Senrio+Xipiter 0day for MANY D-Link devices

[…] In our last post we talked about a vulnerability discovered in the D-Link DCS-930L Cloud Camera. Since then the Senrio Research Team has been working closely with the D-Link Security Incident Report Team. Below we disclose technical details of our efforts.  […] What does that mean in terms of exposure to consumers? In a collaboration with Shodan we discovered 400,000 devices publicly accessible that could be affected by this 0day.  […]

Exploiting D-Link webcams

Vectra Labs has a blog post on how easy it is to attack U-Boot-based D-Link webcams, using simple tools like BusPirate, FlashROM, and BinView. I wonder if the U-Boot in question was using U-Boot Verified Boot or not? At a higher level, this blog seems to be a good example of how insecure the current generation of IoT devices are, and how much (or little) you should rely on such devices.

[…] Conclusion

So does all this mean that D-Link’s web camera has a major security issue? Not necessarily – we get what we pay for, and asking a vendor who sells a webcam on Amazon for $30 to provide safe firmware update features which would require a TPM or a specialized chip to verify the content and signature of a software update is not very realistic. Rather the point of this demonstration is to highlight the real impact that IoT devices pose to the attack surface of a network. As we’ve shown, the barriers to hacking these devices are relatively low, and even the most basic devices can provide the plumbing for a persistent command-and-control channel. While these devices are low-value in terms of hard costs, they still matter to the security of the network, and teams need to keep an eye on them to reveal any signs of malicious behavior.

*Vectra disclosed the issue to D-LInk in early December 2015. As of January 7, 2016, the company has not provided a fix.

Full post:

D-Link releases private keys in firmware

D-Link left their private keys in their firmware, for attackers to exploit!

Google.Translation of article below:

D-Link blunder by releasing private keys of certificates

By Olaf van Miltenburg

D-Link had accidentally private keys for certificates signed by which software is released. The keys were to distill out of open-source firmware packages of the manufacturer. Criminals had certificates thereby exploit. Malware writers can use the certificates to sign their malicious code, which for example is Windows look like legitimate software. The certificate is a guarantee that the programs will actually come from the relevant company. The blunder was discovered by bartvbl, who pointed to the editorial on the issue. He had purchased the DCS-5020L-surveillance camera from D-Link and wanted to download the firmware. D-Link firmware source code of many open source under a GPL license available. “It turned out what to look through the files that were in private keys to sign with code”, reports bartvbl, “In fact, in some batch files were the commands and pass phrases that were needed.” The user was able to verify that the key could be used to create a file that was not D-Link with a certificate signing. In early September expired certificates, so the trick no longer works. Even after providing the expiration date remains signed software that is to be seen as valid. Only after the withdrawal of the certificates given by W indows check a certificate stating that they are not valid. That withdrawal has already happened. That is no longer the abuse problem. Security firm Fox-IT request, confirms the findings of the user. Yonathan Klijnsma, researcher at the company: “T he code signing certificate is indeed a firmware packages, firmware version 1.00b03 whose source February 27 this year, was released this certificate was therefore issued for expired, a big mistake.”. He even found four other certificates in the same folder. D-Link has released new versions of the firmware, where the certificates no longer in it. The company late in a statement regularly update the firmware “in the latest safety and quality standards” to meet. The company stressed that there was no intent. “D-Link prevent at all times to develop product features that intentionally provide unauthorized access to the device or network, including, for example backdoors.” Furthermore, the company Tweakers promises that early next week new firmware comes out which security issues are also resolved.

There’s a Y-Combinator thread, as well: