More than 20 vulns in SOHOpeless LTE gateway
If you’ve got a D-Link DWR-932 B LTE router, you might want to fire it into the sun – or hope that a firmware upgrade lands soon.
Following the consumer broadband industry’s consistently lackadaisical attitude to security, the device suffers from everything from backdoor accounts to default credentials, leaky credentials, firmware upgrade vulns and insecure UPnP.
Pierre Kim outlines the litany of SOHOpelessness, noting that many of the vulns are inherited from the Quanta LTE device that forms the basis of the badge-engineered marvel.
The messes Kim found include:
SSH and the telnet daemon are enabled by default, with two backdoor accounts (admin:admin, and root:1234);
If an attacker sends a crafted UDP string to the appmgr program, it will launch telnetd;
The Wi-Fi Protected Setup (WPS) has a hard-coded PIN (28296607);
Should a user decide to generate a different temporary WPS PIN, Kim writes, it’s a weak PIN because it’s based on srand(time(0));
The HTTP daemon, qmiweb, is a horror that inherits five vulnerabilities from the Quanta device;
Its remote firmware over-the-air update mechanism uses hardcoded credentials (qdpc:qdpc, qdpe:qdpe and qdp:qdp); and
For the full set of steak knives: the UPnP configuration allows any user on the LAN to add their own port forwarding rules.
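Why a WPS PIN seeded with srand(time(0)) is weak, shown beside a hardened generator: this is an added example, not code from the router's firmware or from Kim's advisory. The derivation in `weak_wps_pin` is an assumption (the article states only that the PIN is based on srand(time(0))), and the function names and sample timestamp are constructed; the check digit is the standard WPS one. Because the weak PIN is a pure function of the clock, it can take only one value per second of uncertainty about when it was generated, rather than any of the 10,000,000 possible 7-digit bodies.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* WPS check digit over the 7-digit PIN body (standard WPS algorithm). */
static unsigned wps_checksum(unsigned body)
{
    unsigned accum = 0;
    while (body) {
        accum += 3 * (body % 10); body /= 10;
        accum += body % 10;       body /= 10;
    }
    return (10 - accum % 10) % 10;
}

/* Weak pattern: PIN is a pure function of the clock value used as seed.
 * ASSUMED derivation; the article only says srand(time(0)) is used. */
static unsigned weak_wps_pin(time_t seed)
{
    srand((unsigned)seed);
    unsigned body = (unsigned)rand() % 10000000u;
    return body * 10 + wps_checksum(body);
}

/* Hardened pattern: body from the kernel CSPRNG, rejection-sampled so
 * every 7-digit value is equally likely. Returns 0 on success. */
static int strong_wps_pin(unsigned *pin)
{
    const uint32_t limit = UINT32_MAX - UINT32_MAX % 10000000u;
    uint32_t r;
    FILE *f = fopen("/dev/urandom", "rb");
    if (!f) return -1;
    do {
        if (fread(&r, sizeof r, 1, f) != 1) { fclose(f); return -1; }
    } while (r >= limit);
    fclose(f);
    *pin = (r % 10000000u) * 10 + wps_checksum(r % 10000000u);
    return 0;
}

int main(void)
{
    time_t t = 1475000000; /* constructed sample timestamp */
    unsigned pin = 0;
    printf("weak:   %08u (same seed again: %08u)\n", weak_wps_pin(t), weak_wps_pin(t));
    if (strong_wps_pin(&pin) == 0) printf("strong: %08u\n", pin);
    return 0;
}
```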
There’s more, but the killer Kim points out is that the router has a big processor and lots of memory, and is so badly secured it would be trivial to recruit it into a botnet.
Kim says he contacted D-Link in June, and with no update forthcoming, he says he obtained CERT’s advice to publish the vulns. ®