D-Link DWR-932 router is chock-full of security holes

Security researcher Pierre Kim has unearthed a bucketload of vulnerabilities affecting the LTE router/portable wireless hotspot D-Link DWR-932. Among these are backdoor accounts, weak default PINs, and hardcoded passwords.

D-Link DWR-932

Kim went searching for them after he previously poked around some Quanta LTE routers and also found a huge number of flaws, and a D-Link DWR-932 user noted that the two router types have many similarities.

In fact, he says that D-Link’s router is based on the Quanta models, and inherited some of the vulnerabilities.

The documented D-Link DWR-932 vulnerabilities affect the latest available firmware. Kim first responsibly disclosed them to the D-Link Security Incident Response Team in June, but after the company said early this month that they don’t have a schedule for a firmware release, he decided to go public with the details about some of the flaws.

In short, the firmware sports:

  • Two backdoor accounts with easy-to-guess passwords that can be used to bypass the HTTP authentication used to manage the router
  • A default, hardcoded Wi-Fi Protected Setup (WPS) PIN, as well as a weak WPS PIN generation algorithm
  • Multiple vulnerabilities in the HTTP daemon
  • Hardcoded remote Firmware Over The Air credentials
  • Lowered security in Universal Plug and Play, and more.

“At best, the vulnerabilites are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor,” says Kim, and advises users to stop using the device until adequate fixes are provided.

“As the router has a sizable memory (168 MB), a decent CPU and good free space (235 MB) with complete toolkits installed by default (sshd, proxy, tcpdump …), I advise users to trash their routers because it’s trivial for an attacker to use this router as an attack vector (ie: hosting a sniffing tool, LAN hacking, active MiTM tool, spamming zombie),” he noted.

The router is still being sold and used around the world.