Pierre Kim has found that the device has so many security flaws, including backdoor accounts, weak default PINs, and hardcoded passwords, that it is probably not worth trying to fix.
Kim started finding flaws on Quanta LTE routers, which were so wide open they had to be buried in a Y-shaped coffin, and noticed that the D-Link DWR-932 was similar. D-Link’s router is based on the Quanta models, and inherited some of the vulnerabilities.
It is not as if they are old vulnerabilities either. Kim found them all in the latest available firmware. He told the D-Link Security Incident Response Team in June, but the outfit said it didn’t have a schedule for a firmware release.
The firmware has the following errors:
- Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
- A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
“As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump ...), I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector (ie: hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie),” he noted.
Kim said that the vulnerabilities are the result of either incompetence or a deliberate act of security sabotage by the vendor. He advises users to stop using the device until adequate fixes are provided.