Some D-Link Routers Have Built-In Backdoor…. Yikes!

This does not give me the warm fuzzies. Nor should it give the warm fuzzies to people who own certain D-Link routers. Craig Heffner, a vulnerability researcher with Tactical Network Solutions, discovered that some D-Link routers have a built-in backdoor that allows one to change settings and remotely execute code:

if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings 

Now, what does “xmlset_roodkcableoj28840ybtide” mean? The last part when read backwards is “edit by 04882 joel backdoor.” That implies it was written in by D-Link, likely during the development of the firmware as part of the development process. Except that these sorts of things are usually removed before the product is released. This one clearly wasn’t.

The following routers are affected by this:

  • DIR-100
  • DIR-120
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

Additionally, several Planex routers also appear to use the same firmware:

  • BRL-04UR
  • BRL-04CW

Now D-Link has  posted this on their website discussing the issue. Among other things, it says this:

We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.  
We will continue to update this page to include the relevant product firmware updates addressing these concerns. 

It sounds like this will eventually be fixed.

My take on this? This is an #epicfail if I have ever seen one. It leaves those who have these routers with the impression that D-Link doesn’t take security seriously. That’s not good. Hopefully this is addressed by them quickly and transparently.

Advertisements

One Response to “Some D-Link Routers Have Built-In Backdoor…. Yikes!”

  1. Pretty good post. I just stumbled upon your blog and wanted to say that I have really enjoyed reading your blog post.

    d-link support

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: