Edit by 04882 joel backdoor
October 13, 2013 11:39 AM   Subscribe

 
Executive summary: If your browser’s user agent string is “xmlset_roodkcableoj28840ybtide” (no quotes), you can access the web interface without any authentication and view/change the device settings on several recent D-Link devices.
posted by laconic skeuomorph at 11:45 AM on October 13, 2013 [11 favorites]
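A defender-side illustration of the summary above, added here and not part of the original post or of D-Link's code: a small scanner that reads web-server access-log lines (constructed samples, not real captures) and flags any request carrying that User-Agent. The log format, the loopback handling and the case-insensitive substring match are my choices; the post only describes an exact string comparison, so the match here is deliberately wider.

```python
import re
from typing import Dict, List, Optional

# The User-Agent string quoted in the post.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Addresses the device itself would use; a hit from here may be one of the
# router's own helper programs rather than a LAN host (an assumption).
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample lines in Apache/nginx combined log format (not real captures).
SAMPLE_LOG = """\
192.168.0.23 - - [13/Oct/2013:11:39:01 +0000] "GET /index.htm HTTP/1.1" 200 1043 "-" "Mozilla/5.0 (X11; Linux x86_64)"
192.168.0.57 - - [13/Oct/2013:11:39:07 +0000] "GET /tools_admin.htm HTTP/1.1" 200 2210 "-" "xmlset_roodkcableoj28840ybtide"
127.0.0.1 - - [13/Oct/2013:11:40:12 +0000] "POST /apply.cgi HTTP/1.1" 200 88 "-" "xmlset_roodkcableoj28840ybtide"
192.168.0.57 - - [13/Oct/2013:11:40:30 +0000] "POST /apply.cgi HTTP/1.1" 200 90 "-" "Mozilla/5.0 XMLSET_ROODKCABLEOJ28840YBTIDE"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Split one combined-format line into named fields; None if it doesn't parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def is_backdoor_ua(ua: str) -> bool:
    # Case-insensitive substring match: wider than the exact comparison the
    # post describes, so a padded or re-cased User-Agent is still flagged.
    return BACKDOOR_UA in ua.lower()


def find_backdoor_requests(log_text: str, ignore_loopback: bool = False) -> List[Dict[str, str]]:
    """Return every parsed request whose User-Agent carries the backdoor string.

    ignore_loopback=True drops requests from the device's own addresses, which
    the article's update attributes to on-device programs; keep it False when
    you want to see those too.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_backdoor_ua(rec["ua"]):
            continue
        if ignore_loopback and rec["ip"] in LOOPBACK:
            continue
        hits.append(rec)
    return hits


def summarize(hits: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged requests per source address, for a quick triage view."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_backdoor_requests(SAMPLE_LOG, ignore_loopback=True)
    for h in hits:
        print(h["ip"], h["ts"], h["req"], repr(h["ua"]))
    print(summarize(hits))
```

On a real device the access log is often not exposed at all, so in practice this runs over logs from an upstream proxy, IDS HTTP metadata, or a packet capture; the matching logic is the same.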


This is coming up 503 for me; is there a cached/alternate version?
posted by LobsterMitten at 11:53 AM on October 13, 2013


I think there's going to be a lot more stuff like this coming out for a while. Everyone's cynicism and suspicion is finally approaching levels that match reality.
posted by nevercalm at 11:56 AM on October 13, 2013 [6 favorites]


This is one of many reasons why open-source (and deterministic builds) are really important. Nobody should have to disassemble code.

Also, the server seems to be under heavy strain right now, here's a cached version.
posted by anemone of the state at 11:56 AM on October 13, 2013 [5 favorites]


I keep getting to the point where I say to myself, "Self, you don't really enjoy fiddling with firmware anymore. You should just pick some economical off-the-rack product and stick with it, and just never even think about loading Tomato, or some other custom firmware, ever again."

Then I read something like this. And I get it -- they want to be able to log in and fix it no matter how bad the customer screwed it up. Maybe they also want to help catch terrorists, and kiddie porn distributors. They're not villains in a hideout under Skullcrusher Mountain. But it sure doesn't make life easier for people who want to decide who gets the keys to their digital home.

I notice, of course, that no one even bothers to say "We don't insert secret back boors the way our competitors do. We promise no secret master keys, ever!"

Can the author expect to be sued, arrested, both or neither, do you think?
posted by tyllwin at 12:00 PM on October 13, 2013 [8 favorites]


Dang it, joel.
posted by cortex at 12:01 PM on October 13, 2013 [14 favorites]


I notice, of course, that no one even bothers to say "We don't insert secret back boors the way our competitors do. We promise no secret master keys, ever!"

Well, Microsoft was bashing Google on privacy stuff in their (terrible) "Scroogled" ads before Snowden. Ha ha, good times.
posted by jason_steakums at 12:05 PM on October 13, 2013 [2 favorites]


What is really pathetic is that not the slightest effort was made to mung, scramble, or break up the compare string, so that once you figure out there is a back door you trivially know what it is.
posted by localroger at 12:13 PM on October 13, 2013


So... 'edit by 04882 joel backdoor'? Wonderful. We can't even get creative backdoors.
posted by CrystalDave at 12:37 PM on October 13, 2013 [2 favorites]


I think there's going to be a lot more stuff like this coming out for a while. Everyone's cynicism and suspicion is finally approaching levels that match reality.


Nah, stuff like this comes out on a regular basis. The only change will be that non-hobbyists will pay more attention.
posted by Tell Me No Lies at 12:39 PM on October 13, 2013


And it's just as I hit submit that I realize that that's the title of the post...
posted by CrystalDave at 12:39 PM on October 13, 2013 [1 favorite]


By the way, this is a classic example of why all the encryption and password security and retinal scans in the world won't help you. People are people.
posted by Tell Me No Lies at 12:40 PM on October 13, 2013 [7 favorites]


"backdoor" spelled backwards is "roodkcab"

The entire back door string is this post's title backwards.
posted by localroger at 12:48 PM on October 13, 2013 [2 favorites]


The entire back door string is this post's title backwards.

I only noticed that when I googled "04882 joel" trying to figure out who joel is. Was a little surprised that this metafilter post was the top hit (although not too surprised as it's pretty common, esp. with ask metafilter).
posted by yeoz at 12:51 PM on October 13, 2013


Worth noting, this only works if you're already on the network. So, basically to exploit this you have to be in one of the following situations:

1) Physical access to the ports on the router
2) Un-authed wireless network
3) Have an existing wireless password

This is another way of saying it's not remotely exploitable via the internet at large, or that the potential for mass, automated damage is pretty low.

Considering most of this hardware is consumer grade, this really isn't a big deal. It's a good story and is obviously really shitty on the part of D-Link, but the real reason this is getting attention is how clumsy it is.

As for the catching terrorists/kiddie porn, this is almost definitely your standard corporate level incompetence, not government fiddling. The most interesting scenario is that D-Link's source repo has been compromised and this was inserted without their knowledge, but that's pretty unlikely.
posted by yeahwhatever at 12:54 PM on October 13, 2013 [1 favorite]


This is one of many reasons why open-source (and deterministic builds) are really important. Nobody should have to disassemble code.

Or sometimes open source makes the sneakiness hide itself better - I've been thinking about this comment my coworker wrote a few days ago about an unrelated closed-source product:
...if I wanted to distribute a chat program and have it be "evil" I would not distribute a binary with hidden behavior (if nothing else, when you find this code in my binary I'm pretty damn well screwed ;P): I'd instead distribute an open source program that involved a threaded work queue for handling multiple socket connections to peers and which had a few very subtle use-after-free race conditions that would only come up under nearly impossible timing scenarios that I knew how to trigger and exploit, giving me complete control of your client whenever I wanted.
posted by dreamyshade at 1:01 PM on October 13, 2013 [6 favorites]


The entire back door string is this post's title backwards.

THE CODE COMMITS ARE COMING FROM INSIDE THE HOUSE!
posted by zippy at 1:17 PM on October 13, 2013 [16 favorites]


What is really pathetic is that not the slightest effort was made to mung, scramble, or break up the compare string, so that once you figure out there is a back door you trivially know what it is.

Well, it was hidden in firmware. They probably assumed no one would ever take a second look at it.
posted by ymgve at 2:24 PM on October 13, 2013


Any conjecture on the reason for xmlset in the string?

I'm wondering if this was intended to make a script easier. Just have the setup CD (or such) connect up with this UA to reset or adjust things. If the config files are adjusted via XML you could have a cross model script rather than worrying about what the default password is on each model and/or randomized passwords on each unit. Just POST a model dependent default XML file at the web server using this UA. It would be incredibly lazy coding, but this is D-Link we're talking about.
posted by jaduncan at 2:40 PM on October 13, 2013 [2 favorites]


Who cares? Really. Look at the Snowden leaks, nothing happened. NSA won't change and people are more interested in Snapchat than security problems.
posted by bdz at 2:46 PM on October 13, 2013


Tell Me No Lies: "By the way, this is a classic example of why all the encryption and password security and retinal scans in the world won't help you. People are people."

So, why should it be the NSA and I should get along so awfully?
posted by symbioid at 2:52 PM on October 13, 2013 [11 favorites]


This exploit may only work from your LAN ports, meaning it can only be used from within your network, but that still allows exploited computers to manipulate their routers. There are a lot of exploited Windows machines out there...

Coming up, I'm only aware that TR069 exists, I haven't looked at how it works, but it basically lets your ISP look inside a TR069 modem, and update the router firmware remotely.

When that finally gets exploited in a big way I can only assume that even percentage wise it'll make the Morris worm look inconsequential.
posted by straw at 2:54 PM on October 13, 2013 [1 favorite]


Well, it was hidden in firmware.

Which is distributed as an unencrypted binary image. The OP didn't read the flash from his router, he just downloaded the file and went poking around.

Having done such poking around myself, I'd consider not being aware that such poking is possible and attractive to certain people very lame.
posted by localroger at 2:59 PM on October 13, 2013


Are they really going to put in a super secret backdoor with the word backdoor in it?

I hate to be that guy, but this seems more like a setup / false flag kind of thing than anything else.
posted by gjc at 3:27 PM on October 13, 2013 [1 favorite]


So what additional surface area is being exposed to attack by this backdoor? Since you already need to be connected to the network to exploit the backdoor, it doesn't seem to me to be much.
posted by zixyer at 3:36 PM on October 13, 2013


Since you already need to be connected to the network to exploit the backdoor, it doesn't seem to me to be much.

This was mentioned upthread, but all you need is a compromised machine inside the network to be able to exploit this flaw.
posted by one more dead town's last parade at 3:43 PM on October 13, 2013 [1 favorite]


I'd instead distribute an open source program that involved a threaded work queue for handling multiple socket connections to peers and which had a few very subtle use-after-free race conditions that would only come up under nearly impossible timing scenarios that I knew how to trigger and exploit, giving me complete control of your client whenever I wanted.

From a user's perspective this is still better than the D-Link style "naive backdoor" which is what a lazy / stressed / unhappy programmer would probably implement in a closed-source product. At least with the open source "clever backdoor", it's harder for some random Russian hacker to find it and pown you; with the naive backdoor who knows who's going to be rummaging around in your stuff.

It's basically the same problem with the NSA backdooring: it would be bad if they were inserting really subtle, high-tech backdoors that nobody but them could possibly exploit. But it's worse if they're inserting really shitty backdoors that researchers can easily find through fuzzing or decompiling or whatever, because that means lots of people have the capability of exploiting them. So it's suddenly not just the NSA you have to worry about (because there are a lot of threat scenarios where you might not care especially about the NSA, or any other organization that can pretty easily whisk you off to a basement and waterboard you) but script kiddies everywhere.

So your friend's scenario isn't a vast improvement, but at least it raises the bar somewhat.
posted by Kadin2048 at 4:53 PM on October 13, 2013


This is another way of saying it's not remotely exploitable via the internet at large, or that the potential for mass, automated damage is pretty low.

Since you already need to be connected to the network to exploit the backdoor, it doesn't seem to me to be much.

Many routers include the option to allow remote management (though it's not usually checked by default.) The article's comments section already has someone claiming to have successfully connected to an internet-facing device found via SHODAN.
posted by sysinfo at 4:59 PM on October 13, 2013 [2 favorites]


Who cares? Really. Look at the Snowden leaks, nothing happened. NSA won't change and people are more interested in Snapchat than security problems.

I would not say nothing happened.
posted by JHarris at 5:19 PM on October 13, 2013 [2 favorites]


The people in this thread who are crediting the NSA are out of their minds. I understand they're the boogieman and all, but get real. The one, plausible NSA backdoor that we've found is likely Dual_EC_DRBG, and even knowing "Hey, the NSA probably backdoored this", we still don't have a proof of concept of an actual exploit.

The difference in complexity between this backdoor and a backdoored PRNG I don't even know how to explain in a way that would make sense. It's huge.

The reason this is almost 100% corporate idiocy has to do with deniability. Look at targets like Windows or iOS. The gov't spends millions for exploits and payloads against these targets. It would be far, far, far cheaper for them to pay off a programmer on one of these teams to insert a "clever bug", as they're called in this thread (which would be even harder to detect, as they're distributed as binary only, and in the case of iOS, on a locked down device). The issue is even though the bug isn't obviously a backdoor, the person who was paid off can attribute it. Defense contractors spend money to ensure that even if the exploits and payloads -are- detected, they don't share architectural similarities with other exploits and payloads to avoid attribution. Paying off people leaves way too much of a trail.

Also consider, the code quality in things other than D-Link home routers is much, much higher, and those targets are still exploited regularly. Do people somehow think that D-Link routers were so hard to break into that the NSA had to put a hamfisted backdoor in them?
posted by yeahwhatever at 5:23 PM on October 13, 2013 [2 favorites]


Fortunately for me, all my D-Link stuff crapped out within a year of purchase.
posted by dirigibleman at 5:30 PM on October 13, 2013 [2 favorites]


Dijkstra must be rolling over in his grave. Something this amateur made it into a shipped build of an embedded system? Jesus wept.
posted by ob1quixote at 6:08 PM on October 13, 2013 [1 favorite]


This was mentioned upthread, but all you need is a compromised machine inside the network to be able to exploit this flaw.

Or a router with WAN access enabled.
posted by Blazecock Pileon at 6:09 PM on October 13, 2013


I've realized that I despise the locked-down crap firmware I deal with on most devices. After running tomato on my own hardware, using anything else is just painful. Goddamn Trendnet router at work, for example... There is a typo in one of the firewall rules, which can't be edited, which means it is not possible to change the firewall rules because the typo triggers an error when the new rules are saved. It's maddening.

Hearing about crap like this? Just firmed my resolve not to buy networking hardware I can't control ever again.

(I'd kill the crappy Trendnet stuff at work if I could, but we are required to use wired connections - no wireless - and no one seems to make wired hardware that will work with any of the alternate firmware packages. Or that is actually gigabit. Or, if it is gigabit, that doesn't cost an insane amount of money.)
posted by caution live frogs at 6:11 PM on October 13, 2013


Trendnet stuff really is crap. At the hardware level. I used a couple of their access points to bridge an embedded system I'd built to the customer's wifi, and found that every two or three weeks the APs would just randomly factory default their settings. Both of them. Replaced with Cisco hardware and problem solved.
posted by localroger at 6:18 PM on October 13, 2013


For what it's worth, a comment on the original article points out that this string was actually present in the GPL source for the firmware, with a -DXMLSET_BACKDOOR_USER_AGENT="\"xmlset_roodkcableoj28840ybtide\"" in the configuration. Pretty ridiculous. (Source: this gist)
posted by caaaaaam at 6:49 PM on October 13, 2013 [6 favorites]


The first I heard of this was a tweet that said "Hey @DLink. Have an engineer named 'Joel'? Fire him." Absolutely crazy bad.
posted by gemmy at 7:13 PM on October 13, 2013


Mike would never have done this.
posted by dirigibleman at 7:21 PM on October 13, 2013 [9 favorites]


Yeahwhatever wrote: this only works if you're already on the network. [...] This is another way of saying it's not remotely exploitable via the internet at large

Yes, and what's the point of a backdoor designed to give configuration access to drive-by hackers? Why would a D-link programmer want to enable this? I know people are pooh-poohing the idea that the NSA is behind the backdoor, but it's really the sort of thing that's useful for espionage and not very useful to random strangers trying to steal WiFi or whatever. By using the backdoor you can do all sorts of things, like remotely access ports on the target's machines, or perhaps even install custom firmware. Yes, it looks amateurish, but the fact that it was created by an amateur doesn't mean that it wasn't instigated by the NSA or some other government body: they work with the tools they have, and the tool in this case was an existing employee.
posted by Joe in Australia at 8:17 PM on October 13, 2013 [1 favorite]


This one wasn't us.
posted by NSA at 8:58 PM on October 13, 2013 [8 favorites]


Mic.retlifatem
posted by fallingbadgers at 9:10 PM on October 13, 2013


Why would a D-link programmer want to enable this?

Well, here are two scenarios that are immediately more plausible than the NSA:

A) A handy temporary hack inserted late one night by Joel to help debug some issue, which was then accidentally left in the production image.
B) A desire by Support team to allow access to a fucked router without resetting it.

Linksys, ZTE, Motorola, Skype, Whatsapp. This kind of spectacular stupidity is nothing new. They're all motivated by good intentions and a lack of understanding of basic security principles. Which is, in fact, much more dangerous and scary than the NSA will ever be.

Hanlon's razor applies to this one I think. Never attribute to malice that which is adequately explained by stupidity.
posted by tracert at 9:17 PM on October 13, 2013 [4 favorites]


Joe in Australia: "Yes, and what's the point of a backdoor designed to give configuration access to drive-by hackers?"

As the updated article mentions, it's used by various other programs on the device to provide them a semi-authenticated way to make configuration changes. Think dyndns. But the real question is, why didn't they just make sure the request was coming from the 127/fe08 network?
posted by pwnguin at 9:17 PM on October 13, 2013
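To make the two points above concrete (the summary's "the User-Agent alone gets you in" and pwnguin's "why not check where the request comes from"), here is an added example, written for this thread and not taken from D-Link's firmware or its GPL source. The vulnerable gate is modelled on the behaviour the post describes; the hardened gate is my own design: it ignores the User-Agent header entirely, lets on-device helper programs in only when they arrive over loopback and present a per-boot secret token, and makes everyone else authenticate normally. The request dictionary, the credential store and the token are all constructed for the demo.

```python
import hashlib
import hmac
import secrets
from typing import Dict

# The User-Agent string from the post.
BACKDOOR_UA = "xmlset_roodkcableoj28840ybtide"

# Addresses the device's own programs would connect from (design choice for this
# demo; pwnguin's comment also mentions the link-local range, omitted here).
LOOPBACK = {"127.0.0.1", "::1"}

# Constructed admin credential store: salted PBKDF2 hashes, not a real config.
_SALT = b"constructed-demo-salt"


def _hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 50_000)


USERS = {"admin": _hash_password("correct horse battery staple")}


def check_password(request: Dict[str, str]) -> bool:
    """Ordinary credential check; constant-time compare against the stored hash."""
    stored = USERS.get(request.get("user", ""))
    if stored is None:
        return False
    return hmac.compare_digest(stored, _hash_password(request.get("password", "")))


def vulnerable_is_authorized(request: Dict[str, str]) -> bool:
    """Gate as the post describes it: the magic User-Agent alone is sufficient."""
    if request.get("user_agent") == BACKDOOR_UA:
        return True
    return check_password(request)


# Per-boot secret shared only with on-device helper programs (an assumption;
# a real device would generate it at boot and hand it to those programs).
INTERNAL_TOKEN = secrets.token_hex(16)


def hardened_is_authorized(request: Dict[str, str], internal_token: str = INTERNAL_TOKEN) -> bool:
    """Hardened gate: User-Agent is never consulted.

    Helper programs must both come from loopback and present the token;
    a LAN host that knows the token, or a loopback caller without it, gets
    no special treatment and must authenticate like anyone else.
    """
    if request.get("remote_addr") in LOOPBACK:
        presented = request.get("internal_token", "")
        if presented and hmac.compare_digest(presented.encode(), internal_token.encode()):
            return True
    return check_password(request)


if __name__ == "__main__":
    lan_with_ua = {"remote_addr": "192.168.0.57", "user_agent": BACKDOOR_UA}
    print("vulnerable, LAN host with UA only:", vulnerable_is_authorized(lan_with_ua))
    print("hardened,   LAN host with UA only:", hardened_is_authorized(lan_with_ua))
    helper = {"remote_addr": "127.0.0.1", "internal_token": INTERNAL_TOKEN}
    print("hardened,   loopback helper with token:", hardened_is_authorized(helper))
```

The point of the token on top of the source-address check is that any process on the device can reach loopback, so "came from 127.0.0.1" alone would still let a compromised helper or a badly written CGI reconfigure the box; binding the bypass to a secret that only the intended programs hold narrows it to exactly that use.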


Yeahwhatever wrote:
this only works if you're already on the network. [...] This is another way of saying it's not remotely exploitable via the internet at large
This is NOT a small, obscure problem for users of DLINK routers. Although it does not open up Wifi access or anything like that, having access to the configuration panel of your router is bad news even from inside the network. I can't think of any way to automatically exploit it via a browser (XSS-style) but a small executable (or trusted Java applet) could do it.

Additionally, I wonder how many small establishments are offering free wifi using DLINK equipment. Those networks are now vulnerable.

If I was a bad(er) guy, the first thing I would change would be the DNS settings. Forcing all computers behind the router to use a DNS I control opens up all sorts of interesting ways to mess with people.
posted by AndrewStephens at 9:24 PM on October 13, 2013 [3 favorites]


<story>

Many moons ago I was a straight out of college, wet behind the ears engineer hired by cisco to write code for their routers.

As my first big feature matured someone hooked me up with the University of Florida, who would let me do Saturday night field tests on their equipment. All I had to do was copy my image up to their server, type in a command to reboot the box, and I was ready to go.

I waited for the appointed night, copied and rebooted, and . . . . fuck. They forgot to give me the admin password.

Okay, I passed up a date to do this on a Saturday night. Not gonna waste it... what do I do.... Oh hey, I'll just make our authentication code always return "correct" and upload that image. Mental note: Make sure that code gets removed pronto, and certainly under no circumstances should it ever slip through and get committed to the central code repository.

Modifying the code did the trick and I had a fruitful night of testing.

About three weeks after that I committed the huge chunk of code that was my feature to the central repository. And about two days after that I got a very interesting phone call from my manager. Something about me disabling all security on every cisco platform.

Needless to say it was the sort of disaster that a young person believes will end their career and an older person recognizes as stupid shit that happens every once in a while. In many ways I was fortunate to have made my blunder so obvious -- if it hadn't been caught locally it would have made it into the field and possibly be present to this day.

</story>


They say to never mistake stupidity for malice but when it comes to this sort of thing my question is always "Is this the sort of mistake a horny 23 year-old would make?" Many mysteries about computers, and not only ones involving security, can be resolved by asking that question. I would say this is likely one of them.
posted by Tell Me No Lies at 11:26 PM on October 13, 2013 [24 favorites]


Most programmers use their LDAP when committing or adding debugging stuff. Anyone emailed Joel at dlink yet?
posted by Doroteo Arango II at 7:39 AM on October 14, 2013


I know people are pooh-poohing the idea that the NSA is behind the backdoor, but it's really the sort of thing that's useful for espionage

Did you see the update at the bottom of the article?
"My guess is that the developers realized that some programs/services needed to be able to change the device’s settings automatically; realizing that the web server already had all the code to change these settings, they decided to just send requests to the web server whenever they needed to change something."
This looks like a typical Hanlon's Razor ("Never attribute to malice that which is adequately explained by stupidity.") situation: rather than refactor the codebase to make the setting-changing code available to the web server and other programs on the router, they have the programs call the web server which necessitated a way to do so without authentication. This feels like mopping your floors by standing outside and using the mop through a window. In the rain.
posted by yerfatma at 7:40 AM on October 14, 2013


yeahwhatever eponysterical. WEP, WPA, etc., are not heavy duty and can be hacked. Lots of small businesses use consumer-grade equipment. If security's important, then this is a big deal.
posted by theora55 at 7:51 AM on October 14, 2013


it was considered the realm of the conspiracy theorist if you believed that backdoors were regularly installed by manufacturers in both consumer and enterprise hardware.

Well an organized system of formal back doors anyways. Believing that there are a good number of informal backdoors just makes you a software engineer.
posted by Tell Me No Lies at 8:54 AM on October 14, 2013 [2 favorites]


I can see this being a bonus exploit for a trojan writer. Get one person in an organization to click on an evil attachment or web page, install trojan that modifies company wireless router ... it would very hard to detect and clean up.
posted by zippy at 10:20 AM on October 14, 2013


These all in one devices also function as a DHCP server so it would be trivial to redirect every client behind the device to a malicious DNS server that then sends all traffic to a man in the middle without having to bother with port forwarding and direct attacks on the systems. Tack on the fact that once most people install these things, they forget about them for updates. As Blazecock said, if they also have WAN management turned on the attacker doesn't even need to be near the device.

This is an engineer's oops but a pretty big one and not some nefarious NSA plot. Of course they could have deliberately made it look sloppy to divert suspicion so I can clearly not choose the router in front of me! Never go in against an SE when root is on the line!
posted by cmfletcher at 12:16 PM on October 14, 2013 [1 favorite]




I have one of the affected models sitting in my basement. I'd pull it out and test it, if that actually mattered to you.

I don't doubt that the exploit is there. What I doubt is that it is anything more than a sloppy or malicious engineer. Or someone put it in there to "raise awareness" about the problems of network security.
posted by gjc at 5:02 AM on October 15, 2013


We don't insert secret back boors [sic] the way our competitors do.

We put in far more insidious and error-prone back doors than our competitors could ever imagine!
posted by plinth at 8:53 AM on October 15, 2013


Same researcher, different manufacturer with a backdoor into their product: D-Link hole-prober finds 'backdoor' in Chinese wireless routers

But it's all better now! Tenda seals shut router backdoor found by D-Link hole-prober
posted by Joe in Australia at 5:33 AM on October 28, 2013 [2 favorites]



