D-Link Finally Shuts Firmware Backdoor in Routers

D-Link has finally released a patch to fix a serious vulnerability in a number of routers that allows a hacker to remotely change the settings.

The vulnerability was originally discovered back in October by Tactical Network Solutions vulnerability researcher Craig Heffner, who specializes in wireless and embedded systems. He reverse engineered a previous firmware update and saw that the vulnerability grants full access to the configuration page without the need for a username and password.

"Various D-Link routers allow administrative web actions if the HTTP request contains a specific User-Agent string," reads the patch overview. "This backdoor allows an attacker to bypass password authentication and access the router's administrative web interface. Planex and Alpha Networks devices may also be affected; please contact these vendors directly at their regional websites."

Heffner discovered that if a browser's user agent string is set to "xmlset_roodkcableoj28840ybtide", hackers can gain access to these routers if connected to the network via Ethernet or wireless, or if the router's configuration page is publicly accessible. When reversed and with the numbers removed, this string actually reads "edit by joel backdoor," as if the "backdoor" in the routers' firmware was intentionally placed.
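A defender-side check for the trigger described above, added here as an example and not taken from D-Link or Heffner: it scans HTTP access logs for the User-Agent value and decodes the marker the way the article describes. It assumes Combined Log Format lines from a proxy or sensor in front of the router; the function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# User-Agent value quoted in the article as the backdoor trigger.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Combined Log Format lines from a proxy or sensor in front of the router.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def find_backdoor_requests(lines):
    """Map each source address to the (time, request, status) of flagged requests."""
    hits = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m is None:
            continue  # not in the assumed log format
        # Substring, case-insensitive match so padded or re-cased values are still flagged.
        if BACKDOOR_UA in m["ua"].lower():
            hits[m["src"]].append((m["time"], m["request"], int(m["status"])))
    return dict(hits)

def decode_marker(ua=BACKDOOR_UA):
    """Reverse the part after 'xmlset_' and drop the digits, as the article describes."""
    tail = ua.split("_", 1)[1]
    return "".join(c for c in reversed(tail) if not c.isdigit())

# Constructed sample lines (documentation address ranges, placeholder paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2014:10:15:01 +0000] "GET / HTTP/1.1" 401 128 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2014:10:16:44 +0000] "GET / HTTP/1.1" 200 2048 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.7 - - [01/Jan/2014:10:16:50 +0000] "POST /placeholder HTTP/1.1" 200 64 "-" " XMLSET_roodkcableoj28840ybtide "',
    'malformed line without the expected fields',
]

if __name__ == "__main__":
    for src, reqs in find_backdoor_requests(SAMPLE_LOG).items():
        for when, request, status in reqs:
            print(f"ALERT {src} [{when}] {request!r} -> HTTP {status}")
    print("marker decodes to:", decode_marker())
```

A flagged request that received a 200 response is the case worth triaging first, since it indicates the device served the administrative page rather than rejecting the request.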

"The so-called backdoor was implemented in these six older products as a failsafe for D-Link technical repair service to retrieve router settings for customers in case of firmware crashes that would result in lost configuration information," a company spokesperson told Bit-Tech back in October.

The firmware update was reportedly slated for a late October release but instead saw a slight delay. Models affected by the "backdoor" problem include DIR-100, DIR-120, DI-524, DI-524UP, DI-604UP, DI-604+, DI-624S, and TM-G5240. This new firmware is expected to lock those backdoors once and for all.

"Security and performance is of the utmost importance to D-Link across all product lines," a company rep previously stated. "This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards."

D-Link previously suggested that customers should make sure their network is secure, and disable remote access to the router if it's not required. Customers should also ignore unsolicited emails that relate to security vulnerabilities and prompt them to action. For more information about the new firmware, head here.

  • Rancifer7
    Well at least we "know" the NSA plant at D-Link is named Joel. Gotta start somewhere eh?
    3
  • clonazepam
    I always had the thought that the modems could potentially have backdoors. Anyone looking at those?
    2
  • Darkk
    While this backdoor had its good intentions from a customer service standpoint, it was poorly designed. The backdoor should be unique to each device. Backdoor should ask for a password such as the device's serial number and a few digits of the MAC address. Also add a deny timer if hacking of the backdoor is in progress.

    Easy to implement. Ah well, least they took it out entirely.
    0