IoT, D-Link and Third-Party Firmware

In the early 2000’s, everybody was talking about IPv4 address exhaustion. As some of you technically enlightened readers probably know, IP stands for “Internet Protocol” and version 4 of the protocol coincidentally uses 4 bytes for the address. This means a logical span of to, or 4294967295 possible IPs (including the unusable or private ones.) And had we kept giving out public IPs to all connected devices we would have been screwed by now. The solution was thought to be IPv6, with 16 byte addresses; enough to give a unique IPv6 address to every grain of sand on this planet.

But it wasn’t IPv6 that saved us, but rather a feature called Network Address Translation, or NAT for short. This feature usually lives in your router and bridges a private network with a public one. This is the reason you see IP-addresses starting with 192.168. in many places as that is one of the private IP ranges mentioned before. But for this to work your router also need to have a public IP address, an address that is reachable from the Internet, and therein lies the crux.

The way routers are designed, you have an internal interface and an external interface, with the firmware being responsible for routing them, i.e. making sure the messages that should get through get through. It also handles configuration through a web interface, normally placed behind a login screen and generally only available from the internal network.

The biggest problem is that this firmware rarely get the attention it need from the manufacturer. After all, they make money from selling the device, not keeping the software on it current.

Think about it: Your Windows computer gets updates twice a month, my Linux computer several times a week. When did you last upgrade your router firmware? And if you have tried, when was the last time there was an actual update offered when you checked?

Router manufacturers just like the rest of us rather not reinvent the wheel, but instead use third-party libraries for a lot of the functionality, adding their own glue to make it all work. There is nothing wrong with that, as long as the glue is of a decent quality and the software is properly maintained. And for off-the-shelf routers, this is everything that is wrong with it.

Take for example D-Link, who has dropped the soap more than once lately, resulting in a lawsuit from the Federal Trade Commission (FTC) as they are “putting consumers’ privacy at risk due to the inadequate security of its computer routers and cameras“.  You can read the full complaint here for some in-depth information and more horror stories, but as a short summary take a look at these vulnerabilities, that are public knowledge:

  • The encryption key used for SSL traffic to the router is hardcoded in the firmware, allowing man-in-the-middle attacks intercepting your encrypted traffic by faking a certificate from D-Link.
  • Data sent to the web interface isn’t handled properly, allowing code to be executed on the router.
  • A link or website can be crafted, that when accessed will change settings in the router or inject malicious code in your Internet traffic.

And the list goes on… Hand on heart, did you upgrade your D-Link router during 2016? And while we are on the topic of D-Link, if you did upgrade, are you sure that the upgrade came from D-Link? As it turns out, the certificate used to digitally sign the upgrades was leaked by mistake in February of 2015 by D-Link themselves. It was supposed to be revoked in September, but might not have been.

But I’ve only talked about routers so far. With the Internet of Things (IoT) we have Internet-connected cameras and gadgets everywhere now, usually with companion smartphone apps and the likes. And it should be no surprise that the same issues that plague the routers also apply here, but with the addition of the smartphone control additional vectors are being added to the mix.

The app to view your D-Link camera apparently saves your credentials in plain text on your device. But even if you don’t use the app, there are likely hard-coded passwords on the device. And again, if there are no hard-coded passwords there are vulnerabilities present to let you bypass authentication or change the password. What is even worse is that these vulnerability exists as part of the feature to support the mobile apps. Basically, in order to accept connections from the app, the device must be accessible. This is comparable to leaving your front door unlocked. And all D-Link had to do to avoid this problem was to ship a firmware update.

So, should we burn all Internet-connected cameras and go Office Space on the routers? Maybe go back to messenger pigeons or smoke signals? Don’t worry! You can hold back on the bats and flame throwers as there are better solutions! And these are valid for most if not all routers, and not only D-Link.

  1. Use a third-party firmware: When shopping for a new router, make sure that it is one that supports third-party firmware. These are developed by the community and receives frequent updates, and should be available for most major brands including NetGear, D-Link, TP-Link and more. A good starting point for finding routers is, and I have also included a list of firmware alternatives at the end of this post.
  2. Avoid routers and cameras that use/support mobile apps: This concept makes it a requirement for your device to accept unsolicited connections from the outside. If you want to keep people from hacking your device, you want to avoid intentionally open ports.
  3. Put a hardware firewall between your router and internet connection: While NAT acts as a firewall for devices behind the router, this will keep your actual router safe from unsolicited connections. And even though your router’s web interface is not available from the Internet, it can still be possible to exploit the web interface from the public side.

As for internet-connected cameras, a good start is to make sure that they are not internet-connected to begin with. And if you really need to reach the camera over the Internet, consider researching your options and paying a little extra to get a brand and model with firmware that is properly maintained.

Alternatively, most third-party router firmware supports isolating devices or creating a “virtual network” that is kept separate from the rest of the network. This approach might not necessarily keep hackers from looking through your camera, but it makes it harder to use it as a springboard to reach your computer or other devices on your network.

Let me know in the comments if you have any comments or would like to see more security-related posts here.

Third-Party Firmware Alternatives

  • AdvancedTomato is my personal favorite pick. It is based on the Tomato firmware, and runs on most Broadcom-based devices. Functionally both Tomato and AdvancedTomato has the same features, but AdvancedTomato has a gorgeous interactive HTML5 interface. The features include a powerful netfilter/firewall, Wake-on-LAN, advanced Quality-of-Service (QoS), built-in TOR client, VPN server, bandwidth monitoring, dynamic DNS updater, WiFi-Repeater mode and sharing of USB-connected printers and drives. [Website|Devices|FAQ]
  • Tomato is like AdvancedTomato with a classic interface. Functionally they should be identical and support the same hardware. [Website]
  • OpenWRT is basically Linux for your router, and if you are adventurous it even lets you use a Raspberry Pi as a WiFi router! Configuration is a bit more complicated than AdvancedTomato but the feature set should be similar. [Website|Devices|FAQ]
  • DD-WRT is another alternative along the lines of OpenWRT. [Website|Devices]