According to Kim, both SSH and telnet run by default in the D-Link router. On top of that, two backdoor accounts, which can be used to bypass HTTP authentication, also exist. The router also suffers from default passwords – the password for admin is “admin” while the password for the root account is “1234.”
In addition to the backdoor accounts, the device’s software contains a backdoor of its own: if an attacker sends the string “HELODBG” to a UDP port on the router, the device grants root access over telnet.
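As an added example (not part of the article or of Kim’s research), the following Python script shows how a defender could flag the trigger string in UDP traffic headed for the router; the router address, the sample packets and the destination port 9999 are constructed placeholders, and the match is deliberately port-agnostic because the article does not name the port.

```python
import struct

# Trigger string named in the article. Matching it anywhere in UDP payloads
# addressed to the router avoids depending on a port the text does not state.
HELODBG_TRIGGER = b"HELODBG"


def parse_ipv4_udp(raw):
    """Return (src_ip, dst_ip, sport, dport, payload) or None if not IPv4/UDP."""
    if len(raw) < 20 or raw[0] >> 4 != 4 or raw[9] != 17:
        return None
    ihl = (raw[0] & 0x0F) * 4
    if len(raw) < ihl + 8:
        return None
    src_ip = ".".join(str(b) for b in raw[12:16])
    dst_ip = ".".join(str(b) for b in raw[16:20])
    sport, dport, ulen, _chk = struct.unpack("!HHHH", raw[ihl:ihl + 8])
    return src_ip, dst_ip, sport, dport, raw[ihl + 8:ihl + ulen]


def find_backdoor_probes(packets, router_ip):
    """Alert on every UDP datagram to router_ip whose payload carries HELODBG."""
    alerts = []
    for raw in packets:
        parsed = parse_ipv4_udp(raw)
        if parsed is None:
            continue
        src_ip, dst_ip, sport, dport, payload = parsed
        if dst_ip == router_ip and HELODBG_TRIGGER in payload:
            alerts.append((src_ip, sport, dport))
    return alerts


def build_ipv4_udp(src_ip, dst_ip, sport, dport, payload):
    """Assemble a minimal IPv4/UDP packet (checksums zeroed) for the samples below."""
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         bytes(int(o) for o in src_ip.split(".")),
                         bytes(int(o) for o in dst_ip.split(".")))
    return ip_hdr + udp


# Constructed sample traffic: one ordinary DNS query to the router and one
# datagram carrying the trigger string (port 9999 is a placeholder).
SAMPLE_PACKETS = [
    build_ipv4_udp("192.168.0.10", "192.168.0.1", 51000, 53, b"\x12\x34\x01\x00dns"),
    build_ipv4_udp("203.0.113.7", "192.168.0.1", 40000, 9999, b"HELODBG"),
]

if __name__ == "__main__":
    for src, sport, dport in find_backdoor_probes(SAMPLE_PACKETS, "192.168.0.1"):
        print(f"ALERT backdoor trigger from {src}:{sport} to router port {dport}")
```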
The router also suffers from a hardcoded PIN in its Wi-Fi Protected Setup that can be gathered from either the router’s App Manager program or its HostAP configuration tool, according to Kim. If for some reason an attacker didn’t want to use the hardcoded WPS PIN, they could easily generate their own temporary PIN. The algorithm the software uses is so weak that the researcher claims it would be trivial for an attacker to generate sets of valid WPS PINs and brute-force them.
The credentials needed to contact the firmware over-the-air (FOTA) update server, or to access a dynamic DNS No-IP account, are also hardcoded, and the device’s HTTP daemon is riddled with vulnerabilities, including two remote code execution bugs, Kim said.
The router’s UPnP permission rules are misconfigured, too. That means an attacker could forward traffic from the wide area network (WAN) to the local area network (LAN).