This does not give me the warm fuzzies. Nor should it give the warm fuzzies to people who own certain D-Link routers. Craig Heffner, a vulnerability researcher with Tactical Network Solutions, discovered that some D-Link routers have a built-in backdoor: a hard-coded User-Agent string that bypasses authentication on the web interface, so anyone who can reach that interface can view and change the device settings. In his words:
if your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings
Now, what does “xmlset_roodkcableoj28840ybtide” mean? The part after the underscore, read backwards, is “edit by 04882 joel backdoor.” That implies the string was put there deliberately by whoever wrote the firmware, most likely as a shortcut during development or testing. Shortcuts like this are supposed to be removed before a product ships. This one clearly wasn’t.
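As an added example (not code from the original post, from Heffner’s write-up, or from D-Link), here is the check and the detection that follow from the quoted behaviour: a differential request against the router’s web interface with and without the backdoor User-Agent, and a scan of web-server access logs for requests that carried that string. The admin path `/`, the probe User-Agent, and the sample log lines are assumptions constructed for the example.

```python
"""Added example, not code from the original post, from Heffner's write-up
or from D-Link.  It shows two practical uses of the backdoor string the
post describes: a differential check against a router's web interface
(auth demanded for a normal browser UA, none for the magic UA) and a
scan of HTTP access logs for requests that carried the string."""
import re
import urllib.error
import urllib.request

# The User-Agent string quoted above from Heffner's write-up.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"


def decode_backdoor_string(ua=BACKDOOR_UA):
    """Reverse the part after 'xmlset_' to expose the embedded comment."""
    tail = ua.split("_", 1)[1]
    return tail[::-1]  # "editby04882joelbackdoor"


def fetch(url, user_agent, timeout=5.0):
    """GET url with the given User-Agent; return (status, body).
    HTTP error responses (401, 403, ...) are returned, not raised."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def classify(normal_status, backdoor_status, bodies_identical):
    """Interpret the two responses.  The behaviour described in the post
    is: authentication demanded for a normal UA, a 200 with the device
    settings page for the backdoor UA."""
    if backdoor_status == 200 and normal_status != 200:
        return "VULNERABLE"
    if normal_status == backdoor_status and bodies_identical:
        return "NOT_AFFECTED"
    # Same status but different bodies (e.g. a login form vs. the real
    # settings page, both served as 200) needs a human look.
    return "INCONCLUSIVE"


def check_device(base_url, path="/"):
    """Live differential check.  The path '/' is an assumption; the page
    that demands a login varies by model, so pass the admin page if known."""
    url = base_url.rstrip("/") + path
    n_status, n_body = fetch(url, "Mozilla/5.0 (differential probe)")  # assumed probe UA
    b_status, b_body = fetch(url, BACKDOOR_UA)
    return classify(n_status, b_status, n_body == b_body)


# Combined log format: ip ident user [ts] "request" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def find_backdoor_hits(log_text):
    """Return every request whose User-Agent contains the backdoor string.
    Containment rather than equality, so a padded UA is still caught."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and BACKDOOR_UA in m.group("ua"):
            hits.append({"ip": m.group("ip"), "ts": m.group("ts"),
                         "request": m.group("req"),
                         "status": int(m.group("status"))})
    return hits


# Constructed sample log lines for an offline run (not real traffic).
SAMPLE_LOG = """\
192.0.2.10 - - [13/Oct/2013:10:01:02 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.7 - - [13/Oct/2013:10:01:09 +0000] "GET / HTTP/1.1" 200 4312 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.10 - - [13/Oct/2013:10:02:30 +0000] "GET / HTTP/1.1" 200 2210 "-" "Mozilla/5.0 (X11; Linux x86_64)"
"""

if __name__ == "__main__":
    print("decoded:", decode_backdoor_string())
    for hit in find_backdoor_hits(SAMPLE_LOG):
        print("backdoor UA seen:", hit)
    # Live check from the LAN side, e.g.: print(check_device("http://192.168.0.1"))
```

Run the live check from the LAN side against the router’s own address; whether the interface is also reachable from the WAN depends on whether remote management is enabled. A 401 for the ordinary browser UA and a 200 for the backdoor UA is the behaviour Heffner describes; if both requests get a 200 but the pages differ, compare the two bodies before drawing a conclusion.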
The following routers are affected by this:
Several Planex routers also appear to use the same firmware:
D-Link has now posted a statement on its website discussing the issue. Among other things, it says:
We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.
We will continue to update this page to include the relevant product firmware updates addressing these concerns.
It sounds like this will eventually be fixed.
My take on this? This is an #epicfail if I have ever seen one. It leaves those who have these routers with the impression that D-Link doesn’t take security seriously. That’s not good. Hopefully this is addressed by them quickly and transparently.