Backdoor Account Found in D-Link DIR-620 Routers

Catalin Cimpanu, writing for BleepingComputer: Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet. Discovered by Kaspersky Lab researchers, this backdoor grants an attacker access to the device's web panel, and there's no way in which device owners can disable this secret account. The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface, and hence, reachable from anywhere on the Internet.

OpenWRT/LEDE is the only solution

[Jimbo+God+of+Unix]

This is why I will never buy or recommend any router that cannot be flashed/used with OpenWRT/LEDE.

Re:OpenWRT/LEDE is the only solution

[bondsbw]

He didn't say that

Actually he did. Before you can secure the router, you have to buy the router. Before you buy the router, you have to decide whether it meets your criteria. By providing his criteria, he indicated his first step.

Re:OpenWRT/LEDE is the only solution

[ArchieBunker]

Calm down man you get any more angry and that Fedora is going to fly off. Your argument died with Heartbleed. Open source that nobody looked at.

Re:OpenWRT/LEDE is the only solution

[fred6666]

I just installed openwrt/LEDE 17.01.4 on a TP-Link Archer C7 v2. I downloaded the file, used the web page to upload it and waited. How could it be any easier?

I then configured the router using the LuCI web interface which is better than most stock router web interface.

Re:OpenWRT/LEDE is the only solution

Once it was checked, the news was out quickly, and fixes not far behind. Contrast that with propriety security flaw handling.

Re:OpenWRT/LEDE is the only solution

[gweihir]

Just continue to be stupid. It is no use arguing with people like you, you have all the answers and no clue. There is just no basis to explain actual reality to you, you are utterly disconnected.

You're telling them about our backdoors?

[JoeyRox]

https://www.youtube.com/watch?v=s1A4B9AzFNU#t=1m26s

Re:You're telling them about our backdoors?

[p0larity]

Aww, the big softie.

Disable WAN access you say?

[squiggleslash]

I don't know how many people actually enable WAN access to begin with. And it's off by default.

But, regardless, that's probably not the major problem. The major problem comes if your own network is compromised, say, by an IoT device. Then it potentially has a password to your router.

That seems to me to be likely a much bigger problem.

Re:Disable WAN access you say?

[houghi]

On the one hand I could turn of the IoT stuff as they add nothing really. On the other hand it is just my toaster and it runs Linux, so it is secure, right?

Re:Disable WAN access you say?

[sheph]

There's typically two levels. There's the level for the user, and then there's the administrative level that's for your service provider. It's how they magically push updates to your equipment, and I'm not sure you can turn that off.

Re:Disable WAN access you say?

[squiggleslash]

The DIR-620 is a consumer Wi-Fi router, I actually have one somewhere although it's not in use. It's not something you'd get from an ISP, who would generally want something with either a DSL or cable modem built in, otherwise they'd have to give you two boxes and risk you screwing up the configuration between the two somehow.

I can say it's pretty insecure to begin with, default username 'admin', no password, with nothing to encourage you to set a password.

Re:Disable WAN access you say?

[viperidaenz]

Service providers don't use the web admin interface
https://en.wikipedia.org/wiki/...

Re:Disable WAN access you say?

[Agripa]

otherwise they'd have to give you two boxes and risk you screwing up the configuration between the two somehow.

lol. Really? The casual user's cablemodem gives out an ethernet port, which you connect your own router to, which will work out of the box in every case as new routers are already set to DHCP. If you're like me and have a business, then the cablemodem will give you multiple ports, which will behave the same way. I have static IP addresses, so the configuration becomes a little (just a little) more involved, but "screwing up the configuration" is not on the agenda.

The ISP gives you one box by preference and if you are lucky, it operates in straight passthrough in one form or another requiring a customer to use their own router which the ISP cannot deal with. And then there are ISPs like AT&T which expect you to use their modem/router and passthrough mode is crippled so you never get full functionality if you use your own router.

I like how AT&T would update the firmware on their router resetting all configuration to reenable things like the WiFi and breaking all security. I never used their Wifi and always had my x86 FreeBSD router between their router and my LAN despite how they crippled this mode of operation by blocking protocols and limiting connections.

