fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

D-Link Blunder: Firmware Encryption Key Exposed In Unencrypted Image

D-Link Blunder: Firmware Encryption Key Exposed In Unencrypted Image

D-Link

Security researchers have demonstrated a method to decrypt proprietary firmware images embedded in D-Link routers.

Firmware is the piece of code that powers low-level functions on hardware devices. It is typically hard-coded within the read-only memory.

Companies encrypt firmware images in their devices to prevent their reverse engineering by competitors and threat actors, and to prevent their customers (or better yet malware) from flashing the device with customized firmware.

“Manufacturers encrypt firmware generally to try to keep people from analyzing the binaries therein. Also, if done correctly, encrypting firmware images can prevent unauthorized, modified firmware images from being able to be flashed on a device,” security researcher Nick Starke explained in an interview with BleepingComputer.

To decrypt anything, one would either need the secret decryption key or a means to break the encryption algorithm. If the firmware images are indeed encrypted, how could have they been so easily deciphered?

Analyzing D-Links encrypted firmware image

At the beginning of his analysis, Starke had downloaded the latest version of the D-Link firmware (1.11B02) from their support website and proceeded to use Binwalk to analyze it.

Binwalk is a simple reverse engineering utility specifically designed for firmware extraction and analysis.

To the researcher’s surprise, Binwalk revealed nothing:

Binwalk's output for the encrypted D-Link firmware binary
Binwalk’s output for the encrypted D-Link firmware binary
Source: Nick Starke’s blog

The result was an immediate indication that the firmware was encrypted.

Interestingly, unzipping an older “1.02B03” version obtained from the same D-Link support site revealed two firmware files:

  • DIR3040A1_FW102B03.bin
  • DIR3040A1_FW102B03_uncrypted.bin

The presence of a binary ending in “…_uncrypted.bin” was an immediate indication that it’s potentially unencrypted, while the other was likely encrypted.

Running binwalk on “DIR3040A1_FW102B03_uncrypted.bin” revealed a handful of useful information:

Binwalk's output for the unencrypted D-Link firmware binary
Binwalk’s output for the unencrypted firmware binary 
Source: Nick Starke’s blog

The above information told the researchers that the image contained an unencrypted firmware binarythat they could then extract and analyze for stored decryption keys.

“Bingo, a uImage header, and accompanying filesystem. We can extract this using binwalk -eM DIR3040A1_FW102B03_uncrypted.bin. Looking at the filesystem, the first thing I did is look for certificates,” explains Starke in his blog post. 

Also read: 12 brief explanation about the benefits of data protection for business success

Keys embedded in older firmware

After further analysis, his suspicions were correct, and both the decryption and encryption keys were found embedded in the binary.

Certificate and keys within D-Link unencrypted firmware image
Certificate and keys within the D-Link unencrypted firmware image

In addition to the key and certificate files, a program called /bin/imgdecrypt was also present, which is the decryption tool for encrypted images.

This decryption tool, though, has one caveat, as Starke explains:

“There is some sort of key derived from the local stack variables, that is not straightforward to reverse. So instead of spending hours trying to figure out exactly what the code that produces the key does, why don’t we just try to run the binary passing it our firmware image we want to decrypt?”

Decryption function used by D-Link routers
Decryption function used by D-Link routers

After taking a series of steps, the researcher was able to stage the environment to sufficiently enable decryption of the latest 1.11B02 firmware version. 

Running the imgdecrypt binary against the encrypted firmware image revealed the secret key: C05FBF1936C99429CE2A0781F08D6AD8

D-Link Secret encryption key revealed
D-Link Secret encryption key revealed

“Not only does it output the key to decrypt the firmware file image, but it also places the decrypted version in /tmp/.firmware.orig,” read the blog post.

This means a reverse engineer could now proceed to analyze the firmware image which had been otherwise encrypted.

“More and more device manufacturers are moving toward encrypting firmware, however, most are starting from unencrypted firmware images. This usually means there must be an unencrypted firmware image with the password or key stored inside of it. If you can find the last unencrypted image, you can generally find the password and thus decrypt any subsequent encrypted images,” Starke further told BleepingComputer.

The same technique has been used earlier this month by another security researcher Rick Sanchez who did an in-depth static analysis of the decryption algorithm in a multi-part blog post.

Sanchez, who had initially discovered this flaw, relied on purchasing a physical D-Link device, which can cost up to $200, as explained in Part 1 of his post.

As the secret key remains the same for all encrypted firmware images (on any device), obtaining an earlier image from a support site would achieve the same goal.

Both researchers discovered the flaw independently at different times, and there are clear differences in their research approaches and the tools used. 

These findings stress how even the encryption is futile and turns into security through obscurity should there exist trivial means to obtain the key guarding the secret.

In D-Link’s case, even the latest firmware images are open to curious researchers for analysis who can get their hands on older firmware images – from D-Link’s site.

Also read: Privacy policy template important tips for your business

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us