Backdoor Accounts, Security Vulnerabilities Found In D-Link DIR-620 Routers

Kaspersky Labs identified two hardcoded backdoor accounts and two security flaws in D-Link DIR-620 routers.

Despite being a terrible security practice, it’s actually not that uncommon for router or surveillance camera companies to have hardcoded default credentials in their devices. Besides the potential for abuse from the companies themselves, this practice exposes users to all sorts of attackers, from botnet owners to nation states. The hardcoded credentials make it trivial to hack these devices once attackers learn about them.

According to Kaspersky’s researchers, the hardcoded account cannot be changed by the routers’ administrators. This probably means it was never meant to be seen by users and that the account is purposely made to allow D-Link employees to remotely log in to the routers. Kaspersky also discovered yet another backdoor account for Telnet, which could have given attackers administrative access to the routers.

One of the vulnerabilities Kaspersky found in D-Link’s DIR-620 routers allows for a cross-site scripting (XSS) attack. The D-Link developers seem to have missed filtering certain special characters, which allows attackers to deliver an exploit by sending malicious code to the routers. The other vulnerability is an operating system command injection, the result of incorrect processing of input data.
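As an added example (not code from the article or from D-Link's firmware), here are the two input-handling bug classes the paragraph describes, written in C the way a router CGI handler would be: a hypothetical ping-diagnostics `host` parameter spliced straight into a shell command, beside the allow-listed version, and an HTML escaper for the result page that echoes the value back. The parameter name and the ping page are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
/* Constructed illustration, not DIR-620 firmware code: a hypothetical CGI
 * handler takes a "host" parameter from a ping/diagnostics page, the kind of
 * path where unfiltered special characters become OS command injection/XSS. */

/* Vulnerable pattern: the parameter is spliced straight into a shell
 * command line, so any shell metacharacter it carries alters the command. */
int build_ping_cmd_unsafe(const char *host, char *out, size_t outlen) {
    return snprintf(out, outlen, "ping -c 1 %s", host) < (int)outlen;
}

/* Hardened: allow-list the value instead of stripping "bad" characters.
 * A hostname or IPv4 literal needs only [A-Za-z0-9.-]; a leading '-' or
 * '.' is refused so the value can never be read as a ping option. */
int is_valid_host(const char *host) {
    size_t n = strlen(host);
    if (n == 0 || n > 253 || host[0] == '-' || host[0] == '.') return 0;
    for (size_t i = 0; i < n; i++)
        if (!isalnum((unsigned char)host[i]) && host[i] != '.' && host[i] != '-') return 0;
    return 1;
}

/* Refuse, don't repair, before the value reaches any command line. Better
 * still is execv() with a separate argv[] so no shell parses the string. */
int build_ping_cmd_safe(const char *host, char *out, size_t outlen) {
    if (!is_valid_host(host)) return 0;
    return snprintf(out, outlen, "ping -c 1 %s", host) < (int)outlen;
}

/* XSS half: escape on output whatever the page echoes back. Returns the
 * escaped length, or -1 if `out` is too small (fail closed, never truncate). */
int html_escape(const char *in, char *out, size_t outlen) {
    size_t w = 0;
    for (; *in; in++) {
        const char *rep = NULL;
        switch (*in) {
        case '<': rep = "&lt;"; break;   case '>': rep = "&gt;"; break;
        case '&': rep = "&amp;"; break;  case '"': rep = "&quot;"; break;
        case '\'': rep = "&#39;"; break;
        }
        size_t l = rep ? strlen(rep) : 1;
        if (w + l >= outlen) return -1;
        if (rep) memcpy(out + w, rep, l); else out[w] = *in;
        w += l;
    }
    out[w] = '\0';
    return (int)w;
}
```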

Although the two vulnerabilities are not too sophisticated, and D-Link developers should have been able to dodge them, the bigger issue is the hardcoded backdoor accounts. After many years, or decades even, of seeing such accounts being taken over by attackers, D-Link should have known better than to have them in its routers.

Kaspersky researched the DIR-620 router because it's a common router used by millions of people in Russia, as it's a router sold directly to ISPs, who then give it to their customers. However, as D-Link uses the same firmware on multiple router line-ups, it's possible the same type of vulnerabilities exist in other D-Link routers, too.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • gstar42
    How about an article reviewing SOHO wifi router manufacturers with an eye towards which ones take security seriously, don't have back doors, provide updates when new security issues are discovered, etc. I want a fast connection but don't want it to be part of someone's botnet!
  • PaulAlcorn
    I used Tomato for a long time, but not recently. Maybe it's time to pick another tomato :)

    https://en.wikipedia.org/wiki/Tomato_(firmware)

  • alan_rave
    Tomato is a good solution. But the user-friendly version (Asus wrt routers) costs $300-400
  • kuhndj67
    I've used Tomato on the classic linksys wrt54g (the router that the vendor left open to full OS replacement) for at least 10 years... for a while now it's been relegated to being an FTTH router (not doing any wireless work anymore) but it's still chugging along and so is Tomato. Both the 54g and Tomato are getting pretty old so they're outside my firewall (just in case) but they still work. As for DLink... never thought much of their networking products... seem pretty low end.