D-Link has finally patched a serious security vulnerability in selected models of router, following the discovery of an easily-accessed back-door deliberately and knowingly inserted by an employee known only as 'Joel' ostensibly for settings recovery purposes.
Discovered by researcher Craif Heffner back in October this year
, there was little doubt that the flaw was a deliberate insertion: using 'xmlset_roodkcableoj28840ybtide', which tellingly contains the backwards plain-text string 'edit by 04882 joel backdoor', as your browser's user agent bypassed the router's requirement for a username and password to access the configuration menu.
D-Link, to its credit, admitted that the discovery was real
but defended the practice. 'The so-called back-door was implemented in these six older products as a failsafe for D-Link technical repair service to retrieve router settings for customers in case of firmware crashes that would result in lost configuration information,
' a company spokesperson claimed via email at the time. 'Nonetheless, the new firmware updates will respectively revoke any failsafe opportunity.
Those firmware updates were promised to arrive by the end of October, but hit something of a last-minute delay. For those still running the affected routers - models DIR-100, DIR-120, DI-524 and DI-524UP, DI-604S, DI-604UP and DI-604+, DI-624S, and TM-G5240 - the news is good: the company has finally released updated firmware files which remove the hard-coded back-door once and for all.
The files, the last of which was released to the public late last night, are available on the company's official support site
and are a recommended update for anyone running any of the above models. Suggestions that an additional model of router, the DIR-615, is also vulnerable to the flaw have been denied by D-Link with no firmware update planned for that device.