A simple mistake by networking gear manufacturer D-Link could have opened the door for costly damage.
Private keys used to sign software published by D-Link were found in the company’s open source firmware packages. While it’s unknown whether the keys were used by malicious third parties, the possibility exists that they could have been used by a hacker to sign malware, making it much easier to execute attacks.
A Dutch technology website called Tweakers (translated via Google Translate) was alerted to the problem by one of its readers who had purchased a D-Link DCS-5020L security camera and downloaded the firmware from the manufacturer. The reader found not only the private keys, but also passphrases needed to sign the software. Tweakers turned it over to Dutch security firm Fox-IT, which confirmed the findings.
“I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,” Fox-IT researcher Yonathan Klijnsma told Threatpost. “The version above and below the specific package did not contain the folder in which the code signing certificates resided. A simple mistake of folder exclusion as far as I could see.”
Klijnsma said he found certificates not only from D-Link but also from Starfield Technologies, KEEBOX Inc., and Alpha Networks. All of the certificates have since expired or been revoked. The D-Link cert, however, was published on Feb. 27 and was exposed more than six months before it expired Sept. 3.
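The leak described above came down to a signing folder that was not excluded from one version of a published source package. A pre-publish check that scans a source tarball for private-key material is the kind of control that catches this; the following is an added example, not code from D-Link, Fox-IT or Tweakers, and the package contents it scans are constructed for the demonstration.

```python
import io
import re
import tarfile

# Text markers for private keys in PEM form (PKCS#1, PKCS#8, EC, OpenSSH).
PEM_KEY_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED |OPENSSH )?PRIVATE KEY-----"
)
# File suffixes that commonly hold keys or PKCS#12 bundles (e.g. .pfx).
KEY_SUFFIXES = (".pem", ".key", ".pfx", ".p12", ".pvk", ".jks")
MAX_READ = 1 << 20  # inspect at most the first 1 MiB of each member

def scan_package(data: bytes) -> list:
    """Return (member_name, reason) pairs for suspicious files in a .tar.gz."""
    findings = []
    with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            name = member.name
            if name.lower().endswith(KEY_SUFFIXES):
                findings.append((name, "key-like filename"))
            f = tar.extractfile(member)
            if f is None:
                continue
            if PEM_KEY_RE.search(f.read(MAX_READ)):
                findings.append((name, "PEM private key block"))
    return findings

def build_sample_package() -> bytes:
    """Constructed sample: a tiny source tree with a stray signing folder."""
    files = {
        "src/main.c": b"int main(void) { return 0; }\n",
        "signing/vendor.pfx": b"\x30\x82\x04\x00constructed-p12-bytes",
        "signing/vendor.key": (b"-----BEGIN RSA PRIVATE KEY-----\n"
                               b"MIIE...constructed...\n"
                               b"-----END RSA PRIVATE KEY-----\n"),
        "README": b"firmware sources\n",
    }
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_package(build_sample_package()):
        print(f"{name}: {reason}")
```

A release pipeline would fail the build when the scan returns any finding, rather than leaving it to a reader of the published package to notice.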
“As this is a file you don’t really want to leak, I wouldn’t say it’s that easy to find one of these,” Klijnsma said.
Leaking a legitimate code-signing certificate has potentially serious consequences. The use of stolen digital certificates is a common tactic among malware authors and attackers looking for a way to get their code past security systems. Many security technologies will trust files that are signed and let them pass.
Many APT groups have made use of lost or stolen certs to sign malware used in targeted attacks, and underground services offering code signing to other criminals exist as well. For example, the Destover wiper malware used in the attacks against Sony Pictures Entertainment was signed using a certificate stolen from Sony. A similar tactic was used by the attackers behind the Duqu 2.0 APT campaign, which used a cert stolen from a Chinese technology manufacturer to sign malware.
Klijnsma said there’s no way to tell from the initial investigation whether the D-Link certificate was abused.
“Investigation through malware samples on services like VirusTotal could conclude this but of course not all malware is on VirusTotal; it first has to be found,” he said.