
[Security] - D-Link exposes code signing key in GPL drop...


sfx2000

Thanks D-Link... you've made the world a little bit less safe... you guys at D-Link are a freaking security train-wreck and you put your customers seriously at risk, and with this, you put the entire Windows/Mac community at risk.

To all, please consider this when thinking about your next router/AP/adapter...

You can also review here for other security concerns related to D-Link...

http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/

I suppose the good news is that those keys will expire, but with those keys, someone can assert that the code was released before key expiration..


D-Link blunder by releasing private keys of certificates
By Olaf van Miltenburg, Thursday, September 17th, 2015 09:44
Submitter: bartvbl

D-Link accidentally released private keys for the certificates with which its software is signed. The keys could be extracted from the manufacturer's open-source firmware packages. Criminals could thereby have abused the certificates.

Malware writers can use the certificates to sign their malicious code, so that it looks like legitimate software to Windows, for example. The certificate serves as a guarantee that the programs actually come from the relevant company.

The blunder was discovered by bartvbl, who pointed the editors to the issue. He had purchased the DCS-5020L surveillance camera from D-Link and wanted to download the firmware. D-Link makes much of its firmware source code available as open source under a GPL license. "Looking through the files, it turned out that they contained private keys for signing code," reports bartvbl. "In fact, some batch files contained the commands and passphrases that were needed."

The user was able to verify that the key could be used to sign a file that did not come from D-Link. The certificates expired in early September, so the trick no longer works. Even after the expiration date, software that was already signed is still seen as valid. Only after the certificates are withdrawn does Windows report, when checking a certificate, that they are not valid. That withdrawal has already happened. Abuse is therefore no longer a problem.

Security firm Fox-IT, on request, confirms the user's findings. Yonathan Klijnsma, researcher at the company: "The code signing certificate is indeed in one of the firmware packages, firmware version 1.00b03, whose source was released on February 27 this year. This certificate was therefore released before it expired, a big mistake." He even found four other certificates in the same folder.

D-Link has released new versions of the firmware that no longer contain the certificates. In a statement, the company says it regularly updates its firmware to meet "the latest safety and quality standards". The company stressed that there was no intent. "D-Link at all times avoids developing product features that intentionally provide unauthorized access to the device or network, including, for example, backdoors." Furthermore, the company promises Tweakers that new firmware will come out early next week in which security issues are also resolved.
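
A pre-release check for the mistake the article describes, private keys and signing passphrases shipped inside a source drop, as an added example that is not part of the original post or of D-Link's tooling. The file names and passphrase in `demo()` are constructed, and the patterns cover only PEM blocks, common key-container extensions, and `signtool`/`jarsigner` password arguments.

```python
import re
import tempfile
from pathlib import Path

# PEM armor of private keys: RSA, EC, DSA, PKCS#8 (plain or encrypted), OpenSSH.
PEM_KEY = re.compile(rb"-----BEGIN (?:[A-Z0-9]+ )*PRIVATE KEY-----")
# Extensions that usually hold a private key (PKCS#12, PVK, Java keystore).
KEY_EXTS = {".pfx", ".p12", ".pvk", ".jks", ".key"}
# Build scripts where a signing command and its passphrase get written down.
SCRIPT_EXTS = {".bat", ".cmd", ".sh", ".ps1"}
# signtool takes the PFX password after /p; jarsigner uses -storepass/-keypass.
PASS_ARG = re.compile(
    rb"(?i)(?:signtool\b[^\r\n]*\s/p\s+\S+|-(?:storepass|keypass)\s+\S+)")
MAX_BYTES = 1_000_000  # read at most this much of each file

def scan_release_tree(root):
    """Return sorted (relative_path, reason) findings for a tree about to ship."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel, ext = path.relative_to(root).as_posix(), path.suffix.lower()
        with path.open("rb") as fh:
            data = fh.read(MAX_BYTES)
        if ext in KEY_EXTS:
            findings.append((rel, "key-container file"))
        if PEM_KEY.search(data):
            findings.append((rel, "PEM private key block"))
        if ext in SCRIPT_EXTS and PASS_ARG.search(data):
            findings.append((rel, "signing passphrase in script"))
    return sorted(findings)

def demo():
    """Scan a constructed sample tree (invented files, not D-Link's)."""
    with tempfile.TemporaryDirectory() as tmp:
        t = Path(tmp)
        for d in ("tools", "src"):
            (t / d).mkdir()
        (t / "tools/sign.bat").write_text(
            "signtool sign /f vendor.pfx /p EXAMPLE-PASSPHRASE app.exe\n")
        (t / "tools/vendor.pfx").write_bytes(b"constructed placeholder")
        (t / "src/server.pem").write_text(
            "-----BEGIN RSA PRIVATE KEY-----\nCONSTRUCTED\n"
            "-----END RSA PRIVATE KEY-----\n")
        (t / "src/main.c").write_text("int main(void) { return 0; }\n")
        return scan_release_tree(t)

if __name__ == "__main__":
    for rel, reason in demo():
        print(f"{rel}: {reason}")
```

Run against the directory that will be archived and published, and block the release on any finding; a key that has already shipped still has to be revoked and replaced.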
 
This isn't the first major security issue they've had. On a number of their routers you can get the PPP secret and router password if you navigate to a particular link on the router. It's one of the reasons why I always say to stay away from D-Link, aside from poor hardware and firmware design.

Some ISPs have been distributing majorly flawed D-Link routers that allow anyone from the internet to go in without having to log in. This is also because the ISP wants a backdoor to the customer router "for customer service" such as an unexposed operator account and remote management not visible to the normal admin account.

I really do not like manufacturers that do away with ethics just because the ISP or government wants a backdoor since it is unethical to keep things hidden from the user.
 
The keys had already been revoked BTW - a fact many news sites forgot to mention before scaring people out...


 
That doesn't mean that what D-Link did was very bright - it was still really idiotic. Just that the impact isn't as catastrophic as some news sites were leading their readers to believe.
 
I black-listed D-Link for me about 15 years ago.
Amazed they're still going.

They sell on Best Buy and they sell cheap. The average Best Buy customer prefers "cheap" over anything else. Why do you think Acer laptops are still being sold there?
 
Cheap initially can end up being expensive later especially when all your finance details and personal details are leaked to hackers and to the wrong people if they can easily access the router.
 
Cheap initially can end up being expensive later especially when all your finance details and personal details are leaked to hackers and to the wrong people if they can easily access the router.

The typical home buyer doesn't know that. Many of them don't even know what a firmware is.
 
My wife's mother always said You get what you pay for.
I'll add: If you aren't a naive or uninformed buyer.
 
That doesn't mean that what D-Link did was very bright - it was still really idiotic. Just that the impact isn't as catastrophic as some news sites were leading their readers to believe.

Embedded OS's have come under a lot of attention from the security community (both White Hats and Black Hats) - Linux AP/Routers, Android have been beaten up pretty hard, which makes errors like D-Link's publishing of signing keys all the more worrisome...

Remember that Stuxnet used stolen JMicron and Realtek signing keys...

Just because the key is revoked doesn't mean that Windows won't install - a revoked key just means that post-revocation, later code can't be signed with it. Any code prior to the revocation, will still be allowed...

So the D-Link key exposure is a big deal...
 
