D-Link confirms, defends router back-door code
October 16, 2013 // 9:50 a.m.
D-Link has confessed to deliberately inserting back-doors in older models of its broadband routers, defending the move as a failsafe against firmware crashes, while stating that the method is no longer used in its current devices.
The company hit headlines earlier this week when a security researcher discovered a particularly insecure back-door system in its router firmware files: simply changing a browser's user agent to a particular string, which contained the phrase 'edit by 04882 joel backdoor' written backwards, would allow full access to the router's administrative control panel without the need to know the username or password.
Although D-Link quickly announced that it would be releasing firmware updates for the affected routers - the DIR-100, DIR-120, DI-524 and DI-524UP, DI-604S, DI-604UP and DI-604+, DI-624S, and TM-G5240 - it failed to detail how the back-door code ended up in the products in the first place, nor what purpose it served. Speaking to bit-tech this morning, the company has offered a few more details regarding the flaw.
'The so-called back-door was implemented in these six older products as a failsafe for D-Link technical repair service to retrieve router settings for customers in case of firmware crashes that would result in lost configuration information,' a company spokesperson explained via email. 'Nonetheless, the new firmware updates will respectively revoke any failsafe opportunity.
'The affected models all shared a very early software platform that predated today's standard failsafe mechanisms, so this [back-door] one had to be used. At that time, roughly ten years ago, this method was one of several that were commonly used by the industry. Since then, failsafe mechanisms have become standard inclusions in newer platforms, obviating the need for backdoors. Thus this approach is no longer used and this particular issue is irrelevant to modern products nowadays.'
The company has pointed out that, of the models known to be affected by the vulnerability, some - the DIR-120, DI-524 and DI-524UP - reached end-of-life status more than three years ago. Others, however, are more current - and the flaw has also been successfully used against the DIR-615, a current-generation model of wireless router still sold by the company and chosen by numerous ISPs for provision to customers. The company has also declined to state whether it will be performing a code audit to ensure that similar back-doors are not present in any other of its networking products.
We have asked for clarification on the status of the DIR-615 - which has not been listed as receiving a firmware update to resolve the flaw, despite confirmation from users that it is indeed vulnerable - and will update this article accordingly.
D-Link has stated that no firmware update is due for the DIR-615, despite claims by users that selected models are vulnerable to the back-door. 'As far as we are aware, the DIR-615 is not affected by this issue,' a spokesperson has told bit-tech.