The networking giant D-Link has acknowledged and committed to fixing a very serious backdoor vulnerability in a number of its older routers.
The vulnerability was uncovered by security researcher Craig Heffner as he was reverse engineering a version of the D-Link firmware, according to our friends at Threatpost. He came across an odd string in the code and realized that an attacker could potentially exploit this vulnerability, log into the router’s administrative panel remotely, and make any number of critical settings changes, like changing the password, disabling encryption, cutting off the wireless signal, and all sorts of other things. The attacker could pretty easily lock the user out of the router as well by changing the admin panel password, so that any malicious changes would be difficult to undo. Hackers might want to use this vulnerability to build a router-based botnet, or simply to get internet access via someone else’s hotspot, adding one more layer to protect their anonymity.
Hat tip to D-Link for seeing that they had a serious vulnerability and initiating the process to fix it. Unfortunately, this isn’t like a Windows or a Mac operating system update, where Microsoft or Apple asks if you’d like to install their updates, or in some cases just installs them automatically. Updating router firmware requires that you access the back end of the router, find the update firmware section, go to the router manufacturer’s website, download the correct firmware update file, go back into the router back-end interface, and upload the new firmware there.
In other words, D-Link saves a bit of face patching this thing, and, honestly, they’ve done everything they possibly can. It would be absolutely unreasonable to expect them to create invulnerable routers. Problematically though, the vast majority of affected users will remain vulnerable until they are forced to buy a new router, which is often a very long time, because the firmware update process is just too complicated and because most users neither know how to update these things nor will they even be aware there is a backdoor vulnerability in the first place.
Serious router bugs are among the worst kind in many cases, given that user interaction with routers – for the most part – is limited to power-cycling them (turning them off and on again) when the wireless signal drops off. If the router is compromised, the whole network behind it is exposed. Compounding the seriousness, the router lifecycle is pretty long. Routers aren’t like computers or mobile devices that get better and better every year. If a router works, it’s likely that users rarely even think about it. When Apple releases a new iPhone, it’s all-iPhone-all-week. When Cisco, Huawei or some other networking company releases new router gear, almost no one knows about it.
The affected products are D-Link’s DIR-100, DIR-120, DI-624S, DI-524UP, DI-604S, DI-604UP, DI-604+, and TM-G5240 routers. If you own any of these routers, I recommend you read our post about locking down routers. It has a pretty good explanation of how the firmware update works, broadly speaking. I’ll warn you though, and this is part of the reason these router vulnerabilities are so serious: if you mess up the firmware upgrade, you might break the router and you may be out of luck. Even if you update it properly, you might lose all of your custom settings. I’ve done it before, but I really try to avoid updating my router’s firmware unless I absolutely have to. Unfortunately for anyone operating on any of the models mentioned above, this might be one of those cases where an update is totally necessary.
D-Link says that the patch fixing the vulnerability will be ready by the end of the month, so there is no fix to apply yet. When the update is eventually made available, you will need to go to the D-Link support page and follow the instructions there. Until a new version of the firmware is available, security experts recommend that users with affected models ensure that their wireless networks have WPA2 enabled and use random passwords.
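The interim advice above (WPA2 with a random password) deserves a little detail, because in WPA2-Personal the passphrase is not used directly: the 256-bit pre-shared key (PSK) is derived from the passphrase and the network name (SSID) with PBKDF2-HMAC-SHA1, 4096 iterations, as specified in IEEE 802.11i. The strength of that passphrase is therefore what stands between a captured handshake and offline guessing. The script below is an added illustration, not code from the original post or from D-Link: it generates a passphrase from a cryptographically secure source, checks the 802.11i length and character constraints (8 to 63 printable ASCII characters), and derives the PSK the same way a router or `wpa_passphrase` does. The `"password"`/`"IEEE"` pair is the standard test vector from the 802.11i annex; all other names are this example’s own.

```python
import hashlib
import math
import secrets
import string

# WPA2-Personal (IEEE 802.11i) passphrase rules: 8 to 63 printable ASCII characters.
MIN_LEN, MAX_LEN = 8, 63

# Character set used by the generator (example's own choice): letters, digits and
# a selection of punctuation that common router web interfaces accept.
ALPHABET = string.ascii_letters + string.digits + "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def validate_passphrase(passphrase: str) -> bool:
    """Return True if the passphrase satisfies the 802.11i length and ASCII-printable rules."""
    if not MIN_LEN <= len(passphrase) <= MAX_LEN:
        return False
    return all(32 <= ord(c) <= 126 for c in passphrase)


def generate_passphrase(length: int = 32) -> str:
    """Draw a passphrase uniformly from ALPHABET using the CSPRNG in the secrets module."""
    if not MIN_LEN <= length <= MAX_LEN:
        raise ValueError(f"WPA2 passphrase length must be {MIN_LEN}-{MAX_LEN}, got {length}")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def passphrase_entropy_bits(length: int) -> float:
    """Entropy in bits of a passphrase of the given length drawn uniformly from ALPHABET."""
    return length * math.log2(len(ALPHABET))


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """PSK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes), per IEEE 802.11i.

    Note that the SSID acts as the salt: the same passphrase on two networks with
    different names yields two different PSKs, but a guessable passphrase is still
    guessable, which is why a random one is recommended.
    """
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase violates 802.11i length/charset rules")
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"), 4096, dklen=32
    )


if __name__ == "__main__":
    # Standard 802.11i test vector: passphrase "password", SSID "IEEE".
    print("test vector PSK:", derive_psk("password", "IEEE").hex())

    # Generate a fresh passphrase for a constructed SSID and show the derived PSK.
    ssid = "example-home-net"  # constructed sample network name
    pp = generate_passphrase(32)
    print(f"passphrase ({passphrase_entropy_bits(32):.0f} bits of entropy):", pp)
    print("derived PSK:", derive_psk(pp, ssid).hex())
```

A 32-character passphrase from this 90-symbol alphabet carries roughly 207 bits of entropy, far beyond what offline guessing of a captured four-way handshake can reach, whereas a dictionary word or a phone number falls to a wordlist in minutes. The passphrase only protects the wireless link, though; it does nothing against a backdoor reachable through the router’s administrative interface, which is why the firmware update still has to be applied once D-Link publishes it.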
It’s not always clear why such a backdoor might exist, but it may have been put there intentionally so that its maker could provide remote support or a debugging mechanism for the product during its development. In the past, companies have done this and simply forgotten to remove the backdoors later.