Vulnerability in many D-LINK routers called Joel's Backdoor patched: SSO Alert Priority Moderate
16 December 2013
A number of models of D-Link routers, which are commonly used for home and small business networks, were recently found to contain a ‘backdoor’, a deliberately added vulnerability potentially allowing access to the device, even if it is password protected.
You should update your router's firmware immediately if you use a D-LINK router. The models known to contain the backdoor are DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240. If you have a D-LINK router that is not one of the above models, you are advised to still update your firmware, as it is not currently known if other models are affected.
A router is a device that controls network activity and connects to your devices, such as computers or smartphones. These connections can be via a network cable (also called an Ethernet cable) or through a wireless connection. Routers can be configured to allow or disallow certain types of traffic, set your wireless password, control how computers can connect to the internet, and many other options. Configurations are performed through an administrator website, which is normally protected by a username and password. An example image of a router is shown below, but routers come in a very wide range of designs.
[Image: The D-LINK DI-774 Router]
The recently patched backdoor vulnerability is known as “Joel’s Backdoor” and is easy to exploit if the router can be accessed from the internet. The vulnerability could allow anyone on the internet to access your administrator website without the password by sending a specific phrase to the router. The phrase was discovered by reverse engineering, that is, by examining the contents of the code on the router. Such backdoors can be malicious, for example a disgruntled employee inserting the vulnerability so that they can exploit it later. This particular backdoor, however, appears to have been added for testing purposes and should have been removed before the router was sold. There does not appear to be any evidence of malicious intent behind this backdoor, but it can still be exploited by people with malicious intent.
Updating your firmware
Firmware updates are updates to the software built into hardware products and, much like ordinary software updates, they can be used to fix security problems that have been discovered. To address Joel’s Backdoor, D-LINK have provided a firmware update that fixes the issue.
Updating firmware is normally a straightforward process; however, the instructions need to be followed closely. A bad firmware update can render your device unusable and, in the case of a router, can disconnect all of your computers from the internet.
The firmware update can be found at D-LINK’s security advisory website. Use the instructions there to find your model number and hardware revision before applying the firmware update. Ensure you download the correct firmware for your model of D-LINK router.
The file that is downloaded from D-LINK is a zip file containing the update and instructions on how to update the firmware for your device. The procedure can vary from device to device, and the instructions need to be followed exactly. You will need to access your administrator panel to perform the update. By default, the address for the administrative panel is http://192.168.0.1, which you can open in a browser; however, your configuration may be different.
As stated before, instructions for updating firmware need to be followed exactly, as incorrectly updating a device can render it unusable. If you are unsure of a step, seek technical advice.
Securing your router
In addition to updating your firmware, you should also check for and disable Remote Management for your router. This step is recommended for most routers, not just D-LINK models. The instructions below are given for common D-LINK routers and may vary between brands and models.
Remote Management allows people to connect to your administrative panel from the internet, and is almost never needed for simple home networks. On D-LINK routers, navigate to your administrative panel (by default http://192.168.0.1) and click “Tools”. Then find the option for “Remote Management” and click “Disabled”. Then click the “Apply” button to confirm the setting.
Image credit: Sophos
When this option is disabled, only computers physically connected to the router through a network cable can access the administrative panel. If a vulnerability similar to the one explained in this alert were to be found in the future (or in a different router), disabling “Remote Management” would prevent people on the internet from exploiting it.
A recent article from security company Sophos outlined the flaw, and contains more information on how it works. This article also contains more information on how to disable Remote Management to secure your router. The exploit was originally described at the website /dev/ttyS0 in this article.
Stay Smart Online has more information on securing modems and routers and setting strong passwords. While the vulnerability explained in this alert bypasses the router's password, it is still important to set a strong password to resist password guessing.
The information provided here is of a general nature. Everyone's circumstances are different. If you require specific advice you should contact your local technical support provider.
Thank you to those subscribers who have provided feedback to our Alerts and Newsletters. We are very interested in your feedback and where possible take on board your suggestions or requests.
This information has been prepared by Enex TestLab for the Department of Communications ('the Department'). It was accurate and up to date at the time of publishing.
This information is general information only and is intended for use by private individuals and small to medium sized businesses. If you are concerned about a specific cyber security issue you should seek professional advice.
The Commonwealth, Enex TestLab, and all other persons associated with this advisory accept no liability for any damage, loss or expense incurred as a result of the provision of this information, whether by way of negligence or otherwise.
Nothing in this information (including the listing of a person or organisation or links to other web sites) should be taken as an endorsement of a particular product or service.
Please note that third party views or recommendations included in this information do not reflect the views of the Commonwealth, or indicate its commitment to a particular course of action. The Commonwealth also cannot verify the accuracy of any third party material included in this information.