Backdoor in D-Link Router Could Give Hackers Access to Enterprise Nets

Backdoors in networking equipment could admit attackers into whole networks

A security researcher has discovered a backdoor in the firmware of some D-Link home routers that would allow attackers to access security settings simply by modifying a text string sent by the User Agent in their browsers.

With unauthenticated access to the security settings, attackers could reroute Internet traffic from destinations chosen by the D-Link user to sites of their own, remotely intercept network traffic – including security data sent during login to a corporate VPN or other security system – or piggyback on any secure connections between the router and banks or other secure sites.

Heffner discovered hardware with the flawed software using Shodan, a site designed to search for routers, webcams, industrial devices, remote sensors and other hardware connected to the Internet.

The backdoor, which appears to have been created purposely, was discovered by Craig Heffner, security researcher with Tactical Network Solutions, a specialized security consulting, training and response firm. Heffner specializes in wireless and embedded systems, teaches a course in how to hack them and has spoken at the Black Hat security conference.

In a blog posted Saturday, Oct. 12, Heffner demonstrated the D-Link security flaw and his process for reverse-engineering a web-access function apparently written by engineers at Alpha Networks, which was spun off from D-Link in 2003.

“If your browser’s user agent string is ‘xmlset_roodkcableoj28840ybtide’ (no quotes), you can access the web interface without any authentication and view/change the device settings,” he wrote.

Heffner discovered the backdoor in firmware version 1.13 for D-Link’s model DIR-100 Ethernet Router. A backdoor appears to affect system running the same or similar firmware, including models • DI-524, • DI-524UP, DI-604S, DI-604UP, DI-604+, TM-G5240 and two models of router from Planex: BRL-04UR and BRL-04CW.

Though the same flaw appears in firmware in several different product lines, it does not appear to have been created as a default, but rather an undisclosed point of access for service technicians working for the manufacturer, as was the case with a series of Hewlett-Packard Co. storage products earlier this year.

Oddly, it turns out that entering the string backwards prompts the firmware to respond “Edit by 04882 joel backdoor.”

A commenter named Travis Goodspeed found the backdoor is used by the XML Security Library xmlsetc,, which is contained in the D-Link firmware.

“Perhaps the backdoor serves some legitimate purpose, and Mystery Joel is only guilty of incompetence and not of malice?” Goodspeed suggested. Sergey Nivens