
I found D-Link private code signing keys in an open source firmware distribution

bartvbl

So around May this year I bought a DCS-5020L wireless security cam from D-Link. I wasn't excessively impressed with the software that came with it (for example, the installer turned off UAC without asking), so the GPL code pamphlet that came with it got my curiosity. As it turns out, D-Link uses GPL code in their firmware and makes its source code available online for free. Good on them.

 

After downloading the source archive of my device and strolling around in the files I stumbled upon this directory:

[Screenshot: directory listing from the source archive (post-261938-0-40659200-1442656084.png)]

 

The .pfx files in there are private key files. These particular ones are for signing executable files (in this case Java classes). Even better: the parent directory contained batch files containing the passphrases of these keys. A few minutes later I had a signed executable printing some text to the command line. Here's the result:

[Screenshot: signed executable and its publisher details (post-261938-0-14478000-1442656308.png)]

 

I immediately contacted D-Link about it, but never heard back. I also sent word to the certificate authority that issued the certificate in question, but had no reply from them either.

 

The certificate has now expired, so no new files can be signed with it. However, files that have already been signed will still be "published" by D-Link Corporation according to Windows.

 

A Dutch tech site published the story a few days ago:

Google Translated version: https://translate.google.com/translate?sl=nl&tl=en&js=y&prev=_t&hl=nl&ie=UTF-8&u=http%3A%2F%2Ftweakers.net%2Fnieuws%2F105137%2Fd-link-blundert-met-vrijgeven-privesleutels-van-certificaten.html&edit-text=&act=url

Original article in Dutch: http://tweakers.net/nieuws/105137/d-link-blundert-met-vrijgeven-privesleutels-van-certificaten.html
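The post describes the two things that made the find exploitable: PKCS#12 (.pfx) private key bundles shipped inside a source archive, and batch files next to them carrying the keystore passphrase on the command line. The scanner below is an added example, not code from the post or from D-Link's GPL archive: it walks a source tree, flags files that look like private key material, and flags scripts that pass a signing-tool passphrase as an argument (jarsigner/keytool -storepass and -keypass, signtool /p, openssl -passin/-passout). The sample tree it builds is constructed for the demo; the file names, the tools directory layout and the passphrase are made up.

```python
"""Scan a source tree for leaked signing keys and the passphrases that unlock them.

Added example (not from the forum post or from D-Link's GPL archive). The sample
tree built by build_sample_tree() is constructed for this demo only.
"""
import os
import re
import tempfile

# Extensions that normally hold private keys or PKCS#12 / Java keystore bundles.
# .pfx/.p12/.jks are flagged on extension alone (they are binary containers);
# .pem/.key are flagged only when a PEM private-key header is present, so a
# file that holds nothing but CA certificates is not reported.
CONTAINER_EXTENSIONS = {".pfx", ".p12", ".jks"}
PEM_EXTENSIONS = {".pem", ".key"}
PEM_PRIVATE_RE = re.compile(rb"-----BEGIN (?:RSA |EC |DSA |ENCRYPTED )?PRIVATE KEY-----")

# Passphrase arguments of common signing tools as they appear in scripts.
# Captures the value after -storepass/-keypass (jarsigner, keytool), /p (signtool),
# -passin/-passout (openssl, optionally prefixed with "pass:") or -password.
PASSPHRASE_RE = re.compile(
    r"(?:-storepass|-keypass|/p|-passin|-passout|-password)\s+[\"']?(?:pass:)?([^\s\"']+)",
    re.IGNORECASE,
)
SCRIPT_EXTENSIONS = {".bat", ".cmd", ".sh", ".ps1", ".mk", ".txt"}


def scan_tree(root):
    """Return (key_files, passphrase_hits) found under root.

    key_files: sorted list of tree-relative paths (always '/'-separated) that
               look like private key material.
    passphrase_hits: sorted list of (script path, passphrase) tuples.
    """
    key_files = []
    passphrase_hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext in CONTAINER_EXTENSIONS or (ext in PEM_EXTENSIONS and PEM_PRIVATE_RE.search(data)):
                key_files.append(rel)
            if ext in SCRIPT_EXTENSIONS:
                text = data.decode("utf-8", "replace")
                for match in PASSPHRASE_RE.finditer(text):
                    passphrase_hits.append((rel, match.group(1)))
    return sorted(key_files), sorted(passphrase_hits)


def build_sample_tree(root):
    """Write a constructed layout resembling the one the post describes: a key
    directory holding a .pfx bundle, and a batch file one level up that passes
    the keystore passphrase to jarsigner. Every name and value here is made up."""
    os.makedirs(os.path.join(root, "tools", "keys"))
    # Placeholder bytes standing in for a PKCS#12 file; not a real bundle.
    with open(os.path.join(root, "tools", "keys", "company_codesign.pfx"), "wb") as fh:
        fh.write(b"\x30\x82\x0a\x00" + b"\x00" * 16)
    # A certificate-only PEM file: must NOT be reported as a private key.
    with open(os.path.join(root, "tools", "keys", "ca_bundle.pem"), "wb") as fh:
        fh.write(b"-----BEGIN CERTIFICATE-----\nMIIB...\n-----END CERTIFICATE-----\n")
    with open(os.path.join(root, "tools", "sign.bat"), "w") as fh:
        fh.write(
            "@echo off\r\n"
            "jarsigner -storetype pkcs12 -keystore keys\\company_codesign.pfx "
            "-storepass Example!Passphrase1 build\\app.jar codesign\r\n"
        )
    with open(os.path.join(root, "README"), "w") as fh:
        fh.write("GPL source drop for a hypothetical device\n")


def demo():
    """Build the constructed tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    keys, hits = demo()
    for key in keys:
        print("private key material:", key)
    for script, passphrase in hits:
        print(f"passphrase on command line in {script}: {passphrase!r}")
```

Run it against an unpacked GPL archive by calling scan_tree() on the extraction directory. A hit in key_files is worth checking even when the accompanying certificate has expired: a signature made while the certificate was valid, and countersigned by a trusted timestamp, keeps validating after expiry, which is the "still published by D-Link" behaviour the post observes, and only revocation of the certificate changes that.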


This is on Engadget:

http://www.engadget.com/2015/09/18/leaked-d-link-code-signing-key-could-make-malware-look-legit/


When your company is known for making wireless routers, network switches and home security cameras, leaking your code-signing private keys yourself is the last thing you want to do. Back in February, that's exactly what D-Link did, accidentally leaving a valid key visible in its open-source firmware. If found by an attacker, the key could have been used to make malware that can pass as official software from D-Link -- malware that wouldn't trigger security warnings when installed to Windows or OS X machines.

That's bad, but luckily would-be attackers would have had to stumble across the key weeks ago -- the leaked certificate expired earlier this month. Still, that means software created using the key between February and September is still valid. D-Link says it's issuing more firmware updates in the near future to address the issue.


Wow, that's a pretty serious issue. For private keys, especially those of a pretty big company, to make it close to any sort of production code is bad, but for them to be included with the open-sourced project... Heads are going to roll.

What's the point of encrypting your private key if you're going to include it in a batch file close to the key? I guess it protects against targeted attacks to steal just the private key, but still, a really stupid idea.


Welp, there goes their business with Verisign. Time for an out-of-band WU that makes "improvements to Windows" anyone? #revocation


Wow... That's a huge fucking. I thought it was just going to be some key used for like SSH into that particular router and each router would have its own but nope, that was actually D-Link's own cert.

Good thing it's expired. Malware creators would love to have that.


Ahh yeah, came across this earlier this week, wanted to post it but forgot about it, damn...

It's pretty serious. I'm honestly surprised nobody reported this here before (knowing how quick people here can be).

Hopefully it won't cause too much harm now or later in the future.


Oh, D-Link. Glad I've never recommended them. It was actually only a few days ago that someone asked if D-Link *insert router name here* was good; my reply: D-Link. Is well. D-Link.
