More than 92,000 D-Link NAS systems discovered vulnerable to remote attack
Apr 8, 2024

A Network Attached Storage (NAS) system is pretty common for photographers and filmmakers. When we pick up our cameras, we’re often doing so to create a large amount of data, and we need somewhere to store it – and/or back it up.
One brand of NAS is D-Link, the same company that makes routers and other networking hardware. More than 92,000 of its NAS units are currently reachable from the internet with a flaw that lets anyone log in remotely, and D-Link has said it won't be fixing it.
D-Link NAS: What’s the problem?
According to Bleeping Computer, a threat researcher has discovered a hidden backdoor in multiple D-Link NAS storage systems: an account that is hard-coded into the device. Hard-coded means it lives in the firmware code itself rather than in the user-editable settings, so the owner can't see it in the web interface, can't change its password and can't delete it. It shipped as part of D-Link's own firmware, not as something an attacker added afterwards.
So far the flaw has only been confirmed in some of their end-of-life products. However, many customers will still be using them if they still fit their storage needs. After all, if it ain't broke, why fix it?
The flaws were found by the researcher "netsecfish" and affect at least the DNS-340L, DNS-320L, DNS-327L and DNS-325. Alongside the hard-coded account, he found a command injection vulnerability in the same web interface: a request parameter is handed to the device's operating system as a shell command, so an attacker who can reach the interface can run whatever they like on the NAS, whether that's reading or wiping your files, changing its configuration, or enrolling it in a botnet used for Distributed Denial of Service (DDoS) attacks.
What is a backdoor?
A backdoor in computing is essentially a way for somebody to access a system by means other than the officially intended method.
It's analogous to real life. You've got a house with a front door on which guests knock. You can then choose to let them in or not, or you can give them a key so that they can get in whenever they want.
But for the people you don't want coming into your house, it doesn't matter how much you reinforce your front door or how many locks you put on it if there's a back door they can use to bypass all of that and walk straight in.
A software backdoor works on the same principle. It's a way to bypass the normal login and get straight into the system. The only real protection you have is that most people don't know the backdoor exists, and with a hard-coded account there is no password for the owner to change, so there is nothing you can do about it short of taking the device off the network.
But once it becomes common knowledge, as is the case now with the affected D-Link NAS systems, anyone can get in.
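The pattern behind both flaws, as an added Python illustration that is not D-Link's firmware and not netsecfish's proof of concept: a service account baked into the code that the owner cannot remove, and a request parameter that is base64-decoded and handed to a shell. The endpoint shape, the `svc` account, the parameter and action names and the `/shares` path are all assumptions chosen for illustration. The hardened handler in the second half shows the two fixes: authenticate only against owner-managed accounts, and map the request onto a fixed allowlist of commands run without a shell.

```python
import base64
import hmac
import subprocess
from urllib.parse import parse_qs, quote

# Constructed sample of the owner-managed account store. Plaintext only to keep
# the example short; a real device should store a salted password hash.
CONFIGURED_USERS = {"admin": "correct horse battery staple"}

# ---------------------------------------------------------------------------
# Vulnerable pattern: hard-coded account + request parameter passed to a shell
# ---------------------------------------------------------------------------

# A service account compiled into the firmware. The owner never sees it in the
# web UI, cannot change its password and cannot delete it: that is what
# "hard-coded backdoor" means in practice. Name and password are assumptions.
_BUILTIN_USER = "svc"
_BUILTIN_PASS = ""


def run_shell(cmd: str) -> str:
    """Sink: hand a string to /bin/sh, which is exactly what command injection needs."""
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def encode_system(cmd: str) -> str:
    """Build the attacker-controlled parameter value: base64, then URL-encoded."""
    return quote(base64.b64encode(cmd.encode()).decode())


def vulnerable_handler(query_string: str, execute=run_shell) -> tuple:
    """Mimics a CGI endpoint: query string in, (HTTP status, body) out."""
    p = parse_qs(query_string, keep_blank_values=True)
    user, passwd = p.get("user", [""])[0], p.get("passwd", [""])[0]
    # Flaw 1: the built-in account is accepted alongside the owner's accounts.
    if not ((user, passwd) == (_BUILTIN_USER, _BUILTIN_PASS)
            or CONFIGURED_USERS.get(user) == passwd):
        return 403, "forbidden"
    # Flaw 2: a caller-supplied, base64-wrapped string goes straight to a shell.
    # Encoding is not a security control; it is undone before the string is used.
    cmd = base64.b64decode(p.get("system", [""])[0]).decode("utf-8", "replace")
    return 200, execute(cmd)


# ---------------------------------------------------------------------------
# Hardened pattern: owner-managed accounts only + fixed allowlist, no shell
# ---------------------------------------------------------------------------

# Every action the endpoint may perform maps to a fixed argv. Nothing from the
# request is ever interpolated into it. The share path is an assumption.
ALLOWED_ACTIONS = {
    "list_shares": ["ls", "-1", "/shares"],
    "disk_usage": ["df", "-h", "/shares"],
}


def run_argv(argv: list) -> str:
    """Sink without a shell: metacharacters in argv reach execve as plain bytes."""
    return subprocess.run(argv, capture_output=True, text=True).stdout


def authenticate(user: str, passwd: str) -> bool:
    """Accept only accounts the owner created; constant-time compare."""
    expected = CONFIGURED_USERS.get(user)
    return expected is not None and hmac.compare_digest(expected.encode(), passwd.encode())


def hardened_handler(query_string: str, execute=run_argv) -> tuple:
    """Same endpoint shape, but no built-in account and no shell."""
    p = parse_qs(query_string, keep_blank_values=True)
    if not authenticate(p.get("user", [""])[0], p.get("passwd", [""])[0]):
        return 403, "forbidden"
    argv = ALLOWED_ACTIONS.get(p.get("action", [""])[0])
    if argv is None:
        return 400, "unknown action"
    return 200, execute(argv)


if __name__ == "__main__":
    # Backdoor login plus injection: both commands run; the owner's password is never needed.
    print(vulnerable_handler("user=svc&passwd=&system=" + encode_system("echo pwned; id")))
    # The same built-in credentials are meaningless against the hardened handler.
    print(hardened_handler("user=svc&passwd=&action=list_shares"))
    # A valid owner login still cannot smuggle a command through the action name.
    print(hardened_handler("user=admin&passwd=correct+horse+battery+staple&action=rm+-rf+%2F"))
```

Running the file shows the built-in account logging in with an empty password and both injected commands executing, while the same request is refused by the hardened handler and a logged-in owner cannot turn the action name into a command. Both handlers take an `execute` callable so the command that would reach the operating system can be inspected instead of run.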
What are the affected models?
Netsecfish lists four models of D-Link NAS, along with the firmware versions he confirmed as vulnerable to the backdoor. Again, these are end-of-life products, and the last firmware updates for them were released years ago.
- DNS-320L Version 1.11, Version 1.03.0904.2013, Version 1.01.0702.2013
- DNS-325 Version 1.01
- DNS-327L Version 1.09, Version 1.00.0409.2013
- DNS-340L Version 1.08
But these backdoors existed while they were still current, fully supported models. Someone at D-Link would have known they were there the entire time, and no patches were ever released. The backdoor may only have been made public now, but that doesn't mean nobody else found it, and exploited it, while these devices were still being sold.
There are likely more vulnerable models out there that netsecfish hasn't been able to test. So far, he has found more than 92,000 vulnerable D-Link NAS systems exposed directly to the internet. The UK tops the chart with almost 14,500 affected devices.

What is D-Link doing about it?
The company is doing absolutely nothing to fix the vulnerabilities contained within these NAS systems. Essentially, as far as they’re concerned, they’re old, obsolete, end-of-life products. If people want a fix, then they need to buy one of D-Link’s newer NAS systems.
They did, however, put out an advisory on their website telling owners of these devices to retire and replace them.
D-Link US recommends that D-Link devices that have reached EOL/EOS be retired and replaced.
So, this is generally a fair response. Nobody’s asking Microsoft for Windows XP updates anymore. And you’ll never get iOS15 running on your iPhone 3GS. The products in question went end-of-life between 2017 and 2020.
But, again, this backdoor existed while they were still current models. If there have been no firmware updates since the devices were dropped, it can't have been introduced afterwards, right?
Call me crazy, but when it turns out that a company intentionally puts a backdoor in their products that renders all my files (and more) at risk, I’m never buying one of their products again. Especially when their solution is “buy a new one” without so much as an apology.
What should you do about it?
If you're still using an old D-Link NAS to store your photos and videos, I would do as D-Link suggests. Go buy a new NAS system. But probably best to go buy one from somebody else. If you can't replace it immediately, at the very least make sure its web interface is not reachable from the internet: remove any port forwarding or UPnP rule on your router that points at the NAS, and keep it on a network that only you can reach.
Sure, D-Link isn’t the only company that’s had NAS issues. Drobo has had its share of problems in the past and in 2021, Western Digital faced its own exploit issues – which were different from its 2018 exploit issues on the same devices – although WD is usually quick to patch where possible.
D-Link also isn't the only company that abandons products after a certain amount of time. But, given that the backdoor was built into D-Link's own firmware and shipped in their products on purpose, how much trust can you have in the company or its products going forward?
I mean, until somebody discovers one, there’s no reason to believe that there are similar backdoors in current model D-Link NAS systems. Well, you know, except for the fact that they’ve done it before.
I’ll let you decide how much you think you need to be worried about your own data security, but I doubt I’ll be buying another D-Link product again.
[via Bleeping Computer]
John Aldred
John Aldred is a photographer with over 25 years of experience in the portrait and commercial worlds. He is based in Scotland and has been an early adopter – and occasional beta tester – of almost every digital imaging technology in that time. As well as his creative visual work, John uses 3D printing, electronics and programming to create his own photography and filmmaking tools and consults for a number of brands across the industry.
5 responses to “More than 92,000 D-Link NAS systems discovered vulnerable to remote attack”
To exploit this, the attacker needs port 80 access on your NAS. This can only happen remotely if you explicitly forward port 80 from your external router to the internal NAS IP, which is very unlikely. This could also happen if he has access to your wifi, but using guest access and strong passwords should prevent this.
Well, there are at least 92,000 units out there that are configured with port 80 access via the router, hence how they were able to be detected. Many people want remote access to their NAS when they’re not at home.
Stop calling it intentional. No manufacturer puts a hackable backdoor in their product intentionally. It might be an oversight or bad design, but doing it intentionally is bad business.
You calling it "intentional" makes you sound like a conspiracy theorist or even worse, dum.
Not removing it might have been an oversight but putting it there was absolutely intentional. Also, it’s spelled “dumb”. :)
End of life or not – things are different if we’re talking about a vulnerability that could become a real exploit or a backdoor. And the difference is called INTENTION.
From the information available at https://github.com/netsecfish/dlink?tab=readme-ov-file it does not seem like a sloppy software development mistake. It looks more like blatant malice on the manufacturer's side. And this is where you can't cheap out with the EoL excuse. "Ey, bro, sorry that your car just blew up with the time bomb we built into it at factory level and killed your wife. It's out of warranty!". Hopefully someone is suing those honorable folks at D-Link.
I have a D-Link DGS-108 at home. This is a “dumb” switch, i.e. no HTML frontend, no management, no configuration. Hopefully it is dumb enough and does not phone home or do other weird things.