December 2, 2013

D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.

D-Link DI-524 router.

The update comes roughly seven weeks after researcher Craig Heffner discovered and blogged about a feature or bug built into at least eight different models of D-Link routers that could allow an attacker to log in as administrator and change the router’s settings. Although the router models affected are fairly old, there are almost certainly plenty of these still in operation, as routers tend to be set-it-and-forget-it devices that rarely get replaced or updated unless they stop working.

According to Heffner, an attacker who identified a vulnerable router would need merely to set his browser’s user agent string to “xmlset_roodkcableoj28840ybtide”, and the router’s web server would treat him as an authenticated administrator, with no username or password required. Heffner later updated his blog post with a proof-of-concept illustrating how attackers also could use the bug to upload arbitrary code to the vulnerable devices.

On Nov. 28, D-Link released a series of updates to fix the problem. Updates are available for the following models:

  • DI-524
  • DI-524UP
  • DIR-100
  • DIR-120
  • DI-604UP
  • DI-604+
  • DI-624S
  • TM-G5240

It’s not clear exactly why or how this backdoor found its way into the D-Link routers, but Heffner said a suggestion by fellow researcher Travis Goodspeed points to one likely explanation: “My guess is that the developers realized that some programs/services [such as dynamic DNS] needed to be able to change the device’s settings automatically,” he wrote. “Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change.”
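As an added illustration (not code from this post, from Heffner’s write-up, or from D-Link’s firmware), the Python below models the kind of check Goodspeed’s explanation implies, puts a hardened form beside it, shows the exact request an unauthenticated probe would put on the wire, and scans some access-log lines for the magic user agent. The magic string is the one quoted above; every function name, the stand-in “device”, its credentials and the log lines are assumptions constructed for the example.

```python
import base64
import hmac
import re
from typing import Callable, Dict, List, Tuple

# The User-Agent value reported by Heffner and quoted in the post.
MAGIC_UA = "xmlset_roodkcableoj28840ybtide"

Request = Dict[str, str]                       # lower-cased header names, plus "path"
Fetch = Callable[[Request], Tuple[int, str]]   # returns (HTTP status, body)


def decode_magic(ua: str = MAGIC_UA) -> str:
    """Read the string backwards (the observation made in the comments below)."""
    return ua[::-1]   # "editby04882joelbackdoor_teslmx"


def basic_auth_header(username: str, password: str) -> str:
    """Value of an HTTP Basic Authorization header for the given credentials."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


def vulnerable_auth_check(req: Request, valid_auth: str) -> bool:
    """Models the behaviour the post describes: a request whose User-Agent equals
    MAGIC_UA counts as logged in, whatever the Authorization header says.
    An illustration of the logic, not the firmware's actual code."""
    if req.get("user-agent") == MAGIC_UA:
        return True
    return hmac.compare_digest(req.get("authorization", ""), valid_auth)


def fixed_auth_check(req: Request, valid_auth: str) -> bool:
    """Only the credentials decide; no client-controlled header stands in for them.
    Internal automation (the dynamic DNS case in Goodspeed's explanation) has to
    authenticate like any other client or use a channel of its own."""
    return hmac.compare_digest(req.get("authorization", ""), valid_auth)


def make_device(auth_check, username: str = "admin", password: str = "") -> Fetch:
    """A stand-in for a router's admin web server (constructed for this example)."""
    valid_auth = basic_auth_header(username, password)

    def fetch(req: Request) -> Tuple[int, str]:
        if auth_check(req, valid_auth):
            return 200, "<html><title>Router Settings</title></html>"
        return 401, "Unauthorized"

    return fetch


def build_probe_request(host: str, path: str = "/", ua: str = MAGIC_UA) -> bytes:
    """The raw request a probe sends: no credentials at all, only the User-Agent."""
    return f"GET {path} HTTP/1.0\r\nHost: {host}\r\nUser-Agent: {ua}\r\n\r\n".encode()


def probe(fetch: Fetch, path: str = "/") -> str:
    """Compare an unauthenticated request carrying a browser UA with one carrying
    MAGIC_UA. Only a difference in outcome is evidence: if the page is served (or
    refused) either way, the User-Agent alone proves nothing."""
    normal_status, _ = fetch({"path": path, "user-agent": "Mozilla/5.0"})
    magic_status, _ = fetch({"path": path, "user-agent": MAGIC_UA})
    if normal_status != 401:
        return "inconclusive"
    return "vulnerable" if magic_status == 200 else "not vulnerable"


# Detection side. Combined-format access-log lines are assumed; these are constructed.
_UA_FIELD = re.compile(r'" "([^"]*)"\s*$')

SAMPLE_LOG = [
    '192.168.0.23 - - [01/Dec/2013:10:01:02 +0000] "GET / HTTP/1.1" 401 - "-" "Mozilla/5.0"',
    '203.0.113.9 - - [01/Dec/2013:10:01:05 +0000] "GET /index.htm HTTP/1.0" 200 3100 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.168.0.23 - - [01/Dec/2013:10:02:11 +0000] "GET /index.htm HTTP/1.1" 200 3100 "-" "Mozilla/5.0"',
]


def find_backdoor_requests(log_lines: List[str]) -> List[str]:
    """Source addresses of log lines whose User-Agent field is exactly the magic string."""
    hits = []
    for line in log_lines:
        m = _UA_FIELD.search(line)
        if m and m.group(1) == MAGIC_UA:
            hits.append(line.split(" ", 1)[0])
    return hits


if __name__ == "__main__":
    print(decode_magic())
    print(build_probe_request("192.168.0.1").decode(), end="")
    print("stock firmware:", probe(make_device(vulnerable_auth_check)))
    print("fixed firmware:", probe(make_device(fixed_auth_check)))
    print("log hits:", find_backdoor_requests(SAMPLE_LOG))
```

The probe reports “vulnerable” only when the same unauthenticated request is refused with an ordinary browser user agent and accepted with the magic one; a router that serves its admin page to anyone is reported “inconclusive”, because that says nothing about the backdoor. The log scan matches the whole User-Agent field rather than a substring, so a benign agent string that merely mentions the value does not fire.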

Updating an Internet router can be tricky, and doing so demands careful attention; an errant click or failure to follow the installation/updating instructions closely can turn a router into an oversized paperweight in no time. Normally when it comes to upgrading router firmware, I tend to steer people away from the manufacturer’s firmware toward open source alternatives such as DD-WRT or Tomato. Most stock router firmware is fairly clunky and barebones (or includes undocumented “features” like the one discussed in this post); I have long relied on DD-WRT because it comes with all the bells, whistles and options you could ever want in a router firmware, but it generally keeps those features turned off by default unless you switch them on.

Unfortunately, none of the models listed above appear to be compatible with either firmware. Also, some of these routers are old enough that they don’t support the more secure wireless encryption protocols, such as WPA2; others may even require users to administer the router using Internet Explorer (not much of an option for Mac users).

For these reasons, I would suggest that anyone with a vulnerable router consider upgrading to a newer device. Asus, Buffalo and Linksys make many routers that are broadly compatible with DD-WRT and Tomato, but you may want to check the respective compatibility pages of those firmware projects prior to purchasing a new one.

Update, 8:43 a.m. ET: Updated list of routers affected, per the official D-Link advisory on this (H/T @William_C_Brown).


20 thoughts on “Important Security Update for D-Link Routers”

  1. Yeah

    Okay, the backdoor is a cool find, but how many of these devices really have the web server enabled on the Internet interface? I believe by default most devices only have this web admin interface enabled on the LAN?

    1. Allan Miller

      Yes, but this could make you vulnerable to an attack through the WiFi interface.

  2. Allan Miller

    Just a note, the UK DLink web site has updates for more models than are listed in the article (it may have been updated). So, you need to check there to see if there is an update for your router.

    Great article, Brian, with good info. Thanks very much for this!

  3. DNS changer

    Backdoor built in by whom? NSA? Or Chinese?
    Strange, that this router has been around for some time and only now they manage to find this backdoor. My question is — WHAT took them so long?

  4. blah

    “I have long relied on DD-WRT because it comes with comes with all the bells”

  5. Joel Backdoor

    It’s said in the Russian forum post:
    Try to read the string backwards.

    xmlset_roodkcaBleoJ28840ybtide turns into

    Edit By 04882 JoelBackdoor

  6. IA Eng

    heh, this one has been out for a while. About a month or so.

    I am not a big fan of wireless IP networks – even to this day. It’s another “matter of convenience” and cosmetic appeal. To my tastes there is still too much wrong with it, and not enough right. No, I don’t care to elaborate.

    To each their own. isc.sans.edu had an article about a vacuum that had a chip in it, from China of course, that would look for a hot spot and the vacuum would spit forth spam. I can only these new garbage gadgets from the Big Red Spam machine are in retaliation for us catching them hacking some of our larger websites. Now, devices that are wireless enabled – even the LG TVs – call home, and that feature, even if turned off, it’s reported that it will continue to provide info with the “feature” disabled.

    Oh joy. New items under the Christmas tree that are willing to silently eat up your bandwidth. What a bunch of Ho Ho Horseshit.

    This is why network security, information security, CNA and CND will probably never go away.

    1. Old School

      “To each their own. isc.sans.edu had an article about a vacuum that had a chip it it, from china of course, that would look for a hot spot and the vacuum would spit forth spam. ” See: https://isc.sans.edu/diary/Is+your+vacuum+cleaner+sending+spam%3F/16958 .
      “The story claimed that appliances like tea kettles, vacuum cleaners and iron(y|ing) irons shipped from China and sold in Russia were discovered to contain rogue, WiFi enabled chip sets.”

  7. Steve Griffin

    I’m looking at the age of these models and thinking, “Who in the heck ever gets a D-Link router to last that long anyway?”

  8. TheOreganoRouter.onion

    I use a Buffalo Tech N router (WPA-PSK2) and it’s an excellent unit with outstanding tech support; however, it’s not as good as, say, a Sonic Wall unit.

  9. Ryan

    I actually just replaced a DI-604 router that my father has been using since 2005. Looks like it was just in time. That router was so old it wouldn’t even be worth updating the firmware since it didn’t even support WPA-2.

  10. Richard

    From the D-Link forum on dslreports.com

    Most of these models were only marketed in the EU region. Only affects those model routers.

  11. Mike

    From the dlink page:

    Immediate Recommendations for all D-Link router customers

    Do not enable the Remote Management feature since this will allow malicious users to use this exploit from the internet. Remote Management is default disabled on all D-Link Routers and is included for customer care troubleshooting if useful and the customer enables it.
    If you receive unsolicited e-mails that relate to security vulnerabilities and prompt you to action, please ignore them. When you click on links in such e-mails, it could allow unauthorised persons to access your router. Neither D-Link nor its partners and resellers will send you unsolicited messages where you are asked to click or install something.
    Make sure that your wireless network is secure.

    So it appears that if the remote management feature is not enabled, it is not a problem.

    1. DI-524_user

      I don’t feel confident enough to do a D-Link Router firmware upgrade…

      BUT… The “Remote Management” setting in my DI-524 D-Link Router has been [X] DISabled for the last 7 years.

      Am I safe from this exploit? Brian? Anybody?

  12. 0_o -- null_null

    Hi Brian,

    thanks a lot for your blog which I enjoy for several years now.

    I might have something interesting to add to this post. There are severe vulnerabilities in D-Link’s DSR small business router models.

    http://www.exploit-db.com/exploits/30062/
    http://www.exploit-db.com/papers/30061/

    Patches are available via http://tsd.dlink.com.tw

    Intriguing: neither http://securityadvisories.dlink.com/security/ nor http://www.dlink.com/uk/en/support/security are announcing them – so how will users learn about the patches?

    This is why I’m posting here.

    Thanks!
    — nu11

  13. User

    Also, some D-Link routers have strange unknown users in /etc/shadow. In the dsr1000, for example.

Comments are closed.