Backdoor Account Found in D-Link DIR-620 Routers (bleepingcomputer.com)
Catalin Cimpanu, writing for BleepingComputer: Security researchers have found a backdoor account in the firmware of D-Link DIR-620 routers that allows hackers to take over any device reachable via the Internet. Discovered by Kaspersky Lab researchers, this backdoor grants an attacker access to the device's web panel, and there's no way in which device owners can disable this secret account. The only way to protect devices from getting hacked is to avoid having the router expose its admin panel on the WAN interface, and hence, reachable from anywhere on the Internet.
OpenWRT/LEDE is the only solution (Score:3, Insightful)
This is why I will never buy or recommend any router that cannot be flashed/used with OpenWRT/LEDE.
Re: (Score:1)
You are welcome to get fucked yourself as long as you like. Just do not expect others to be as stupid as you are. Anybody that thinks a long-standing FOSS project with an excellent reputation needs to have the code reviewed by every user in order to be better than closed source is a complete moron.
Re: (Score:2, Insightful)
Calm down, man; you get any more angry and that fedora is going to fly off. Your argument died with Heartbleed. Open source that nobody looked at.
Re: (Score:2)
Once it was checked, the news was out quickly, and fixes not far behind. Contrast that with proprietary security flaw handling.
Re: (Score:2)
Just continue to be stupid. It is no use arguing with people like you, you have all the answers and no clue. There is just no basis to explain actual reality to you, you are utterly disconnected.
DD-WRT is pretty darned secure (Score:3)
ArchieBunker demanded:
Have you done an audit of the code yourself? Are you sure anyone else has? Would you know what to look for?
I use DD-WRT exclusively on all my routers.
It's 100% open source, and there are several people who are still actively developing it. In addition, there's a lot of security-savvy users who closely examine and pen-test each release.
In 2008, a pair of backdoor IP addresses were discovered in the code (placed there by one of the developers, at a customer's request). Both were accessible only from the NAT side of the router, and both were removed within an hour of being reported ...
Re: (Score:3, Informative)
Too bad their last stable release (V24 SP1) is from 9 years ago. They are almost done with the SP2!
And by 100% open source, you mean it is heavily dependent on closed source drivers obtained from Broadcom under NDA?
With outdated info on their wiki on how to build the source?
Re: (Score:3)
fred6666 sneered:
Too bad their last stable release (V24 SP1) is from 9 years ago. They are almost done with the SP2!
And by 100% open source, you mean is heavily dependent on closed source drivers obtained from broadcom under NDA? With outdated info on their wiki on how to build the source?
As the AC who posted after your comment pointed out, there are beta releases all the time - many of which are by BrainSlayer (who was the principal architect for V24 SP1, and is the principal architect for SP2, as well). For popular routers (i.e. - inexpensive and relatively powerful ones), there are often 2 or 3 betas per month. So who the hell cares about the "stable" release of SP2, when Kong's v3.0-r33675M (which I use on all 3 of my ASUS RT-56U's) is reliable, stable, has all relevant security issues patched, and supports more functions than most users will ever need?
Re: (Score:2)
As the AC who posted after your comment pointed out, there are beta releases all the time - many of which are by BrainSlayer (who was the principal architect for V24 SP1, and is the principal architect for SP2, as well). For popular routers (i.e. - inexpensive and relatively powerful ones), there are often 2 or 3 betas per month. So who the hell cares about the "stable" release of SP2, when Kong's v3.0-r33675M (which I use on all 3 of my ASUS RT-56U's) is reliable, stable, has all relevant security issues patched, and supports more functions than most users will ever need?
(BTW - I agree with that guy about ignoring the router database, too. It's full of misinformation and outdated releases that no sane admin would choose to install on an Internet-exposed router. Newbies to DD-WRT should search the forums for advice on the best forks and versions to install for their particular make and model, instead.)
Sounds like a very badly managed project from one man in his mom's basement. Why should newbies have to search on forums and use a fork? What's wrong with the main branch? Why don't they fix it?
I wouldn't trust DD-WRT with security updates if I have to use a beta fork.
As for the Broadcom code, again, openwrt uses a set of reverse-engineered drivers, and it is a freakin' nightmare to configure.
You probably haven't used openwrt in the past 8 years or so. It's very easy to configure with a web-based UI like any other router.
It's also much easier to configure if you want to build from source and choose which package to include.
But you
Re: (Score:2)
He didn't say that
Actually he did. Before you can secure the router, you have to buy the router. Before you buy the router, you have to decide whether it meets your criteria. By providing his criteria, he indicated his first step.
Re: (Score:3)
I just installed openwrt/LEDE 17.01.4 on a TP-Link Archer C7 v2. I downloaded the file, used the web page to upload it and waited. How could it be any easier?
I then configured the router using the LuCI web interface, which is better than most stock router web interfaces.
You're telling them about our backdoors? (Score:5, Funny)
Router found on backdoor (Score:3)
At this point, I think it's fair to say that it was a backdoor that also had a router. Indeed I suspect the router was probably found left on the backdoor.
Re: (Score:2)
otherwise they'd have to give you two boxes and risk you screwing up the configuration between the two somehow.
lol. Really? The casual user's cablemodem gives out an ethernet port, which you connect your own router to, which will work out of the box in every case as new routers are already set to DHCP. If you're like me and have a business, then the cablemodem will give you multiple ports, which will behave the same way. I have static IP addresses, so the configuration becomes a little (just a little) more involved, but "screwing up the configuration" is not on the agenda.
The ISP gives you one box by preference and if you are lucky, it operates in straight passthrough in one form or another requiring a customer to use their own router which the ISP cannot deal with. And then there are ISPs like AT&T which expect you to use their modem/router and passthrough mode is crippled so you never get full functionality if you use your own router.
I like how AT&T would update the firmware on their router resetting all configuration to reenable things like the WiFi and breaking
Re: (Score:1)
Right in it they say Russian ISPs actually did give it out.
Not that many devices left around to exploit
The good news is that D-Link DIR-620 devices are older router models and there aren't that many around to exploit.
Most of these devices were deployed by Russian, CIS, and Eastern European ISPs as on-premise equipment provided to broadband customers.
The vast majority of these devices are located in Russia, and Kaspersky said it already contacted ISPs to inform them of the issue.
Shodan searches for these devices reveal less th
Service providers don't use the web admin interface
https://en.wikipedia.org/wiki/...
Re: (Score:2)
Tweaking the router remotely for your elderly parents or other friends is a valid use-case... Yes, you can — and I do — achieve that by ssh-ing into a Unix computer behind the router, and then use a tunnel to talk to the router's LAN interface. But that may be too complex for most people, wouldn't you agree?
Re: (Score:3, Insightful)
Too complex for most people - yes
Too complex for someone who can be trusted to remotely tweak a router - no
Re: (Score:2)
And what is your suggestion for the case mentioned by the GP "for your elderly parents or other friends"? As somebody suggested earlier "just use an old Dell and threw OpenBSD on it"? Let them have a full computer just so you can tunnel through the router to it and then access from it the router interface? There's always a compromise between security and convenience and really in this case it isn't the worst compromise possible to jus
Re: (Score:2)
Most of those "fully exposed to internet" systems are "behind routers and firewalls"?
Re: (Score:2)
If I were to help my parents out with their router, I'd simply remote in to one of their computers and proceed. There is absolutely no way I'd ever expose critical infrastructure to the wild wild web.
Re: (Score:2)
So, you are fine exposing "one of their computers" to the "wild wild web", but not the router itself?.. Because routers are somehow uniquely exploitable?
Re: (Score:2)
I was expecting this level of paranoia. A 30-minute session in a program I won't mention because neckbeards annoy me, problem solved, and program closed, is better than exposing a router 24/7.
Re: (Score:2)
Whatever program you are using, neckbeard, talking to whatever computer, if you want to tweak a device without moving your dimpled behind into very close physical proximity of the device in question, you must allow remote access of some sort — that is, as you put it, expose something to the "wild wild web". That's a given and unavoidable risk inherent in the requirement.
The entire conversation is about mitigating this risk — such as by using a more secure protocol or a more reliable device.
My pre
Re: (Score:2)
Holy Messiah, it's not complicated. Mum connects to a hosted service, I connect to same hosted service. The security of this hosted service is orders of magnitude beyond what I could do on my own. And, again, 30 minutes later we're DISCONNECTED.
Re: (Score:2)
It is also a magnet for hackers and subpoenas... It also costs you money, or privacy, or both.
It is perfectly legitimate to not want any third parties involved...
Finally, if you are willing to have your mom involved in the tweaking process at all, instead of training her to use this 3rd-party, you can teach her to enable the WAN-access feature of the router — and disable it 30 minutes later.
Re: (Score:2)
Fuck off. And while you're fucking off, shave that stupid neck.
Re: (Score:2)
Seldom is one's online-debate victory quite as complete, as this one is today... You made it adversarial, and then lost.
Not only are you bad at anything IT, you are, evidently, a bad person as well.
Re: (Score:2)
Cheapest possible developers at work. They think this is the thing to do for easy debugging and, since nobody will ever find that password (right?), it can just be left in. Yes, morons on that level do not only exist, there are a lot of them in the industry.
Don't buy ANY router that... (Score:5, Insightful)
Cannot be flashed with third party firmware. I use OpenWRT and DD-WRT and I *refuse* to buy any consumer router that doesn't have at least a porting effort to one of these third party firmware packages.
It's not a perfect solution, but it's one heck of a lot better than just trusting the manufacturer to do the right thing and fix their security issues in a timely manner.
Re: (Score:2)
Indeed. And while not perfect, you get updates and patches long-term and you can do things yourself if you like.
Re: (Score:2)
That's cute that you believe flashing a firmware with something else is an absolute guarantee of security.
To quote my original post:
It's not a perfect solution, but it's one heck of a lot better than just trusting the manufacturer ...
Having issues with reading comprehension? I think so.
Re: (Score:3)
The "only commercial software is good software" morons cannot even think. You expect them to be able to comprehend written language? That is wayyy beyond what they can do. At best, they can do keyword matching.
Re: (Score:2)
That's cute that you believe flashing a firmware with something else is an absolute guarantee of security.
It is better than the alternative of using the stock firmware but not as good as using something like Linux or FreeBSD on your own x86 or possibly now ARM hardware.
Not the first time (Score:4, Interesting)
Why would anyone still buy anything from D-Link or e.g. Cisco?
With their stuff, backdoors are not the exception but a mandatory feature for every device they sell. 2013, 2016, now.
https://www.theregister.co.uk/... DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240, maybe more.
https://thehackernews.com/2016... DWR-932 B
So, sure once maybe it's an error or oversight. But the number of backdoors with pretty much all router manufacturers, from low end cheapo consumer D-Link to usurious Cisco plated with gold stuff, shows it's not an oversight but pretty much deliberate. Both manufacturers are only examples here. All of them have similar holes several times over the last few years, repeatedly. Or they are too incompetent to be allowed to design and then sell anything to the public.
Re: (Score:2)
D-Link is a nice base to flash OpenWRT on. No other sane use.
Re: (Score:2)
Why would anyone still buy anything from D-Link or e.g. Cisco?
Damn if I know.
I gave up on D-Link more than 10 years ago when they reneged on firmware updates for Wifi security which they said they would support and then their routers just died one after another within a span of months. Since then I have been using the same Slot 1 x86 based FreeBSD router which is going on 20 years old now and has failed once ... when the ice machine upstairs sprung a leak and dripped water into it. And that only knocked it out of operation for 24 hours and 15 minutes of downtime sin
and D-Link wont update the firmware? (Score:2)
Re: (Score:2)
Re: (Score:2)
They'd rather you go buy a new D-Link router. If I had one of these routers I would be sure to buy another brand, but if D-Link quickly made a new firmware and patched my router it would give me confidence in D-Link's attention to detail and I would gladly make my next router a D-Link product (something to think about, D-Link people).
I am still waiting on the firmware update for my DI-624s with D-Link's promised Wifi security updates. I am sure they will release them any day now; it has only been 15 years.
OpenBSD DIY (Score:2)
Re: (Score:2)
Hmm, the only problem is that an old Dell uses ten times more power than a little ARM based router. Something like a $30 Raspberry Pi with Raspbian may be a better idea for a home router.
More generic old x86 hardware does a little better. Underclock the processor, make sure power management is enabled, and replace the mass storage with solid state storage.
The problem with ARM is finding something which has 2 or more *real* Ethernet ports for a reasonable price and none of them will have ECC memory. Low end x86 which can include ECC is a lot more flexible and still economical even for power.
The Marvell Espressobin looks interesting given its low price. Ha! It even has OpenWrt support but
So done w/ commercial routers (Score:2)
And this is why I finished with commercial router firmware.
First Tomato, then dd-wrt, now pfSense on custom hardware.
Re: (Score:2)
As anybody else with a clue is doing as well.
Re: (Score:2)
I have a clue; I have managed enterprise class routers and firewalls and been using Linux since 1995, and I use a Netgear router at home. Their no-cost integration with OpenDNS for content filtering and anti-malware protection is better than any open-source solution I have found. They also continue to provide security updates for years after the device is no longer for sale (the previous model was ~8 years old when I replaced it for better WiFi performance; it had had a firmware update about 3 months before I retire
Which open router software? (Score:2)
I'd like to replace my vendor supplied router with one running open software.
I'm just not sure which is considered the most current, or the pros and cons of the various distros.
* DD-WRT
* OpenWRT
* Lede
* Tomato (is that even still around)?
etc...
Suggestions? (Maybe I should make this an Ask Slashdot?)
Re: (Score:2)
That's a good option, but I'm looking for Wifi too... want to use *MY* wifi rather than the ISP's, in case they decide to do fun stuff like turning my wifi into a hotspot...
Re: (Score:2)
That's a good option, but I'm looking for Wifi too... want to use *MY* wifi rather than the ISP's, in case they decide to do fun stuff like turning my wifi into a hotspot...
There are some FreeBSD friendly Wifi adapters but much better for both features and RF propagation is to use dedicated indoor access points like something from Ubiquiti.
Re: (Score:2)
First, check the patch history to see what is currently maintained. Then select the one of the remaining ones where you like the interface best.
Re: (Score:2)
DD-WRT is generally pretty solid and is available on a far greater number of routers.
Tomato is my personal favorite, not the least of which because it does ad blocking at the router level and is a bit better with VLANs than DD-WRT.
OpenWRT isn't my favorite, but it's gotten a lot better recently. I was particularly happy that it's available for some Cisco Meraki hardware. The least intuitive of the three IMO, but it does the job in lots of cases.
All of them have upstream updates from within the past three mo
Re: Backdoor found in 20 year old router (Score:2)
I knew a guy who was running one 2 years ago. A far bigger problem than any built-in account was that he had the WiFi set up to use WEP, since that was the standard back when he first configured it.
Re: Backdoor found in 20 year old router (Score:2)
He wasn't in a rural area; he was in a heavily populated city. From his house I could pick up more than 20 other APs.
There are numerous known weaknesses in WPA, but it's nowhere near as insecure as WEP. I've never seen a WEP AP which couldn't be broken into in a matter of minutes. The amount of time it would take with WPA can vary wildly depending on numerous factors but will typically be much longer.
Web-Facing Control Panels (Score:2)
Why would you willingly expose even the most secure login page to the net if you didn't have to? Between bruteforce, backdoor accounts, overflow errors, URL manipulation, and yes, even the dreaded default password,
tl;dr: Why do you have your admin panel WAN-accessible in the first place? -_-
Re: (Score:2)
Why would you willingly expose even the most secure login page to the net if you didn't have to? Between bruteforce, backdoor accounts, overflow errors, URL manipulation, and yes, even the dreaded default password,
If you trust the hardware and software, which I would not for any commercial or consumer stuff, then you might expose a secure login to the router so that the firewall rules can be modified to allow incoming connections only from your current IP.
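The thread keeps returning to the same two points: the summary's only mitigation is to keep the admin panel off the WAN interface, and the comment just above allows it only from a single known source address. As an added example (not code from the article, from Kaspersky or from the OpenWrt project), here is a small audit script for an OpenWrt `/etc/config/firewall` that flags INPUT rules from the `wan` zone admitting TCP 22, 80 or 443 and reports whether each is pinned to a source IP. The sample config embedded in it is constructed for the example; the rule and zone semantics it relies on (a `rule` with `src` but no `dest` applies to the router itself; `dest_port` may be a single port, a space-separated set, a range or a `list`; `proto` defaults to tcp+udp) are OpenWrt's, while the port set and the output format are this script's own choices.

```python
"""Audit an OpenWrt /etc/config/firewall for rules that expose the router's
own admin services (SSH, HTTP, HTTPS) to the WAN zone.

Added example; not from the article, Kaspersky or OpenWrt. Logic rests on two
OpenWrt facts: a `config rule` with `src` set and no `dest` matches traffic
addressed to the router itself (INPUT), whereas a rule with `dest` forwards;
and `dest_port` may be '443', '80 443', '8000-8100' or a `list` of those.
"""
import shlex

ADMIN_PORTS = {22, 80, 443}  # ssh, http, https (this script's choice)


def parse_uci(text):
    """Minimal UCI parser. Each section -> {'type', 'name', 'v': {key: [vals]}}.
    `option` and `list` entries are both kept as value lists for simplicity."""
    sections, cur = [], None
    for raw in text.splitlines():
        parts = shlex.split(raw.strip())
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0] == "config":
            cur = {"type": parts[1], "name": parts[2] if len(parts) > 2 else None, "v": {}}
            sections.append(cur)
        elif parts[0] in ("option", "list") and cur is not None:
            cur["v"].setdefault(parts[1], []).append(parts[2] if len(parts) > 2 else "")
    return sections


def opt(sec, key, default=None):
    """First value of a key in a parsed section, or the default."""
    return sec["v"].get(key, [default])[0]


def expand_ports(specs):
    """'443' / '80 443' / '8000-8100' -> set of ints; empty specs -> empty set."""
    ports = set()
    for spec in specs:
        for tok in spec.replace(",", " ").split():
            lo, _, hi = tok.partition("-")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit_firewall(text):
    """Return the wan zone's INPUT policy plus every enabled WAN->router ACCEPT
    rule that admits an admin port. A rule with src_ips == [] is reachable
    from the whole Internet; one with src_ips is pinned to those addresses."""
    findings = {"wan_input": None, "rules": []}
    for sec in parse_uci(text):
        v = sec["v"]
        if sec["type"] == "zone" and opt(sec, "name") == "wan":
            findings["wan_input"] = opt(sec, "input", "DROP").upper()
        if sec["type"] != "rule" or opt(sec, "enabled", "1") == "0":
            continue
        if opt(sec, "src") != "wan" or "dest" in v:
            continue  # not an INPUT rule from the wan zone
        if opt(sec, "target", "DROP").upper() != "ACCEPT":
            continue
        proto = opt(sec, "proto", "tcp udp").lower()  # OpenWrt's default
        if "tcp" not in proto and proto not in ("all", "any"):
            continue
        specs = v.get("dest_port", [])
        hit = ADMIN_PORTS if not specs else ADMIN_PORTS & expand_ports(specs)
        if hit:
            findings["rules"].append({"name": opt(sec, "name") or sec["name"] or "<unnamed>",
                                      "ports": sorted(hit), "src_ips": v.get("src_ip", [])})
    return findings


# Constructed sample config (not from any real device): one rule wide open,
# one pinned to a single source address, one that is LAN-only.
SAMPLE_FIREWALL = """
config zone
    option name 'wan'
    option input 'REJECT'
    option forward 'REJECT'
config rule
    option name 'Allow-LuCI-from-anywhere'
    option src 'wan'
    option proto 'tcp'
    option dest_port '443'
    option target 'ACCEPT'
config rule
    option name 'Allow-SSH-from-office'
    option src 'wan'
    option dest_port '22'
    list src_ip '203.0.113.7'
    option target 'ACCEPT'
config rule
    option name 'Admin-from-LAN'
    option src 'lan'
    option dest_port '80 443'
    option target 'ACCEPT'
"""

if __name__ == "__main__":
    report = audit_firewall(SAMPLE_FIREWALL)
    print("wan zone INPUT policy:", report["wan_input"])
    for r in report["rules"]:
        scope = ", ".join(r["src_ips"]) or "ANY SOURCE (exposed to the Internet)"
        print(f"{r['name']}: ports {r['ports']} from {scope}")
```

Run it against a real config with `ssh root@router cat /etc/config/firewall | python3 audit.py` (swapping `SAMPLE_FIREWALL` for `sys.stdin.read()`). A wan zone whose `input` policy is `ACCEPT` is a finding on its own, whatever the rules say; and a rule that passes the check only because it carries a `src_ip` is still a WAN-facing login page, so the fix the comment above describes reduces the exposure rather than removing it.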
And that is why Kaspersky is outlawed in the USA (Score:1)
They are too good at finding US backdoors in US products.
But we don't trust Kaspersky! (Score:2)
Kaspersky is a shill of the Russian government right?
We don't trust anything they say!
So, what's the login ? (Score:1)