Some models of the popular routers made by
D-Link contain a “backdoor” which could allow a remote attacker access
to settings and private data, a researcher has warned.
At time of writing, D-Link has not responded to the post by
researcher Craig Heffner, and has not issued a patch for the backdoor.
Craig Heffner, a security researcher, and former employee
of the National Security Administration, claims that the backdoor
appears to have been placed deliberately – and could allow attackers
access to unencrypted data.
Heffner says
on his blog, “You can access the web interface without any
authentication and view/change the device settings.” All an attacker
needs to do is change their user agent string to
“xmlset_roodkcableoj28840ybtide”, and no password is required, Heffner
says. The reason Heffner suspects it was left deliberately is that the
string appears to be signed by “Joel”.
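
For defenders, an added example (not from Heffner's post or from D-Link): a Python check that scans HTTP access logs for the user agent string quoted above and groups the matching requests by source address. It assumes Combined Log Format lines from a proxy or network sensor in front of the router's web interface; the function name, sample lines and paths are constructed for illustration.

```python
import re
from collections import defaultdict

# User agent value the article reports as bypassing authentication.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Assumed input: Combined Log Format
# ip ident user [time] "request" status bytes "referer" "user-agent"
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?:[^"\\]|\\.)*" "(?P<ua>(?:[^"\\]|\\.)*)"$'
)

def find_backdoor_requests(lines):
    """Map source IP -> list of requests that carried the backdoor user agent."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m is None:
            continue  # not in the assumed format; ignore rather than guess
        # Substring, case-insensitive match so padded or re-cased values are
        # still reported (a detection choice, not a claim about the firmware).
        if BACKDOOR_UA in m["ua"].lower():
            hits[m["ip"]].append({
                "time": m["ts"], "method": m["method"], "path": m["path"],
                "status": int(m["status"]),
                # "-" in the user field means no credentials were presented.
                "unauthenticated_success": m["user"] == "-" and m["status"][0] in "23",
            })
    return dict(hits)

# Constructed sample lines (documentation IP ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:09:12:01 +0000] "GET / HTTP/1.1" 401 312 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    '198.51.100.7 - - [01/Jan/2024:09:13:44 +0000] "GET / HTTP/1.1" 200 5120 "-" "xmlset_roodkcableoj28840ybtide"',
    '198.51.100.7 - - [01/Jan/2024:09:13:52 +0000] "POST /settings HTTP/1.1" 200 88 "-" "xmlset_roodkcableoj28840ybtide"',
    '192.0.2.10 - admin [01/Jan/2024:09:15:30 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64)"',
    'this line is not in the expected format',
]

if __name__ == "__main__":
    for ip, reqs in find_backdoor_requests(SAMPLE_LOG).items():
        for r in reqs:
            print(ip, r["time"], r["method"], r["path"], r["status"],
                  "UNAUTH-OK" if r["unauthenticated_success"] else "")
```

A hit with `unauthenticated_success` set means a request with no credentials in the log record received a 2xx or 3xx response, which is the behaviour the article describes.
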
The code which could allow access was found on a Russian
cybercrime forum, according to Heffner, which suggests it has been known
about for some time, according to a report by PC World.
Commenters on Heffner’s site claimed to have tested the
vulnerability successfully, which affects models including IR-100,
DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 units, as well
as some routers from Planex and Virgin Media, according to The Register.
Heffner used the search engine Shodan to find affected
models – a search engine which allows users to “find” connected
appliances such as routers and fridges.
“My guess is that the developers realized that some
programs/services needed to be able to change the device’s settings
automatically,” Heffner wrote.
“Realizing that the web server already had all the code to change
these settings, they decided to just send requests to the web server
whenever they needed to change something.”
“The only problem was that the web server required a
username and password, which the end user could change. Then, in a
eureka moment, Joel jumped up and said, ‘Don’t worry, for I have a
cunning plan’!”
Earlier this year, Heffner found a vulnerability which could allow attackers to control security cameras – including those made by D-Link – which was shown off at the Black Hat conference in Las Vegas.
Heffner found “zero-day vulnerabilities” which would allow
attackers to control cameras made by D-Link, Trendnet, Cisco,
IQInvision, Alinking and 3SVision. Those are used in homes as well as
businesses, Heffner said.
Heffner described the scope of the vulnerabilities as allowing
“Hollywood-style” attacks – referring to the manipulation of video feeds
commonly seen in heist movies. “Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities,” Heffner said.