
Researcher Finds D-Link DWR-932 Router Is 'Chock Full of Holes' (helpnetsecurity.com)

Reader JustAnotherOldGuy writes: Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities in the LTE router/portable wireless hotspot D-Link DWR-932. Kim found the latest available firmware has these vulnerabilities:
- Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
- A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
- Multiple vulnerabilities in the HTTP daemon
- Hardcoded remote Firmware Over The Air credentials
- Lowered security in Universal Plug and Play, and more.
"At best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor," says Kim, and advises users to stop using the device until adequate fixes are provided.

  • by neo-mkrey ( 948389 ) on Thursday September 29, 2016 @03:14PM (#52985353)
    Of course it is David, it's D-Link.
  • by decipher_saint ( 72686 ) on Thursday September 29, 2016 @03:49PM (#52985527)

    For faster internet DUH

  • Do these sound familiar? Google Quanta router security holes. You'll find the issues that the D-Link has are remarkably similar to what the Quanta firmware had.

    I could safely guess that Quanta foisted the firmware and designs off onto D-Link for a small tune so they could recover some of the cost.

    BTW, the tech that found the D-Link issues, found the holes in the Quanta routers as well.

  • Hey! (Score:4, Funny)

    by halivar ( 535827 ) <bfelger@gmai l . com> on Thursday September 29, 2016 @03:54PM (#52985539)

    Guess who has two thumbs and bought a D-Link router yesterday?

    *This* dumbass. :(

    • Re: (Score:2, Informative)

      by Anonymous Coward

      > Guess who has two thumbs and bought a D-Link router yesterday?
      >
      > *This* dumbass. :(

      Return it... we have to push back on bad products in a way that manufacturers will understand, return the product as defective.

    • Bob Kelso? But seriously, never look at car prices after you've bought a car, and avoid SlashDot after buying tech gear.
    • by adolf ( 21054 )

      Surely you can shove OpenWRT, Shibby's build of version of Tomato-USB, or (*shudder*) DD-WRT on the thing, yes?

    • I haven't bought a D-Link router in years. They used to be all right value for the money but over the last 6-8 years it seems like the quality vastly varied between even small model revisions so I got tired of the D-Link Russian Roulette and started buying other routers. ASUS routers have been consistently good in my experience so far, Linksys is a crap shoot like D-Link so I avoid, NetGear is utilitarian but acceptable.

      • Linksys stopped being good sometime shortly after being sold to Cisco. NetGear is usually fine but will fall over under heavy traffic if you add too many custom routes.

      • by adolf ( 21054 )

        In this lesser Slashdot that we have these days (wherein I don't even see anyone saying "just use an old box for pfsense and be done"), I'll second Asus.

        The stock firmware is allegedly built upon OpenWRT, and for those that like Tomato-USB/Shibby, they're generally all well-supported.

        I have had many small networks that would have fallen over (and indeed, were actively falling-over), which were absolutely saved by proper QoS rules in Shibby's builds of Tomato-USB.

        For the home-gamer: Multiple massive torrent

        • Why use an old box for pfSense when you can buy an outstanding Intel N3150 based tiny box that consumes 10W for less than $130?

          Stop buying routers for WiFi and buy a plain, simple AP and stick it behind pfSense.

          • by adolf ( 21054 )

            Why do that, when for $50-$100 you can get an ARM box that just does everything -- including AP duties -- while also consuming insignificant power?

            It even comes with a reasonably-good Gigabit switch that can also tackle VLAN duties.

            Thanks for the flame, though. It almost felt like old times.

            • > Why do that, when for $50-$100 you can get an ARM box that just does everything -- including AP duties -- while also consuming insignificant power?
              >
              > It even comes with a reasonably-good Gigabit switch that can also tackle VLAN duties.

              Would you mind sharing a link or at least a name?

              • by adolf ( 21054 )

                Sure. I use one of these [amzn.to], with this firmware [groov.pl], making it a cute little self-contained Linux box with both a HTML GUI and a command-line interface that is as complete as you want to make it. (I've got a build environment on mine, just because I can.)

