D-Link Router Backdoor

Several versions of D-Link router firmware contain a backdoor. Just set the browser's user agent string to "xmlset_roodkcableoj28840ybtide," and you're in. (Hint, remove the number and read it backwards.)

It was probably put there for debugging purposes, but has all sorts of applications for surveillance.

Good article on the subject.

EDITED TO ADD (11/14): There are open-source programs available to replace the firmware.
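As an added example (not from the post and not D-Link's code), a small check that flags HTTP requests carrying the User-Agent value quoted above, run over a few constructed access-log lines; the Apache/nginx combined log format, the IP addresses and the paths are assumptions, and the log would come from a proxy or sensor in front of the management interface rather than from the router itself.

```python
import re
from typing import Dict, List, Optional, Tuple

# User-Agent value quoted in the post for the D-Link backdoor.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" access log format (assumed for the sample lines below):
# ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_backdoor_ua(ua: str) -> bool:
    """True when the whole User-Agent value is the backdoor string (case-insensitive, trimmed)."""
    return ua.strip().lower() == BACKDOOR_UA

def find_backdoor_requests(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (client ip, timestamp, request line) for every request that used the backdoor User-Agent."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None and is_backdoor_ua(rec["ua"]):
            hits.append((rec["ip"], rec["time"], rec["req"]))
    return hits

# Constructed sample log lines (RFC 5737 documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [18/Oct/2013:12:03:00 +0000] "GET /index.htm HTTP/1.1" 200 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '192.0.2.10 - - [18/Oct/2013:12:03:05 +0000] "GET /admin HTTP/1.1" 200 4096 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [18/Oct/2013:12:04:00 +0000] "GET /login.htm HTTP/1.1" 401 0 "-" "curl/7.22.0"',
    'not a log line at all',
]

if __name__ == "__main__":
    for ip, when, req in find_backdoor_requests(SAMPLE_LOG):
        print(f"backdoor User-Agent from {ip} at {when}: {req}")
```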

Posted on October 18, 2013 at 12:03 PM • 37 Comments

Comments

NobodySpecial • October 18, 2013 12:58 PM

My god they're using secret backwards language - the fiends.
Now we will have to - Itchsway otay igpay atinlay

Douglas2 • October 18, 2013 1:24 PM

Am I correct in recalling that the consumer D-Link routers are particularly compatible with open-source router firmware of the likes of DD-WRT?

Scott • October 18, 2013 1:24 PM

This is probably one of the biggest problems with closed source; people just assume that once it is compiled, no one is going to be able to read it. If all developers assumed everyone has access to the source code, then most software would be at least marginally more secure. For example, instead of comparing plaintext, you would be limited to comparing a hash of the plaintext (which is ideally a long random text) or using a client certificate.

Alex • October 18, 2013 2:09 PM

At least igpay atinlay ostmay isn'tay easay orfay la NSA ootay useay automateday ogramspay ithway.

Of course, you could probably just use Esperanto since no one's ever heard of it and even fewer have used it.

Herman • October 18, 2013 2:17 PM

There is a little utility on UNIX systems called 'strings'. It provides a simple way to look for text strings in binary files. Sometimes, a 'secret' login and password is sitting right there in the open.
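Added example, not Herman's code: a minimal Python equivalent of `strings` run over a constructed byte blob standing in for a firmware image, followed by a keyword check that also tries each string reversed, since the string in this post is stored backwards and a plain grep for "backdoor" would miss it. The keyword list and the sample bytes are assumptions.

```python
import re
from typing import List, Tuple

MIN_LEN = 4  # GNU strings prints printable runs of at least 4 bytes by default

# Substrings worth a second look when auditing a firmware image (assumed list).
SUSPICIOUS = ("passw", "backdoor", "admin", "debug", "secret", "root:")

def extract_strings(blob: bytes, min_len: int = MIN_LEN) -> List[str]:
    """Return every run of at least min_len printable ASCII bytes, in file order (like `strings`)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]

def flag_suspicious(found: List[str], keywords=SUSPICIOUS) -> List[Tuple[str, str, str]]:
    """Match each string, and its reversal, against the keywords.
    The third field records which direction matched, so a string stored backwards
    (as in this post) is still reported."""
    flagged = []
    for s in found:
        low = s.lower()
        rev = low[::-1]
        for kw in keywords:
            if kw in low:
                flagged.append((s, kw, "forward"))
                break
            if kw in rev:
                flagged.append((s, kw, "reversed"))
                break
    return flagged

# Constructed stand-in for a firmware image: non-printable padding around a few ASCII strings.
SAMPLE_BLOB = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 6
    + b"User-Agent\x00" + b"\xff\x10"
    + b"xmlset_roodkcableoj28840ybtide\x00" + b"\x00\x01\x02"
    + b"ok\x00" + b"admin\x00" + b"\x90" * 4 + b"/bin/sh\x00"
)

if __name__ == "__main__":
    found = extract_strings(SAMPLE_BLOB)
    for s, kw, direction in flag_suspicious(found):
        print(f"{s!r}: matches {kw!r} ({direction})")
```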

Brian M. • October 18, 2013 3:11 PM

After reading about the backdoor, I decided to use it as an excuse to upgrade my (very old) DLink to something else.

So I bought a Cisco. I'm absolutely sure there isn't a backdoor.

Now everything I do is automatically scanned, and forwarded to Maryland and Beijing.

Isn't the improvement wonderful?

Elemecca • October 18, 2013 3:11 PM

@Some_Guy_In_A_Diner:

At a guess, either an issue number from a bug tracker or a commit number from a source-control system.

Stanislav Datskovskiy • October 18, 2013 3:41 PM

All stock Verizon FIOS routers include a manufacturer back-door, plain as daylight on port 4567. Password is derived from the unit's serial number. The back-door cannot be disabled (unless one were to come up with a patched firmware blob.)

But since this one is for the "lizard men" only, it apparently isn't newsworthy.

routers • October 18, 2013 3:46 PM

A good place to get open routers and firewall boxes is the recommended hardware vendors on the pfSense and m0n0wall websites. Soekris you can load OpenBSD on as well.

JoeNotCharles • October 18, 2013 4:01 PM

Douglas2: You are correct. I upgraded my D-Link router to dd-wrt not long ago.

Really, that's the fix for this security issue. There's no reason for anyone to run D-Link's default firmware: dd-wrt has more features (dnsmasq!) and is more secure.

Okian Warrior • October 18, 2013 4:24 PM

@Douglas2: There are several open-source platforms which replace the native firmware in a router. DD-WRT and OpenWRT are the most popular, and others exist:

http://www.infoworld.com/d/networking/review-6-slick-open-source-routers-206810

Both DD-WRT and OpenWRT are compatible with D-Link routers, but check their respective "compatible hardware" lists for your specific model.

DD-WRT uses the "Cathedral" model, where the source code is available but only the project maintainers can add code (I believe this is correct).

OpenWRT uses the "Bazaar" model, where anyone can add drivers and features to the project.

I'm just starting a router project that requires source-code modification using OpenWRT. You can kinda figure out the web interface if you know how to do network configuration (i.e. Shorewall in Linux), but pray you don't need to do anything unusual because the documentation is sketchy at best. For example, I spent about 6 hours thinking that I had bricked my router because the "recover factory defaults" documentation didn't match the actual code behaviour.

The DD-WRT "compatible hardware" list shows several router models (that I have) that OpenWRT does not have, leading me to believe that DD-WRT is compatible with more models than OpenWRT.

Alain from Switzerland • October 18, 2013 4:30 PM

The first Google hits for "28840" are for an electrical connector, which would make sense: That special User-Agent header is some sort of "virtual connector" and the number is in the middle of the string.

Bauke Jan Douma • October 18, 2013 4:34 PM

xmlset_roodkcableoj28840ybtide in reverse is

editby04882joelbackdoor_teslmx

now that looks more revealing.

bjd

Scott • October 18, 2013 4:45 PM

My guess is that 28840/04882 is the employee ID number for Joel, probably used as part of the user name for source control.

Godel • October 18, 2013 6:48 PM

Heh.

"SE researchers have discovered critical security vulnerabilities in numerous small office/home office (SOHO) routers and wireless access points. We define a critical security vulnerability in a router as one that allows a remote attacker to take full control of the router's configuration settings, or one that allows a local attacker to bypass authentication and take control.

This control allows an attacker to intercept and modify network traffic as it enters and leaves the network.

All 13 routers evaluated can be taken over from the local network
4 of these attacks require no active management session.
11 of 13 routers evaluated can be taken over from the WAN
2 of these attacks require no active management session."

http://securityevaluators.com//content/case-studies/routers/soho_router_hacks.jsp

There is additional information and a PDF report at the site.

65535 • October 18, 2013 8:08 PM

Looking at the /dev/ttys0 dot com article by devttys0, "Reverse Engineering a D-Link router", and the replies, which say that John Lee is the CEO of Alpha Networks, which supplies some source code for D-Link routers.

http://www.alphanetworks.com/_english/04_ir/00_overview.php

It does appear that the back door works and does bypass the Admin password. Some posters have used the Shodan search engine. Here is one reply in /dev/ttys0's article:

“WOW,
“really works..
“tested against one of the ip listed in shodanHQ!”

I will say that the Shodan search engine is revealing. It may actually be used by the NSA. I wonder if it can be used to locate NSA routers?

Now, let's start listing all of the routers with back doors. Anybody care to add a second router to the list?

65535 • October 18, 2013 9:03 PM

It was right in front of me. Tenda router has a back door and can be added to the list - but with a caveat. You can only access the router on the LAN or via its wireless, and you have to crack the WPS password.

[devttys0]

“One teensy-weensy, but ever so crucial little tiny detail is that the backdoor only listens on the LAN, thus it is not exploitable from the WAN. However, it is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting. My shiny new ReaverPro box made relatively short work of cracking WPS, providing access to the WLAN and a subsequent root shell on the router (they also ship with a default WPA key, which you might want to try first)…”

http://www.devttys0.com/2013/10/from-china-with-love/

Alain from Switzerland • October 19, 2013 1:50 AM

"The first Google hits for "28840" are for an electrical connector, which would make sense: That special User-Agent header is some sort of "virtual connector" and the number is in the middle of the string."

According to Google searches, MIL-C-28840 is a family of military connectors that delphi.com advertises in this PDF as "A high density, harsh environment connector designed to meet the most demanding environmental conditions and RFI/EMI shielding requirements."

This seems to be the same family of connectors as MIL-DTL-28840 by glenair.com, which a distributor here advertises as follows: "MIL-DTL-28840 connectors are the commonly used for shipboard applications and offers a high-density insert arrangement and high-shock performance. The MIL-DTL-28840 features RFI/EMI shielding, scoop-proof shells and corrosion-resistant materials and finishes."

According to Wikipedia, D-Link is a Taiwanese company, not a place where one would expect a civil software engineer to be aware of a military connector that seems to be mainly used on military ships?

Of course, this could very well be just a coincidence. :)

Alain from Switzerland • October 19, 2013 1:57 AM

Other ideas for "28840":

Close to the old 28.8k modem speed, which is specified as 28800 in V.34?

Maybe a date if read backwards 04828: 2004-08-28?

Maybe the date would make most sense:

"Edit by (2004-08-28) Joel Backdoor"

Vandelay Industries • October 19, 2013 2:04 AM

Verbose checking for possible malware strings:

grep -aRPno --text --binary-files=text "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" fileordirectoryhere

Less verbose when checking, often provides the answer, "matches" instead of printing out text (see above --text option)

grep -RPn "(passthru|shell_exec|system|base64_decode|fopen|fclose|eval)" fileordirectoryhere

Binary file:
strings filename | grep -i whateveryouwanttofindhere (see top search options above in 'Verbose')

Mike the goat • October 19, 2013 4:55 AM

Stanislav: absolutely. There's a proprietary spec for their "cable customer management" system too. Very reassuring.

Tony: yes... I didn't follow your link (on my cell and it is dog slow) but I assume you are speaking of the 10 digit hex WiFi key being derived from the SSID. Their first fix involved simply changing the default SSID suffix to be random but they forgot that you can query the serial number via WPS. Their "fix" even on their newer (now Technicolor) routers isn't much better.

The problem they had was that they wanted to avoid flashing individual firmware onto each router with differing keys. So on many modems it is derived from the MAC or single board PC serial ID (via cpuinfo); often it's just combined with an arbitrary string and SHA'd and the first 10 chars become the key. Security, huh?

04882 also indirectly alludes to Star Trek • October 19, 2013 5:57 AM

04882 is apparently also the model # of Revell's plastic model of Star Trek's U.S.S. Enterprise NCC-1701 INTO DARKNESS.

So many possible explanations! :)

Melvin • October 19, 2013 6:54 AM

When Schneier was talking about the NSA, "if they want in, they're going to get in," that most likely has to do with these hardware-based backdoors.

Bauke Jan Douma • October 19, 2013 3:37 PM

Very nice all this.
But -- where's the shamelist wherein we can place D-Link?
Just asking.

Alain from Switzerland • October 20, 2013 3:35 AM

Still looking for the most plausible explanation for the choice of the string "editby04882joelbackdoor".

Normally, as a developer you would not put something into your code that you would yourself consider a backdoor, and if you did, you would not label it as such and on top of that put your own name there, plus maybe even some additional identification, like the number "04882"/"28840" (bug number? employee id? internal phone number? etc.). Especially not in a mass product.

Bruce Schneier wrote "It was probably put there for debugging purposes [...]". Maybe initially, but as update #1 at the original article states: "The ever neighborly Travis Goodspeed pointed out that this backdoor is used by the /bin/xmlsetc binary in the D-Link firmware. After some grepping, I found several binaries that appear to use xmlsetc to automatically re-configure the device’s settings (example: dynamic DNS). [...]". So maybe "Joel" simply forgot about it instead of later changing the string? Seems that as long as the string is only used from within the firmware, changing the string would have been easily possible, right?

Plausible deniability because the hypothesis that "a backdoor for internet access was put there intentionally" does not logically add up? Hanlon's Razor? Maybe just not aware that the backdoor could be used from the internet?

Still puzzled...

c • October 21, 2013 11:11 AM

Maybe the author of this string is not Joel, but rather is telling us who to blame for the backdoor. Joel Backdoor could be a reference to a Joel who requested the backdoor, and has a history of such requests.

Dirk Praet • October 21, 2013 5:46 PM

Rather predictable. The same principle applies for every SOHO router: get rid of the original firmware and replace it with DD-WRT/OpenWRT the moment you unpack it. Check for compatibility before buying.

@ NobodySpecial

Now we will have to - Itchsway otay igpay atinlay

Real geeks who want to feel powerful by putting in backdoors just for themselves do ROT13. This seems to indicate that it was put there either by a manager or an engineer leaving a subtle hint as to the origin of its presence.

bob • October 24, 2013 7:31 AM

I have a Belkin router. Every now and then it randomly hijacks my internet connection and sends me to the Belkin home page, just in case I want to buy some more stuff from them (Pay money to get more of this behavior? Absolutely! And while you're at it, raise my taxes to pay for more NSA please!) instead of doing my online banking or newsreading or pr0nsurfing or whatever it was I originally had in mind when I fired up my browser.

I've often wondered if that's all they were doing, or were they copying my transactions as well.

Chris • October 28, 2013 4:13 AM

Revell is a company name that made the operating system for these D-Links? I think I read that somewhere else and got onto the Star Trek track pretty quickly afterwards.

However, Revell is also a company making Star Trek stuff.
Joel is of course the editor of Star Trek, "Joel Goldsmith".
This is of course my own idea but it makes kind of sense,
since HAL is IBM etc. Star Trek computer humour.

04882 European Release Only 2013 USS Enterprise
04881 European Release Only 2011 Klingon D7
04880 European Release Only 2011 USS Enterprise
04813 European Release 1997 Kazon Torpedo
3608 US Release 1997 Kazon Torpedo
05780 European Release 1997 Voyager
3607 US Release 1997 Voyager
04810 Europe Rerelease 2009/1995 Kazon Raider
06901 Europe 1996 Kazon Raider
04801 Europe 1995
3606 US 1995

And so on...
04809
06902
04809
3605
04801
3612
06900
04801
3604

But another person already touched the Revell/Star Trek track...

//chris

Photo of Bruce Schneier by Per Ervland.

Schneier on Security is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc..