Members of the embedded systems hacker collective /dev/ttys0 spend their time playing around with devices like home routers and set-top boxes.
They like to see what interesting facts these devices’ proprietary hardware and firmware might reveal.
Part of the hackers’ motivation is to get the devices to do things that the vendor may not have bothered to implement, thus improving their functionality.
And why not, if it’s your device that you bought outright with your own money?
But hacking on embedded systems can also help to improve security, or at least help others to avoid insecurity, by revealing and helping to fix potentially exploitable vulnerabilities that might otherwise lie dormant for years.
Indeed, in recent times, we’ve written repeatedly about security problems in consumer embedded devices.
We had a botnet that unlawfully mapped the internet by jumping around from router to router and taking measurements without permission.
We described a flaw that allowed attackers to force your router to open up its administration interface to the internet, something you would never normally do.
We’ve talked about how the Wi-Fi Protected Setup (WPS) feature, intended to improve security, typically makes your wireless access point easier to break into.
And we wrote up a widespread flaw in the way that many routers implement a popular system known as Universal Plug and Play (UPnP).
UPnP is a protocol that is supposed to make it easier to configure your system correctly, but may instead leave you open to the world.
You can probably guess where this is going: another security hole.
This one was found in the firmware of a number of D-Link routers – the author suggests at least the models DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240.
I’ll skip the details – you should read the original author’s analysis, since he did the hard yards to identify the flaw – and cut to the almost unbelievable conclusion.
If you browse to any page on the administration interface with your browser’s User Agent (UA) string set to a peculiar, hard-wired value, the router doesn’t bother to ask for a password.
→ Browsers send a User Agent string in the headers of every HTTP request. This is a handy, if clumsy, way to help web servers cater to the programmatic peccadillos of each browser.
Let’s be perfectly clear what this means: these routers have a hardwired master key that lets anyone in through an unsupervised back door.
“What is this string,” I hear you ask?
You will laugh: it is xmlset_roodkcableoj28840ybtide.
Geddit?
Ignore the xmlset, which probably just means “Configure Extensible Markup Language (XML) setting.”
Flip round the part after the underscore, in reversible-rock-music style, to get the hidden message:
Edit by 04882 Joel: Backdoor.
Can you believe it?
If you tell your browser to identify itself as Joel’s backdoor, instead of (say) as Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5, you’re in without authentication.
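As an added example (not code from the article, the original researcher or D-Link), the Python below does the reversal the article describes to expose the hidden message, and then scans web-server access-log lines for requests carrying that User-Agent so a defender can alert on or block them. The combined log format, the sample log lines and the `/admin.htm` path are assumptions constructed for the example.

```python
import re

# User-Agent value the article quotes as the hard-wired backdoor key.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Apache/nginx "combined" access-log format (assumed); the User-Agent is the last quoted field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample log lines (not from the article or any real device).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Oct/2013:10:00:00 +0000] "GET /index.htm HTTP/1.1" 200 1234 "-" '
    '"Mozilla/5.0 AppleWebKit/536.30.1 Version/6.0.5"',
    '198.51.100.7 - - [12/Oct/2013:10:00:05 +0000] "GET /admin.htm HTTP/1.1" 200 5678 "-" '
    '"xmlset_roodkcableoj28840ybtide"',
    'garbage line that does not parse',
]


def decode_hidden_message(ua: str) -> str:
    """Reverse the part after the underscore, as the article does, to expose the embedded text."""
    _, _, tail = ua.partition("_")
    return tail[::-1]


def is_backdoor_ua(ua: str) -> bool:
    """True if the User-Agent carries the backdoor key. Substring and case-insensitive on
    purpose: a padded or re-cased variant still trips the alert (looser than the firmware)."""
    return BACKDOOR_UA in ua.lower()


def find_backdoor_requests(lines):
    """Return one dict per log line whose User-Agent matches, ready for alerting or blocking."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparseable line: skip it rather than misread a field
        if is_backdoor_ua(m.group("ua")):
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "request": m.group("req"), "status": int(m.group("status"))})
    return hits


if __name__ == "__main__":
    print("hidden message:", decode_hidden_message(BACKDOOR_UA))
    for hit in find_backdoor_requests(SAMPLE_LOG):
        print("ALERT backdoor User-Agent from", hit["ip"], "->", hit["request"])
```

The same `is_backdoor_ua` check can sit in a reverse proxy or IDS rule in front of the management interface; a hit is only a symptom, and the real fix is a firmware update with the comparison removed.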
Fortunately, the administration interface isn’t accessible from the internet-facing port of these routers by default, which limits the exploitability of this vulnerability.
(If you have one of these models, check right now that you can’t access the management interface directly from the outside!)
This is a shabby feature to put in any product, let alone in a router that aims to provide at least some additional security.
It begs the question, “Why have Joel’s code there at all?”
A good guess is that the backdoor probably wasn’t put there to enable illicit surveillance, or for any other nefarious purpose, but as a favour to special-purpose D-Link software, so it could make configuration tweaks without needing a password.
Or it was put in to save time in development and debugging, but never taken out again.
Sadly for the world, though, 04882 Joel made it easy for anyone at all to make configuration tweaks without needing a password.
For the second time this year, we’d therefore like to say, “Hardwired passwords were a design blunder back in the 1970s. In the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code.”
Here we see the evidence: it is the vendors of the firmware or software that put in backdoors and make these security flaws that make your computer and company vulnerable.
I agree.
"Hardwired passwords were a design blunder back in the 1970s. In the 2010s, they are simply unacceptable, so never succumb to the temptation to include them in your code."
Amen to that. I mean, jeez…if hardwired passwords were a blunder in the '70s (when most people didn't even have a computer, much less a router), today they constitute breathtaking stupidity. D-Link needs to fix this pronto.
How on Earth did they happen to find that URL string? Were they just randomly typing in different URLs? Sounds a bit unlikely, no?
Reverse engineering
Check the article…
The chap looked through the firmware, and noticed a function called "auth_check" (that text string was visible in the firmware binary data). So he decompiled it and noticed that at one point, the auth-check code was comparing data from the user's browser with the abovementioned "joelbackdoor" string (also visible in the firmware binary data).
That looked suspicious.
So he worked out exactly what was being compared to the "joelbackdoor" string, and realised it was the User Agent string. If they matched, then auth_check would succeed, just like that.
WHAT?!?!?!
Easy enough to verify what he'd found – set his User Agent to the "joelbackdoor" string, and, bingo. In with no password.
So, to answer your question, he found the string by looking around in the firmware for interesting data that was used in interesting parts of the code. And there it was 🙂
That's what happens when you buy the world's cheapest engineers…
…OK I get it, but what can we (end users) do about it?
Be sure the admin interface only listens on the inside (see screenshot), be sure your WiFi is secured and update the firmware once D-Link makes a fixed version available.
With security being the biggest threat on pretty much all computing devices, did they not think it would be found with all these thousands of hackers (legit and criminal)?
Come on guys, security is like the top thing that should be thought out, or does protecting users not come to mind?
Is it way too conspiracy-theory-ish of me to wonder if people like the mysterious Joel were hired (or swayed) by the NSA to implement such back doors, thereby opening up these devices to easier surveillance?
I doubt it in this instance, because simply blocking admin access on the external interface fixes this particular issue.
But it's sad that every time I read about a new vulnerability or exploit, my thoughts turn to, "I wonder if the NSA planted that one."
Gavin
I don't know about you but if I were to take part in some form of illicit activity I wouldn't plaster my name all over it.
My guess is it was a dev/testing feature that was forgotten about.
How do you know Joel ever existed? 😉 If it is an intentional backdoor, what better way to cover your tracks if it ever is discovered than to make it look like an accident?