                802.11ac, dual-core 800MHz ARM, 256MB of RAM and 128MB of flash (all of which are complete overkill for this application), along with multiple USB ports for plugging in random goodies.

        • >(wherein I don't even see anyone saying "just use an old box for pfsense and be done")

          As I've gotten older and I do this stuff for my day job my enthusiasm for doing it on off hours has waned, especially now that there are consumer devices that will get you 99% of the way there with very little hassle and the devices are silent and small compared to even an old HTPC case. A lot of people aren't going to customize anything if they can get close enough with an off the shelf product. That said, I did thr

      • I pretty much put D-Link on my permanent never-buy blacklist after having to play with a DSL-502. Dear ghod, how can you cram so much fail into such a small box?
    • To quote the article:

      > As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump )

      So why not just take advantage of having awesome hardware, and replace the crappy firmware with something else like OpenWRT?

  • by Anonymous Coward

    At the very least return it for a full refund. If you feel litigious, sue D-Link. Backdoor accounts and other deliberate vulnerabilities must become expensive for the dickheads who make them.

  • by Anonymous Coward

    Cisco, Linksys, D-Link all have security problems. At this point I would hazard a guess that most routers have security problems.

    So which SOHO routers *don't* have security problems? What can I tell my non-computer-savvy relatives to get?

    Do you have to flash DD-WRT software to improve the security situation?

    • > What can I tell my non-computer-savvy relatives to get?

      An education, or at least better help.

      > Do you have to flash DD-WRT software to improve the security situation?

      An old used PC with 2 or more ethernet ports that's running OpenBSD also does just fine.

      • An old used PC is such a memory hog, as well as likely being a space hog and noisy. You'll spend more money on electricity than the money it would take to buy a modern tiny PC to do the job better.

        Intel N3150 based tiny PC, 2GB SODIMM and a 4GB flash drive will set you back $130. Silent, small as a fat paperback book and you'll save $50 in electricity per year compared to that old noise maker.

        Reusing old PCs sounds environmentally friendly but it probably is short sighted.

        • by hodet ( 620484 )

          I would love a Raspberry Pi with two Ethernet ports. That would be my new router.

          • You're on the right track, but even if you add a second ethernet device the Raspberry Pi itself only has enough throughput to keep up with basic DSL speeds. There are other, less popular single-board ARM computers that would be better suited for this task.

    • Comment removed based on user account deletion
      • by hodet ( 620484 )

        I recently bought a Cisco 4200v1 and D-Link DIR615 at a yardsale for $10. Slapped OpenWRT on them. $10 lol.

  • Not only is it not fit for its advertised purpose, it's unsafe to use.

  • I've said it before. Fuck D-Link and fuck their routers. May they rot in hell.
    • > fuck their routers

      Mixing saline bodily fluids and electrical equipment likely voids the warranty, and it's not the volts, it's the amperage that's the real danger.

    • by hodet ( 620484 )

      Shit you really hate D-Link.

  • by anwyn ( 266338 ) on Thursday September 29, 2016 @06:00PM (#52986135)
    Wherever you look, commercial routers are full of security vulnerabilities.
  • Those D-Link routers are actually very, very secure.
    No attacker (or you) is able to properly send or receive packets on its network (when you can actually get in it), which thwarts most attacks.

  • ...so they had to place holes elsewhere for a proper CPU venting.
  • In fact is indestructible https://www.youtube.com/watch?... [youtube.com]

  • I remember an article years ago of a D-Link router where they cheaped out and left out a filtering capacitor. An engineer figured this out because hilariously they left the solder pads on the actual circuit boards so a fix was to solder in your own filtering capacitor. The missing capacitor resulted in the power supply being noisy and eventually corrupting ram which would lead to the router crashing. D-Link of course in their brilliance figured the quick fix was to reboot your router every 15 minutes, st
