D-Link is, surprisingly, Taiwanese.
Which makes this backdoor a bit puzzling.
A group of embedded-device hackers has turned up a vulnerability in D-Link consumer-grade products that provides unauthenticated access to the units' admin interfaces. The backdoor means an attacker could take over all of the user-controllable functions of the popular home routers, which includes the DIR-100, DI-524, DI-524UP …
These are all pretty old devices. I have a DI-524 on my network (and a DI-604 lying around somewhere spare), and they both have firmware issues that really mean that anybody still using them must have a masochistic streak, or not care (which may include the majority of users, unfortunately).
There has not been a firmware update for something like 8 or 9 years, and it is not possible to set the date on them (either manually or by pointing it at an SNTP server) to any date after December 2008 if I remember correctly. I would expect that most people would have tossed theirs whenever they updated their broadband package.
Just in case anybody was tempted to try hacking into mine, I'm not using the WAN side at all, merely using it as a WiFi router on one of my wireless zones behind my Linux firewall.
It's clearly a debugging addition that someone forgot to remove.
Big mistake, but while in development things like this can be very useful and a good idea. What isn't a good idea is forgetting it's there. You should comment your code appropriately and do a global find to identify these things long before they reach production.
ob·scure adjective \äb-ˈskyu̇r, əb-\
: not well-known : not known to most people
: difficult to understand : likely to be understood by only a few people
: difficult or impossible to know completely and with certainty
se·cure adjective \si-ˈkyu̇r\
: protected from danger or harm
: providing protection from danger or harm
It appears that I am technically correct. The best kind of correct.
Getting rid of the device would be the best first step, but not everybody will be able to act upon that measure in a timely fashion. Disabling remote admin would at least stop a completely unsolicited probe from owning you. The unit could still be attacked via XSS very easily.
Having actually read the original report, the backdoor was partially found through skill and partially a bit of luck. Who knows what else is in the code? If you can't trust the coder, then you can't trust the code.
Testing cannot reveal everything. It'd be like brute forcing. It ain't gonna work.
Open source is one viable option.
Do I need to explain everything?
Well, it's clearly a malicious backdoor, "Joel" even calls it a backdoor.
http://forum.codenet.ru/q58748/
It seems to have been known/exploitable since 2010. At this point a full recall of D-Link kit and a lawsuit are required.
xmlset_roodkcableoj28840ybtide backwards is:
editby04882joelbackdoor_teslmx
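A small Python script, added here as an example and not code from the thread or from D-Link, that reverses the string the way the post above suggests and then scans web-server access-log lines for it so an administrator can spot the marker in logs. The log lines and addresses are constructed for the example, and it assumes the access log records the User-Agent field, which is where the original report found the web server checks for the string.

```python
import re

# The string quoted in the thread, as found in the D-Link web server binary.
BACKDOOR_STRING = "xmlset_roodkcableoj28840ybtide"


def reverse_string(s: str) -> str:
    """Return the string reversed, as the post suggests reading it."""
    return s[::-1]


# Constructed sample access-log lines (combined log format: client, timestamp,
# request, status, size, referer, user-agent). These are made up, not captures.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2013:10:01:02 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.0.2.77 - - [12/Oct/2013:10:01:05 +0000] "GET /cgi-bin/setup.cgi HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.15 - - [12/Oct/2013:10:02:11 +0000] "POST /login.cgi HTTP/1.1" 401 128 "-" "curl/7.32.0"
"""

# Parser for the combined log format used in SAMPLE_LOG.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_backdoor_hits(log_text: str):
    """Return (client_ip, request) for every line whose User-Agent carries the
    marker string, or that contains it anywhere (case-insensitive)."""
    marker = BACKDOOR_STRING.lower()
    hits = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = parse_line(raw)
        if rec is None:
            # Unparseable line: still flag it if the marker appears anywhere.
            if marker in raw.lower():
                hits.append(("<unparsed>", raw.strip()))
            continue
        if marker in rec["ua"].lower() or marker in raw.lower():
            hits.append((rec["ip"], rec["req"]))
    return hits


if __name__ == "__main__":
    print("reversed:", reverse_string(BACKDOOR_STRING))
    for ip, req in find_backdoor_hits(SAMPLE_LOG):
        print(f"marker seen from {ip}: {req}")
```

On the constructed sample the scan flags the one request from 192.0.2.77; on a real log the same function can be fed the file contents directly, and any hit is worth treating as an attempt to use the unauthenticated path rather than a normal browser visit.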
"So there's factory firmware that provides a backdoor"
It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair.
Having said that, the sheer number of unconfigured routers I see on wifi isn't confidence inspiring. There are still a lot of old pieces of kit out there even if more recent stuff has a random key or forces the user to set one.
"It's pretty much accepted that every piece of embedded kit has some secret sauce to allow the makers to intervene when everything is badly screwed up, although usually it's in the form of some soopersekret login/pass pair."
With something like this, the usual fallback is the factory reset, which is supposed to reset the firmware back to default settings (which are written in the manual with the caveat that you're supposed to CHANGE it once you're in). Failing that, there's also usually the emergency flashing mode, which should allow for the flashing of ANY firmware in a local setting. If even that fails, then there's likely something fundamentally wrong with it and it will need physical attention in any event.
I could understand the downvote if the OP was like guys often are, saying something like, "Any moron who doesn't put dd-wrt on his router deserves to get hacked anyway!", which is a really arrogant attitude - but he just recommended it "for those who can", which is entirely reasonable. Do the people who develop that firmware have any enemies? :P
Why are people downvoting you for pointing out that fact... The internet is a funny place.
So, the recommendation is to brick these routers by installing a firmware they are not capable of running? A sledgehammer is a quicker and functionally identical method of "fixing" this issue.
Although not responsible for the original downvote, I get tired of this relentless "DD-WRT is great" bullshit. In particular this idea that a $50 consumer grade device becomes a $1000 enterprise router with a change of firmware - "See, it does everything that this more expensive router does".
Apart from simple performance of course - packet throughput is frequently less than 1% of the more expensive device. It's frequently much worse than even the original firmware - those extra functions don't come for free but take extra processing time. This is leaving aside that third party firmwares, DD-WRT especially, usually aim for device coverage as opposed to getting it to work properly on any single device. That frequently means a less powerful wifi signal if the antenna is not optimally configured. How many open source developers wanting a cheap, capable router have access to an EMI testing lab? That'd be none of them.
Yes, DD-WRT has its place but all too often it is advocated in an axiomatic fashion by the relentless fiddlers. Like here for instance where the router does not support it. Too often it simply devolves to the point of "See, look what I've done, aren't I clever?" when the reality is no extra functions were needed so it is actually "I've made my router slower and less powerful to show how clever I am".
> Too often it simply devolves to the point of "See, look what I've done, aren't I clever?" when the reality is no extra functions were needed so it is actually "I've made my router slower and less powerful to show how clever I am".
Well, it also means you have a router running open source software in all likelihood devoid of xmlset_roodkcableoj28840ybtide-style backdoors. And you can even check - if you're mighty competent and have too much time on your hands - or at least build from source yourself (if you don't trust the blob).
You can most certainly trust the community's source code review more than any company's.
That's where I see the value anyway.
It is for reasons like this, exactly like this, that I live 4.8 miles from the neighbours, I don't use wifi, and have two separate wired networks in the house. On one, connected to the internet, I have a diskless PC, a boot disk, a printer and a scanner. I boot from the disk and print anything I want to transfer to my other network. My other network is fully wired, has PCs, printers, scanners, and anything I want to transfer from the one network to the other I print on one system and scan into the other.
Oh, wait, perhaps I don't, maybe I just steal a neighbour's wifi using a similar backdoor to the one mentioned in this article. I love the prevalence of BT supplied H/W in the UK :-)
Backdoors have been around for a very long time, for some odd reason they seem to get little reportage, perhaps that is because of hidden influence?
I would have ensured a back door existed in an incredibly common driver binary for DD-WRT and received endless amusement watching people installing it to escape the other firmware I nobbled some time ago.
Is your router secure?
... although these things are normally litigated in the US, does anyone have any insight into whether the existence of a deliberately introduced massive security flaw (into a device whose function is partly to implement security between the WAN and the LAN) could count as the goods being unfit for purpose in the UK? Any law students fancy a go at a UK test case?
I can't see that it was really known three years ago. Translating the last few lines of the Russian post gives:
And there is an interesting line in the elf-binaries Web server:
xmlset_roodkcableoj28840ybtide
(Try reading it backwards)
To sum up - friends, colleagues, tell me where to find the list of users / passwords?
So it looks as though he had not followed up the lead, at least not publicly ;-)
Given that most of these devices DO support WPA2, which supports AES as well as TKIP. These have not been compromised and most of the talk about WPA2-PSK cracking has been in the same old problems: weak passwords. As for the WPS button, which IS handy so I don't have to carry around my standard-limit WPA key, especially to devices where entering the key is difficult, I just make sure to use it carefully so that the device is most likely to be seen first, and I check my client tables afterwards in case of intruders.
Accidentally breached a neighbour's WPA protected router. I was using Netgear wireless adapter's interface and clicked on the neighbour's SSID and suddenly was in. Backtracked and discovered that if I flipped the Netgear interface between WPA and no security the neighbour's router was accessible. I could, if I wanted, use their internet and change settings in their D-Link (as it turned out to be) router.
This was a couple of years ago and the ISP has stopped issuing that D-Link model.
Not really surprised. If at least D-Link followed the wifi standard properly, it would be a huge improvement. The number of D-Link routers I've seen that "work fine on the old laptop", but for some reason the latest shiny laptop or tablet they got just can't connect to, would be funny if it wasn't so sad.