bit-tech.net

D-Link confirms, defends router back-door code

D-Link confirms, defends router back-door code

D-Link has confirmed that selected router models contain back-door code, defending the practice as a 'failsafe' against firmware crashes which has long since been replaced with new techniques.

D-Link has confessed to deliberately inserting back-doors in older models of its broadband routers, defending the move as a failsafe against firmware crashes, while stating that the method is no longer used in its current devices.

The company hit headlines earlier this week when a security researcher discovered a particularly insecure back-door system in its router firmware files: simply changing a browser's user agent to a particular string, which contained the phrase 'edit by 04882 joel backdoor' written backwards, would allow full access to the router's administrative control panel without the need to know the username or password.

Although D-Link quickly announced that it would be releasing firmware updates for the affected routers - the DIR-100, DIR-120, DI-524 and DI-524UP, DI-604S, DI-604UP and DI-604+, DI-624S, and TM-G5240 - it failed to detail how the back-door code ended up in the products in the first place, nor what purpose it served. Speaking to bit-tech this morning, the company has offered a few more details regarding the flaw.

'The so-called back-door was implemented in these six older products as a failsafe for D-Link technical repair service to retrieve router settings for customers in case of firmware crashes that would result in lost configuration information,' a company spokesperson explained via email. 'Nonetheless, the new firmware updates will respectively revoke any failsafe opportunity.

'The affected models all shared a very early software platform that predated today's standard failsafe mechanisms, so this [back-door] one had to be used. At that time, roughly ten years ago, this method was one of several that were commonly used by the industry. Since then, failsafe mechanisms have become standard inclusions in newer platforms, obviating the need for backdoors. Thus this approach is no longer used and this particular issue is irrelevant to modern products nowadays.
'

The company has pointed out that, of the models known to be affected by the vulnerability, some - the DIR-120, DI-524 and DI-524UP - reached end-of-life status more than three years ago. Others, however, are more current - and the flaw has also been successfully used against the DIR-615, a current-generation model of wireless router still sold by the company and chosen by numerous ISPs for provision to customers. The company has also declined to state whether it will be performing a code audit to ensure that similar back-doors are not present in any other of its networking products.

We have asked for clarification on the status of the DIR-615 - which has not been listed as receiving a firmware update to resolve the flaw, despite confirmation from users that it is indeed vulnerable - and will update this article accordingly.

UPDATE 2013-10-17:
D-Link has stated that no firmware update is due for the DIR-615, despite claims by users that selected models are vulnerable to the back-door. 'As far as we are aware, the DIR-615 is not affected by this issue,' a spokesperson has told bit-tech.

10 Comments

Discuss in the forums Reply
law99 16th October 2013, 13:18 Quote
Fair enough. You can't catch everything... although in a new product: come on guys! Get it done.
tuk 16th October 2013, 13:22 Quote
Quote:
Originally Posted by Gareth Halfacree
code is a 'failsafe,'
ohh the irony.
Wolfe 16th October 2013, 13:24 Quote
What the hell are they talking about?

The "failsafe" is the reset button on the back of the router (that requires hardware access). Period. This whole argument is completely bullshit.

This was NEVER a standard approach. Any proper router EVER has always used a physical override for any cases involving forgotten passwords, etc.. The very fact that it presents this on the WAN facing side just goes to show they have no interest in customer security at all.
tuk 16th October 2013, 13:43 Quote
^^this
CrapBag 16th October 2013, 13:55 Quote
I don't think my DSL 2740R has this issue according to the report.

Don't think I'm going to google backdoor vulnerability though.
Guinevere 16th October 2013, 15:32 Quote
The backwards pass phrase of "edit by 04882 joel backdoor" in lovely plain text is so obviously a developer hack introduced during some phase of firmware development. It should never have been left in and they know it. If it was a genuine backdoor they would have used a completely random string or a combination of entry vectors.... this is just a hack. Anyone who's ever coded anything can see it for what it is.

Somewhere there is a guy called Joel trying to keep a very low profile!

D-Link should have just fessed up. I wonder if Joel is still with them he's now in a much higher position?
tuk 16th October 2013, 15:46 Quote
Quote:
Originally Posted by Guinevere
The backwards pass phrase of "edit by 04882 joel backdoor" in lovely plain text is so obviously a developer hack introduced during some phase of firmware development.
Couple of months ago( after reading an article ) I was able to view the live code(firmware) running on my router, albeit in assembly lang, the text strings were obvious, the debugger I was using has a nice feature where it lists all the $trings found in a given piece of code, a string containing the word 'backdoor' would be very eye catching.
Quote:
Originally Posted by Guinevere

Somewhere there is a guy called Joel trying to keep a very low profile!
:D
Quote:

D-Link should have just fessed up.
Honesty is such an underrated quality ...trying to spin the truth just make things worse & further damages their credibility.
Guinevere 16th October 2013, 22:21 Quote
Quote:
Originally Posted by tuk
Honesty is such an underrated quality

Along with honour, compassion, integrity, humanity and a string of other itys.
Gareth Halfacree 17th October 2013, 16:46 Quote
Little update: D-Link has claimed the DIR-615 isn't vulnerable to the back-door, despite some users claiming otherwise, so it won't be getting an updated firmware.
B1GBUD 17th October 2013, 17:01 Quote
Given the choice, I'd never buy a D-Link router..... Here's why
Log in

You are not logged in, please login with your forum account below. If you don't already have an account please register to start contributing.



Discuss in the forums