Re:Disable WAN access you say?

[squiggleslash]

It sounds like you didn't understand what we're talking about. The person I was responding to thought that the DIR-620 might be the type of device ISPs give out. I said it isn't because it's just a router. ISPs don't generally give out routers unless they also have a cable modem or DSL modem built in.

You seem to be reading that backwards as "ISPs don't give out DSL modems or cable modems unless they have a router built in" which is (obviously!) not the case. ISPs will provide customers with bare modems, but they won't give their customers routers, unless they're also modems. Some obscure ISP you've never heard of that was really cool to you one time excepting, of course.

The point is that ISPs wouldn't send their customers DIR-620s, and so would never have cause to need remote admin access to one enabled.

Re:Disable WAN access you say?

[p0larity]

Somebody didn't even read the article summary.

Right in it they say Russian ISPs actually did give it out.

Re:Disable WAN access you say?

[p0larity]

I'll save you the trouble:

Not that many devices left around to exploit

The good news is that D-Link DIR-620 devices are older router models and there aren't that many around to exploit.

Most of these devices were deployed by Russian, CIS, and Eastern European ISPs as on-premise equipment provided to broadband customers.

The vast majority of these devices are located in Russia, and Kaspersky said it already contacted ISPs to inform them of the issue.

Shodan searches for these devices reveal less than 100 DIR-620 routers available online, showing that most ISPs have headed Kaspersky's warnings and restricted access to these devices on their networks.

Re:Why would you expose the admin interface to WAN

[mi]

There is no good reason to ever do this.

Tweaking the router remotely for your elderly parents or other friends is a valid use-case... Yes, you can — and I do — achieve that by ssh-ing into a Unix computer behind the router, and then use a tunnel to talk to the router's LAN interface. But that may be too complex for most people, wouldn't you agree?

Don't by ANY router that...

[bobbied]

Cannot be flashed with third party firmware. I use OpenWRT and DD-WRT and I *refuse* to buy any consumer router that doesn't have at least a porting effort to one of these third party firmware packages.

It's not a perfect solution, but it's one heck of a lot better than just trusting the manufacturer to do the right thing and fix their security issues in a timely manner.

Re:Don't by ANY router that...

[bobbied]

That's cute that you believe flashing a firmware with something else is an absolute guarantee of security.

To quote my original post:

It's not a perfect solution, but it's one heck of a lot better than just trusting the manufacturer ...

Having issues with reading comprehension? I think so.

Re:Don't by ANY router that...

[gweihir]

Indeed. And while not perfect, you get updates and patches long-term and you can do thinks yourself if you like.

Re:Don't by ANY router that...

[gweihir]

The "only commercial software is good software" morons cannot even think. You expect them to be able to comprehend written language? That is wayyy beyond what they can do. At best, they can do keyword matching.

Re:Don't by ANY router that...

[Solandri]

I browse with an extension that shows the flag of the country a site is hosted at in the URL bar. I was always nervous about using DD-WRT because for years the site was hosted in China (they changed hosts to Switzerland recently). So you shouldn't automatically trust third party firmware either. And if you're really paranoid you should be downloading source and compiling the firmware yourself. If you can trust that the source code is clean. (For those curious, OpenWRT is hosted in Germany.

Re:Don't by ANY router that...

[Agripa]

That's cute that you believe flashing a firmware with something else is an absolute guarantee of security.

It is better than the alternative of using the stock firmware but not as good as using something like Linux or FreeBSD on your own x86 or possibly now ARM hardware.

Not the first time

[klingens]

Why would anyone still buy anything from D-Link or e.g. Cisco?

With their stuff, backdoors are not the exception but mandatory feature for every device they sell. 2013, 2016, now.
https://www.theregister.co.uk/... DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240" maybe more.
https://thehackernews.com/2016... DWR-932 B

So, sure once maybe it's an error or oversight. But the number of backdoors with pretty much all router manufacturers, from low end cheapo consumer D-Link to usurious Cisco plated with gold stuff, shows it's not an oversight but pretty much deliberate. Both manufacturers are only examples here. All of them have similar holes several times over the last few years, repeatedly. Or they are too incompetent to be allowed to design and then sell anything to the public.

