News D-Link routers contain back-door code, claims researcher

Joel puts a hole in D-Link's security.
http://www.bit-tech.net/news/hardware/2013/10/14/d-link-back-door/1

 

Hah! I'd written 'edit' the first time around, then when I was giving the article a final scan-through before publication I automatically corrected the grammar without a second thought. Fixed, ta!

 

I've updated the article with a brief comment from D-Link announcing that it will be patching the back-door by the end of the month, which fails to actually address any of the questions raised. I've pressed for clarification.

 

Trufax, but there are clever backdoors - "let's stick a cryptographic public key in there, and if our private key knocks open up a hole" - and dumb backdoors - "hey, let's open a hole when someone uses a plaintext string that appears in our easily-analysed and publicly-available firmware files as their user agent. THAT WON'T GO WRONG AT ALL."

(Although, in D-Link's defence, it took a fair few years for anyone to publicise the vulnerability - which isn't to say it hasn't been discovered and exploited by ne'er-do-wells clever enough to keep their new toy quiet in the past, of course.)

 

D-Link has responded to my questions with a defence of the back-door code. There are still some outstanding issues to be addressed, however, including its apparent presence in DIR-615 routers - which aren't on the list of devices getting a firmware update it provided this morning.