Tactical Network Solutions vulnerability researcher Craig Heffner, who specializes in wireless and embedded systems, recently discovered a security vulnerability in seven D-Link network routers after reverse engineering a recent firmware update. This vulnerability grants full access into the configuration page without the need for a username and password.
Heffner discovered that if a browser's user agent string is set to "xmlset_roodkcableoj28840ybtide," hackers can gain access to these routers if connected to the network via Ethernet or wireless, or if the router's configuration page is publicly accessible. When reversed and the numbers removed, this string actually reads "edit by joel backdoor" as if the "backdoor" in the routers' firmware was intentionally placed.
"My guess is that the developers realized that some programs/services needed to be able to change the device's settings automatically," Heffner writes. "Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something."
"The only problem was that the web server required a username and password, which the end user could change. Then, in a eureka moment, Joel jumped up and said, 'Don't worry, for I have a cunning plan!'" he adds.
According to Heffner, the affected models include D-Link's DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240. Also on the list are the BRL-04UR and BRL-04CW routers from Planex that appear to use the same firmware.
Obviously, this exploit could allow "hackers" to make unauthorized changes to the settings. As an example, the Domain Name System server addresses could be altered to direct users to rogue websites when they try to access legitimate versions. The risk for unauthorized access is even higher for routers that are configured for remote management.
D-Link now reports that the company will address the issue by the end of the month. "Security and performance is of the utmost importance to D-Link across all product lines," the company states. "This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed."
D-Link suggests that customers ignore unsolicited emails that relate to security vulnerabilities and prompt them to action. Customers should also make sure their network is secure, and disable remote access to the router if it's not required.