Numerous D-Link Routers have Backdoor in Firmware

Security researchers have found that some D-Link Routers have a completely open backdoor that will allow an attacker full administrator access to the router without ever logging in.

On Saturday Craig from the /dev/ttyS0 website posted an in-depth overview of the backdoor that was found when specific router firmware was reverse engineered and analyzed.

The firmware analyzed was v1.13 for the DIR-100 revA. The firmware seems to be used in several different routers. A Shodan search shows that several thousand routers could be affected. But only those that have remote administration enabled seem to be critical.

The following routers could have the vulnerable firmware:

  • DIR-100
  • DIR-120
  • DIR-615
  • DI-624S
  • DI-524UP
  • DI-604S
  • DI-604UP
  • DI-604+
  • TM-G5240

And some Planex routers could also be vulnerable:

  • BRL-04UR
  • BRL-04CW

Not all of the firmware versions are susceptible.  But on those that are, all the attacker needs to do is set one setting in his browser and it will take them right to the router admin page without logging in!

Setting the browser user agent to “xmlset_roodkcableoj28840ybtide” and then browsing to a vulnerable D-Link router will give you full admin rights to the device.

dlink backdoor

The best way to stop this attack until D-Link releases a patch (later this month) seems to be to turn off remote management.

According to The Register, D-Link has promised to fix the problem by Halloween. Advice from D-Link and any updates can be found on D-Link’s support page.

But for now, turning OFF remote management is probably the safest (and smartest) option. Just go to your router setup and uncheck the box shown in the picture above. Check you user manual for directions.

One would have to wonder, why would a company put a backdoor into their product? Especially a product that is designed to keep intruders out.