D-Link DWR-932 B Plagued with Vulnerabilities

The security researcher Pierre Kim has identified a lot of security issues in the D-Link DWR-932 B LTE router.

D-Link DWR-932 B Suffers from Serious Security Issues

Yet another popular consumer product has been identified to have a lot of critical issues. This time, it’s the D-Link DWR-932 B Router with LTE connectivity. The security researcher Pierre Kim has discovered multiple vulnerabilities in the model which is based on the Quanta LTE router models. The issues are identified in the latest firmware:

• The router has enabled the telnet and SSH services by default. The daemon for Telnet is running even though that is not documented in the manual or the technical specifications of the device. There are two backdoor accounts that can be used bypass the HTTP authentication that manages the router. The password for the admin account is “admin” which is certainly not a good security practice. The root account’s password is “1234”.
• A backdoor was also identified in the /bin/appmgr application. It can be exploited by crafting a specific UDP string to the victim router. The string “HELODBG” activates threads that allow root shell script access without authentication.
• Bad WPS configuration is also present – a default WPS PIN “28296607” is hardcoded into the router.
• The WPS generator that is used to change the hardcoded PIN uses a weak algorithm because it is based on the time function. An attacker can also generate a valid WPS PIN. In addition, the router uses the NTP protocol to poll remote servers about the accurate time and date so its very easy to use the same variables.
• The security expert has also identified that the router contains user credentials with a hardcoded username and password for the No-IP dynamic DNS service.
• The HTTP service “qmiweb” contains a lot of vulnerabilities that can easily be exploited by criminals.
• The next problem is related to the firmware updating over the air mechanism that is available on the router. It appears that the credentials are hardcoded into a binary.
• Various chmod operations with the 777 value are executed under the root account.
• The UpnP implementation has intentionally lowered security. The setup allows attackers located in the local area network to add port forwarding from the Internet to other hosts located on the local network. This gives criminals the opportunity to forward all traffic from the WAN to the LAN.

All mentioned weaknesses are also explained with relevant proof of concept code. The D-Link DWR-932 B has a lot of memory and a good performing CPU so these potential vulnerabilities can be used to recruit the device into a botnet. For more detailed information, you can read Pierre’s blog post.