D-Link Keys Blunder Puts Everyone at Risk
As consumers, we are all forced to place a certain amount of trust in the technology companies we use. After all, most of us are not skilled enough to discover security loopholes and vulnerabilities on our own.
The debate around privacy and the recent furor caused by Windows 10 is only one part of the jigsaw. Another – altogether more sinister part – is when the hardware itself has flaws.
A savvy computer user can manage their online presence and tweak sufficient settings to limit their privacy concerns , but a problem with the underlying code of a product is more serious; it’s much more difficult to spot, and tougher for an end-user to address.
The latest company to blunder their way into a security nightmare is popular Taiwanese networking equipment manufacturer, D-Link. Many of our readers will use their products either at home or in the office; in March 2008, they became the number one vendor of Wi-Fi products in the world, and they currently control around 35 percent of the market.
News broke earlier today of gaffe which saw the firm release its private code signing keys inside the source code of a recent firmware update. Private keys are used as a way for a computer to verify that a product is genuine and that the code of the product has not been altered or corrupted since it was originally created.
In layman’s terms, therefore, this loophole means that a hacker could use the published keys on their own programs to trick a computer into thinking that his or her malicious code was actually legitimate a D-Link product.
How Did It Happen?
D-Link has prided itself on its openness for a long time. Part of that openness is a commitment to open-sourcing all its firmware under a General Public License (GPL) license. In practice, that means that anyone can access the code of any D-Link product – allowing them to tweak and amend it to suit their own precise requirements.
In theory it’s a commendable position to take. Those of you who keep abreast of the Apple iOS vs Android debate will no-doubt be aware that one of the biggest criticisms levelled at the Cupertino-based company is their unwavering commitment to remaining closed-off to people who would like to tweak the source code. It’s the reason why there aren’t any custom ROMs like Android’s Cyanogen Mod for Apple’s mobile devices.
The opposite side of the coin is that when large-scale open source blunders are made, they can have a huge knock-on effect. If their firmware was closed-source, the same mistake would have been much less of an issue and far less likely to have been discovered.
How Was It Discovered?
The flaw was discovered by a Norwegian developer known as “bartvbl” who had recently purchased D-Link’s DCS-5020L surveillance camera.
Being a competent and curious developer, he decided to poke around “under the bonnet” in the device’s firmware source code. Within it, he found both the private keys and the passphrases needed to sign the software.
He started conducting his own experiments, quickly finding that he was able to create a Windows application which was signed by one of the four keys – thus giving it the appearance that it was coming from D-Link. The other three keys did not work.
He shared his findings with Dutch tech news site Tweakers, who it turn passed the discovery on to Dutch security firm Fox IT.
They confirmed the vulnerability, issuing the following statement:
“The code signing certificate is indeed for a firmware package, firmware version 1.00b03. Its source date February 27th this year, meaning this certificate’s keys were released well before the certificate expired. It’s a big mistake”.
Why Is It So Serious?
It is serious on a number of levels.
Firstly, Fox IT reported that there were four certificates in the same folder. Those certificates came from Starfield Technologies, KEEBOX Inc., and Alpha Networks. All of them could have been used to create malicious code that has the ability to bypass anti-virus software and other traditional security checks – indeed, most security technologies will trust files that are signed and let them pass without question.
Secondly, advanced persistent threat (APT) attacks are becoming an increasingly favored modus operandi for hackers. They almost always make use of lost or stolen certificates and keys in order to subjugate their victims. Recent examples include the Destover wiper malware used against Sony in 2014 and the Duqu 2.0 attack on Apple’s Chinese manufacturers.
Adding more power to the criminal’s armory is clear not sensible, and comes back to the element of trust mentioned at the start. As consumers, we need these companies to be vigilant in protecting their security-based assets in order to help combat the threat of cyber-criminals.
Who Is Affected?
The honest answer here is that we don’t know.
Although D-Link have already released new versions of the firmware, there is no way of telling if hackers managed to extract and use the keys prior to bartvbl’s public discovery.
It is hoped that analyzing malware samples on services like VirusTotal might ultimately yield an answer to the question, we first need to wait for a potential virus to be discovered.
Does This Incident Shake Your Trust in Tech?
What’s your opinion of this situation? Are flaws like this an inevitability in the world of technology, or are the companies to blame for their poor attitude towards security?
Would one incident like this put you off using D-Link products in the future, or would you accept the problem and carry on regardless?
As ever, we’d love to hear from you. You can let us know your thoughts in the comments section below.
Image Credit: Matthias Ripp via Flickr.com