Re:Not the first time

[gweihir]

D-Link is a nice base to flash OpenWRT on. No other sane use.

Re:Not the first time

[Agripa]

Why would anyone still buy anything from D-Link or e.g. Cisco?

Damn if I know.

I gave up on D-Link more than 10 years ago when they reneged on firmware updates for Wifi security which they said they would support and then their routers just died one after another within a span of months. Since then I have been using the same Slot 1 x86 based FreeBSD router which is going on 20 years old now and has failed once ... when the ice machine upstairs sprung a leak and dripped water into it. And that only knocked it out of operation for 24 hours and 15 minutes of downtime since I had a spare Pentium4 to replace it temporarily; FreeBSD did not even blink at the hardware change.

Re:Why would you expose the admin interface to WAN

Too complex for most people - yes
Too complex for someone who can be trusted to remotely tweak a router - no

Router found on backdoor

[goombah99]

At this point, I think it's fair to say that it was a backdoor that also had a router. Indeed I suspect the router was probably found left on the backdoor.

and D-Link wont update the firmware?

[FudRucker]

they rather you go buy a new D-Link Router, if i had one of these routers i would be sure to buy another brand, but if D-Link quickly made a new firmware and patched my router it would give me confidence in D-Link's attention to detail and would gladly make my next router a D-Link product, (something to think about D-Link people)

Re:and D-Link wont update the firmware?

[UnknowingFool]

To be fair to D-Link, that's a really old router that according to the article less than 100 are still being used. But D-Link did say that an update would be provided if an enterprise customer requested it.

Re:and D-Link wont update the firmware?

[Agripa]

they rather you go buy a new D-Link Router, if i had one of these routers i would be sure to buy another brand, but if D-Link quickly made a new firmware and patched my router it would give me confidence in D-Link's attention to detail and would gladly make my next router a D-Link product, (something to think about D-Link people)

I am still waiting on the firmware update for my DI-624s with D-Link's promised Wifi security updates. I am sure they will release them any day now; it has only been 15 years.

OpenBSD DIY

[DaMattster]

I basically just use an old Dell and threw OpenBSD on it. I have something that is really functional and secure.

Re:OpenBSD DIY

[Agripa]

Hmm, the only problem is that an old Dell uses ten times more power than a little ARM based router. Something like a $30 Raspberry Pi with Raspbian may be a better idea for a home router.

More generic old x86 hardware does a little better. Underclock the processor, make sure power management is enabled, and replace the mass storage with solid state storage.

The problem with ARM is finding something which has 2 or more *real* Ethernet ports for a reasonable price and none of them will have ECC memory. Low end x86 which can include ECC is a lot more flexible and still economical even for power.

The Marvell Espressobin looks interesting given its low price. Ha! It even has OpenWrt support but I do not see any FreeBSD.

So done w/ commercial routers

[sremick]

And this is why I finished with commercial router firmware.

First Tomato, then dd-wrt, now pfSense on custom hardware.

Re:So done w/ commercial routers

[gweihir]

As anybody else with a clue is doing as well.

Re:So done w/ commercial routers

[afidel]

I have a clue, I have managed enterprise class routers and firewalls and been using Linux since 1995, I use a Netgear router at home. Their no cost integration with OpenDNS for content filtering and anti-malware protection is better than any opersource solution I have found. They also continue to provide security updates for years after the device is no longer for sale (previous model was ~8 years old when I replaced it for better WiFi performance, it had had a firmware update about 3 months before I retired it for a CVE).

Which open router software?

[sconeu]

I'd like to replace my vendor supplied router with one running open software.

I'm just not sure which is considered the most current, or the pros and cons of the various distros.
* DD-WRT
* OpenWRT
* Lede
* Tomato (is that even still around)?
etc...

Suggestions? (Maybe I should make this an Ask Slashdot?)

