Backdoor ids in D-Link DSL-3780 Home Broadband ADSL2+ router.

10 replies [Last post]
leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

For your convenience a copy of my blog entry from here:

http://andrewlindley.co.uk/2014/09/30/diary-on-needing-a-sledgehammer/

My disability apportions me a healthy dose of
randomness. Accordingly this weekend I had a firtle in my ISP provided
broadband home router and the GPL source bundle for it duly downloaded
from the manufacturer. There in and amongst the build configuration
files was the setup for two backdoor admin logins complete with
passwords in clear. A bit of testing proved they were extant in the
router as shipped.

So in search of what one is supposed to do about such things I
consulted the relevant pages at CERT.
'The vendor' they say. Of course there's no magic high priority
contact for security matters when it comes to home routers. Thus
after a journey involving an esupport website bug, the manufacturer's
10p/min support line referring me to my ISP, the first call I made to
my ISP being disconnected by someone who didn't seem to understand
what a security bug is, and another person who evidenced lack of
comprehension I finally ended up speaking to a manager in my ISPs
helpdesk router section.

He expressed patent disinterest and came up with a spurious logic
rationalisation for there being no need to fix it. I reached for the
sledgehammer of promising publicity if the matter was not pursued.
The result was a change of tack and some reassurances in a tone which
wasn't exactly convincing. Nor has anyone with a more appropriate
technical or security brief at the ISP subsequently contacted me to
confim they've received the report and are actioning it. I have,
therefore, little confidence that the matter is being dealt with
correctly.

Better name and shame then, the router is the D-Link DSL-3780 as
shipped by Talk Talk who were the ISP I spoke to. Technical details
of the vulnerability are available in response to signed GPG email.
My fingerprint is AB3F DF36 512E 1EE1 9055 A8C9 62C6 5508 B625
C793. Use the email address at this domain in the key.

rakyi
Offline
Joined: 05/09/2014

Thank you for taking action and telling people about it. It encourages me to do alike should a similar situation arise, despite the seemingly ignorant responses you have so far received.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

Thanks for the thanks. I would normally stick with the keep it confidential nature of proper security practice but I made a personal decision to break with that based on the balance of a number of factors in this case.

As to the rudeness, as I've subsequently blogged this is as much down to their folly in shipping a device containing free software and not thinking members of the free software community would contact them with patch reports - which is essentially what I did here. Their fault of course.

islander
Offline
Joined: 05/27/2013

Bruce mentions D-Link backdoors and offers links to articles:
https://www.schneier.com/blog/archives/2013/10/d-link_router_b.html

One such article in InfoWorld:
http://www.infoworld.com/article/2612384/network-router/backdoor-found-in-d-link-router-firmware-code.html

How to reverse engineer a D-Link backdoor:
http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

Use care if you decide to flash it with clean firmware. They sure do make expensive paperweights!

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

Thanks, I must admit when I did the research on this one I didn't
read absolutely everything to see if it was new, but I couldn't find any
record of these admin logins being known.

There're other outstanding security problems with this particular
model and many users will have a worse similar exposure from leaving
the completely daft default userid/password unchanged. So with the
rep of these things I thought it would be worth blogging what happens
when you contact the manufacturer's designated service agent (the ISP
in this case) telling them which lines in the GPL source bundle need
deleting. So far as per their reputation would be the summary.

Of course no sensibile person trusts the zone their telco CPE is in in
the first place. Accordingly I already had a replacement, which with
there being no libre ADSL2+ is the only ADSL2+ device compatible with
blobby WRT distros. The first of which has proven unreliable in use
as its a very long running beta (but that's very different from
insecure).

Watchingtheweasels
Offline
Joined: 09/05/2013

After doing a little reading, it would appear that Netgear, D-link, and Cisco have some sort of backdoor. If you're concerned about router security, I'm guessing DD-WRT or some other open source firmware is something to consider.

http://securityaffairs.co/wordpress/20941/hacking/netgear-linkys-routers-backdoor.html

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> After doing a little reading, it would appear that Netgear, D-link,
> and Cisco have some sort of backdoor. If you're concerned about
> router security, I'm guessing DD-WRT or some other open source
> firmware is something to consider.
>
> http://securityaffairs.co/wordpress/20941/hacking/netgear-linkys-routers-backdoor.html

Yes, it's DD-WRT I've tried and has proven unstable. I'm in the
process of loading OpenWRT on it now. It's a Buffalo WBMR-HP-G300H
[-EU is the submodel of this particular one]. It's now supported in
OpenWRT stable so I'm hopeful.

The recent history of this class of device, including some from this
manufacturer, having backdoors was a factor in why I decided to go public
with this.

axgb
Offline
Joined: 09/22/2013

What about the bug in GNU BASH? I dont think any of the manufacturers have fixed that.

jxself
Offline
Joined: 09/13/2010

Most routers don't run GNU BASH. Rather, they use BusyBox instead: https://en.wikipedia.org/wiki/BusyBox

They do this because BusyBos is much smaller than the GNU tools and, in embedded stuff, size is very important.

axgb
Offline
Joined: 09/22/2013

So cheap £40 routers are entirely unaffected? (obviously appart from backdoors.

leny2010

I am a member!

I am a translator!

Offline
Joined: 09/15/2011

> So cheap £40 routers are entirely unaffected? (obviously appart from
> backdoors.

As per the DD-WRT homepage, the bash bug doesn't impact a typical
router even when it's installed (which you can with community WRTs
like LibreCMC) because mostly there's no network facing use of bash.

To rehearse something I've said in another thread - for the purposes
of a typical Trisquel user, then the instruction has to be put all the
security patches on as and when they become available. However, 'pro'
security patch practice is quite different from that advice. Just
doing what the 'pros' do and not making a mess of it is something most
people don't have the knowledges, skills or time for. So, again, keep
putting those patches on... I do at home to save the time despite
being capable of doing otherwise.