A researcher who found a slew of vulnerabilities in a popular router said it’s so hopelessly broken that consumers who own them should throw them away.
Pierre Kim said attackers could easily exploit the vulnerabilities and use the device as a spamming zombie or a man-in-the-middle tool. “I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector,” Kim said.
The router, D-Link’s DWR-932B, suffers from 20 vulnerabilities, including a backdoor, backdoor accounts, and a default Wi-Fi Protected Setup PIN, to name a few of them.
Kim, who’s based in South Korea and has discovered his fair share of router bugs in the past, says the faulty D-Link router is still being sold in stores. Given the lack of vendor response, Kim doesn’t believe users shouldn’t expect a patch anytime soon.
The model is based on the Quanta LTE brand router; a device that Kim looked at last winter and also found riddled with vulnerabilities. Kim began looking into D-Link router after receiving a tip from Gianni Carabelli, a developer at the Italian e-commerce platform Triboo Group, that the routers were similar.
While Quanta ultimately decided not to fix the vulnerable router – it was plagued by similar flaws; backdoors, a hard coded SSH key, and remote code execution bugs – it’s unclear whether D-Link will address the issues in DWR-932B.
Kim broke down all of the vulnerabilities in a public advisory, which he forwarded to security mailing lists, on Wednesday.
According to Kim, both SSH and telnet run by default in the D-Link router. On top of that, two backdoor accounts, which can be used to bypass HTTP authentication, also exist. The router also suffers from default passwords – the password for admin is “admin” while the password for the root account is “1234.”
In addition to the backdoor accounts, a backdoor in the device’s software also exists. If an attacker sends a string, “HELODBG,” to the router’s UDP port, it allows root access in telnet.
The router also suffers from a hardcoded PIN in its Wi-Fi Protected Setup that can be gathered from the either the router’s App Manager program or its HostAP configuration tool, according to Kim. If for some reason an attacker didn’t want to use the hardcoded WPS PIN, they could easily generate their own temporary PIN. The algorithm the software uses is so weak that the researcher claims it’d be trivial for an attacker to generate valid WPS PIN suites and brute force them.
The credentials needed to contact the firmware’s over the air (FOTA) server, or access a dynamic DNS No-IP account, are also hardcoded, and the device’s HTTP daemon is also chock full of vulnerabilities, including two remote code execution bugs, Kim said.
The router’s UPnP permission rules are misconfigured, too. That means an attacker could forward traffic from the wide area network (WAN) to the local area network (LAN).
“For example, an attacker can add a forwarding rule in order to allow traffic from the Internet to local Exchange servers, mail servers, ftp servers, http servers, database servers… In fact, this lack of security allows a local user to forward whatever they want from the Internet into the LAN,” Kim writes.
The fact that the router has a “sizable memory” (168 MB) and free space (235 MB) could make it an enticing target for attackers, Kim warns, adding that it’d be fairly easy to exploit the vulnerabilities and use the device to host a sniffing, LAN hacking, or active MiTM tool.
While D-Link acknowledged the vulnerabilities in June, it never provided Kim with a timeline for fixing the issues. He gave the company 90 days to provide him with an update and published his findings this week after the time frame elapsed.
In the last correspondence it had with Kim earlier this month D-Link said it was encouraging customers with questions to contact their local support offices for further guidance.
When reached Thursday, a spokesperson from D-Link provided a statement, which said the company was looking into the vulnerabilities and clarified that the DWR-932B router is not sold in the United States.
“D-Link has been investigating this issue since it was reported and is addressing all reported vulnerabilities. Please note the DWR-932B is not sold in the U.S., and as this is a discontinued product, we ask customers to contact their local D-Link customer service and D-Link will exchange it for a different router. D-Link engineers are providing ongoing updates, and customers are advised to check with their local region for the latest information,” the statement reads.
Kim disclosed the vulnerabilities in the Quanta router after a lengthy back and forth with the company in April. Initially the company said it would take his findings into consideration for its next product.When pressed, the company said it wasn’t planning to patch the devices or offer workarounds, insisting it considered the devices in “working well” condition.
Last year, before he dug up the Quanta bugs, Kim identified vulnerabilities in routers made by Chinese telecom firms Huawei and Totolink.
Totolink eventually released new firmware updates to mitigate the issues but according to Kim the updated firmware images still contained a backdoor–it just wasn’t launched on startup. Huawei ultimately branded its routers as End of Service and urged users to replace any old, affected devices with newer versions.