Owners of the D-Link DWR-932 B need to take their router to the nearest garbage can.
Researcher Pierre Kim found multiple issues with the device that could have major implications for anyone unfortunate enough to own one. The words “unsafe at any speed” come to mind when thinking about the number of issues the DWR-932 has.
Here’s a quick list:
- Default backdoor accounts for SSH and Telnet. Telnet and SSHd both run by default and accept the logins admin:admin and root:1234. Yeah, it’s that simple.
- Backdoor. Sending “HELODBG” to the router over UDP opens an unauthenticated Telnet service. The appmgr thread listens on port 39889.
- Default WPS PIN (28296607). Yeah seriously… Hardcoded into the appmgr.
- Weak WPS PIN generation. Not that it matters, since they give you a default PIN.
- DYNDNS client has hardcoded username and password.
- HTTP daemon has several vulnerabilities.
- FOTA (Firmware Over the Air) firmware updater uses hardcoded accounts. They seem to love doing that.
- Strange shell commands executed as root instructions.
- UPnP allows for any user to add Port Forwarding rules.
- There’s even more.
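For anyone who has to keep watch on a network where one of these routers may still be plugged in, here is a detection sketch for the UDP backdoor trigger from the list above. It is an added example, not code from Pierre Kim or D-Link; the function names, the documentation-range IP addresses and the sample packets are all constructed for illustration.

```python
import struct

BACKDOOR_PORT = 39889   # UDP port the article says appmgr listens on
TRIGGER = b"HELODBG"    # trigger string quoted in the article

def parse_udp(packet):
    """Return (src, dst, dport, payload) for an IPv4/UDP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4                      # IP header length, options included
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != 17:   # protocol 17 = UDP
        return None
    if struct.unpack("!H", packet[6:8])[0] & 0x1FFF:  # later fragment: no UDP header here
        return None
    src = ".".join(map(str, packet[12:16]))
    dst = ".".join(map(str, packet[16:20]))
    _sport, dport, ulen, _csum = struct.unpack("!HHHH", packet[ihl:ihl + 8])
    return src, dst, dport, packet[ihl + 8:ihl + max(ulen, 8)]

def is_backdoor_trigger(packet):
    """True when a datagram to the appmgr port carries the trigger string."""
    parsed = parse_udp(packet)
    return bool(parsed) and parsed[2] == BACKDOOR_PORT and TRIGGER in parsed[3]

def build_packet(src, dst, sport, dport, payload, proto=17):
    """Build a constructed in-memory test packet (checksums left at zero)."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, proto, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + udp

# Constructed capture: one trigger, one DNS query, one harmless datagram to the
# same port, one TCP-labelled packet and one truncated frame.
SAMPLES = [
    build_packet("198.51.100.7", "192.0.2.1", 50000, 39889, b"HELODBG"),
    build_packet("192.0.2.20", "192.0.2.1", 40000, 53, b"\x12\x34\x01\x00"),
    build_packet("192.0.2.20", "192.0.2.1", 40001, 39889, b"hello"),
    build_packet("198.51.100.7", "192.0.2.1", 50001, 39889, b"HELODBG", proto=6),
    b"\x45\x00",
]

def scan(packets):
    """Return (src, dst) for every packet that matches the trigger."""
    return [parse_udp(p)[:2] for p in packets if is_backdoor_trigger(p)]

if __name__ == "__main__":
    for src, dst in scan(SAMPLES):
        print(f"ALERT: HELODBG trigger from {src} to {dst}:{BACKDOOR_PORT}/udp")
```

Feed it raw IPv4 packets from a capture of the router's LAN or WAN side; any hit means someone is trying to open the unauthenticated Telnet service.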
Here’s why I (and everyone else) suggest removing this device from your network and home immediately. Kim contacted D-Link about these vulnerabilities back in June. D-Link has yet to issue a firmware update, and has said nothing about plans to do so. So, with that in mind, I’d say ditch it. Do it NOW!