D-Link has promised to close its routers' backdoors by Hallowe'en, following revelations that many of its consumer-grade devices accept unauthenticated access to its admin Web page.
As reported here yesterday, a researcher at /DEV/TTYS0 blog unpacked the firmware of a number of D-Link devices, finding that if a browser presented the correct user agent string to the internal administrative Web server, it would receive unauthenticated and unfettered access to the device's administration panel. From there, it would be a cinch to snoop on users' communications.
More ReadingSecurobods warn of wide open backdoor in Netis/Netcore routersD-Link FINALLY slams shut 'Joel's backdoor'Netgear router admin hole is WIDE OPEN, but DON'T you dare go in, warns infosec bodD-Link hole-prober finds 'backdoor' in Chinese wireless routersControl panel backdoor found in D-Link home routers
According to D-Link, the company is working on the fix now, and in a statement sent to The Register, the company said the firmware will be provided here.
The company also offered this advice:
“As there are different hardware revisions on our products, please check this on your device before downloading the correct corresponding firmware update. The hardware revision information can usually be found on the product label on the underside of the product next to the serial number. Alternatively, they can also be found on the device web configuration.”
In the meantime, users should ensure there's a strong Wi-Fi password on their kit, and should disable remote administrative access. ®