D-Link accidentally leaks code-signing certs in its firmware
Malware peddlers don’t always have to steal or buy (from sellers on underground forums) legitimate and valid code-signing certificates to sign their malware with – sometimes the certificates can be found just “lying around” in open source software and code repositories.
An example of this blunder is D-Link inadvertently including several of their code-signing keys in a recently published firmware update.
According to Dutch news site Tweakers (via Google Translate), one of their readers, who goes by the handle “bartvbl”, bought a D-Link DCS-5020L surveillance camera and decided to take a peek at the firmware (D-Link open sources its firmware under the GPL license).
He found several certificates, and one of them was still valid. His findings were confirmed by Yonathan Klijnsma from Dutch infosec firm Fox-IT.
D-Link has reacted by revoking all the certificates, and releasing a new version of the firmware, sans certificates in the code.
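The lesson for any vendor shipping firmware is to scan the release tree for embedded key material before publishing. The following Python scanner is an added example, not code from D-Link or from the original report: it walks an extracted firmware tree, finds every PEM block, and flags private keys separately from certificates. The firmware tree it builds (`etc/hostname`, `etc/signing.pem` with an all-`A` placeholder body) is constructed for the demonstration.

```python
import os
import re
import tempfile
from typing import Dict, List

# Matches any PEM block: header, base64 body, footer. The label (e.g. "RSA PRIVATE KEY") is captured
# and the footer must carry the same label via the backreference.
PEM_BLOCK = re.compile(rb"-----BEGIN ([A-Z0-9 ]+)-----\s*(.*?)\s*-----END \1-----", re.DOTALL)

def classify(label: str) -> str:
    """Map a PEM label to the coarse category a pre-release check cares about."""
    if "PRIVATE KEY" in label:
        return "private-key"
    if label == "CERTIFICATE":
        return "certificate"
    return "other"

def find_pem_material(root: str, max_bytes: int = 8 * 1024 * 1024) -> List[Dict[str, str]]:
    """Walk an extracted firmware tree and report every PEM block found.
    Files larger than max_bytes (compressed images, kernels) are skipped."""
    findings: List[Dict[str, str]] = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                if os.path.getsize(path) > max_bytes:
                    continue
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue  # unreadable entries (broken symlinks, device nodes) are not secrets
            for match in PEM_BLOCK.finditer(data):
                label = match.group(1).decode("ascii", "replace")
                findings.append({"path": os.path.relpath(path, root),
                                 "label": label, "kind": classify(label)})
    return findings

def demo_tree() -> str:
    """Build a constructed firmware tree: one harmless config file and one file
    holding a placeholder private key plus a placeholder certificate (not real material)."""
    root = tempfile.mkdtemp(prefix="fw-")
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(root, "etc", "hostname"), "wb") as fh:
        fh.write(b"dcs-camera\n")
    with open(os.path.join(root, "etc", "signing.pem"), "wb") as fh:
        fh.write(b"-----BEGIN RSA PRIVATE KEY-----\nAAAAAAAAAAAAAAAAAAAA\n-----END RSA PRIVATE KEY-----\n"
                 b"-----BEGIN CERTIFICATE-----\nAAAAAAAAAAAAAAAAAAAA\n-----END CERTIFICATE-----\n")
    return root

if __name__ == "__main__":
    for finding in find_pem_material(demo_tree()):
        print(f"{finding['kind']:12} {finding['label']:20} {finding['path']}")
```

Any `private-key` finding in a tree that is about to be published is a release blocker; a `certificate` finding is usually harmless on its own but worth confirming it is a public trust anchor rather than a signing certificate shipped alongside its key.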