Researcher Find D-Link DWR-932 Router Is 'Chock Full of Holes' (helpnetsecurity.com) 70
Reader JustAnotherOldGuy writes: Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities in the LTE router/portable wireless hotspot D-Link DWR-932. Kim found the latest available firmware has these vulnerabilities: Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
-A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.
"At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor," says Kim, and advises users to stop using the device until adequate fixes are provided.
-A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.
"At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor," says Kim, and advises users to stop using the device until adequate fixes are provided.
"Oh my God, it's full of holes!" (Score:4, Funny)
Re: (Score:1)
There's Your Problem. (Score:1, Insightful)
UPnP has no security.
Only morons leave it enabled on Home routers.
Re: (Score:1)
The problem manifested here is yours: only morons make blanket statements concerning the intelligence of large groups of people without clinical testing to back it up. Most of those people are not morons, they're just educated in other domains.
Those are "Speed Holes" (Score:3, Funny)
For faster internet DUH
Re: (Score:2)
Re: (Score:2)
Re: (Score:1)
Re: (Score:1)
Re: (Score:2)
For faster internet
And great justice!
Re: (Score:2)
If they were serious about faster internet, they would paint their routers red instead of the slow white/black.
Same Tune, New Stanza (Score:2)
Do these sound familiar? Google Quanta router security holes. You'll find the issues that the D-Link has are remarkably similar to what the Quanta firmware had.
I could safely guess is that Quanta foisted the firmware and designs off onto D-Link for a small tune so they could recover some of the cost.
BTW, the tech that found the D-Link issues, found the holes in the Quanta routers as well.
Hey! (Score:4, Funny)
Guess who has two thumbs and bought a D-Link router yesterday?
*This* dumbass. :(
Re: (Score:2, Informative)
Guess who has two thumbs and bought a D-Link router yesterday?
*This* dumbass. :(
return it... we have to push back on bad products in a way that manufactures will understand, return the product as defective.
Re: (Score:3)
Re: (Score:2)
Nice one, Alice.
Re: (Score:2)
Surely you can shove OpenWRT, Shibby's build of version of Tomato-USB, or (*shudder*) DD-WRT on the thing, yes?
Re: (Score:3)
I haven't bought a D-Link router in years. They used to be all right value for the money but over the last 6-8 years it seems like the quality vastly varied between even small model revisions so I got tired of the D-Link Russian Roulette and started buying other routers. ASUS routers have been consistently good in my experience so far, Linksys is a crap shoot like D-Link so I avoid, NetGear is utilitarian but acceptable.
Re: (Score:2)
Linksys stopped being good sometime shortly after being sold to Cisco. NetGear is usually fine but will fall over under heavy traffic if you add too many custom routes.
Re: (Score:2)
In this lesser Slashdot that we have these days (wherein I don't even see anyone saying "just use an old box for pfsense and be done"), I'll second Asus.
The stock firmware is allegedly built upon OpenWRT, and for those that like Tomato-USB/Shibby, they're generally all well-supported.
I have had many small networks that would have fallen over (and indeed, were actively falling-over), which were absolutely saved by proper QoS rules in Shibby's builds of Tomato-USB.
For the home-gamer: Multiple massive torrent
Re: (Score:2)
Why use an old box for pfSense when you can buy an outstanding Intel N3150 based tiny box that consumes 10W for less than $130?
Stop buying routers for WiFi and buy a plain, simple AP and stick it behind pfSense.
Re: (Score:2)
Why do that, when for $50-$100 you can get an ARM box that just does everything -- including AP duties -- while also consuming insignificant power?
It even comes with a reasonably-good Gigabit switch that can also tackle VLAN duties.
Thanks for the flame, though. It almost felt like old times.
Re: (Score:2)
Why do that, when for $50-$100 you can get an ARM box that just does everything -- including AP duties -- while also consuming insignificant power?
It even comes with a reasonably-good Gigabit switch that can also tackle VLAN duties.
Would you mind sharing a link or at least a name?
