered this, one or more developers who introduced this, etc. It's possible you cannot properly identify the individual(s) but that doesn't mean that the law shouldn't be applied and that the usual measures cannot be taken.

      --
      Curiously yours, crip.
    22. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      You treat it the same way as any group involved in crimes. Who did they put in prison from lulsec?

    23. Re:Will this stupidity ever end? by cripkd · · Score: 1

      Then it all makes sense! Leave it there or we will be doomed!
      Kirk traveled into the past at some point and planted this, it will most likely save the ship and its crew. They need our help!

      --
      Curiously yours, crip.
    24. Re:Will this stupidity ever end? by TapeCutter · · Score: 3, Insightful

      Hell, may have even just been one rogue developer who nobody gave permission to put it there.

      It's a safe bet their law team already have that at the top of the whiteboard.

      --
      And did you exchange a walk on part in the war for a lead role in a cage? - Pink Floyd.
    25. Re:Will this stupidity ever end? by NickFortune · · Score: 1

      I suppose I'd get into trouble if I suggested forming an angry mob, storming the corporate HQ with torches and pitchforks and cleansing the evil with fire ...

      --
      Don't let THEM immanentize the Eschaton!
    26. Re:Will this stupidity ever end? by someone1234 · · Score: 2

      With proper corporate liability, there wouldn't be need for any angry mob. I didn't suggest any lynching, I suggest proper laws.

      --
      Patents Drive Free Software as Hurricanes Drive Construction Industry
    27. Re:Will this stupidity ever end? by AmiMoJo · · Score: 4, Interesting

      It sounds more like the backdoor was put in deliberately, probably to aid support staff who were fed up of trying to explain how to type "192.168.1.1" into the address box instead of Bing. This way they can just find your IP address and then go in via the backdoor to sort any problems out, about 90% of which will be wifi congestion on the default channel (11).

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    28. Re:Will this stupidity ever end? by Opportunist · · Score: 1

      The CEO. If you don't know what's going on in your company, you're criminally negligent anyway.

      Maybe that would make them at least interested in knowing just what their company makes. I somehow have the feeling D-Link's CEO's response would be "Firmware? What firmware, I thought we're making hardware here!"

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    29. Re:Will this stupidity ever end? by Opportunist · · Score: 1

      Then you better have some way to prove it. Else, I still want the head of your boss. Because he is in the end responsible for what's happening in his company.

      He who makes the decisions shall be held responsible for them.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    30. Re:Will this stupidity ever end? by Opportunist · · Score: 1

      Congrats. You found a sensible use for the DMCA.

      That can only lead to its change to make sure it must never be applied that way.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    31. Re:Will this stupidity ever end? by AliasMarlowe · · Score: 5, Informative

      Read the user agent backwards, as indicated in the blog: "edit by 04882 joel back door". Stupidity indeed, even leaving a name.
      Luckily, my D-Link router is not vulnerable to this attack (maybe the attack just needs to be tweaked). It's stacked behind a non-D-Link router, just in case.

      --
      Those who can make you believe absurdities can make you commit atrocities. - Voltaire
    32. Re:Will this stupidity ever end? by mcgrew · · Score: 4, Insightful

      The law is only for little people. Who went to prison when Sony rooted and vandalized thousands of computers with their XCP malware? Nobody. You have to hack a rich person's or organization's computers to go to jail. You and I don't count.

    33. Re:Will this stupidity ever end? by NickFortune · · Score: 1

      I didn't suggest any lynching

      Didn't intend to suggest that you did. Shooting CEOs in the head outside of the rule of law is a bad thing. I think we can safely agree on that.

      i suggest proper laws.

      In all seriousness, that's always a better solution than mob violence. I just sometimes worry that mob violence is going to happen faster than proper laws.

      --
      Don't let THEM immanentize the Eschaton!
    34. Re:Will this stupidity ever end? by mcgrew · · Score: 2

      Class action isn't about customers winning, its purpose is to teach the company a lesson.

    35. Re:Will this stupidity ever end? by leuk_he · · Score: 1

      But now it looks like there are no laws to prevent this kind of thing. Faulty software: no one to blame, only to be found by reverse engineering. If this was a serious offence, somebody could look into it and find the person/boss responsible. Handle it like some kind of car brake failure, where the producer has to do a callback.

    36. Re:Will this stupidity ever end? by thelexx · · Score: 1

      "The CEO. If you don't know what's going on in your company, you're criminally negligent anyway."

      Unless you're Jon Corzine.

      --
      "Gold still represents the ultimate form of payment in the world." - Alan Greenspan, 1999
    37. Re:Will this stupidity ever end? by TerryJordon · · Score: 0

      DLINK can KMA... They haven't innovated their interface in more than a decade.. They are as bad as netgear and Linksys now. DLinks used to be rock solid.. I admit I still have a 625 around somewhere.. I'm all about belkin now.. Some will argue but these are the routers of this era if you ask me.. Time for all the old money network boys to get a wake up call

    38. Re:Will this stupidity ever end? by kestasjk · · Score: 3, Funny

      Oh yeah, hell hath no fury like a D-Link customer scorned; when they find out their cheap disposable routers have a flaw in them they'll need to send in the army.

      --
      // MD_Update(&m,buf,j);
    39. Re:Will this stupidity ever end? by NickFortune · · Score: 1

      Sending in the army against D-Link does seem a little excessive, now that you mention it. If only the problem of corporate malfeasance applied to a wider context than just D-Link ...

      --
      Don't let THEM immanentize the Eschaton!
    40. Re:Will this stupidity ever end? by kestasjk · · Score: 1

      From d-link.com executive team page: "Born in 1952, Roger Kao graduated from Tamkang University with a degree in Electrical Engineering. He went on to earn his Master’s Degree in Electrical Engineering and Computer Science from National Chiao Tung University where he also served as an Associate Professor."

      Really though if you don't know whether third party software embedded in a few of your huge range of products contains a hidden backdoor when a rarely used feature is activated what kind of CEO are you?

      --
      // MD_Update(&m,buf,j);
    41. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 1

      It sounds more like the backdoor was put in deliberately, probably to aid support staff who were fed up of trying to explain how to type "192.168.1.1" into the address box instead of Bing. This way they can just find your IP address and then go in via the backdoor to sort any problems out

      RTFA. As strongly suggested (but not outright stated) in TFS, this bypasses authentication only.

      If you have your home router set to permit normal, authenticated WAN access to the control interface, then yes, this now permits anonymous access by either a helpful tech or a malicious attacker.

      If, on the other hand, you have the slightest shred of sanity, you just don't permit WAN access, and if you need to reconfigure your router from outside the LAN, you'll set up a ssh tunnel (or other VPN method with strong authentication) to get into the LAN, rather than relying on the router's authentication. In this case, being able to bypass authentication does the helpful tech no good, since he can't access the control page in the first place!

    42. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      You treat it the same way as any group involved in crimes. Who did they put in prison from lulsec?

      The primary difference being that the lulz guys broke a variety of laws, where D-Link has broken none. The best you can hope for is some kind of "product fitness" or "false advertising" type of angle.

      But while you're wasting your time and money, I'll just sit here with remote admin disabled (the default setting) and not worry about how someone who has already compromised my internal network might be able to further compromise my router.

    43. Re:Will this stupidity ever end? by SuricouRaven · · Score: 1

      Because the 'guilty' will inevitably turn out to be the assistant backup deputy programmer.

      "Credit travels upwards, blame travels downwards. That's just the way it works." - PHB

    44. Re: Will this stupidity ever end? by kilfarsnar · · Score: 2

      Then they'd serve as a warning to others.

      --
      "What the American public doesn't know is what makes them the American public." -Ray Zalinsky (Tommy Boy)
    45. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      The DA will RICO the CEO's ass all the way to Federal PMITA Prison hell and back!

    46. Re:Will this stupidity ever end? by fisted · · Score: 1

      Betteridge's law of headlines applies equally well to subjects of posts on /.

    47. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Are you also behind 7 routers?

    48. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      You have the wrong premise. Class actions aren't about getting recompense for the victims. They're about punishing corporations in the most effective way possible, by hitting them financially on a large scale. If the damage award is large enough, the corporation will learn the only lesson it understands: it's cheaper to comply with expectations of quality than to cut costs by using criminally negligent solutions. Class actions are such a threat to corporate livelihood that they've recently gone out of their way to get the possibility of such litigation removed via license agreements, and the courts have stupidly upheld such agreements as legally enforceable, taking away the only effective check on corporate abuse because people like you believed the tripe that all these lawsuits are 'frivolous' and voted to make them easier to prevent or throw out, giving the corporations a free pass.

      Also, if you consider the context of this story, which is about low-cost home routers, you would have understood that the cost of filing and conducting a small claims case probably exceeds the worth of the product in question. You generally can't go for punitive damages in small claims. Your idea is flat-out stupid.

    49. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Oh great, so they can have to pay me a measly $100. No, I'd rather they get hit with a class action lawsuit and have to pay out more like millions.

    50. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      I'd bet 04882 is a defect number or change request too, so they know internally exactly who did it and why and when

    51. Re:Will this stupidity ever end? by mstefanro · · Score: 1

      You cannot just put people in prison for taking dumb shortcuts in programming, that's ridiculous. The purpose of
      the backdoor was to be able to internally use some features supported by the web interface without reimplementing them.
      They decided that the code that needs those features should just query the router's own web interface, but that required
      a password, so they just added a secret user-agent to bypass it internally.

      Also, you cannot realistically believe that this puts any banking transaction at risk. Those are usually protected
      by SSL, not your router. And access to your home network is usually preventing by using wireless security
      such as WPA2, not by having a password to your wireless' web interface. Almost no user has a non-default
      non-guessable router ui password anyway.

    52. Re:Will this stupidity ever end? by mstefanro · · Score: 1

      is usually prevented*

    53. Re:Will this stupidity ever end? by Forever+Wondering · · Score: 1

      One of the comments in the original article ["Julian"] claims to have the router and have verified it.

      It's not hard to verify it. Create a perl/python/whatever program [on a PC] that mimics the "User-Agent:" string and tries to do something that would be password challenged otherwise. If it succeeds, the access method exists [and is exploitable--from the local LAN if nowhere else].

      What isn't clear is whether the User-Agent: hack can be used from the router's public IP address vs. just 192.168.x.y [local LAN] or even if 192.168.x.y can be used.

      Someone else posted that the hack is used by firmware programs running inside the router to change configuration [which is legitimate for them to do] by sending the browser inside the router the request. So, it seems the intent of this was less of a backdoor (e.g. where D-Link et al. could remotely take control of the router) and more of a way for the router to do its job.

      The fact that the User-Agent: string is a funky, password-like string vs "internal_legitimate_request" indicates that the code author knew it could be exposed to the public/LAN IP addresses and tried to [weakly] mitigate this. The weakness is akin to disassembling code for a shared secret key.

      A better way might be to add an additional restriction that such internal requests must also be from a known internal source (e.g. an AF_UNIX [vs. AF_INET] socket that presumably could not be faked from an external source). But, this would take more time-to-code, sophistication, code space. Perhaps deemed not worth it for a $100 router.

      --
      Like a good neighbor, fsck is there ...
    54. Re:Will this stupidity ever end? by bingoUV · · Score: 1

      Ok, just skimmed through TFA. But using the wireless's web interface, one could add DNS entries, or enable guest account.

      Alice grants Bob casual temporary access to her router, by typing the password herself on Bob's device. Malice that Bob can carry out using this "hack" :

      1. add DNS entries to take Alice to other websites than she intends to visit. HTTPS certificate might protect Alice, but most people don't understand anything about them and proceed by ignoring all warnings. Doesn't help that important websites change certificates without advance warning - gmail recently changed with only a blog post long ago about it. This trains people to ignore certificate change warnings.

      2. Possibly enables guest account without telling Alice, and Alice doesn't monitor all the APs in the area or router settings all the time to check if guest account is enabled. Now the temporary access Alice gave to Bob becomes a permanent access whenever he is in the area. If he is a neighbour, Bob saves on ISP costs.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    55. Re:Will this stupidity ever end? by bingoUV · · Score: 1

      Yes. But after a US court deemed it legal for a "consumer" to sign away his own fundamental right of participating in a class action lawsuit as a EULA term, class action might lose all relevance soon.

      The issue that a failed class action suit results in no more class action suits allowed for the subject, makes it easy for a company "sponsored" underhanded weak class action suit against itself. When this is duly dismissed, being intentionally weak, company is safe from class action suits.

      Companies have learnt the lesson that gaming the system, like they have, is their best defence.

      --
      Bingo Dictionary - Pragmatist, n. A myopic idealist.
    56. Re:Will this stupidity ever end? by mstefanro · · Score: 1

      My point was that to get access to the web interface in the first place you need the wireless key. That is the thing preventing people from getting into your home network. Should they manage to get that key and infiltrate into your network, getting access to your router's web ui is almost always easy (almost no-one changes the default password or changes it to some bruteforceable one). And if one knows the network key, he can sniff the packets of everyone else as long as he catches their handshake with the AP (should work for WEP/WPA-PSK/WPA2-PSK, but not Enterprise stuff). I am pretty sure he can also perform DNS spoofing and MITM by impersonating the router and broadcasting a more powerful signal (if you know the network key, there is not much that someone else on the network can do to distinguish you from their real router). That being said, I don't see an attacker as gaining too much of an advantage by knowing your web ui password in most of the cases.

    57. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Seriously, if you’re using a D-Link router you are clearly not that concerned about security in the first place ???

      Get a life, spend some cash and get yourself a proper router from a market leading manufacturer!

    58. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Blah blah bla...

      I just tried this backdoor on couple devices from the Shodan list. Most of them are not accessible anymore = already hacked/bricked. ~5% still alive and 90% of them I could access without username/password. In one device log I saw computer IPs from active connections added to DMZ, that means someone is already hacking computers behind router. On another device I was able to browse contents (through ftp) of USB flash connected to router.

      IMO this backdoor is extremely wild and someone is already running scripts to "own" these routers for example by changing HTTP port to some custom and known only to him. After some time we will see some router botnet attacks...

    59. Re:Will this stupidity ever end? by Goaway · · Score: 1

      Did you stop to consider who you are really helping with that attitude?

    60. Re: Will this stupidity ever end? by Anonymous Coward · · Score: 0

      Would you say the justice system is better or worse than it was 1000 years ago? If better, do you think it got here by succumbing to negativist attitudes like yours?

    61. Re:Will this stupidity ever end? by Anonymous Coward · · Score: 0

      You mean planting a malicious backdoor into consumers' routers doesn't break any laws? If not, then your laws need to be changed.

      Why would I be wasting my time and money? I don't use crap brands like D-Link and never have. This entire thing is a non-concern for me.

  2. And? by no-body · · Score: 1

    Can the manufacturer be made liable for damages? Not sure what they are smoking there...

    1. Re:And? by Anonymous Coward · · Score: 1

      Any chance this is how my competitor (another small business) always seems to be dogging my ass and just undercutting me by a little bit? We used a DI-624 up until a couple of years ago...

    2. Re:And? by Anonymous Coward · · Score: 0

      no i was selling info to them. signed your employee

    3. Re:And? by icebike · · Score: 2

      Well are you running an administration service on an open Internet facing port?

      Your router won't get a chance to read the user agent string if you don't allow an inward connection.
      Then all you have to worry about is your insiders.

      --
      Sig Battery depleted. Reverting to safe mode.
    4. Re:And? by Anonymous Coward · · Score: 0

      I always have my employees signed. I think you're missing a comma.

    5. Re:And? by kestasjk · · Score: 1

      And even if they could access his router you would hope confidential business info would be encrypted anyway.. If he was transmitting commercially valuable info unencrypted via his modem and his competitors resorted to spying they could just listen in on the cable leaving the building.

      --
      // MD_Update(&m,buf,j);
  3. Thank Goodness... by clm1970 · · Score: 1

    That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.

    1. Re:Thank Goodness... by fuzzyfuzzyfungus · · Score: 4, Interesting

      That the consumer is always so proactive with updates that they'll upgrade their router the instant a fix is released.......NOT.

      "A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."

      Even if they do, it sounds like they'll be almost four years late.

    2. Re:Thank Goodness... by Anonymous Coward · · Score: 0

      The consumer better upgrade damn it! That back door has been obsolete for years. The new user-agent is 'xmlset_roodkcableoj28840ybtide.1' and nobody likes having to maintain code to check for two back doors.

    3. Re:Thank Goodness... by Anonymous Coward · · Score: 1

      Geez, if you're so worried, why don't you just go ahead and update them by yourself. It's not like you couldn't ;-)

    4. Re:Thank Goodness... by complete+loony · · Score: 2

      So it looks like this was a deliberate addition so that the router's internal tools could use http requests to change config. Why didn't they just check for incoming requests from localhost? Surely that would have been simple and safe enough? So instead they create something that they *know* is a backdoor.

      --
      09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
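Added example, not part of the comment above and not code from the firmware: a C illustration of the design point raised there, contrasting an admin check keyed on the client-supplied User-Agent header with one keyed on the socket peer address. The names `struct request`, `auth_by_user_agent`, `auth_by_peer`, `peer_is_loopback` and `make_request` are hypothetical, and the sample addresses are constructed.

```c
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical request record: what an embedded web server knows per request. */
struct request {
    struct sockaddr_storage peer; /* filled in by accept(); the client cannot choose it */
    const char *user_agent;       /* copied from the request headers; fully client-controlled */
    int has_valid_session;        /* outcome of the normal login check */
};

/* The string quoted in the story. */
#define MAGIC_UA "xmlset_roodkcableoj28840ybtide"

/* Flawed pattern: a header value acts as a shared secret that skips the login. */
int auth_by_user_agent(const struct request *r)
{
    if (r->user_agent != NULL && strcmp(r->user_agent, MAGIC_UA) == 0)
        return 1;
    return r->has_valid_session;
}

/* True only for 127.0.0.0/8, ::1 and IPv4-mapped loopback (::ffff:127.x.x.x). */
int peer_is_loopback(const struct sockaddr_storage *ss)
{
    if (ss->ss_family == AF_INET) {
        struct sockaddr_in in4;
        memcpy(&in4, ss, sizeof in4);
        return (ntohl(in4.sin_addr.s_addr) >> 24) == 127;
    }
    if (ss->ss_family == AF_INET6) {
        struct sockaddr_in6 in6;
        memcpy(&in6, ss, sizeof in6);
        if (IN6_IS_ADDR_LOOPBACK(&in6.sin6_addr))
            return 1;
        if (IN6_IS_ADDR_V4MAPPED(&in6.sin6_addr))
            return in6.sin6_addr.s6_addr[12] == 127;
    }
    return 0; /* unknown address family: never trusted */
}

/* Alternative from the comment: internal tools are recognised by where the
 * connection comes from, and every other client must hold a valid session. */
int auth_by_peer(const struct request *r)
{
    if (peer_is_loopback(&r->peer))
        return 1;
    return r->has_valid_session;
}

/* Helper for the constructed samples: build a request from a textual address. */
struct request make_request(const char *ip, const char *ua, int session)
{
    struct request r;
    struct sockaddr_in in4;
    struct sockaddr_in6 in6;

    memset(&r, 0, sizeof r);
    memset(&in4, 0, sizeof in4);
    memset(&in6, 0, sizeof in6);
    if (inet_pton(AF_INET, ip, &in4.sin_addr) == 1) {
        in4.sin_family = AF_INET;
        memcpy(&r.peer, &in4, sizeof in4);
    } else if (inet_pton(AF_INET6, ip, &in6.sin6_addr) == 1) {
        in6.sin6_family = AF_INET6;
        memcpy(&r.peer, &in6, sizeof in6);
    }
    r.user_agent = ua;
    r.has_valid_session = session;
    return r;
}

int main(void)
{
    /* Constructed samples: a remote client sending the magic header without
     * logging in, and an on-box tool connecting over loopback. */
    struct request remote = make_request("203.0.113.7", MAGIC_UA, 0);
    struct request local = make_request("127.0.0.1", "internal-tool", 0);

    printf("remote, magic UA: header check=%d peer check=%d\n",
           auth_by_user_agent(&remote), auth_by_peer(&remote));
    printf("loopback tool:    header check=%d peer check=%d\n",
           auth_by_user_agent(&local), auth_by_peer(&local));
    return 0;
}
```

Trusting loopback still lets any process running on the device administer it, so a listener bound only to 127.0.0.1 or a Unix domain socket with file permissions narrows that further.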
    5. Re:Thank Goodness... by gnupun · · Score: 1

      "A quick Google for the “xmlset_roodkcableoj28840ybtide” string turns up only a single Russian forum post from a few years ago, which notes that this is an “interesting line” inside the /bin/webs binary. I’d have to agree."

      Is it this page? They even disassembled the firmware where the string is used.

    6. Re:Thank Goodness... by Anonymous Coward · · Score: 0

      If only I could believe that every update is to benefit the customer ....

      Ref: recently videocard that got its capabilities clipped, devices that suddenly lose some of their capabilities, and of course good-old WGA.
       
      ... Nope, I don't think so.

    7. Re:Thank Goodness... by Anonymous Coward · · Score: 0

      Noop. That is a Russian version of the text posted in the original article. In the first line it clearly refers back to the original article of Creg at devttys0.com, as such it can't be what Creg is referring to. The disassembly seems to be copied from Creg.

      I find it beneficial to read the original article before embarking on a Google spree based on slashdot comments.

    8. Re:Thank Goodness... by david672orford · · Score: 1

      Is it this page? They even disassembled the firmware where the string is used.

      No, the habraabr page is dated yesterday. It is about the same blog posting that we are discussing here.

  4. NSA by Anonymous Coward · · Score: 0

    NotSurprisingAnymore

  5. Backwards: edit by 04882 Joel backdoor by Anonymous Coward · · Score: 5, Interesting

    And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

    The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

    1. Re:Backwards: edit by 04882 Joel backdoor by ibsteve2u · · Score: 1, Insightful

      And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

      The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

      Somebody found it profitable enough to make an effort to stifle the spread of knowledge about the backdoor?

      "Profit" can be anything of value, of course.

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    2. Re:Backwards: edit by 04882 Joel backdoor by ibsteve2u · · Score: 0

      And the post points out (in 2010) that if you reverse the string it was "edit by 04882 Joel Backdoor" so it was clearly a backdoor.

      The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

      Somebody found it profitable enough to make an effort to stifle the spread of knowledge about the backdoor? "Profit" can be anything of value, of course.

      lolll..and those seeking to "profit" can be individuals or groups of individuals like theft rings, political factions, religious entities, corporations, and states...

      --
      Orwell: "In a Time of Universal Deceit, telling the Truth is a Revolutionary Act"
    3. Re:Backwards: edit by 04882 Joel backdoor by Anonymous Coward · · Score: 5, Insightful

      The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

      Seriously? That's not a scandal, that's the way the world works. People that LOOK for stuff like that want to keep those exploits to themselves because they want to USE THEM. If you reveal the damn thing, it'll get patched.

      Not many people want to do all the work of looking through binaries figuring out obscure shit like this just for fun.

    4. Re:Backwards: edit by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      The big scandal here is how can a backdoor be known since 2010 and not revealed??!!!

      E_PARSE: semantics clash. Please address by completing the following:
      #define known
      #define not_revealed

  6. edited by 04882 Joel backdoor by austerestyle · · Score: 4, Interesting

    Read backwards it reads the same as the comment subject. Is this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html Assuming good will, it seems like debugging code left in the final firmware release.

    1. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      You cracked it. Affected users should find Joel and ask him to personally refund their purchase.

    2. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      No, they should ask that of D-Link. If their process depends on nobody involved committing any mistakes their process is broken.

    3. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 1

      'If their process depends on nobody involved committing any mistakes' = a bit exaggerated.

      This is an administrative level backdoor left in by alpha networks, subsequently not discovered and removed by the oem.
      Because they outsourced that to, wait for it, alpha networks on this project. They trusted it, they didn't discover a reason not to.
      Sure, it's negligent for a security minded process, but for a consumer product "get it out the door" process? It's SOP.

    4. Re:edited by 04882 Joel backdoor by _merlin · · Score: 4, Insightful

      It might have nothing to do with anyone called Joel. When I was far younger and quite bored, I graffiti'd "Patrick Tang was here" (in a place where a Patrick Tang had been). Patrick Tang had nothing to do with the use of his name, but when he discovered it, he went to considerable effort to obscure it, believing he would likely be blamed.

    5. Re:edited by 04882 Joel backdoor by jamesh · · Score: 4, Funny

      All this time we were running around blaming the NSA, when it was Joel all along!

    6. Re:edited by 04882 Joel backdoor by girlintraining · · Score: 5, Insightful

      Is this the guy behind it? http://www.joesdata.com/executive/Joel_Liu_421313008.html Assuming good will, it seems like debugging code left in the final firmware release.

      Regardless of how strong the evidence may be, uniquely identifying someone on the internet is dangerous and may even expose you to a slander/libel/defamation case. You may recall not long ago the witch hunt on reddit for the Boston Bomber. Over a dozen 'suspects' were named and shamed on the forums, none of whom turned out to be the actual person. Those people's lives crumbled into dust after, and police had to devote valuable resources at the time to protecting those individuals from vigilantes. Don't go the extra step of naming someone -- no matter how confident you are, the odds are very high that you're wrong. I know you think you're being edgy, smart, whatever and showing off your google-fu here, but you've actually rather accomplished the reverse -- you've demonstrated a reckless abandon and an inability to consider the consequences of your actions, or at least favoring momentary glory and recognition at the expense of another. Neither scores high marks in internet ethics.

      On the internet, a loaded finger is a bigger threat than a loaded gun.

      --
      #fuckbeta #iamslashdot #dicemustdie
    7. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 1

      I wouldn't go name calling based on that. Maybe the creator of backdoor was being "funny" for using CTO's name for backdoor.

    8. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      No. It may have been added as a way to meet something he requested though:

      Joel: I need this fucking working tomorrow! get cranking!
      ImbecileCodeMonkeyJr: yesssi!

      IdioticCodeMonkeySr: I have a brilliant idea!

    9. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      THANKS! You said better than me what needed to be said.

    10. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      > On the internet, a loaded finger is a bigger threat than a loaded gun.

      Ok, I'll stop picking my nose.

    11. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      Was he born on April 8th 1982 I wonder?

    12. Re:edited by 04882 Joel backdoor by LoRdTAW · · Score: 1

      Maybe he was an MST3K fan and had a fondness for the invention exchange.

    13. Re:edited by 04882 Joel backdoor by Anonymous Coward · · Score: 0

      >those people's lives crumbled into dust afterwards

      Citation needed. Certainly, it was extremely bad at the time, but I find it hard to believe that anyone would be harassing them even a week later.

    14. Re:edited by 04882 Joel backdoor by austerestyle · · Score: 1

      For the record I never accused him of actually being behind it, I just posed a question.

  7. Doesn't work on DD-WRT. by Anonymous Coward · · Score: 0

    Yay.

    1. Re:Doesn't work on DD-WRT. by SpzToid · · Score: 1

      DD-WRT has always shipped with a default password, which is something like 'admin'. That is the Very First thing to be changed upon login, after a firmware flash, so what is your point?

      Is this the article you were referring to?: http://tech.slashdot.org/story/13/03/15/1234217/backdoor-found-in-tp-link-routers

      Perhaps your memory is faulty, but like this D-LINK situation in the news today, replacing the firmware will solve the problem. DD-WRT is the answer in this case, not the problem. If I'm missing something AC, your citation is requested.

      --
      You can't be ahead of the curve, if you're stuck in a loop.
    2. Re: Doesn't work on DD-WRT. by Anonymous Coward · · Score: 0

      The answer is OpenWRT not some pseudo-open-source project.

  8. Wow by Frosty+Piss · · Score: 2

    I'm always amazed to read about things like this because most engineers are not morons. Why would they do it? How could they not know it would be discovered?

    The Black Hats have probably known about this for a long time...

    --
    If you want news from today, you have to come back tomorrow.
    1. Re:Wow by AHuxley · · Score: 1

      What must the self excuse list be like?
      It was a rushed job.
      It was another department.
      It was outsourced.
      So many product lines. So much work.
      The supervisor wants features for a global market, other product lines are for security.....

      --
      Domestic spying is now "Benign Information Gathering"
    2. Re:Wow by Tanktalus · · Score: 2

      If "most engineers are not morons" then we wouldn't need Bobby Tables as an example when explaining simple security issues to them.

    3. Re:Wow by theshowmecanuck · · Score: 2

      At first glance it looks like an interesting link.

      --
      -- I ignore anonymous replies to my comments and postings.
    4. Re:Wow by theshowmecanuck · · Score: 2

      Not sure how this is a troll. Telling people the link looks like it could be interesting. I guess whoever it was doesn't speak English.

      --
      -- I ignore anonymous replies to my comments and postings.
    5. Re:Wow by Opportunist · · Score: 1

      Most engineers are not morons.

      Sadly, not everyone writing code is an engineer. You get a fair lot of people considering themselves "programmers" these days because they can slap together a few objects in a RAD tool (without having the foggiest clue what happens behind those shiny icons they click on), copy/paste some code from various example pages and finally run whatever mess that creates through the compiler often enough 'til it finally compiles. Add some shotgun debugging and you know why code is in the sorry state it is in today.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    6. Re:Wow by mcgrew · · Score: 0

      For two "troll" downmods in a post that merely states the opinion that a page about how to secure against SQL injection either someone hates your sig and thought it was part of the comment, or you're the victim of a mod bomber.

      Some people shouldn't be allowed to moderate.

    7. Re: Wow by Anonymous Coward · · Score: 0

      I see a lot of badly done statistical analysis. As it goes up the chain it generally improves. For example, I don't think IBM is going to have a guy projecting staffing needs a year ahead will be the same guy who knocks up an occasional pivot table for his team. Does Time magazine have some random DevianTart do their covers in between Sonic re-colors? Well, I hope not anyway. You think that reasonably successful companies are tending towards copy and paste merchants in shipping products, or do you maybe have a slightly jaded and exaggerated sense of despair for coding in general?

      Have you noticed as well that streets are not as safe as they used to be? I hope for your sake you're over 50. If not you're way ahead of your time.

    8. Re:Wow by Frosty+Piss · · Score: 1

      If "most engineers are not morons" then we wouldn't need Bobby Tables as an example when explaining simple security issues to them.

      In general, the people that write that kind of terrible SQL are not engineers, they are "web developers". There is a difference.

      --
      If you want news from today, you have to come back tomorrow.
    9. Re:Wow by Anonymous Coward · · Score: 0

      You, sir, are a moron.

    10. Re:Wow by Tanktalus · · Score: 1

      Yes. But you were the one to use the term "engineer" to refer to the guys who wrote the firmware for these routers. I was merely using it colloquially, in the same way you did.

      I thought it was too strong of a word, but I decided that "engineer" was not the focus point of your original post. This one seems to have confirmed that.

      Basically, the people who write this stuff wouldn't be what I'd normally call an engineer. But they do show why we need the Bobby Tables site (among others).

    11. Re:Wow by Anonymous Coward · · Score: 0

      Most engineers have their minds corrupted by MONEY. Of course they had some sort of rigorous training. But then, they have a private life where money matters and they have a boss who knows how to put pressure onto them. They hear the corporate bullshit, which is also essentially MONEY. Slowly but surely that corrupts the mind and makes them incapable of rigorous thinking.

      Plus, "software engineers" are mostly amateurs without a proper CS training. How do you expect them to think in rigorous terms?

      Then, history is littered with seemingly capable and resourceful people who couldn't act rigorously either. Think of Admiral Dönitz and General Fellgiebel. They smelled something with the Naval Enigma (and the Italians hinted very strongly), but instead of a REAL fix, they used the half-hearted measure of adding a single rotor. Tens of thousands of their fellow seaman/service members went to the bottom of the Atlantic, because these people fucked up.

      Real security also demands BRUTAL HONESTY, even in the face of a general. Most people don't have the balls for that kind of thing. You must be able to call him an idiot and face all the pieces of crap then coming from his mouth, if you want to work towards actual security.

    12. Re:Wow by Anonymous Coward · · Score: 0

      Too much rant detected on "Sentence 1."
      Reading aborted!

  9. Many routers subject to UPnP vulnerability anyway by DigitAl56K · · Score: 5, Insightful

    PDF link, published earlier this year, shows how many manufacturers use a stack with a UPnP vuln that gives root, even from the WAN side:

    http://www.defensecode.com/public/DefenseCode_Broadcom_Security_Advisory.pdf

    Point is, you probably weren't as safe as you thought you were, even before this new disclosure.

    I think a huge problem with consumer-grade wifi routers today is that as manufacturers race to support new models with new wifi standards and new competitive feature sets, older models quickly become abandonware. There's very little guarantee around firmware updates for critical vulnerabilities, and end users are mostly oblivious to being at risk. By the time you pick up that $80 model from the store it's probably borderline EOL already.

  10. Did the NSA have a hand in this too? by BoRegardless · · Score: 1

    How to bury your company's reputation with one password.

    1. Re:Did the NSA have a hand in this too? by Frosty+Piss · · Score: 3, Insightful

      How to bury your company's reputation with one password.

      D-link's rep was buried long ago.

      --
      If you want news from today, you have to come back tomorrow.
    2. Re:Did the NSA have a hand in this too? by OhANameWhatName · · Score: 2

      D-link's rep was buried long ago.

      I'd tend to say that D-link's rep is long-lived and very consistent.

    3. Re:Did the NSA have a hand in this too? by Anonymous Coward · · Score: 0

      I'm gonna dress as a D-link router for Halloween, then.

  11. discipline by Moblaster · · Score: 5, Funny

    The Beatings Will Continue... Until the Firmware Improves.

  12. Tomato, DD-WRT, or OpenWrt by seifried · · Score: 4, Informative

    Because friends don't let friends run crappy firmware with back doors/known problems.

    http://www.linuxpromagazine.com/Issues/2010/119/Security-Lessons-Linux-WAP/(tagID)/337

    1. Re:Tomato, DD-WRT, or OpenWrt by Chemisor · · Score: 0

      Flashing custom firmware onto the router is tricky and dangerous. It is very easy to end up bricking it, even if you follow the instructions to the letter. Until the situation improves, I wouldn't recommend doing it unless you are an experienced geek and are prepared to buy a new router.

    2. Re:Tomato, DD-WRT, or OpenWrt by Anonymous Coward · · Score: 0

      Yeah but all of those firmwares are rarely updated these days.

      Forks and variations of TomatoUSB are about the only ones actively developed and I would barely call them "active".

      Anyone know why this is by the way? Are people using other systems/routers or what?

  13. the mantra by Anonymous Coward · · Score: 0

    1. ``i am not secure, but i want to be.''
    2. ``ignorance will not make me more secure''
    3. ``no product available will make me completely secure''
    4. ``if i cannot understand the entirety of my system, i can make no claims to its security''
    5. ``just because knowledge is denied, does not mean that knowledge is protected.''
    6. ``i am not secure, but i want to be.''

    1. Re:the mantra by Opportunist · · Score: 1

      "Security is a process, not a product" would already be enough for most managers to remember.

      Security is nothing you can buy. No black box you put in the corner and be done with it. Security is something you have to do.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:the mantra by Anonymous Coward · · Score: 0

      And your mantra is actually kind of shitty. Mathematically Proven Security would be the REAL FIX for all these issues. One day, we will have this.

      Think of

      + Mathematically proven correct kernel
      + Mathematically proven correct compiler
      + Mathematically proven correct CPU

      and so on. INRIA is working on this kind of thing. Also Uni Dresden and the Australians and their L4 kernel.

    3. Re:the mantra by Opportunist · · Score: 1

      And once we have the processing power to actually DO it we might make me obsolete.

      Somehow, though, I don't see me having to switch professions any time soon...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  14. Good thing mine is safe by Anonymous Coward · · Score: 0

    Not because I'm not using one of the models listed, but because mine shits itself when you actually try to get it to do something. But yeah, if you get a wireless router, definitely install one of the open source firmwares for it.

  15. Nice by lapm · · Score: 1

    Just goes to show that unless you read the code yourself or reverse engineer it yourself, you just can't be sure what's there. Now they found one. Waiting more news in other manufacturer and models in 3... 2... 1...

    1. Re:Nice by Anonymous Coward · · Score: 0

      The US military have by now DOZENS of exploits for EVERY MAJOR IT DEVICE/SOFTWARE. They stockpile it to be used for future conflicts and strategic reconnaissance.

      "Cyber warfare" and the "Cyber domain" is a very real thing. Stuxnet was like the flight of the Wright Brothers, but they already have something like an air force of P51s, B17s, P47s of Cyber War sitting in their database. Ridicule the "cyber thing" at your own peril.

      If they wanted, they could shut off probably 50% of all computers and phones worldwide in a matter of minutes, as most of these are connected to the internets. Firewalls don't stop them, as they have exploits for those, too.

  16. xmlset_roodkcableoj28840ybtide by Alsee · · Score: 4, Funny

    Heay!
    That's the combination on my luggage!

    -

    --
    - - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
    1. Re:xmlset_roodkcableoj28840ybtide by qazxswedc · · Score: 2

      Don't worry. D-Link went from suck to blow a long time ago.

  17. Not the DIR-655 so far... by amxcoder · · Score: 1

    At least the DIR-655 isn't part of this. I started getting worried for moment... I have and like that little router... It also sounds like this isn't a problem as long as remote management isn't turned on... (which is kinda a dumb idea anyway unless you really need to remotely change your router settings). The DIR-655 is a good router other than that, but unfortunately isn't compatible with DD-WRT or some of the open source firmware out there. Wish it was, but the last time I checked, these firmware releases were not available for the 655.

    1. Re:Not the DIR-655 so far... by immaterial · · Score: 1

      I had a dir-655 years ago and I ran Tomato on it. I'd be surprised if there weren't a DD-WRT build for it by now too.

    2. Re:Not the DIR-655 so far... by sjames · · Score: 1

      And you never get hit with a drive-by that tries the back door from the LAN side.

    3. Re:Not the DIR-655 so far... by Anonymous Coward · · Score: 0

      Are you being serious or sarcastic? I'm curious.

    4. Re:Not the DIR-655 so far... by Verunks · · Score: 1

      I have a dir-655 as well and it doesn't support tomato or any other custom firmwares as far as I know

  18. The home router market is a an ongoing disaster by mtaht · · Score: 5, Interesting

    It's not just simple backdoors like the dlink one that are a problem.

    There is a systemic complete and total regard for basic tenets of security in nearly the entire home router/cpe market.

    Start with crypto - no hwrng and a known "less than ideal" version of /dev/random to feed your "secure" wpa and ssh sessions.

    Worse:

    There is no privilege separation in most routers, which was ok when they were single function devices - BUT: not ok, when vulnerability via services like samba can be used to root most of the top 10 current home routers:

    http://securityevaluators.com/content/case-studies/routers/soho_service_hacks.jsp

    Once an attacker p0wns your home gateway they can change your dns to malicious sites, as dnschanger did:

    http://www.dcwg.org/

    or have it participate in botnets, or inflict further attacks on unsuspecting devices both inside and outside your firewall, or sniff your traffic - there is no security when your front door is left wide open.

    What nearly every home router and cpe manufacturer is shipping is **rotware**, running 4-7 year old kernels with known CVEs, and 10 year old versions of critical services like dnsmasq. You'd think that new 802.11ac devices available for this christmas might have some modern software on it, but just to pick out a recent example - the "new" netgear nighthawk router runs Linux 2.6.36.4 and dnsmasq 2.15, according to their R7000 gpl code drop -

    http://kb.netgear.com/app/answers/detail/a_id/2649

    Brand new hardware - 4+ and 10 year old software respectively.

    It's unfair of me to pick on Netgear, every router I've looked at this christmas season has some major issues.

    Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware. And I wish the manufacturers (and ISPs, AND users, and governments) understood that, and there was (in particular) a sustainable model for continuous updates and upgrades as effective as android's in this market. I don't care if it came from taxation, isp fees, or built into the price of the device - would you willingly leave your networks' front door open if you understood the consequences?

    Rotten routers with closed source code, and no maintenance, are a huge security risk, and they are holding back the ipv6 transition, (and nearly all current models have bufferbloat, besides)

    How can the dysfunctional edge of the Internet be fixed?

    1. Re:The home router market is a an ongoing disaster by Anonymous Coward · · Score: 0

      How about starting a PAC or superpac and give most of the money to the EFF's lawyers who seem to have lots of pointy teeth. The rest can be used to buy some congressman as is usually done apparently, but they don't require much.

    2. Re:The home router market is a an ongoing disaster by Anonymous Coward · · Score: 3, Interesting

      "Right now, the only current hope for decent security in home routers is in open, modern, and maintained firmware"

      Nah. The only lonely hope fer descentified home security routers is to build sum yerself. It aren't that hard. What hillbilly don't got a beige box layin' about and a spare NIC? Need juz... uh... count 'em: | | <- Dis manny Etherport whatsits to build a maximam security gateway. I tighted two screws (righty tighty, leftie loosie), got dem dere PCI card hooked up. Putted in a CD, wot axed a few questimations, and done.

      Oh, but dis is dat dere big brained slashamadoodle folks. Fergiven ma pardon. Ain tryin' ta make yah look dum 'er nuffin. Ya'll cityfolks done figgered dis shit aout.

      Juz liek ta bitch an' moan is all, eh?

      's like gramppy says: Yah can lead a geek ta a solution, butcha go ta jail if ya drown 'em in it.

    3. Re:The home router market is a an ongoing disaster by fnj · · Score: 1

      the "new" netgear nighthawk router runs Linux 2.6.36.4

      And every DOD approved server is running RHEL6 which is 2.6.32. The kernel version doesn't tell you shit unless you know what patches have been added.

    4. Re:The home router market is a an ongoing disaster by semi-extrinsic · · Score: 1

      Please mod parent up. First post I've seen in a while that deserves both +1 Informative and +1 Funny.

      --
      for i in `facebook friends "=bday" 2>/dev/null | cut -d " " -f 3-`; do facebook wallpost $i "Happy birthday!"; done
    5. Re:The home router market is a an ongoing disaster by wvmarle · · Score: 1

      My router is about 10 years old now, still working. Supports WPA-PSK, so it has all the features I need it to have.

      However afaik no way to update the firmware. Which of course is >10 years old now. And even if I could... well it's hanging on a wall, and it's doing its job - it's a device, and not something that's high on my priority list to check for vulnerabilities.

      I guess my best chance to keep safe is the fact that's so old and some obscure brand it's not a known target for would-be attackers.

    6. Re:The home router market is a an ongoing disaster by Anonymous Coward · · Score: 0

      If you really think the *government* has an interest in secure IT for private users, you probably also believe they want everyone own a SIGABA machine. Btw, did you know that nuclear power stations are actually powered by unicorns ?

    7. Re:The home router market is a an ongoing disaster by Anonymous Coward · · Score: 0

      China and NSA already got all your trade secrets. Now you can leave it as it is.

    8. Re:The home router market is a an ongoing disaster by Anonymous Coward · · Score: 0

      You can blame Broadcom and other chipsets and device vendor that only release certain versions of linux drivers and most wireless drivers in BLOB.
      It is not like you can mix and match kernel version drivers freely without running into troubles. Worse type of errors are the silent ones. DD-WRT is still on 2.4 kernel.

      This is also in embedded world for mass market where the requirements are different than desktop or servers as they try to fit a lot of functionality into tiny amount of memory.

      As for router in question for this backdoor. It is an ancient WIRED router. Open source project didn't bother to work on them as they have too little memory: FLASH probably in 256kB or 512kB (at most) and may be 4-8MB of RAM.

  19. Not like it hasn't happened before by Anonymous Coward · · Score: 0

    Found this out about my stock wrt54g a while ago:

    http://www.securityfocus.com/archive/1/442452/30/0/threaded

    You don't even need any special password/user-agent/... If you know the setting you want to change, it's only a simple post request and you are done.

  20. A big problem by AndrewStephens · · Score: 3, Insightful

    This is NOT a small, obscure problem for users of DLINK routers. Although it does not open up Wifi access or anything like that, having access to the configuration panel of your router is bad news even from inside the network. I can't think of any way to automatically exploit it via a browser (XSS-style) but a small executable (or trusted Java applet, for instance) could do it.

    Additionally, I wonder how many small establishments are offering free wifi using DLINK equipment. Those networks are now vulnerable.

    If I was a bad(er) guy, the first thing I would change would be the DNS settings. Forcing all computers behind the router to use a DNS I control opens up all sorts of interesting ways to mess with people.

    --
    sheep.horse - does not contain information on sheep or horses.
    1. Re:A big problem by viperidaenz · · Score: 5, Informative

      Apparently IE might let you change the user agent
      http://stackoverflow.com/questions/6995311/how-can-i-spoof-the-user-agent-of-a-javascript-get-request
      You'd just need to work in some cross domain exploit somehow... or have a subdomain of your website resolve to 192.168.1.1

    2. Re:A big problem by AndrewStephens · · Score: 1

      ... or have a subdomain of your website resolve to 192.168.1.1

      I never thought of this, that's pretty sneaky.

      --
      sheep.horse - does not contain information on sheep or horses.
    3. Re:A big problem by elp · · Score: 2

      This is not the first time D-Link have been caught doing stuff like this, and the DNS attack is exactly what happens when the bad guys find out.
      This was a big issue here in South Africa a few months ago. Telkom (the local state owned incompetent telco) were selling approved DLink modems with helpful extra admin accounts (username: support password: support was one I saw) which suddenly started redirecting traffic to interesting locations.

    4. Re:A big problem by SethJohnson · · Score: 4, Interesting

      Certainly, DNS would be a pretty quick way to abuse all devices on the other side of the router. It might be detected when the owner verifies the settings themselves or watches their own network traffic and observes the DNS lookups hitting the wrong destination. It's likely that this would have set off red flags before now. Many anti-malware packages check for DNS redirections, for example.

      Being able to manipulate the router's config interface would allow an external entity the ability to upload a new firmware to the router. The new firmware would offer the attacker switches to flip at will that would enable packet sniffing of all traffic and man-in-the-middle SSL attacks. Organized crime / NSA (redundant to mention both, I know) seek no deeper capabilities than this.

      You bring up a great point of smaller establishments running WiFi on D-Link equipment. Perhaps their SSIDs should be modified to read, "HACKED BY NSA - DO NOT USE!"

    5. Re:A big problem by Anonymous Coward · · Score: 0

      I wonder how the anti-malware checks the router's resolver is checking somewhere crazy.

    6. Re:A big problem by bill_mcgonigle · · Score: 1

      I never thought of this, that's pretty sneaky.

      Ditto on that!

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:A big problem by DarwinSurvivor · · Score: 1

      I didn't see anything in that link that says anyone has actually gotten it to work.

  21. Well that explains a lot by Anonymous Coward · · Score: 0

    My home DSL (Billion) does DNS lookup *extremely* slowly. Often timing out.
    I noticed also that Yandex (the email service I switched to when I abandoned US email), has a different certificate. It had a Yandex External CA one, then a Global Trust one.

    So your post explains a lot. I'll contact my ISP.

  22. Yes they did, TAO by Anonymous Coward · · Score: 4, Insightful

    Read it and weep:
    http://www.washingtonpost.com/world/national-security/us-spy-agencies-mounted-231-offensive-cyber-operations-in-2011-documents-show/2013/08/30/d090a6ae-119e-11e3-b4cb-fd7ce041d814_story_1.html

    "Much more often, an implant is coded entirely in software by an NSA group called Tailored Access Operations (TAO). As its name suggests, TAO builds attack tools that are custom-fitted to their targets. "

    "Tailored Access Operations has software templates to break into common brands and models of “routers, switches and firewalls from multiple product vendor lines,” according to one document describing its work."

    So on the one hand they're supposed to defend US networks from attack, while on the other hand they have detailed knowledge of these backdoors and use them for their own use while keeping them secret.

    So yes, the NSA did have a hand in it, at the minimum it kept it secret while exploiting it.

    1. Re:Yes they did, TAO by mcgrew · · Score: 1

      You guys find a backdoor in a Chinese product and say it's the NSA?? If these were Cisco routers I'd agree, but I don't see the NSA putting back doors in Chinese firmware. I'd say it's so the Chinese government can spy on their citizens. You don't really think the USA is alone in building a surveillance state, do you?

    2. Re:Yes they did, TAO by Anonymous Coward · · Score: 0

      You guys find a backdoor in a Chinese product and say it's the NSA?? If these were Cisco routers I'd agree, but I don't see the NSA putting back doors in Chinese firmware. I'd say it's so the Chinese government can spy on their citizens. You don't really think the USA is alone in building a surveillance state, do you?

      Most of Cisco's hardware is manufactured (and supported) in China.

  23. Re: F*** you NSA by Anonymous Coward · · Score: 0

    Or they put it there in the first place...

    How will that help the "cyber infrastructure" if they put in backdoors exploitable by anyone...?

  24. Well, what do you expect by muecksteiner · · Score: 2

    In most of the companies that do such gear, the chap(s) in charge of actually developing and making them are treated as disposable cost factors. Who are under constant threat of being outsourced to some third world country. And the products they develop are basically abandoned once the next release hits the shelves, otherwise the incentives to buy new stuff would not be as high.

    All the while the Cxx who "supervise" them (and who in a lot of cases couldn't even configure the products the company makes, let alone really care) walk away with more or less obscene bonuses. You know, just to show the little guys who is boss, and so.

    Not a big surprise, then, that the developers apparently don't put their entire energy in making the best possible product. Would you, in their stead?

    1. Re:Well, what do you expect by Anonymous Coward · · Score: 0

      You realize that alphanetworks is an offshore oem responsible for developing products from board to software right? ...They're located in Taiwan and anyone who has ever worked with them before knows that they are of the 'do it quick, who cares how' sort.

    2. Re:Well, what do you expect by Anonymous Coward · · Score: 0

      "Would you, in their stead?"

      I guess that depends on if you are a professional who takes pride in your production?

      My take on that is that if I'm doing a job I will do that to my best abilities regardless of pay etc. If I don't like what I'm being paid, or who I'm working for, I look for a different job. Otherwise I'm selling myself out. Violate my own integrity because of some shmoe? No, I don't think so!

      Not that I can't understand why people do, it's easy to lose sight of things when you are in the trenches. Which is why it's important to surround yourself with able people who have a tendency to feel they can afford keeping an eye on the mountain, so to speak. This way if you would lose your way and you talk to them they would remind you.

    3. Re:Well, what do you expect by Anonymous Coward · · Score: 0

      Come on, real security takes a lot of effort. Most developers know quite well where some smelly stuff hides, but they are under massive pressure to "deliver 17 new features until November". They tell management, but those don't give a fuck. You either become an IT whore and ignore these issues or your pimp will quickly throw you out of the brothel. Of course they call it "corporation".

      I once worked for a banking crypto company and despite all their bla-bla they were not at all committed to fixing security issues. We had some sort of home-grown SSL with 128 bit security, but some bozos thought they should use srand/rand() as a "Session Password". The manager in charge did not even grasp the problem in the beginning. These days I tend to ignore security issues, as most people are offended by myself pointing out their absolutely shitty pseudo-security contraptions.

      Welcome to "free enterprise".

  25. Take them to court by Anonymous Coward · · Score: 0

    And make sure you end this company's existence.

  26. updating contacts by roscocoltran · · Score: 2

    D-Link should update their firmware: Joel left the company a long time ago. And you should never hard-code usernames in a firmware, only group names. This is basic stuff.

  27. Idiot pruf by TiggertheMad · · Score: 3, Insightful

    As a software engineer who has worked on some larger projects, I can tell you that you are in fantasy land if you think that every line of code can be vetted without spending a small fortune on code review. Those costs might be justifiable for a project like a space shuttle guidance system, where the cost of failure is billions of dollars and multiple lives, but nobody is going to shell out that kind of budget for a sub $100 consumer router.

    --

    HA! I just wasted some of your bandwidth with a frivolous sig!
    1. Re:Idiot pruf by Anonymous Coward · · Score: 2, Insightful

      nobody is going to shell out that kind of budget for a sub $100 consumer router.

      except such routers are the first line of defense, in many cases, of such things as a space shuttle guidance system....

      (don't blame me for what nasa engineers have running at home...)

    2. Re:Idiot pruf by L4t3r4lu5 · · Score: 4, Interesting

      That only applies if you think of the firmware as being worth the sale of only one router. The models listed are all consumer grade, but I'm willing to bet that because they're cheap they're also popular. Your $100 router all of a sudden is $10m in sales if 100k are sold, across those six (so far identified) ranges. Not so hard to imagine? Now think of those who work from home over networks served by that hardware, or the SMB with only a couple of clients on the network and no need for professional switching equipment. Now it's business loss to consider, even if only downtime to fix the breach is the only loss experienced.

      I can easily see something like this having the potential to cause losses not dissimilar to your "shuttle crash" scenario. It's "keys to the kingdom" external access to what should be a private network.

      Finally, there's no chance in hell of even 1% of these devices receiving a firmware update. Nobody (outside of us) upgrades the firmware on their home router; They run it from factory until death, then buy another one. These devices will be vulnerable for the foreseeable future.

      --
      Finally had enough. Come see us over at https://soylentnews.org/
    3. Re:Idiot pruf by gl4ss · · Score: 1

      100 bucks*10 million installations = 1 000 000 000 bucks.

      just saying. anyhow, this isn't apparently open from the wan by default at least. so the people most fucked by this potentially are cafes etc semi public ap's. easiest damage scenario to come up with is just someone changing the cafes networks password. more damaging scenarios would be stuff like forwarding all the connections through somewhere else(and potential session hijinxes from that).

      --
      world was created 5 seconds before this post as it is.
    4. Re:Idiot pruf by Bengie · · Score: 1

      You don't need to vet every line of code, you just don't need idiot programmers. Most security issues you see are because of a lazy or uneducated programmer that skipped freshman programming. Programmers need to become security conscious and understand how their code fits into entire systems, or in this case, some @#$%ing common sense.

    5. Re:Idiot pruf by drinkypoo · · Score: 1

      Forcing code vetting would change the economics of the industry. Companies would produce less models of router (for example) and they would produce a single model for longer. This would be good for everyone but the shareholders.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    6. Re:Idiot pruf by kestasjk · · Score: 0

      Yes government should get involved in the design of routers, and write laws about software code vetting. After all the huge extra costs would be absorbed by the shareholders, not us.

      If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you.

      --
      // MD_Update(&m,buf,j);
    7. Re:Idiot pruf by Gr8Apes · · Score: 1

      You definitely don't need to vet every line of code, as long as you build a small vetted security framework. For something like a router, I'd expect that's how they're put together, although I know better.

      --
      The cesspool just got a check and balance.
    8. Re:Idiot pruf by drinkypoo · · Score: 2

      If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you.

      It doesn't matter how much money you have riding on your $100 router, it's serious if it's all your money. Which for many people is just a few hundred dollars in a bank account (if that!) which they need to feed their family. But if they don't participate in the internet, then they're not a member of modern society and their situation may well worsen. How much do you propose someone in this situation spend on a home router? Remember, your arrogance will be recorded for posterity.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    9. Re:Idiot pruf by Anonymous Coward · · Score: 0

      Minor nitpick, you are not a "software engineer", you are a "software developer" or "programmer". The term engineer is reserved for disciplines requiring strict standards and provable output (i.e. real world math and physics based structure). Software developers are no more engineers than your local garbage man is a "sanitation engineer".

      Otherwise your post is quite insightful.

    10. Re:Idiot pruf by kestasjk · · Score: 1
      I'd be more worried about your level of reading comprehension being recorded for posterity.. "If you have a serious amount of money riding on your $100 modem/router/wifi being secure from within your own network then no amount of legislation is going to help you."
      • This bug is only exploitable if you enable WAN administration
      • All internet traffic involving money / confidential data should be (and pretty much always is) encrypted
      • If you are sending important unencrypted data over the wire you can just listen to the wire
      • Do you really want to pay for the routers you buy to go through a bureaucratic process to establish whether the software (including third party software) has been thoroughly tested? Should that include the component parts like the processors, thttpd, linux? What would that legislation look like? How would it be enforced for overseas companies?

      You'd probably get equally indignant if such legislation actually passed based on your knee-jerk reaction and US router prices shot up. ("But what about the starving family with only $100 budgeted for their router?")

      --
      // MD_Update(&m,buf,j);
    11. Re:Idiot pruf by filthpickle · · Score: 1

      Nobody (outside of us) upgrades the firmware on their home router; They run it from factory until death, then buy another one. These devices will be vulnerable for the foreseeable future.

      It wouldn't matter if they did. They aren't gonna patch the firmware for any of the affected routers anyway.

    12. Re:Idiot pruf by frootcakeuk · · Score: 2

      "Nobody (outside of us) upgrades the firmware on their home router; They run it from factory until death, then buy another one."

      You had a really good point till you said this. What a load of shit!

      --
      Remember kids: What's right isn't as important as what's profitable.
    13. Re: Idiot pruf by SplatMan_DK · · Score: 1

      Hmmm. Wrong.

      Malicious code in a browser session could also be a serious problem. A compromised browser could alter the router's DNS to a malicious one for example, essentially giving the attacker an attack vector for any and all clients on the LAN side.

      In fact I will be surprised if we don't see this kind of attack soon. Browsers and their plugins contain vulnerabilities. It's only a matter of time before someone uses that to compromise the entire LAN side through BS backdoors such as these.

      - Jesper

      --
      My security clearance is so high I have to kill myself if I remember I have it...
    14. Re:Idiot pruf by JohnFen · · Score: 3, Informative

      As a software engineer working on a large consumer product, I can attest that every single line of code coming from our team goes through code review. It does increase short term costs a bit (but not prohibitively), but results in great net savings over the long haul as most defects are found before shipping, when code fixes are cheap. Finding and fixing the same defects after shipping is horrendously expensive and results in angry customers.

    15. Re: Idiot pruf by kestasjk · · Score: 1

      You'd need to exploit the browser in such a way that you can POST to the modem with a custom user agent set, that'd be a pretty serious exploit, and I'd be more worried about that. You could then use the modem to try and trick around with DNS to get on other machines, but it'd be hard to do transparently. It would all have to be pretty well tailored.

      Anyway I'm not saying this isn't a security hole that needs to be fixed, but that the idea that this shows the need for increased regulation is nonsense.

      --
      // MD_Update(&m,buf,j);
    16. Re:Idiot pruf by doti · · Score: 1

      Or maybe you just, you know, open source the damn thing.

      "All software should be Free"?

      --
      factor 966971: 966971
    17. Re:Idiot pruf by Obfuscant · · Score: 2

      This would be good for everyone but the shareholders.

      Good for the shareholders, too. It costs money to design and produce new versions of product with each new set of bells and whistles.

      An issue that most companies seem to forget is brand loyalty. Even when such loyalty is as simple as "I had brand X model Y for several years and now it has failed. I need a new one. I'd buy the same thing because I am used to it and know how it works, but I can't because the company doesn't make it anymore." There are uncounted times I've gone through this process, having to go find a replacement device for something I've used and has worked well for a long time, eventually deciding on a different brand because I was forced to.

    18. Re:Idiot pruf by Anonymous Coward · · Score: 1

      As a software engineer I can tell you that code review costs a small fortune because it's being done WRONG at an alarming scale. For example the bulk of use-after-free bugs are so fucking detectable by automated processes that it's not even funny. And no I'm not talking about unrefined fuzzing but real concrete static analysis. Yet they're so common. Clearly code review isn't happening or is being done wrong.

      Heck most code reviewers would improve productivity by simply enabling compiler warnings and compiling the code. But no, the stupid fucks do all that checking by sifting through the code by hand. No wonder it's so inefficient. They spend so much time trying to find the bugs that should be caught via automation that they miss the bigger high level problems like back-doors.

      If you're not using lots of tools to review code, you're doing it wrong. Yes, the best tools will cost you a few coins but that's no excuse to use none at all. There are plenty of free ones that are infinitely better than the nothing you're currently using. Reasonable and cost effective code review is more attainable than ever before. Anyone who tells you otherwise is doing it wrong.

      Closely related, anyone who tells you that unit tests are ineffective because they can't catch everything... well they need to be fired and have their toenails adjusted with a pair of pliers. Have a nice day.

    19. Re:Idiot pruf by Anonymous Coward · · Score: 0

      What A LOAD OF SHIT. Software Engineering has very real, cold, hard scientific principles. Namely, Computer Science. Airbus, Boeing, Bosch and NASA have proven that you can build extremely safe and secure software systems. YOUR LITTLE SHITTY LIFE depends on that Bosch ABS/ESP brake probably every single day and even more when it is wet or cold. Even more does your life depend on software when you ride that A320 to that business meeting. There is ONLY SOFTWARE between the pilot and the electric actuators. ONLY SOFTWARE between you and your god reclaiming your life.

      So, just keep your liar's mouth SHUT.

    20. Re:Idiot pruf by lennier · · Score: 1

      Yes government should get involved in the design of routers, and write laws about software code vetting.

      Yes. They should.

      That is, if you want your router to be fit for the purpose for which it was sold rather than be a dangerous toy that gets your home network rooted and your bank account drained, your files seized, your webcam activated and used to take compromising photos which are then used for extortion...

      Plus, your personal network becomes my problem if it gets rooted and used to launch botnet attacks at me. Computer network security is a public security issue, and that's a valid role for government.

      --
      You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
    21. Re:Idiot pruf by mstefanro · · Score: 3, Interesting

      I think it is? http://tsd.dlink.com.tw/downloads2008detailgo.asp
      Someone commented on another website with this link: https://gist.github.com/ccpz/6960941 which shows
      the backdoor string being defined in some config.

    22. Re:Idiot pruf by DarwinSurvivor · · Score: 1

      Maybe if your coders didn't do all of their compiling with the warnings turned off in the first place the code reviews would go faster...

    23. Re:Idiot pruf by Anonymous Coward · · Score: 0

      as a software engineer who has worked on many projects i find it highly more likely that multiple people within the organization knew about this and used it for convenient internal purposes, rather than one person secretly planted it.

      so it's not a matter of vetting code, it's a matter of a culture of laziness and stupidity. I type my own passwords on my own machines in my house dozens and dozens of times a day, it's how they were designed, it's how the security works, I don't understand why people have this urge to keep disabling things.

    24. Re:Idiot pruf by doti · · Score: 1

      I found no source code in these links.

      --
      factor 966971: 966971
  28. Why bother? by Bert64 · · Score: 2

    Why do all these router vendors even bother producing their own nonstandard firmware?
    Most of the hardware is based around a small set of common chipsets anyway, so why not use an existing firmware such as dd-wrt or openwrt.

    --
    http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    1. Re:Why bother? by wvmarle · · Score: 2

      Branding. Same reason Samsung has all but forked Android. If they don't, there is no difference any more between various devices.

    2. Re:Why bother? by Anonymous Coward · · Score: 0, Interesting

      I wouldn't really say forked as much as I would say "given a new lick of paint".

      Admittedly they added features on top that completely change the way you can interact with Android, which I prefer massively.
      I mean, who DOESN'T want Multi-tasking capabilities? Right now general Android is a toy OS at best, not even kidding (same with all the other crappy phone OSes like it), it is awful, multi-tasking actually makes it useful beyond playing some crap games or browsing Faceboke.
      Then there is the S Pen, admittedly the model I have has a weird detection error on the middle left side and somewhere around 25% down on the right side, but those are minor, but god damn, S Pen is so incredibly useful.

      Around 65-70% of the reason I even got the Samsung tablet was due to multi-tasking and the S Pen so I could use it as a graphics tablet as well.
      I can just sit there with VNC open as well as S Note in dual view working between them easily.
      I've even been thinking of writing an S Pen based keyboard, specifically for it because I haven't found a single decent keyboard besides that Hackers Keyboard, everything else is absolute trash for any reasonable use in anything text-heavy that, yet again, isn't stupid Facebook tards posting terrible updates about how they suck at everything. Gotta put smileys in my keyboard for all the fb ppls XD. FUCK.

      But yes, I actually dislike the general Android community for lashing against Samsung for trying to actually, you know, MAKE THINGS EASIER AND BETTER.
      I hope eventually they get some good code behind the window manager that can force any application in to a window and deal with the interaction issues externally so applications themselves don't need to add any support to it directly, that would be great, then it truly has become just a facelift rather than an attempt to force others in to using Samsung specific interfaces. (any good developer would only add support for it and not just support it solely anyway)

    3. Re:Why bother? by Bert64 · · Score: 1

      Which is in most cases just stupid...
      Most of the branded versions of android (and other similar systems) that I've seen have been considerably worse than the stock version, especially the carrier branded versions.
      OEM versions of windows are just as bad too.

      By creating a branded version you are differentiating yourself as being inferior, that's not a good "difference" at all as in many cases people will actively seek out devices which don't have the branded software versions.

      --
      http://spamdecoy.net - free throwaway anonymous email - avoid spam!
    4. Re:Why bother? by wvmarle · · Score: 1

      Most of the branded versions of android (and other similar systems) that I've seen have been considerably worse than the stock version, especially the carrier branded versions.

      Samsung must be up to something good considering the popularity of their devices, combined with their more and more customised software. At least they're way more popular than Apple now. And besides, the stock version is not necessarily the best possible.

      And "carrier branded" versions? Sorry, never encountered that, must be something unique to your country (USA probably, can't think of anywhere else that'd happen).

    5. Re:Why bother? by fatphil · · Score: 1

      > And "carrier branded" versions? Sorry, never encountered that, must be something unique to your country

      So you've never heard of little countries like the UK, France, and Japan?

      --
      Also FatPhil on SoylentNews, id 863
    6. Re:Why bother? by Anonymous Coward · · Score: 0

      The router is a WIRED router and made BEFORE dd-wrt or openwrt, so unless you have a time machine... These routers have 256kB or 512kB of FLASH which you can barely bootup uclinux and not do anything interesting. Open source project gave up on them and only embedded OS vendor supports them.

      Besides the chipset vendors usually provide a reference design and SDK for their parts. If it is not already supporting a linux kernel there, you are SOL.

  29. Re:Many routers subject to UPnP vulnerability anyw by wvmarle · · Score: 1

    It seems like they have about as many remote vulnerabilities as your run-of-the-mill Windows installation.

    Maybe we should follow the same advice as is given to protect Windows from remote attackers: don't connect it directly to the Internet; put it behind a hardware firewall, opening only the ports you need. Like http port 80.

    Oh, wait...

  30. belkin router by sumitjadhav137 · · Score: 1

    does belkin router have same issues...

  31. Anything for some more clicks. by Anonymous Coward · · Score: 0

    I have no problem with information being freely disseminated, but it's sickening to see a front page story that doesn't require the slightest shred of attention or interest before it begins shedding the exact specifics of vulnerabilities that still apply to real people. Congratulations, Slashdot, you're worse than Kotaku. Because while they may post inflammatory and nonsensical bile to get their views, you're happily and wholeheartedly fucking people with these routers by not only publicizing these vulnerabilities, but making them front-page, expanded news.

  32. Is this where I get to feel smug? by ameline · · Score: 1

    Apple's AirPort line of routers is one of the few consumer grade families of network gear that are not abandonware -- updates are provided fairly regularly. I believe that under the covers they're running VxWorks with a custom IP stack from Apple. As far as I know, there are no back-doors or security problems with them. (I would not be at all surprised to find out that the NSA has infiltrated one -- they are designed and the firmware is written in the USA.) I've been using them for years -- they're very reliable -- never need to be rebooted, and they perform well. Yes, they cost a little more, but then it looks like you get what you pay for. -- Ian.

    --
    Ian Ameline
    1. Re:Is this where I get to feel smug? by kestasjk · · Score: 1
      --
      // MD_Update(&m,buf,j);
    2. Re:Is this where I get to feel smug? by Anonymous Coward · · Score: 0

      Seriously? You can't do better than a link from 2007?
      Apple's Airport line must be pretty sweet stuff. :-)

    3. Re:Is this where I get to feel smug? by kestasjk · · Score: 2

      How about this one from a month ago?

      You can also compare Apple's 2095 vulnerabilities for 97 products to D-Link's 43 vulnerabilities for 40 products.

      --
      // MD_Update(&m,buf,j);
  33. So "wear protection". This IS Slashdot... by couchslug · · Score: 1

    Many folks are installing pfSense etc on thin clients (plentiful on Ebay and dirt cheap). Choose whatever distro you like then have at it. Rolling your own goes back to floppy-based Linux routers and is old news.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  34. Cisco by Anonymous Coward · · Score: 0

    The Beatings Will Continue... Until the Firmware Improves.

    Who owns D-Link ?

    Cisco.

    That answers your question.

    1. Re:Cisco by cjjjer · · Score: 5, Funny

      Remind me never to pick you as a team-mate for Trivial Pursuit.

  35. Note to self by Anonymous Coward · · Score: 0

    Remember to throw away all 4 dlinks at the office.

    1. Re:Note to self by Skapare · · Score: 1

      Send them to me. Please include the power supply.

      --
      now we need to go OSS in diesel cars
    2. Re:Note to self by bill_mcgonigle · · Score: 1

      Remember to throw away all 4 dlinks at the office.

      Hey, your life gets easier no matter the rationale.

      I've been real happy picking up refurbs of the WNDR3800 and running OpenWRT (latest release) on them.

      Gigabit switch and they handle VLAN's really well so for $50 delivered by Prime, it's hard to ask for more.

      opkg install luci-ssl
      opkg remove wpad-mini
      opkg install wpad

      and you have secure access and WPA2-Enterprise (freeradius w/ samba works). Just remember that the switch ports are labeled backwards by Netgear...

      Speaking of backdoors and untrusted code, I wound up using these to VLAN the home network, so I could put all of the non-open-source systems on their own 'Guest' VLAN, and let them have Internet but not access to the LAN where personal documents are stored. Who the heck knows what's running on the Roku firmware, but now with VLAN's, who the heck cares? (and the kids can still watch their cartoons).

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  36. NCEES certifies software engineers too, more prova by raymorris · · Score: 2

    Minor nitpick - you're thoroughly mistaken. The National Council of Examiners for Engineering and Surveying has standards for certifying software engineers just like any other branch of engineering.

    "The term engineer is reserved for disciplines requiring strict standards and provable output"

    Perhaps you're unaware that software can be much more provable than concrete or steel. D-Link could have had strict standards that would have prevented this problem. Few developers employ engineering methods properly, and few developers create software that is known to be reliable.

    Most people building software are not engineers, just as most people building houses are not engineers and most people building machines are not engineers. Go back to your Engineering 101 book and look up the definition of "engineering". It's 100% applicable to the design of software systems. People simply fail to apply it where they should, in many cases.

    The fact that I can build a shed without an engineering degree doesn't mean civil engineering doesn't exist, and simple software doesn't mean there's no such thing as properly engineered software systems.

  37. Different model checked not to be vulnerable by Anonymous Coward · · Score: 0

    I checked DIR-605L firmware 1.12; seems NOT to have this particular backdoor. Not trying to brute-force different user agents though.

    1. Re:Different model checked not to be vulnerable by akeeneye · · Score: 1

      My DIR-601 with firmware 1.02NA does not appear to have this backdoor. I installed the firmware from the D-Link website a few weeks ago and it was the latest available at that time.

      --
      The man who dies rich dies disgraced. -- Andrew Carnegie
  38. erratasec.com is already scanning the net... by Anonymous Coward · · Score: 0

    These guys are already scanning the entire internet to find these boxes. I've seen numerous requests across geographies originating from their IP address.
    https://ip.robtex.com/209.126.230.72.html#whois
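
Added example, not part of any comment in this thread: one way to spot the kind of probe described above in your own web server logs is to match the backdoor User-Agent string from the story summary against the User-Agent field of each request. The log lines are constructed samples in Combined Log Format using documentation address ranges, and the function name is an assumption.

```python
import re

# Backdoor User-Agent string quoted in the story summary.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined Log Format:
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"\s*$'
)

# Constructed sample lines, not real traffic.
SAMPLE_LOG = """\
192.0.2.10 - - [14/Oct/2013:09:12:01 +0000] "GET / HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [14/Oct/2013:09:12:05 +0000] "GET / HTTP/1.1" 401 0 "-" "xmlset_roodkcableoj28840ybtide"
198.51.100.7 - - [14/Oct/2013:09:12:06 +0000] "GET /index.html HTTP/1.0" 404 0 "-" "XMLSET_roodkcableoj28840ybtide"
203.0.113.44 - - [14/Oct/2013:09:13:40 +0000] "GET /?q=xmlset_roodkcableoj28840ybtide HTTP/1.1" 200 90 "-" "curl/7.30.0"
this line is not a log entry
"""


def find_backdoor_probes(log_text):
    """Return (hits, unparsed).

    hits maps source IP -> list of (time, request, status) for requests whose
    User-Agent field contains the backdoor string; unparsed lists the line
    numbers that did not match the log format, so they can be reviewed by hand.
    """
    hits, unparsed = {}, []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        if not line.strip():
            continue
        m = LOG_RE.match(line)
        if m is None:
            unparsed.append(lineno)
            continue
        # Compare against the User-Agent field only (case-insensitively), so
        # the string appearing in a URL or referer is not counted as a probe.
        if BACKDOOR_UA in m.group("ua").lower():
            hits.setdefault(m.group("ip"), []).append(
                (m.group("time"), m.group("request"), int(m.group("status"))))
    return hits, unparsed


if __name__ == "__main__":
    probes, skipped = find_backdoor_probes(SAMPLE_LOG)
    for ip, requests in probes.items():
        print(ip, len(requests), "probe(s):", requests)
    print("unparsed lines:", skipped)
```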

  39. The obvious fix for this class of problem is ... by Skapare · · Score: 1

    ... to not put any software or firmware on it at all. That way people just hire the kid down the street to load free software on it (or do it yourself).

    --
    now we need to go OSS in diesel cars
  40. Guess it's a good thing it died by Anonymous Coward · · Score: 0

    The wireless function on my DI-542 died a couple years ago. Maybe it was the NSA trying to upgrade the firmware...

    I can't really believe anyone is still running those things.

  41. Didn't work 8-( by Anonymous Coward · · Score: 0

    I have a DI-524 (old, never updated).

    Tried with a direct about:config line (must be created) in FF... didn't work. Tried with User Agent Switcher extension... didn't work.

    On all occasions, access to the router is challenged with a user/password dialogue. Maybe it would have worked with the default (empty, AFAIR) password.

    Just for the record, I use WPA2.

  42. It would be a real shame... by BrentNewland · · Score: 1

    if someone made a virus that automatically flashes vulnerable router firmware with DD-WRT with tor turned on.

  43. wget and curl by SgtChaireBourne · · Score: 1

    It's even easier to verify. You don't need to write your own program, though that would be fun. You can use curl or wget. Both support using custom User-Agent strings. One or the other will come pre-installed by default on your system, unless it is that Other OS.

    --
    Beta is broken and the link to classic doesn't work. Stop wasting our time or there won't be anybody left here.