Re:Which open router software?

[gweihir]

First, check for patch history to see what is currently maintained. And then select the one of the remaining ones were you like the interface best.

Re:Which open router software?

[sconeu]

That's a good option, but I'm looking for Wifi too... want to use *MY* wifi rather than the ISP's, in case they decide to do fun stuff like turning my wifi into a hotspot...

Re:Which open router software?

[pnutjam]

Merlin works well if your running an Asus device.

Re:Which open router software?

[Voyager529]

DD-WRT is generally pretty solid and is available on a far greater number of routers.

Tomato is my personal favorite, not the least of which because it does ad blocking at the router level and is a bit better with VLANs than DD-WRT.

OpenWRT isn't my favorite, but it's gotten a lot better recently. I was particularly happy that it's available for some Cisco Meraki hardware. The least intuitive of the three IMO, but it does the job in lots of cases.

All of them have upstream updates from within the past three months, so no one is particularly slacking. availability on particular hardware is a case-by-case basis, so that's the bigger factor. In addition, my recollection is that none of the current consumer router vendors have been very good with open-sourcing the drivers for their AC chipsets. Odds are pretty good that you'll notice a performance dip in wireless if you're using onboard. You can resolve that by using separate access points (for which I'll recommend Ubiquiti, or even the latest crop of TP-Link APs have been surprisingly solid), but you will end up running into the same issues with aftermarket firmware on the APs unless you only care about running OSS at the router level.

Re:Which open router software?

[Agripa]

That's a good option, but I'm looking for Wifi too... want to use *MY* wifi rather than the ISP's, in case they decide to do fun stuff like turning my wifi into a hotspot...

There are some FreeBSD friendly Wifi adapters but much better for both features and RF propagation is to use dedicated indoor access points like something from Ubiquiti.

Re:Why would you expose the admin interface to WAN

[WinstonWolfIT]

If I were to help my parents out with their router, I'd simply remote in to one of their computers and proceed. There is absolutely no way I'd ever expose critical infrastructure to the wild wild web.

Re:Why would you expose the admin interface to WAN

[itsme1234]

Too complex for someone who can be trusted to remotely tweak a router - no

And what is your suggestion for the case mentioned by the GP "for your elderly parents or other friends"? As somebody suggested earlier "just use an old Dell and threw OpenBSD on it"? Let them have a full computer just so you can tunnel through the router to it and then access from it the router interface? There's always a compromise between security and convenience and really in this case it isn't the worst compromise possible to just let the router interface available. I bet there are out there many more ancient windows boxes that haven't been patched for many years, fully exposed to internet than these routers.

Re: Backdoor found in 20 year old router

[c6gunner]

I knew a guy who was running one 2 years ago. Far bigger problem than any built in account was that he had the WiFi set up to use WEP, since that was the standard back when he first configured it.

Re:Why would you expose the admin interface to WAN

[gweihir]

Cheaper than possible developers at work. They think this is the thing to do for easy debugging and, since nobody will ever find that password (right?), it can just be left in. Yes, morons on that level do not only exist, there are a lot of them in the industry.

DD-WRT is pretty darned secure

[thomst]

ArchieBunker demanded:

Have you done an audit of the code yourself? Are you sure anyone else has? Would you know what to look for?

I use DD-WRT exclusively on all my routers.

It's 100% open source, and there are several people who are still actively developing it. In addition, there's a lot of security-savvy users who closely examine and pen-test each release.

In 2008, a pair of backdoor IP addresses were discovered in the code (placed there by one of the developers, at a customer's request). Both were accessible only from the NAT side of the router, and both were removed within an hour of being reported ...

Re:DD-WRT is pretty darned secure

[fred6666]

Too bad their last stable release (V24 SP1) is from 9 years ago. They are almost done with the SP2!

And by 100% open source, you mean is heavily dependent on closed source drivers obtained from broadcom under NDA?
With outdated info on their wiki on how to build the source?

Re:DD-WRT is pretty darned secure

[thomst]

fred6666 sneered:

Too bad their last stable release (V24 SP1) is from 9 years ago. They are almost done with the SP2!

