If you own a D-Link wireless router, especially DWR-932 B LTE router, you should get rid of it, rather than wait for a firmware upgrade that never lands soon.
D-Link DWR-932B LTE router is allegedly vulnerable to over 20 issues, including backdoor accounts, default credentials, leaky credentials, firmware upgrade vulnerabilities and insecure UPnP (Universal Plug-and-Play) configuration.
If successfully exploited, these vulnerabilities could allow attackers to remotely hijack and control your router, as well as network, leaving all connected devices vulnerable to man-in-the-middle and DNS poisoning attacks.
Moreover, your hacked router can be easily abused by cybercriminals to launch massive Distributed Denial of Service (DDoS) attacks, as the Internet has recently witnessed record-breaking 1 Tbps DDoS attack that was launched using more than 150,000 hacked Internet-connected smart devices.
Security researcher Pierre Kim has discovered multiple vulnerabilities in the D-Link DWR-932B router that’s available in several countries to provide the Internet with an LTE network.
Telnet and SSH Backdoor Accounts
While penetration testing, the researcher found that D-Link wireless router has Telnet and SSH services running by default, with two hard-coded secret accounts (admin:admin and root:1234).
Hackers can simply need these credentials to gain access to vulnerable routers from a command-line shell, allowing them to perform man-in-the-middle attacks, monitor Internet traffic, run malicious scripts and change router settings.
If this isn’t enough, D-Link DWR-932B LTE router has another secret backdoor that can be exploited by only sending "HELODBG" string as a secret hard-coded command to UDP port 39889, which in return launch Telnet as root privileges without any authentication.
Vulnerable WPS System
Default WPS PIN:
You might have seen a small push button on your router, labeled WPS, stands for Wi-Fi Protected Setup, a ‘so-called’ security feature that allows anyone to connect to your wireless network with a PIN, instead of your actual Wi-Fi password.
Bingo! The PIN for the WPS system on D-Link routers is ‘28296607,’ which is hard-coded in the /bin/appmgr program.
Weak WPS PIN Generation:
Users can also temporary generate a new WPS PIN using router’s administrative web-interface, but unfortunately, the PIN generation algorithm is flawed and so weak that an attacker can easily predict it.
Now, if you hope that a firmware upgrade will land soon and save you from these issues, then you are wrong.
It’s because the D-Link’s remote firmware over-the-air (FOTA) update mechanism is also vulnerable.
The credentials to contact the FOTA server are hard coded in the /sbin/fotad binary. The user/password combinations are qdpc:qdpc, qdpe:qdpe and qdp:qdp.
"It’s notable the FOTA daemon tries to retrieve the firmware over HTTPS. But at the date of the writing, the SSL certificate for https://qdp:email@example.com/qdh/ispname/2031/appliance.xml is invalid for 1.5 years," Kim writes.
Security Removed in UPnP
Due to the security risks involved, there are usually restrictions in place in order to avoid modified new firewall rules from untrusted LAN clients.
However, there is no restriction about the UPnP permission rules in the configuration file for the vulnerable D-Link router, allowing anyone on the LAN to add their own Port forwarding rules from the Internet to other clients located in the LAN.
"An attacker can add a forwarding rule in order to allow traffic from the Internet to local Exchange servers, mail servers, ftp servers, http servers, database servers," Kim writes. "In fact, this lack of security allows a local user to forward whatever they want from the Internet into the LAN."
There are more security issues surrounding the vulnerable router, but Kim points out that the router with a big processor, sizable memory (168 MB) and good free space (235 MB) is so badly secured that it would be trivial for attackers to use this router as an attack vector.
Kim privately reported the security flaws to the Taiwan-based networking equipment manufacturer D-Link in June and received no update from the company. So, he went public with details of the vulnerabilities after obtaining CERT’s advice.