Kaspersky Lab has identified two hardcoded backdoor accounts and two security flaws in D-Link DIR-620 routers.
Despite being a terrible security practice, it is not that uncommon for router or surveillance camera vendors to ship devices with hardcoded default credentials. Besides the potential for abuse by the vendors themselves, the practice exposes users to every kind of attacker, from botnet operators to nation states. Because the credentials are identical on every unit and cannot be changed by the owner, a single firmware dump or leaked password exposes the entire installed base, and from then on compromising any one device is trivial.
According to Kaspersky's researchers, the first hardcoded account cannot be changed by the router's administrator, which suggests it was never meant to be visible to users and was put there deliberately so that the vendor's staff could log in to the routers remotely. Kaspersky also found a second backdoor account for the Telnet service, which could give an attacker administrative access to the router from the network.
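The practical check for this class of problem is to unpack the firmware image and look at the account database it ships with. The following audit script is an added example, not Kaspersky's or D-Link's code: it assumes the firmware root filesystem has already been extracted to a directory (for instance with binwalk or unsquashfs) and contains Unix-style etc/passwd and, optionally, etc/shadow files. The sample passwd and shadow contents embedded in the script are constructed for the demo; the account names and hashes are placeholders, not real DIR-620 data.

```python
"""Audit an extracted firmware root filesystem for hardcoded login accounts.

Added example, not Kaspersky's or D-Link's code. It assumes the firmware's
squashfs root has already been unpacked to a directory (e.g. with binwalk
or unsquashfs) and contains Unix-style etc/passwd and, optionally,
etc/shadow. The sample file contents below are constructed for the demo
and are not real DIR-620 firmware data.
"""
import os
import tempfile

# Shells that do not give an interactive login; such accounts are not backdoors.
NOLOGIN_SHELLS = {"", "/bin/false", "/sbin/nologin", "/usr/sbin/nologin", "/bin/nologin"}

# Constructed sample files (hashes are placeholders, not real password hashes).
SAMPLE_PASSWD = """\
root:$1$abcdefgh$0123456789abcdefghijkl:0:0:root:/root:/bin/sh
admin:x:1000:1000:web admin:/home/admin:/bin/sh
support:x:1001:1001:vendor support:/tmp:/bin/sh
nobody:*:65534:65534:nobody:/nonexistent:/bin/false
daemon:!:2:2:daemon:/sbin:/bin/sh
"""
SAMPLE_SHADOW = """\
admin:$1$ijklmnop$zyxwvutsrqponmlkjihgfed:17600:0:99999:7:::
support::17600:0:99999:7:::
"""


def parse_colon_file(path):
    """Parse a passwd/shadow-style file into {username: fields}."""
    rows = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            line = line.rstrip("\n")
            if not line or line.startswith("#"):
                continue
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def classify_password_field(pw):
    """Return a finding reason for a password field, or None if the account is locked."""
    if pw == "":
        return "empty password (passwordless login)"
    if pw == "*" or pw.startswith("!"):
        return None  # locked: no password can match
    if pw == "x":
        return "unresolved (points to shadow, but no shadow entry found)"
    return "fixed password hash baked into the image"


def find_hardcoded_accounts(rootfs):
    """List accounts with a login shell and a usable (or empty) password."""
    passwd_path = os.path.join(rootfs, "etc", "passwd")
    shadow_path = os.path.join(rootfs, "etc", "shadow")
    passwd = parse_colon_file(passwd_path)
    shadow = parse_colon_file(shadow_path) if os.path.exists(shadow_path) else {}
    # On a read-only squashfs root a regular /etc/passwd cannot be edited by the
    # device administrator; a symlink into /var or /tmp suggests it is generated
    # at boot from configuration and might be changeable.
    baked_in = not os.path.islink(passwd_path)

    findings = []
    for user, fields in passwd.items():
        if len(fields) < 7:
            continue  # malformed line, not a standard 7-field entry
        pw, uid, shell = fields[1], fields[2], fields[6]
        if shell in NOLOGIN_SHELLS:
            continue
        if pw == "x" and user in shadow and len(shadow[user]) > 1:
            pw = shadow[user][1]
        reason = classify_password_field(pw)
        if reason is not None:
            findings.append({"user": user, "uid": uid, "shell": shell,
                             "reason": reason, "baked_in": baked_in})
    return findings


def demo():
    """Write the constructed sample files to a temp rootfs and audit it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write(SAMPLE_PASSWD)
        with open(os.path.join(root, "etc", "shadow"), "w") as fh:
            fh.write(SAMPLE_SHADOW)
        return find_hardcoded_accounts(root)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['user']} (uid {f['uid']}, {f['shell']}): {f['reason']}")
```

On the constructed sample the script reports root and admin (fixed hashes) and support (empty password), and skips nobody and daemon, whose entries are locked or have no login shell. Whether a flagged account is reachable in practice still depends on which services (Telnet, the web interface) accept it, so the list is a starting point for testing, not proof of a backdoor on its own.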
One of the vulnerabilities Kaspersky found in the DIR-620 allows a cross-site scripting (XSS) attack: the web interface echoes request input back into its pages without filtering or escaping special characters such as angle brackets, so an attacker who gets an administrator to open a crafted link can run script of their choosing in the administrator's browser session, which is enough to issue authenticated requests to the router on the attacker's behalf. The other vulnerability is an operating system command injection, the result of request data being passed to the router's underlying shell without validation; shell metacharacters in a parameter let an attacker run arbitrary commands on the device with the web server's privileges, which on routers of this kind is typically root.
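Both bugs come from the same root cause: request input is used in a sensitive context (a shell command line, an HTML page) without being validated for that context. The following example, added here and not taken from D-Link's firmware, shows a typical router diagnostic handler that pings a user-supplied host and echoes the result; the page name, parameter name and attacker inputs are assumed for illustration, not from the Kaspersky report. It contrasts the vulnerable string-concatenation and unescaped-output versions with the hardened ones.

```python
"""Diagnostic-page handler: OS command injection and reflected XSS, vulnerable vs hardened.

Added example, not D-Link's firmware code. The 'ping' diagnostic page, the
host parameter and the attacker inputs are constructed for illustration.
"""
import html
import re
import shlex
import subprocess

# Constructed attacker inputs, not taken from the Kaspersky report.
ATTACKER_HOST = "8.8.8.8; cat /etc/passwd"
ATTACKER_XSS = "<script>alert(document.cookie)</script>"


def build_ping_command_vulnerable(host):
    """Naive CGI handler: the request parameter is pasted into a shell command line.
    Run through os.system()/popen(), the ';' ends ping and starts a second command."""
    return "ping -c 1 " + host


def build_ping_command_quoted(host):
    """Half-fix: shell-quote the value. Metacharacters no longer reach the shell,
    but the value still goes to ping as one argument, so an input beginning
    with '-' can still be parsed by ping as an option."""
    return "ping -c 1 " + shlex.quote(host)


# Allowlist: hostname/IP characters only, no whitespace, no leading '-'.
HOSTNAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?")


def validate_host(host):
    """Reject anything that is not a plausible hostname or IPv4 address."""
    if not HOSTNAME_RE.fullmatch(host):
        raise ValueError("host contains characters not allowed in a hostname or IP address")
    return host


def ping_argv(host):
    """Hardened: allowlist the value and pass it as a single argv element.
    No shell is involved, so there is nothing for metacharacters to act on."""
    return ["ping", "-c", "1", validate_host(host)]


def run_ping(host):
    """Execute the hardened command (not used in the demo; needs a network)."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True, timeout=10)


def is_rejected(value):
    """True if the hardened handler refuses the value."""
    try:
        ping_argv(value)
    except ValueError:
        return True
    return False


def render_result_vulnerable(host, output):
    """The parameter is echoed back into the page unescaped: reflected XSS."""
    return f"<p>Result for {host}:</p><pre>{output}</pre>"


def render_result_safe(host, output):
    """Escape on output, for the HTML context: '<', '>', '&' and quotes become entities."""
    return f"<p>Result for {html.escape(host, quote=True)}:</p><pre>{html.escape(output)}</pre>"


def demo():
    """Compare what each version does with the constructed attacker inputs."""
    return {
        "vulnerable_cmd": build_ping_command_vulnerable(ATTACKER_HOST),
        "quoted_cmd": build_ping_command_quoted(ATTACKER_HOST),
        "hardened_rejects_injection": is_rejected(ATTACKER_HOST),
        "hardened_rejects_option": is_rejected("-c 100000"),
        "hardened_accepts_host": ping_argv("8.8.8.8"),
        "vulnerable_html": render_result_vulnerable(ATTACKER_XSS, ""),
        "safe_html": render_result_safe(ATTACKER_XSS, ""),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two design points are worth noting. Filtering a list of "dangerous" characters, the fix the page implies D-Link missed, is fragile because the list is never complete; an allowlist of what the value may contain, combined with never invoking a shell at all, closes the command injection regardless of which metacharacters the attacker tries. For the XSS, escaping belongs at the output side, in the HTML context where the value is rendered, rather than at input, so the same stored value can be safely emitted wherever the interface later shows it.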
D-Link Needs To Step Up Its Security Game
Although the two vulnerabilities are not sophisticated, and D-Link's developers should have been able to avoid them, the bigger issue is the hardcoded backdoor accounts. After years, if not decades, of watching such accounts get taken over by attackers, D-Link should have known better than to build them into its routers.
Kaspersky looked at the DIR-620 because it is widely deployed in Russia, where D-Link sells it directly to ISPs, who in turn hand it to their subscribers. Since D-Link reuses the same firmware across several router lines, the same type of vulnerabilities may well exist in other D-Link models too. The usual mitigation until fixed firmware is available, for this and similar flaws, is to disable Telnet and block access to the router's management interface from the WAN side; an ISP-supplied router is a particular concern here, because its owner rarely updates it and often has no control over which remote-management services are enabled.