Re: (Score:3)
Sure. I use one of these [amzn.to], with this firmware [groov.pl], making it a cute little self-contained Linux box with both a HTML GUI and a command-line interface that is as complete as you want to make it. (I've got a build environment on mine, just because I can.)
802.11ac, dual-core 800MHz ARM, 256MB of RAM and 128MB of flash (all of which are complete overkill for this application), along with multiple USB ports for plugging in random goodies.
Re: (Score:2)
>(wherein I don't even see anyone saying "just use an old box for pfsense and be done")
As I've gotten older and I do this stuff for my day job my enthusiasm for doing it on off hours has waned, especially now that there are consumer devices that will get you 99% of the way there with very little hassle and the devices are silent and small compared to even an old HTPC case. A lot of people aren't going to customize anything if they can get close enough with an off the shelf product. That said, I did thr
Re: (Score:2)
Re: (Score:2)
As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump )
So why not just take advantage of having awesome hardware, and replace the crappy firmware with something else like OpenWRT?
Re: flashrouters.com (Score:2)
You have some incredibly power hungry routers.
Don't just stop using it. (Score:1)
At the very least return it for a full refund. If you feel litigious, sue D-Link. Backdoor accounts and other deliberate vulnerabilities must become expensive for the dickheads who make them.
So which routers have good security? (Score:1)
Cisco, Linksys, D-Link all have security problems. At this point I would hazard a guess that most routers have security problems.
So which SOHO routers *don't* have security problems? What can I tell my non-computer-savy relatives to get?
Do you have to flash DD-WRT software to improve the security situation?
Re: (Score:1)
What can I tell my non-computer-savy relatives to get?
An education, or at least better help.
Do you have to flash DD-WRT software to improve the security situation?
An old used PC with 2 or more ethernet ports that's running OpenBSD also does just fine.
Re: (Score:2)
An old used PC is such a memory hog, as well as likely being a space hog and noisy. You'll spend more money on electricity than the money it would take to buy a modern tiny PC to do the job better.
Intel N3150 based tiny PC, 2GB SODIMM and a 4GB flash drive will set you back $130. Silent, small as a fat paperback book and you'll save $50 in electricity per year compared to that old noise maker.
Reusing old PCs sounds environmentally friendly but it probably is short sighted.
Re: (Score:2)
I would love a Raspberry Pi with two Ethernet ports. That would be my new router.
Re: (Score:1)
You're on the right track, but even if you add a second ethernet device the Raspberry Pi itself only has enough throughput to keep up with basic DSL speeds. There are other, less popular single-board ARM computers that would be better suited for this task.
Re: (Score:2)
Re: (Score:2)
I recently bought a Cisco 4200v1 and D-Link DIR615 at a yardsale for $10. Slapped OpenWRT on them. $10 lol.
Product recall time? (Score:1)
Not only is it not fit for its advertised purpose, it's unsafe to use.
Re: (Score:2)
"Unsafe at any BPS"
Fuck D-Link (Score:2)
Re: (Score:2)
fuck their routers
Mixing saline bodily fluids and electrical equipment likely voids the warranty and that it's not the volts, its the amperage that's the real danger.
Re: (Score:2)
Shit you really hate D-Link.
Don't buy a router unless you can install openwrt. (Score:4, Insightful)
Re: (Score:2)
D-Link security (Score:2)
Those D-Link routers are actually very, very secure.
No attacker (or you) are able to properly send or receive packets on it's network (when you can actually get in it), which thwart most attacks.
The D-Link DWR-932 case is very tight... (Score:2)
D-Link is the most secure (Score:1)
In fact is indestructible https://www.youtube.com/watch?... [youtube.com]
D-Link routers can be broken hardware wise too (Score:2)
I remember an article years ago of a D-Link router where they cheaped out and left out a filtering capacitor. An engineer figured this out because hilariously they left the solder pads on the actual circuit boards so a fix was to solder in your own filtering capacitor. The missing capacitor resulted in the power supply being noisy and eventually corrupting ram which would lead to the router crashing. D-Link of course in their brilliance figured the quick fix was to reboot your router every 15 minutes, st