D-Link Router Captcha Broken


We reported last week that D-Link was adding captchas to their routers to prevent automated login by malware. Unsurprisingly, it doesn’t work all the time. The team from SourceSec grabbed the new firmware and began poking at it. They found that certain pages don’t require the authentication to be passed for access. One of these is WPS activation. WPS lets you do push-button WPA configuration. Once activated, any nearby client can request the WPA key using a tool like WPSpy. Only user-level credentials are needed to pull this off, so changing just the admin password won’t prevent it.

[photo: schoschie]
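
The class of flaw described above, sketched as an added example (not code from this post, SourceSec or D-Link): when each page opts in to the captcha check, one forgotten page is served without it, while a central default-deny gate closes the gap. The page paths, roles and route table are hypothetical and constructed for illustration.

```python
# Added illustration; paths, roles and the route table are hypothetical.
from dataclasses import dataclass
from typing import Optional

ROLES = {None: 0, "user": 1, "admin": 2}

@dataclass(frozen=True)
class Page:
    min_role: str                 # lowest credential level the page accepts
    checks_captcha: bool = False  # opt-in: each handler must remember the check

@dataclass(frozen=True)
class Request:
    path: str
    role: Optional[str]           # role of the credentials sent with the request
    captcha_passed: bool          # True only after the challenge was solved

# Constructed route table: the WPS page was added without the captcha check.
PAGES = {
    "/status.cgi": Page("user", checks_captcha=True),
    "/settings.cgi": Page("admin", checks_captcha=True),
    "/wps_activate.cgi": Page("user"),
}
# Pages that must work before the captcha is solved (login form, the challenge).
PRE_CAPTCHA = {"/login.cgi", "/captcha.cgi"}

def allow_opt_in(req):
    """Flawed design: the captcha is enforced only where a page asks for it."""
    page = PAGES[req.path]
    if page.checks_captcha and not req.captcha_passed:
        return False
    return ROLES[req.role] >= ROLES[page.min_role]

def allow_default_deny(req):
    """Central gate: every path outside PRE_CAPTCHA needs a passed captcha."""
    if req.path in PRE_CAPTCHA:
        return True
    if not req.captcha_passed or req.path not in PAGES:
        return False
    return ROLES[req.role] >= ROLES[PAGES[req.path].min_role]

def pages_skipping_captcha(gate):
    """Audit: protected pages that `gate` serves to valid credentials with no captcha."""
    return sorted(p for p in PAGES
                  if gate(Request(p, "admin", captcha_passed=False)))
```

Running `pages_skipping_captcha` against a firmware's real route table in a regression test is a cheap way to catch a page that was added without the check.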

24 thoughts on “D-Link Router Captcha Broken”

  1. I do not see the point of all of this. Nobody but a total dooschbag would even try to log in to a router by bot. If they really want to screw with you, they will log in in person. And if u leave ur network unsecured (like me), what’s the point? The guy has a nice wifi hotspot, why try to ruin it?

    and will someone help me crack my school’s wep key? I want to, uhh, ‘study’ during open campus.

  2. Was going to say “told you so” until I read more in depth. This is just a matter of an “advancement” making the original design more complex, which illuminates other problems. These should be no big deal, especially in light of the magical hax0r wizards over at d-link being able to implement CAPTCHA!

  3. Not news. In a competitive business environment, QA is frequently the group that is shortchanged (or outsourced, or just cut) in order to economically compete. But that’s the one group that could save the company.
    If you are finding holes in the security of a company’s product you can be sure that someone in management was saving a few bucks by cutting back on QA.
    If it comes back to bitch-slap them, they deserve it.

  4. Recently Dlink routers have been a lot better. Their entry level stuff is excellent for the price.

    On the other hand Linksys has become crap.

    What good brand is there left?

  5. Ok the captcha is random but the default admin password can’t be?
    Make it random and print it beneath the router!
    Or put a physical button on it that enables admin when pressed! It can be an already present button but with a longer push for instance!
    There are so many possible “full” solutions to the rooting problem and yet they choose to just fix (badly) the rooting-by-bot…

  6. Don’t care…

    As long as the bin file of OpenWrt installs, it fixes all problems with these routers.

    Honestly, if you have any advanced education you should be using OpenWRT or DDWRT and not the crap firmware in these routers.

    But then if you have even a high school education you know to set the password to something that is not easily cracked.

    Yes, most Americans don’t even have a high school education as far as I am concerned. You are a RETARD if you don’t understand computer basics.

  7. Even if all pages are secured, there are still the captchas; they can be cracked too.

    I have heard of forum sign-up captchas being broken, allowing spammers to automate sign-ups to spam the board.

    The only ways I know to totally secure it are:

    1. Remove the remote admining feature (force the user to be at the PC to admin the router).

    2. For those with older routers whose makers refuse to make firmware that removes the remote admining, you can hope your ISP has and strictly enforces the “no servers on residential account” rule and actually blocks the standard server ports 21, 80, 443 from being accessed from the outside.

  8. @googfan

    The whole point of malware bots breaking into routers has nothing to do with stealing people’s wifi.
    The primary purpose of a malware bot breaking into somebody’s router is to modify the router’s DNS tables so certain site requests can be manipulated. For example, every bank web address you type in is redirected silently in the background, without you even knowing and without tipping off any of your browser security or phishing filters, to a rogue site which then captures your details. And you won’t know a thing about it because the site looks identical, you just won’t be able to log in, it will take your details and then say “Sorry – Server error, try again later” or something like that.

    The other reason malware bots would try to break into routers is because firewalls can be a pain. However, if you break into the admin area of a router you can practically disable the firewall, allowing a human operator to then zombie all the PCs behind the router firewall at leisure.

    Hacker/cracker leaves this bot running to do the leg work for him overnight, wakes up in the morning and has a whole screen-long list of addresses where the routers now forward all bank requests to silent phishing sites, and a list of routers that have possibly hundreds of available PCs ready for droning.
    Considering MOST PCs are behind external modem routers these days, malware has adapted.

    Malware that directly and automatically compromises your gateway to the internet in this fashion is as frightening to us computer security guys as it is interesting.

    Can guarantee once a router is hacked, you’ll never be able to trust any site again.

    (Ask yourself this question, how many people do you know with broadband…. and how many of them would even know if somebody had logged into their router? 90% of the people I know have never touched the thing after the initial setup.)

    They own your DNS.
    Trust me router bots are not “Pointless” they are frightening and the next big thing.

  9. Humm.. Here is my question about all this Captcha requiring you to login and this malware bot.

    First thing is most routers by default don’t allow you to access the config from the WAN port, only if you are on the LAN. So unless you go in and change this, or this is something that has changed in some of these new routers, I think that would prevent outsiders from gaining access.

    Now if you have an open AP, and, a client with an infected machine comes on the AP then I guess the Captcha could add an extra level, but you already have issues with an open AP and allowing people on your “trusted” network.
    Also I thought most new routers require you to set them up properly to work and no longer “work out of the box” to prevent default password.

  10. ~~~PAY ATTENTION~~~ not a WAN access issue.
    This is for hacks that use tricks to get in via your browser or as a trojan via your computer, so it’s not a WAN access issue
    And as stated this new thing is not protected by the router admin password AT ALL, so any script that runs on some site you visit might get access to your router through your browser/system originating from, or some trojan hidden in something you install can access your router, again right from your own computer, as dag33k explains above.

    And the captcha is meant to ensure it’s a human entering the password, which in itself can be a bit of a pain if you want to yourself automate router access to be honest, that’s made impossible to do easy if it worked as planned, but I guess people that want to automate would get a router that allows custom linux firmware to be installed and use that route, if you pardon the pun.

  11. Captcha is just one more thing know-nothing Best-Buy / (insert store of your choice here) employees can pretend to talk about to sell more product. The workaround is so basic and simple anyone who buys one of these devices will have no more security than sticking with a device without captcha. More cities/computer groups should offer public talks on the facts of wireless security because 90% of people are just clueless or don’t care.
