D-Link router

South Korean security researcher Pierre Kim has published details about ten vulnerabilities he discovered in the firmware of D-Link DIR 850L routers.

The researcher published the details without giving D-Link the chance to fix the flaws. Kim says he took this step after reporting similar issues in D-Link products in February that the company ignored.

Kim publishes details on high-impact vulnerabilities

The reported flaws can be exploited from both the router's internal (LAN) and external (WAN) connections to grant attackers the ability to intercept traffic, upload malicious firmware, or get root privileges.

In addition, the researcher also discovered vulnerabilities in the MyDLink cloud service that device owners use to connect to their routers at home, from a remote connection, via Internet.

Below are summaries for all the flaws Kim discovered:

1) Lack of proper firmware protection allows an attacker to upload a new firmware to the router. D-Link 860L firmware revision A has no protection at all, while revision B firmware images come with a hardcoded password that attackers can extract and gain access to the firmware.
2) Cross-site scripting (XSS) flaw when accessing the router admin panel from both the LAN and WAN interfaces allow attackers to steal the authentication cookies and gain access to the device.
3) Attackers can retrieve admin password from routers, and use it to associate users' routers with their own MyDLink cloud accounts, effectively taking control over the device.
4) MyDLink cloud protocol works via a TCP tunnel that doesn't use proper encryption, exposing communications between the user's router and the MyDLink account.
5) The private encryption keys for this TCP tunnel are hardcoded in the firmware and attackers can extract them to perform MitM attacks.
6) Backdoor account via Alphanetworks / wrgac25_dlink.2013gui_dir850l
7) Attackers can alter DNS settings via non-authenticated HTTP requests.
8) Router exposes local files. Also stores credentials in cleartext.
9) Router's internal DHCP client is vulnerable to command injection attacks that allow attackers access to root-level actions.
10) DOS flaw allows attackers can crash router daemons.

"Due to difficulties in previous exchange with Dlink, full-disclosure is applied," the researcher wrote in a security advisory he published this week, which also details each security flaw in more depth.

"Their previous lack of consideration about security made me publish this research without coordinated disclosure," Kim added. "I advise to IMMEDIATELY DISCONNECT vulnerable routers from the Internet."

Victor Gevers, security researcher and chairman of the GDI Foundation, estimates the number of D-Link 850L routers at around 95,000.

In a statement emailed to Bleeping Computer, D-Link says it's investigating the disclosed flaws and will provide a firmware update as soon as it becomes available via support.dlink.com.

In January, the FTC took D-Link to court because the Taiwanese hardware manufacturer failed to take action and secure devices when security flaws were reported.

UPDATE [September 12, 18:35 ET]: Article updated with D-Link reply.