D-Link's backdoor: What else is in there?

The backdoor discovered recently in D-Link routers is the last example of the company's lax stance on security

A recently unveiled backdoor in a number of late-model D-Link brand routers indicates that the practice of adding manufacturer's backdoors to network hardware is still alive and well.

For certain D-Link routers, a user can access the Web interface for the router by simply setting a browser's user-agent string to "xmlset_roodkcableoj28840ybtide".

Tactical Network Solutions researcher Craig Heffner found the backdoor after some experimentation with the 1.13 version of the firmware for the D-Link DIR-100 revA router. His thesis was that it was added intentionally by the manufacturers to allow remote services to change router settings, but it's also trivially easy for an attacker to use such a doorway to remotely hijack the router, read all network traffic passed through it, or do any number of other malicious things. Worse, the backdoor may have been lurking undetected in D-Link products for as long as three years -- plenty of time for automated exploits to be developed.

The fact that a factory-added backdoor exists in their products at all doesn't speak well for D-Link's attitude toward security, and the company's prior history of security issues bears that out.

Back in 2010, a number of D-Link routers sported what SourceSec Security Research described as "insecure implementations of the HNAP (Home Network Administration Protocol)." That protocol, created by Cisco, is normally used for remotely configuring and managing network devices. Unfortunately, as Paul Asadoorian of Tenable Network Security wrote, HNAP doesn't even encrypt its authentication traffic and leaks detailed information about the system it's talking to (such as the firmware revision of the router). SourceSec further noted that insecure HNAP implementations had been in D-Link routers since 2006 and couldn't even be turned off.

D-Link currently has a page on its website devoted to the "Router Security Issue," which urges users to download revised versions of the firmware. But the page is annoyingly vague -- it doesn't say which issue is in question, only that "various media reports have recently been published relating to vulnerabilities in network routers, including D-Link devices." The firmware listed on the page all dates from earlier in 2013, which implies this page was created in response to an earlier issue.

It's likely many of those updates were posted when multiple models of their IP cameras were found to have had security issues. (One such issue was reported back in April, but wasn't fixed until July.)

Security's inherently hard, but one way for manufacturers to avoid leaving themselves open to such issues would be to rely as much as possible on open source firmware components (such as DD-WRT), which can be audited by responsible third parties. But even that isn't a panacea, as unaudited flaws can turn up in open source as well. Back in July 2012, Busybox -- an open source utility used in many routers -- turned out to have a major vulnerability that would allow a remote DHCP server to run commands.

If D-Link's most recent product vulnerability was put there on purpose, what else might be lurking, as yet undetected, waiting to be exploited en masse? It's high time an open and independent review of their product firmware was conducted, rather than leaving these things to be discovered by security researchers on their own.

This story, "D-Link's backdoor: What else is in there?," was originally published at InfoWorld.com. Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies