pcworld.com reported recently about a backdoor in some D-Link router firmware. You should read the article. It works basically like this: routers require a username and password for authentication. On many SOHO (small office/home office) or personal routers, the username is often blank or there is a single user called ‘admin’ who does all the administration. Some of those routers allow the creation of users with different privileges, but those are generally more expensive. Higher-end enterprise or workgroup routers often have a more sophisticated scheme than just username/password. The SOHO routers are generally also Wi-Fi access points and may even be used as such in a larger corporate environment.
It seems someone creating the firmware for some D-Link routers (check the link to the story above to find out exactly which ones) decided that it would be nice to have “backdoor” access to the router: a way in without a password. Unfortunately, whoever made that decision chose to implement it by checking for a cryptic string in the HTTP User-Agent header. The user agent is the client software, normally the browser, used to “surf the web” or to access the router’s administration pages. Each browser sends a “User-Agent” string with every request to identify itself to the web server. The idea is that since different browsers behave differently, a web page can be crafted to display correctly on each one. On my everyday PC my User-Agent is “Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0”. The string reportedly chosen by the developer was “xmlset_roodkcableoj28840ybtide” (read the part after the underscore backwards and it spells “edit by 04882 joel backdoor”). If the browser, or any other piece of software, since the header is just text the client chooses to send, claimed to be that string, access was reportedly granted without a password, according to media reports. According to the pcworld.com article, the backdoor should be fixed by the end of October 2013 and the updated firmware available on the D-Link site.
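To make the mechanism concrete, here is an added example (it is not code from the original post and not D-Link’s firmware, which is written in C and is not reproduced here). It models the reported check, where a matching User-Agent skips authentication, next to a check that only honours the Authorization header, and then scans a constructed web-server access log for requests carrying the backdoor string. The credential store, the password, the IP addresses, the request paths and the log lines are all assumptions made up for the illustration; only the backdoor string itself comes from the article.

```python
# Added example, not from the original post or from D-Link's firmware.
# Models the reported user-agent bypass beside a check without it, and
# scans a constructed access log for the backdoor string.
import base64
import hmac
import re

BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"  # string reported in the article

# Hypothetical credential store; the router's real storage is not known here.
CREDENTIALS = {"admin": "correct-horse-battery"}


def basic_auth_header(user: str, password: str) -> dict:
    """Build the header a browser sends after answering a Basic auth prompt."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


def _basic_auth_ok(headers: dict) -> bool:
    """Validate an HTTP Basic Authorization header against CREDENTIALS."""
    value = headers.get("Authorization", "")
    if not value.startswith("Basic "):
        return False
    try:
        user, _, password = base64.b64decode(value[6:]).decode().partition(":")
    except (ValueError, UnicodeDecodeError):
        return False
    expected = CREDENTIALS.get(user)
    # compare_digest keeps the comparison time independent of where it differs
    return expected is not None and hmac.compare_digest(
        password.encode(), expected.encode()
    )


def vulnerable_is_authorized(headers: dict) -> bool:
    """Reported logic: the magic User-Agent grants access with no credentials."""
    if headers.get("User-Agent") == BACKDOOR_UA:
        return True
    return _basic_auth_ok(headers)


def hardened_is_authorized(headers: dict) -> bool:
    """Only the credential-carrying header can grant access."""
    return _basic_auth_ok(headers)


# Combined log format, as many embedded web servers write it (constructed).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)


def find_backdoor_requests(log_text: str) -> list:
    """Return (client ip, request line) for every hit on the backdoor string."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        # substring match: a client could pad the string with other text
        if m and BACKDOOR_UA in m.group("ua"):
            hits.append((m.group("ip"), m.group("req")))
    return hits


# Constructed sample log: one normal browser session around one backdoor hit.
SAMPLE_LOG = """\
192.0.2.10 - - [12/Oct/2013:20:11:02 +0000] "GET / HTTP/1.1" 401 0 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
198.51.100.7 - - [12/Oct/2013:20:11:09 +0000] "GET /admin.htm HTTP/1.1" 200 1843 "-" "xmlset_roodkcableoj28840ybtide"
192.0.2.10 - - [12/Oct/2013:20:11:15 +0000] "GET /status.htm HTTP/1.1" 200 612 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64; rv:24.0) Gecko/20100101 Firefox/24.0"
"""

if __name__ == "__main__":
    spoofed = {"User-Agent": BACKDOOR_UA}
    print("vulnerable, spoofed UA:", vulnerable_is_authorized(spoofed))  # True
    print("hardened, spoofed UA:  ", hardened_is_authorized(spoofed))    # False
    print("backdoor hits:", find_backdoor_requests(SAMPLE_LOG))
```

The point of the two functions is that the only difference is the header being trusted: the vulnerable version treats a string any client can type as if it were a credential. If you have a router on the affected list, the log scan is the check to run against whatever access log it keeps (or against a proxy or IDS in front of it) before and after applying the updated firmware.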
While it’s true that no ordinary browser sends that string as its user agent, anyone who extracted the firmware image and looked through its binaries for readable strings could notice it, and from then on any router running that firmware could be compromised. By relying on this unlikelihood, the code writer was relying on security through obscurity. In other words, if people can’t see it, they won’t use it. This seldom works as a solo strategy, however. It clearly did not in this case, as the researcher Craig Heffner discovered the backdoor and the string.
What would have been the right approach? Clearly anybody knowing the magic string could control any router with this firmware that they could reach over the network. Bypassing authentication altogether is probably not a good idea in the first place (although one could argue that the obscure string was an – albeit poor – form of authentication). Note that the fix is not a better-hidden string: a secret baked into firmware that ships to every customer is a shared secret that cannot be kept, so the bypass has to go entirely and every request for the administration pages has to be authenticated. I invite your authentication suggestions below. We talk about multiple forms of authentication in Learning Tree Course 468, System and Network Security Introduction and one or more of those could be implemented simply enough in the router’s firmware.
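As an added illustration of what “multiple forms of authentication” can look like in a small web UI (this is example code written for this page, not the course material, not a D-Link fix, and not a claim about what any router ships with), here is a login check that requires something you know (a password, stored as a salted PBKDF2 hash) and something you have (a one-time code from a TOTP app, RFC 6238 on top of RFC 4226). The class name, the lockout threshold, the user record layout and the test secret are assumptions; the one-time-password arithmetic follows the RFCs and matches their published test vectors.

```python
# Added example, not from the original post and not a vendor proposal:
# password + TOTP login for a small web UI, using only the standard library.
# Names, the user store and the lockout threshold are assumptions.
import hashlib
import hmac
import os
import struct
import time

PBKDF2_ROUNDS = 100_000


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; store (salt, digest), never the password."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (dynamic truncation of HMAC-SHA1)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP where the counter is the current 30-second window."""
    return hotp(secret, int(at // step), digits)


class RouterAuth:
    """Username + password + current TOTP code; no header or string bypasses it."""

    MAX_FAILURES = 5  # assumed lockout threshold

    def __init__(self):
        self.users = {}     # username -> (salt, digest, totp_secret)
        self.failures = {}  # username -> consecutive failed attempts

    def add_user(self, username: str, password: str, totp_secret: bytes) -> None:
        salt, digest = hash_password(password)
        self.users[username] = (salt, digest, totp_secret)

    def login(self, username: str, password: str, code: str, now=None) -> bool:
        now = time.time() if now is None else now
        record = self.users.get(username)
        if record is None or self.failures.get(username, 0) >= self.MAX_FAILURES:
            return False  # unknown user or locked out: same answer for both
        salt, digest, secret = record
        pw_ok = verify_password(password, salt, digest)
        # accept the current window and one either side to tolerate clock drift
        code_ok = any(
            hmac.compare_digest(code, totp(secret, now + drift * 30))
            for drift in (-1, 0, 1)
        )
        if pw_ok and code_ok:  # both are evaluated before deciding
            self.failures[username] = 0
            return True
        self.failures[username] = self.failures.get(username, 0) + 1
        return False


if __name__ == "__main__":
    auth = RouterAuth()
    secret = b"12345678901234567890"  # RFC 4226/6238 test secret, not for real use
    auth.add_user("admin", "correct-horse-battery", secret)
    now = time.time()
    print("good login:", auth.login("admin", "correct-horse-battery", totp(secret, now), now))
    print("bad code:  ", auth.login("admin", "correct-horse-battery", "000000", now))
```

Even without the second factor, the shape matters: the decision depends only on per-device secrets the owner can change, the stored password cannot be recovered from the flash image, and repeated failures lock the account instead of letting a guesser run through the password space at the router’s speed. Any of these is cheap enough to run on a SOHO router’s CPU.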