And by 100% open source, you mean is heavily dependent on closed source drivers obtained from broadcom under NDA? With outdated info on their wiki on how to build the source?

As the AC who posted after your comment pointed out, there are beta releases all the time - many of which are by BrainSlayer (who was the principal architect for V24 SPI, and is the principal architect for SP2, as well). For popular routers (i.e. - inexpensive and relatively powerful ones), there are often 2 or 3 betas per month. So who the hell cares about the "stable" release of SP2, when Kong's v3.0-r33675M (which I use on all 3 of my ASUS RT-56U's) is reliable, stable, has all relevant security issues patched, and supports more functions than most users will ever need?

(BTW - I agree with that guy about ignoring the router database, too. It's full of misinformation and outdated releases that no sane admin would choose to install on an Internet-exposed router. Newbies to DD-WRT should search the forums for advice on the best forks and versions to install for their particular make and model, instead.)

As for the Broadcom code, again, openwrt uses a set of reverse-engineered drivers, and it is a freakin' nightmare to configure. DD-WRT is straighforward. I don't give a flying fuck at a rolling donut that the comm driver is proprietary. I care that it works.

I will grant your point that, for Broadcom-based routers (including mine), the DD-WRT drivers are proprietary. I just don't care - and the fact that the DD-WRT developers choose to use them, rather than replace them with the reverse-engineered versions speaks volumes about how efficient, stable, and reliable they believe the open-source ones are ...

Re:DD-WRT is pretty darned secure

[fred6666]

As the AC who posted after your comment pointed out, there are beta releases all the time - many of which are by BrainSlayer (who was the principal architect for V24 SPI, and is the principal architect for SP2, as well). For popular routers (i.e. - inexpensive and relatively powerful ones), there are often 2 or 3 betas per month. So who the hell cares about the "stable" release of SP2, when Kong's v3.0-r33675M (which I use on all 3 of my ASUS RT-56U's) is reliable, stable, has all relevant security issues patched, and supports more functions than most users will ever need?

(BTW - I agree with that guy about ignoring the router database, too. It's full of misinformation and outdated releases that no sane admin would choose to install on an Internet-exposed router. Newbies to DD-WRT should search the forums for advice on the best forks and versions to install for their particular make and model, instead.)

Sounds like a very badly managed project from one man in his mom's basement. Why should newbies have to search on forums and use a fork? What's wrong with the main branch? Why don't they fix it?
I wouldn't trust DD-WRT with security updates if I have to use a beta fork.

As for the Broadcom code, again, openwrt uses a set of reverse-engineered drivers, and it is a freakin' nightmare to configure.

You probably haven't used openwrt in the past 8 years or so. It's very easy to configure with a web-based UI like any other router.
It's also much easier to configure if you want to build from source and choose which package to include.
But you are right that broadcom-based devices should be avoided with openwrt.

DD-WRT is straighforward. I don't give a flying fuck at a rolling donut that the comm driver is proprietary.

Well just don't say that DD-WRT is 100% open source and this will be fine with me.

I care that it works.

I will grant your point that, for Broadcom-based routers (including mine), the DD-WRT drivers are proprietary. I just don't care - and the fact that the DD-WRT developers choose to use them, rather than replace them with the reverse-engineered versions speaks volumes about how efficient, stable, and reliable they believe the open-source ones are ...

They don't just choose to use the proprietary drivers, it's worst than that. You can't just go to broadcom web site and download them. They are given to DD-WRT under NDA. I believe part of the driver must be recompiled for each kernel. It also forces DD-WRT to maintain several kernel branches and with the limited staff they have, I am sure they can't maintain security updates in all of them. I am not even sure I'd trust them more than D-Link on security.

Re:Why would you expose the admin interface to WAN

[Fallen+Kell]

Yes, but most of those ancient windows systems are behind routers and firewalls which prevents them from being readily accessed from the internet. However, having the firewall/router accessible from the internet just exposed all those systems behind it...

