It has been found that seven domestic router models, made by well-known networking firm D-Link, can be easily controlled remotely via a back door. Researcher Craig Heffner found the exploit by reverse engineering some D-Link router software. This process revealed a character string which can be used to get full access to the admin page of these routers. D-Link has promised a fix for this vulnerability by the end of October.
Heffner speculates that the backdoor was used by D-Link to provide remote firmware updates. He noted that a hard-coded string in the authentication system, ‘xmlset_roodkcableoj28840ybtide’, provides full access to the router web interface with no username or password required when it is used as the ‘user agent’ string. If we look at that string of characters and reverse it we can read it as ‘edit by 04882 joel backdoor’. So it looks like a programmer called ‘Joel’ put this back door in the router software deliberately.
The list of affected D-Link routers is as follows:
- DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and the TM-G5240
- Also Planex, a Japanese networking company, has two router models which are equally vulnerable; the BRL-04UR and BRL-04CW.
D-Link has published an update on this “router security issue” on its support pages. The firm says that “Security and performance is of the utmost importance to D-Link across all product lines”. D-Link also said it was currently working with the sources of the back door reports “to ensure that the vulnerabilities discovered are addressed”.
While the networking hardware firm readies updates for the affected routers it has recommended that users do the following:
- Ignore unsolicited emails about security vulnerabilities that prompt you to action. These could allow unauthorised access to your network
- Make sure that your wireless network is secure.
- Disable remote access to your router if it is not required (this is disabled by default).
As mentioned in the introduction, D-Link hopes to have updates available to apply to the affected router models by the end of October. Planex is yet to respond to the news.