Lacklustre security on D-Link 850L and DWR-932B

Another day, another shocking firmware implementation on a consumer grade router. Security researcher Pierre Kim has done some analysis on two of D-Link's home router products and found them distinctly lacking. Indeed, the results were so bad that he recommended they be disconnected from the internet. His initial experience with D-Link was back in September 2016 with the DWR-932B. He was actually investigating routers from Taiwanese manufacturer Quanta Computer, and after publishing findings for their LTE QDH router was referred to D-Link by a colleague who noted they were similar.

Digging into the DWR-932B he found the router “overall badly designed with a lot of vulnerabilities”. 9 distinct categories of vulnerabilities were found, including backdoor accounts (admin/admin, and root/1234) available via SSH or Telnet, a hardcoded default WPS PIN (WPS is used for connecting to the router’s WiFi network) which is the same on every router, multiple vulnerabilities in the HTTP daemon, hardcoded credentials for the Firmware Over the Air service, full read/write access to the file system, and no restrictions on UPnP, allowing clients to create port forwards to other devices on the network.

On this occasion Pierre attempted to responsibly disclose the issues to D-Link, and while they did initially acknowledge them, they subsequently failed to provide any timeline for an update. When a patch did eventually drop after the issues were published, it was found to be less than comprehensive. The researcher took a look at the updated firmware in February 2017 to see if the issues had been addressed correctly. Unfortunately, while several were fixed, the backdoor issues remained, still allowing full root access to the device from the internet, and leading Kim to make his fairly drastic recommendation.

Following the reaction from D-Link and the lack of quality of the security patches, I finally advise users to trash their affected routers and I encourage security researchers to review security patches provided from D-Link instead of blindly trusting them.
— Pierre Kim

In September of 2017, Kim took a look at the 850L MyCloud router as part of a security research contest. This unit uses the MyDlink Cloud Service to provide remote access to your home network, and as you can imagine, the results were similarly catastrophic.

In total, 10 categories of vulnerabilities were found across the two versions of the router available at the time, the RevA and RevB variants. These include such things as unsigned firmware with only a hardcoded encryption password in RevB (RevA had no protection), authentication cookies exposed through several cross-site scripting vulnerabilities, abuse of the unauthenticated MyDlink registration page to capture the device admin password in clear text, a hardcoded telnet account with root access, a passwd file stored in clear text with open read permissions, a DHCP client vulnerable to several command injection attacks, and so forth.

Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused.
— Pierre Kim

Interestingly, given the previous lacklustre response from D-Link, Kim opted to publish these in full without contacting them first. That's generally considered bad form in the white hat business, but he notes it had the desired effect. On the 21st of September Kim reported that a firmware update had been released, far quicker than for the DWR-932B issues. Of the 18 exploits he found, D-Link acknowledged 14 in their security announcement regarding the update, and he verified that 7 of those were fixed. Admittedly some of the exploits were not tested due to time constraints, but Kim did note that a private key issue was resolved by generating a new encryption certificate on the fly, self-signed by the router. This brings into question the security of the cloud service as a whole.

These issues are serious, and any one of them allows the router itself to be totally compromised, giving an attacker unfettered access to the owner's home network and potentially anything else connected to it. Even if other devices on the internal network are not targeted, being able to modify the firmware allows an attacker to intercept and decrypt all traffic between the home and the internet, redirect legitimate sites to malevolent clones, or inject malware into the network traffic.

While Kim was 'pleasantly surprised' at the much faster response the second time around, the fact remains that a number of serious issues were not fixed, or even acknowledged as issues by D-Link. What is more concerning is the frequency and severity of these issues in the first place, which speaks to a general lack of attention, competence or care factor when it comes to building secure firmware for such a critical security device in people's homes. This is all too common from low cost commodity manufacturers whose only concern is rushing out products as cheaply as possible. To be fair, D-Link does actually release updates when these issues are reported, which is more than many of these commodity companies do. Still, these investigations only covered two of D-Link's many products. It is likely that this is just the tip of the iceberg.

My own experience with D-Link products has left a bitter taste, with lacklustre reliability, substandard performance, and now egregious security exposure to top it off. The best advice would seem to be "Friends don't let friends do D-Link".