Web-Facing Control Panels

[Shadyman]

"The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface"

Why would you willingly expose even the most secure login page to the net if you didn't have to? Between bruteforce, backdoor accounts, overflow errors, URL manipulation, and yes, even the dreaded default password,

tl;dr: Why do you have your admin panel WAN-accessible in the first place? -_-

Re:Web-Facing Control Panels

[pnutjam]

All of those can be mitigated without too much work. Let's no cower under our beds like NRA members.

Re:Web-Facing Control Panels

[Agripa]

Why would you willingly expose even the most secure login page to the net if you didn't have to? Between bruteforce, backdoor accounts, overflow errors, URL manipulation, and yes, even the dreaded default password,

If you trust the hardware and software, which I would not for any commercial or consumer stuff, then you might expose a secure login to the router so that the firewall rules can be modified to allow incoming connections only from your current IP.

And that is why Kaspersky is outlawed in the USA

[johanw]

They are too good at finding US backdoors in US products.

Re:Why would you expose the admin interface to WAN

[mi]

I'd simply remote in to one of their computers and proceed

So, you are fine exposing "one of their computers" to the "wild wild web", but not the router itself?.. Because routers are somehow uniquely exploitable?

Re:Why would you expose the admin interface to WAN

[itsme1234]

Most of those "fully exposed to internet" systems are "behind routers and firewalls"?

Re: Backdoor found in 20 year old router

[c6gunner]

He wasn't in a rural area; he was in a heavily populated city. From his house I could pick up more than 20 other APs.

There are numerous known weaknesses in WPA, but it's nowhere near as insecure as WEP. I've never seen a WEP AP which couldn't be broken into in a matter of minutes. The amount of time it would take with WPA can vary wildly depending on numerous factors but will typically be much longer.

But we don't trust Kaspersky!

[brunes69]

Kaspersky is a shill of the Russian government right?

We don't trust anything they say!

Re:Why would you expose the admin interface to WAN

[WinstonWolfIT]

I was expecting this level of paranoia. A 30-minute session in a program I won't mention because neckbeards annoy me, problem solved, and program closed, is better than exposing a router 24/7.

So, what's the login ?

[Kopp]

I happen to have an old DIR 620 Router of which I'm locked out ....

Re:Why would you expose the admin interface to WAN

[mi]

Whatever program you are using, neckbeard, talking to whatever computer, if you want to tweak a device without moving your dimply behind into very close physical proximity of the device in question, you must allow remote access of some sort — that is, as you put it, expose something to the "wild wild web". That's a given and unavoidable risk inherent in the requirement.

The entire conversation is about mitigating this risk — such as by using a more secure protocol or a more reliable device.

My preference is ssh-ing into a FreeBSD computer behind the router — because I trust ssh and FreeBSD more than I trust router-makers. Most people, yourself included by all appearances, use Windows at home, and I struggle trying to understand, why you'd prefer trusting Windows over the router firmware...

Whatever your personal preference, the use-case I described remains valid.

Re:Why would you expose the admin interface to WAN

[WinstonWolfIT]

Holy Messiah, it's not complicated. Mum connects to a hosted service, I connect to same hosted service. The security of this hosted service is orders of magnitude beyond what I could do on my own. And, again, 30 minutes later we're DISCONNECTED.

Re:Why would you expose the admin interface to WAN

[mi]

The security of this hosted service is orders of magnitude beyond what I could do on my own

It is also a magnet for hackers and subpoenas... It also costs you money, or privacy, or both.

It is perfectly legitimate to not want any third parties involved...

Finally, if you are willing to have your mom involved in the tweaking process at all, instead of training her to use this 3rd-party, you can teach her to enable the WAN-access feature of the router — and disable it 30 minutes later.

Re:Why would you expose the admin interface to WAN

[WinstonWolfIT]

Fuck off. And while you're fucking off, shave that stupid neck.

Re:Why would you expose the admin interface to WAN

[mi]

Seldom is one's online-debate victory quite as complete, as this one is today... You made it adversarial, and then lost.

Not only are you bad at anything IT, you are, evidently, a bad person as well.