Last Updated on August 3, 2017 by Dave Farquhar
Leave it to a security vulnerability to interrupt a perfectly good discussion, but it doesn’t get much worse than this. If you have an older D-Link router, it’s possible to completely bypass the authentication on its administrative web interface.
The upside is that these routers are generally rather old, and many are no longer in service due to AC adapter or capacitor issues. But if you have one of the models affected (D-Link DIR-100, DI-524, DI-524UP, DI-604S, DI-604UP, DI-604+ and TM-G5240 or Planex BRL-04UR and BRL-04CW), it’s time to think seriously about a replacement. Arguably one of these D-Link routers is worse protection than no protection at all.
The original technical writeup is an impressive piece of reverse engineering and is worthwhile reading if that kind of thing interests you. The backdoor is a workaround for other problems in the device, which is common in devices with limited CPU or memory or other system resources. Unfortunately once the wrong person finds it, bad things happen. I can’t tell whether this is remotely exploitable. Theoretically, if you have remote administration disabled, port 80 is closed, so it can’t be exploited over the Internet. But if someone cracks your wireless, all bets are off.
Regarding fixes, most of these routers are long since discontinued, so there’s not likely to ever be a fix. In some cases, it may be possible to load alternative firmware such as DD-WRT on the device, but a better option is probably to go buy a TP-Link. TP-Links aren’t invincible either, but TP-Link has the best track record of late when it comes to releasing patches. And they’re inexpensive. The low-end devices run about $20 at Micro Center.
As Windows gets harder to exploit, exploits for devices like routers will become more common. They’re initially a little harder to crack, but they never get patched, so the payoff for the effort is higher. As long as people continue to think of routers as invincible and spread that myth, this situation won’t get any better, either.
David Farquhar is a computer security professional, entrepreneur, and author. He started his career as a part-time computer technician in 1994, worked his way up to system administrator by 1997, and has specialized in vulnerability management since 2013. He invests in real estate on the side and his hobbies include O gauge trains, baseball cards, and retro computers and video games. A University of Missouri graduate, he holds CISSP and Security+ certifications. He lives in St. Louis with his family.