A researcher who found a slew of vulnerabilities in a popular router said it’s so hopelessly broken that consumers who own one should throw it away. Pierre Kim said attackers could easily exploit the vulnerabilities and use the device as a spamming zombie or a man-in-the-middle tool. “I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector,” Kim said.

The router, D-Link’s DWR-932B, suffers from 20 vulnerabilities, including a backdoor, backdoor accounts, and a default Wi-Fi Protected Setup PIN, to name a few of them. Kim, who’s based in South Korea and has discovered his fair share of router bugs in the past, says the faulty D-Link router is still being sold in stores. Given the lack of vendor response, Kim doesn’t believe users should expect a patch anytime soon.

The model is based on the Quanta LTE brand router, a device that Kim looked at last winter and also found riddled with vulnerabilities. Kim began looking into the D-Link router after receiving a tip from Gianni Carabelli, a developer at the Italian e-commerce platform Triboo Group, that the routers were similar. While Quanta ultimately decided not to fix the vulnerable router – it was plagued by similar flaws: backdoors, a hard-coded SSH key, and remote code execution bugs – it’s unclear whether D-Link will address the issues in the DWR-932B. Kim broke down all of the vulnerabilities in a public advisory, which he forwarded to security mailing lists, on Wednesday.

According to Kim, both SSH and telnet run by default in the D-Link router. On top of that, two backdoor accounts, which can be used to bypass HTTP authentication, also exist. The router also suffers from default passwords – the password for admin is “admin” while the password for the root account is “1234.”

In addition to the backdoor accounts, a backdoor in the device’s software also exists. If an attacker sends a string, “HELODBG,” to the router’s UDP port, it allows root access in telnet. The router also suffers from a hardcoded PIN in its Wi-Fi Protected Setup that can be gathered from either the router’s App Manager program or its HostAP configuration tool, according to Kim. If for some reason an attacker didn’t want to use the hardcoded WPS PIN, they could easily generate their own temporary PIN. The algorithm the software uses is so weak that the researcher claims it’d be trivial for an attacker to generate valid WPS PIN suites and brute force them.

The credentials needed to contact the firmware over-the-air (FOTA) server, or access a dynamic DNS No-IP account, are also hardcoded, and the device’s HTTP daemon is also chock full of vulnerabilities, including two remote code execution bugs, Kim said.

See more at: Backdoored D-Link Router Should be Trashed, Researcher Says