D-Link has released an important security update for some of its older Internet routers. The patch closes a backdoor in the devices that could let attackers seize remote control over vulnerable routers.
D-Link DI-524 router.
The update comes roughly seven weeks after researcher Craig Heffner discovered and blogged about a feature or bug built into at least eight different models of D-Link routers that could allow an attacker to log in as administrator and change the router’s settings. Although the router models affected are fairly old, there are almost certainly plenty of these still in operation, as routers tend to be set-it-and-forget-it devices that rarely get replaced or updated unless they stop working.
According to Heffner, an attacker who identified a vulnerable router would need merely to set his browser’s user agent string to “xmlset_roodkcableoj28840ybtide”, and he could log in to the router’s administrative interface without any authentication. Heffner later updated his blog post with a proof-of-concept illustrating how attackers also could use the bug to upload arbitrary code to the vulnerable devices.
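Because the bypass rides on a fixed User-Agent value, it leaves a clean signature in any HTTP access log or proxy log that records that header. The script below is an added example, not code from Heffner’s post or from D-Link; it parses a few constructed combined-format log lines and flags every request carrying the backdoor string, so a defender can check whether anyone has been knocking on a router behind a logging proxy. The log lines, hostnames and paths are constructed for the example.

```python
import re
from collections import Counter
from typing import Dict, List, Optional

# The exact User-Agent value the article reports as the backdoor trigger.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Combined log format: the last two quoted fields are Referer and User-Agent.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not a real capture): two benign requests, two
# carrying the backdoor User-Agent from one source, and one malformed line.
SAMPLE_LOG = [
    '192.0.2.10 - - [28/Nov/2013:08:43:00 -0500] "GET /index.htm HTTP/1.1" 200 1843 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/25.0"',
    '198.51.100.7 - - [28/Nov/2013:08:44:12 -0500] "GET /admin/index.htm HTTP/1.1" 200 2210 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [28/Nov/2013:08:44:13 -0500] "POST /admin/apply.cgi HTTP/1.1" 200 311 "-" "xmlset_roodkcableoj28840ybtide"',
    '203.0.113.5 - - [28/Nov/2013:09:01:44 -0500] "GET /login.php HTTP/1.1" 401 0 "-" "curl/7.33.0"',
    'this line is not in combined log format',
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into its fields; None if it does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_ua(user_agent: str) -> bool:
    """Match the backdoor string as a case-insensitive substring. The firmware
    presumably compares the exact value, but for detection a looser match costs
    nothing and also catches padded or re-cased variants."""
    return BACKDOOR_UA in user_agent.lower()


def find_backdoor_requests(lines: List[str]) -> List[Dict[str, str]]:
    """Return the parsed fields of every request that carries the backdoor UA."""
    hits = []
    for line in lines:
        fields = parse_line(line)
        if fields and is_backdoor_ua(fields["ua"]):
            hits.append(fields)
    return hits


def summarize_by_source(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address, for a quick triage view."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    found = find_backdoor_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["src"]} {h["status"]} {h["req"]}')
    print("by source:", summarize_by_source(found))
```

Any hit at all is worth an alert: no legitimate browser sends this value, so even a single flagged line from an address outside your network means someone is probing for the backdoor.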
On Nov. 28, D-Link released a series of updates to fix the problem. Updates are available for the following models:
- DI-524
- DI-524UP
- DIR-100
- DIR-120
- DI-604UP
- DI-604+
- DI-624S
- TM-G5240
It’s not clear exactly why or how this backdoor found its way into the D-Link routers, but Heffner said a suggestion by fellow researcher Travis Goodspeed points to one likely explanation: “My guess is that the developers realized that some programs/services [such as dynamic DNS] needed to be able to change the device’s settings automatically,” he wrote. “Realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something. The only problem was that the web server required a username and password, which the end user could change.”
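Goodspeed’s explanation describes a classic design mistake: an internal shortcut was keyed on something the client controls (a request header), so anyone on the network could use it. The snippet below is an added illustration, not D-Link’s firmware code; it shows that pattern beside a version that decides trust from where the connection came from (a local Unix-domain socket only on-device processes can open, which is an assumption about the deployment) and demands the admin password from everyone else. The `Request` type, function names and credentials are all invented for the example.

```python
import hmac
import socket
from dataclasses import dataclass
from typing import Mapping, Optional, Tuple

# The User-Agent value the article reports as the backdoor trigger.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Address family used for the on-device service channel (assumption: a Unix
# socket; the getattr fallback only keeps the module importable elsewhere).
LOCAL_FAMILY = getattr(socket, "AF_UNIX", 1)


@dataclass(frozen=True)
class Request:
    user_agent: str
    auth: Optional[Tuple[str, str]]   # (username, password) from HTTP auth, or None
    via_local_socket: bool            # set by the server from the connection, never from a header


def creds_match(given: Optional[Tuple[str, str]], expected: Tuple[str, str]) -> bool:
    """Constant-time comparison of the supplied admin credentials."""
    if given is None:
        return False
    return (hmac.compare_digest(given[0].encode(), expected[0].encode())
            and hmac.compare_digest(given[1].encode(), expected[1].encode()))


def authorize_vulnerable(req: Request, admin: Tuple[str, str]) -> bool:
    """The pattern Goodspeed described: internal services skip the password
    check by sending a fixed User-Agent. A header is chosen by the client, so
    this is a remotely usable bypass rather than an internal-only shortcut."""
    if req.user_agent == BACKDOOR_UA:
        return True
    return creds_match(req.auth, admin)


def authorize_hardened(req: Request, admin: Tuple[str, str]) -> bool:
    """Trust follows the connection, not the request body: callers on the local
    service socket are on-device processes; every other caller needs the
    password. No header value can flip via_local_socket."""
    if req.via_local_socket:
        return True
    return creds_match(req.auth, admin)


def request_from_connection(peer_family: int, headers: Mapping[str, str],
                            auth: Optional[Tuple[str, str]]) -> Request:
    """Build a Request the way the hardened server would: via_local_socket is
    derived from the accepted socket's family and ignores any header that
    claims to be internal."""
    return Request(
        user_agent=headers.get("User-Agent", ""),
        auth=auth,
        via_local_socket=(peer_family == LOCAL_FAMILY),
    )


if __name__ == "__main__":
    admin = ("admin", "s3cret")          # constructed credentials
    spoof = request_from_connection(socket.AF_INET, {"User-Agent": BACKDOOR_UA}, None)
    print("spoofed UA, vulnerable:", authorize_vulnerable(spoof, admin))  # True
    print("spoofed UA, hardened:  ", authorize_hardened(spoof, admin))    # False
    ddns = request_from_connection(LOCAL_FAMILY, {"User-Agent": "ddns-updater/1.0"}, None)
    print("local service, hardened:", authorize_hardened(ddns, admin))    # True
```

The point is not the Unix socket specifically; any channel that remote hosts cannot reach would do. What matters is that the property granting the shortcut is established by the server from the connection itself, so the end user changing the admin password never breaks the local services and no remote client can claim to be one.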
Updating an Internet router can be tricky, and doing so demands careful attention; an errant click or failure to follow the installation/updating instructions closely can turn a router into an oversized paperweight in no time. Normally when it comes to upgrading router firmware, I tend to steer people away from the manufacturer’s firmware toward open source alternatives such as DD-WRT or Tomato. Most stock router firmware is fairly clunky and barebones (or includes undocumented “features” like the one discussed in this post); I have long relied on DD-WRT because it comes with all the bells, whistles and options you could ever want in a router firmware, but it generally keeps those features turned off by default unless you switch them on.
Unfortunately, none of the models listed above appear to be compatible with either firmware. Also, some of these routers are old enough that they don’t support the more secure wireless encryption protocols, such as WPA-2; others may even require users to administer the router using Internet Explorer (not much of an option for Mac users).
For these reasons, I would suggest that anyone with a vulnerable router consider upgrading to a newer device. Asus, Buffalo and Linksys make many routers that are broadly compatible with DD-WRT and Tomato, but you may want to check the DD-WRT and Tomato hardware compatibility pages prior to purchasing a new one.
Update, 8:43 a.m. ET: Updated list of routers affected, per the official D-Link advisory on this (H/T @William_C_Brown).