Put your D-Link DWR-932 in the bin

by on 30 September 2016

Router is borked

A security expert has found that the LTE router/portable wireless hotspot D-Link DWR-932 is probably better off in the rubbish bin, where it can do no harm.

Pierre Kim has found that the device has so many security flaws, including backdoor accounts, weak default PINs, and hardcoded passwords, that it is probably not worth trying to fix.

Kim started by finding flaws in Quanta LTE routers, which were so wide open they had to be buried in a Y-shaped coffin, and noticed that the D-Link DWR-932 was similar. D-Link’s router is based on the Quanta models, and inherited some of the vulnerabilities.

It is not as if they are old vulnerabilities either. Kim found them all in the latest available firmware. He told the D-Link Security Incident Response Team in June, but the outfit said it didn’t have a schedule for a firmware release.

The firmware has the following errors:

  • Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
  • A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm

“As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump ...), I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector (ie: hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie),” he noted.

Kim said that the vulnerabilities are the result of either incompetence or a deliberate act of security sabotage by the vendor. He advises users to stop using the device until adequate fixes are provided.

Last modified on 30 September 2016