sfx2000
Part of the Furniture
Thanks D-Link... you've made the world a little bit less safe... you guys at D-Link are a freaking security train-wreck and you put your customers seriously at risk, and with this, you put the entire Windows/Mac community at risk.
To all, please consider this when thinking about your next router/AP/adapter...
You can also review here for other security concerns related to D-Link...
http://www.devttys0.com/2015/04/hacking-the-d-link-dir-890l/
I suppose the good news is that those keys will expire, but with those keys, someone can assert that the code was released before key expiration.
D-Link blunders by releasing private keys of certificates
By Olaf van Miltenburg, Thursday, September 17th, 2015 09:44
Submitter: bartvbl
D-Link has accidentally released the private keys of certificates with which the company signs its software. The keys could be extracted from the manufacturer's open-source firmware packages. Criminals could thereby have abused the certificates.
Malware writers can use such certificates to sign their malicious code, so that Windows, for example, treats it as legitimate software. The certificate is meant to guarantee that a program really comes from the company in question.
The blunder was discovered by bartvbl, who alerted the editors to the issue. He had bought D-Link's DCS-5020L surveillance camera and wanted to download its firmware. D-Link makes the source code of much of its firmware available as open source under the GPL licence. "When looking through the files it turned out that the private keys used to sign code were in there," bartvbl reports. "In fact, some batch files contained the commands and passphrases needed to do so."
The user was able to verify that the key could be used to sign a file that did not come from D-Link with the certificate. The certificates expired in early September, so the trick no longer works. Software that was signed before the expiry date, however, is still regarded as valid after that date (for Authenticode signatures this holds when the signature was countersigned by a timestamp server). Only once the certificates have been revoked does the certificate check performed by Windows report them as invalid. That revocation has since taken place, so the abuse is no longer a problem.
Security firm Fox-IT, asked by Tweakers, confirms the user's findings. Yonathan Klijnsma, researcher at the company: "The code-signing certificate is indeed in a firmware package, firmware version 1.00b03, whose source was released on February 27 this year. The certificate was therefore released before it had expired, a big mistake." He even found four other certificates in the same folder.
D-Link has released new versions of the firmware in which the certificates are no longer included. In a statement the company says it regularly updates the firmware "to meet the latest safety and quality standards". The company stresses that there was no intent: "D-Link at all times avoids developing product features that intentionally provide unauthorized access to the device or network, including, for example, backdoors." Furthermore, the company promises Tweakers that early next week new firmware will be released in which the security issues are also resolved.
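The article describes exactly the kind of leak a vendor should catch before publishing a GPL source drop: private-key files sitting next to batch files that pass the key and its passphrase to the signing tool. The scanner below is an added example written for this page; it is not part of the original post, the Tweakers article, or any D-Link tooling. It walks a source tree and reports three things: PEM private-key blocks in any file, binary key containers (.pfx/.p12/.pvk/.snk) by extension, and signtool.exe `sign` invocations in scripts that pass a key file with `/f` and a passphrase with `/p` (real signtool options; the timestamp option `/t` is deliberately ignored). The sample tree it scans is constructed here for illustration; the file names, passphrase and firmware contents are invented and are not the real leaked material.

```python
"""Scan a firmware source drop for leaked code-signing material.

Added example for this page (not D-Link's or Tweakers' code).
Findings are (relative path, kind, detail) tuples; passphrases are
reported by length only so the scanner output itself never carries
the secret.
"""
import os
import re
import tempfile

# 1. PEM private-key blocks (RSA, EC, DSA, PKCS#8, encrypted PKCS#8) in any file.
PEM_KEY_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")
# 2. Binary key containers consumed by Windows signing tools.
KEY_CONTAINER_EXTS = {".pfx", ".p12", ".pvk", ".snk"}
# 3. Scripts that may call signtool; /f is the key/cert file, /p its passphrase.
SCRIPT_EXTS = {".bat", ".cmd", ".sh", ".ps1", ".mak", ".mk"}
SIGNTOOL_RE = re.compile(r"\bsigntool(?:\.exe)?\s+sign\b(?P<args>.*)", re.IGNORECASE)
SIGNTOOL_OPT_RE = re.compile(
    r'(?:^|\s)[/-](?P<opt>[fp])\s+(?:"(?P<q>[^"]*)"|(?P<u>\S+))', re.IGNORECASE
)


def scan_script_line(line):
    """Return (key_file, passphrase) from a signtool sign command line, or None."""
    m = SIGNTOOL_RE.search(line)
    if not m:
        return None
    key_file = passphrase = None
    for opt in SIGNTOOL_OPT_RE.finditer(m.group("args")):
        value = opt.group("q") if opt.group("q") is not None else opt.group("u")
        if opt.group("opt").lower() == "f":
            key_file = value
        else:
            passphrase = value
    return key_file, passphrase


def scan_tree(root):
    """Walk root and return sorted (relative path, kind, detail) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if PEM_KEY_RE.search(data):
                findings.append((rel, "pem-private-key", ""))
            elif ext in KEY_CONTAINER_EXTS:
                findings.append((rel, "key-container", ext))
            if ext in SCRIPT_EXTS:
                # Batch files are usually CP-1252/latin-1; decoding never fails this way.
                for line in data.decode("latin-1").splitlines():
                    hit = scan_script_line(line)
                    if hit is None:
                        continue
                    key_file, passphrase = hit
                    if key_file:
                        findings.append((rel, "signtool-keyfile", key_file))
                    if passphrase:
                        findings.append((rel, "signtool-passphrase", f"{len(passphrase)}-char passphrase"))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed GPL-style source drop modelled on the report (hypothetical names)."""
    root = tempfile.mkdtemp(prefix="fw-src-")
    files = {
        "README": b"DCS-5020L GPL source drop (constructed sample)\n",
        "tools/sign_all.bat": (
            b"@echo off\r\n"
            b'signtool.exe sign /f "keys\\codesign.pfx" /p Passw0rd-Example '
            b"/t http://timestamp.example.test /v setup.exe\r\n"
        ),
        "tools/keys/codesign.pfx": b"\x30\x82\x01\x00" + b"\x00" * 60,   # fake PKCS#12 blob
        "tools/keys/ca_chain.pem": b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n",
        "tools/keys/dev.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n-----END RSA PRIVATE KEY-----\n",
        "src/main.c": b"int main(void) { return 0; }\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for path, kind, detail in scan_tree(build_sample_tree()):
        print(f"{kind:22} {path}  {detail}")
```

The certificate-only `ca_chain.pem` is intentionally not reported: public certificates belong in a source drop, private keys and the passphrases that unlock them do not. Running this over a release tarball in CI, and failing the build on any finding, is the cheap control that would have stopped the leak the article describes.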