D-Link Router Backdoor, really?

[ronan_zj]

I just read the article today, and I feel lucky that I don't have D-link product.

https://www.schneier.com/blog/archives/2013/10/d-link_router_b.html

 

[thiggins]

http://www.dlink.com/uk/en/support/security

 

[RogerSC]

Here's a different article, this one about Netgear...apparently DLink isn't the only one out there with security problems:

http://www.computerworld.com/s/article/9243462/Vulnerabilities_in_some_Netgear_router_and_NAS_products_open_door_to_remote_attacks?source=CTWNLE_nlt_storage_2013-10-24

 

[lexist2112]

The Dlink mods are aware of this. It appears to be UK Dlink models only and NA are not affected. Dlink will be issuing FW updates to the affected EU models.





http://forums.dlink.com/index.php?topic=56089.0

 

[RMerlin]

Asus, Netgear, Dlink, Teda... They all have serious security holes reported in the last year. Linksys as well in recent years.

I think those manufacturers will have to start paying closer attention to the firmware their devices run. Routers are intended to be security devices, therefore security should be taken more seriously into account while developing their firmwares. Too many of these are based on quite old code, with a serious baggage of poor design decisions going back 5-7 years ago. Some of these might require to have the proprietary bits rewritten, especially their internal web server which is often the main security issue. Most of these are based on a very old basic httpd daemon, which got tons of custom extensions added to over the years.

The first step for many of these would probably to rewrite that httpd server from the ground up, or started from a cleaner base at least.

 

[stevech]

Asus, Netgear, Dlink, Teda... They all have serious security holes reported in the last year. Linksys as well in recent years.

I think those manufacturers will have to start paying closer attention to the firmware their devices run.

Think the vendors like D-Link, et al in the consumer space can do so, given they tend to buy from Asia and skin the GUI with their logos?

 

[RMerlin]

Think the vendors like D-Link, et al in the consumer space can do so, given they tend to buy from Asia and skin the GUI with their logos?

DLink used to have their routers designed by Alpha Networks (which is actually a DLink spinoff). They also did the WD routers.

Netgear seems to have Foxconn working on their firmware.

Asus took TomatoUSB and worked from that code base (I think it's done in-house).

It's up to the vendors to start requesting more quality and do more stringent testing of their routers. Tim did a very nice article last year where he ran a router test suite against an RT-N66U running various firmwares - that test suite alone was able to spot quite a few problems. It should be a bare minimum.

But for now, public shaming through disclosures like is recently happening is probably the way to go. When some vendors start to rise above the rest by providing actual secure products, it might force the hand of the rest to either improve their products, or start losing market shares.

 

[sfx2000]

Think the vendors like D-Link, et al in the consumer space can do so, given they tend to buy from Asia and skin the GUI with their logos?

Indeed... there's a few vendors that do their own SW stack, but most of the chipset vendors have a pre-built board support package, and the ODM's can skin it to the OEM's requirements.

Things like this contribute to the recent issues with the uPNP and WPS issues noted in the last few months.

 

[remixedcat]

I wonder what FW base Amped Wireless uses... I think it's thier own. Can anyone clarify that?

I know thier routers are not DDWRT compatible.