A wireless router made by D-Link has nearly one dozen critical vulnerabilities, according to a report released by independent researcher Pierre Kim.
The bugs found are in D-Link’s model DIR 850L wireless AC1200 dual-band gigabit cloud routers and could allow a hacker to ultimately hijack the routers and take control of them.
The vulnerabilities range from a command injection bug, a flaw that allows backdoor access to the router, to the fact hardcoded encryption keys are stored on the device.
“The Dlink 850L is a router overall badly designed with a lot of vulnerabilities. Basically, everything was pwned, from the LAN to the WAN. Even the custom MyDlink cloud protocol was abused,” Kim wrote in his disclosure of the bugs on Friday.
D-Link did not return requests for comment for this story. Researcher Victor Gevers, founder of the GDI Foundation, used the Shodan search engine to estimate there are 94,155 D-Link 850L routers in use currently.
The report singles out two versions of the D-Link 850L router, revision A and revision B. The researcher said the vulnerabilities can be exploited both internally via the LAN and externally via the WAN by attackers who can ultimately intercept the internet connection and upload malicious firmware to the devices. That would allow an attacker to gain root privileges on the targeted router and control it remotely, leaving devices connected to the compromised router (such as webcams, laptops and IoT devices) susceptible to attack as well.
South Korea-based Kim has a long history of uncovering vulnerabilities in D-Link and other brands’ routers. Last year, he reported a slew of vulnerabilities in D-Link’s DWR-932B router, claiming the router was so hopelessly broken that users should throw it away. In February, he found flaws in TP-Link C2 and C20i routers that could lead to remote code execution on a device under certain conditions.
D-Link has a spotty history when it comes to device security. The company faces a complaint, filed in January, by the Federal Trade Commission alleging that the company neglects to adequately secure its wireless routers and IP cameras, potentially putting its customers’ data at risk.
The lawsuit, filed at the U.S. District Court for the Northern District of California, alleges among other things D-Link’s routers were plagued by command injection vulnerabilities that could let remote attackers take control over routers.
With this most recent disclosure, Kim said he published the flaws before D-Link could patch them, explaining that vulnerabilities he had reported to D-Link in the past were never addressed.
“Their previous lack of consideration about security made me publish this research without coordinated disclosure,” he wrote.
The flaws include a lack of firmware protection that allows a new firmware image to be “trivially forged” and uploaded to the router. He added that revision B firmware images come with a hardcoded password.
The doomed domain of D-Link.
94,155 D-Link 850L routers are exposed after a researcher made a full disclosure on its exploitable flaws. pic.twitter.com/3doHr1wG6o
— Victor Gevers (@0xDUDE) September 10, 2017
The LAN and WAN admin passwords for the routers are easily retrievable, something that could allow attackers to use the MyDLink cloud protocol and gain access to a targeted device. “The webpage http://ip_of_router/register_send.php doesn’t check the authentication of the user, thus an attacker can abuse this webpage to gain control of the device,” he wrote.
A serious cross-site scripting bug allows an attacker to easily steal a user’s authentication cookies and gain access to their device.
The weak MyDlink Cloud protocol does not include encryption by default. “It is only a basic TCP relay system. All the traffic is sent over TCP to a remote Amazon server without proper encryption,” he wrote.
The DIR 850L also has a backdoor that allows the third-party design manufacturing service (DMS) firm Alphanetworks to access the device, providing root shell access to the routers.
Private encryption keys are hardcoded inside both routers’ firmware allowing an adversary to perform an “SSL MitM” attack via HTTPS.
Yet another vulnerability, in the file “htdocs/parentalcontrols/bind.php”, allows an attacker to change the DNS configuration. “It doesn’t check authentication of the admin user… An attacker can use this vuln to forward traffic to a server he/she controls,” according to Kim.
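Both register_send.php and bind.php are described above as pages that act on a request without checking who sent it. The following is an added illustration of that flaw class and its fix, written for this article and not code from the router firmware or from Kim’s report; the Request and Router classes, the session layout and the sample DNS address are hypothetical.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Request:
    """A parsed HTTP request. `session` is what a valid auth cookie maps to;
    an unauthenticated caller gets an empty dict (hypothetical model)."""
    params: dict
    session: dict = field(default_factory=dict)


class Router:
    def __init__(self):
        self.dns = ["192.0.2.53"]  # constructed sample value, not a real config

    def bind_dns_unchecked(self, req: Request) -> int:
        """Vulnerable pattern: the handler trusts any caller that reaches the
        page, so an unauthenticated request silently rewrites the resolver."""
        self.dns = [req.params["dns1"]]
        return 200

    def bind_dns_checked(self, req: Request) -> int:
        """Hardened pattern: an admin session is required before any state
        changes, and the submitted value must parse as an IP address."""
        if req.session.get("user") != "admin":
            return 403  # reject before touching configuration
        try:
            addr = ipaddress.ip_address(req.params.get("dns1", ""))
        except ValueError:
            return 400  # not an IP address; refuse rather than store garbage
        self.dns = [str(addr)]
        return 200


if __name__ == "__main__":
    r = Router()
    anon = Request(params={"dns1": "203.0.113.9"})  # no session: unauthenticated
    print("unchecked:", r.bind_dns_unchecked(anon), r.dns)
    r = Router()
    print("checked:", r.bind_dns_checked(anon), r.dns)
```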
Weak file permissions and credentials stored in cleartext expose local files on both routers.
The internal DHCP client running on both D-Link 850L revision A and revision B routers is vulnerable to several command injection attacks, allowing attackers to gain root access on the devices.
Lastly, “it appears some daemons running in the routers (revA and revB) can be crashed remotely from the LAN. As it doesn’t provide further remote privileges to an attacker, this is only for information and was not detailed,” Kim wrote.
In lieu of a patch from the manufacturer, Kim said, “I advise to IMMEDIATELY DISCONNECT vulnerable routers from the Internet.”