Leaked D-Link security key allows hackers to disguise malware as legit

A leak of a major technology company's security key has been discovered, allowing hackers to convince Windows that their malware is legit.

The leaked key has been published since february of this year
The leaked key has been published since february of this year

A company has accidentally released a key that allows hackers to issue malware, disguised as legitimate software.

In February, D-Link, a Taiwanese networking equipment company, published one of its private keys, allowing its software to be recognised as legitimate.

bartvb, a user of Tweakers, a Dutch news outlet, discovered the leak late last week before reporting it. The key was discovered when it appeared in one of D-link's open-source firmware downloads for its DCS-5020L surveillance camera.

Included with the culprit firmware download was not just D-link's private key, but keys for Starfield technologies, KEEBOX and Alpha Networks as well as the passwords to unlock them.

While the key expired in early September, that still means that potential cyber-criminals had six months with which to sign their malware with D-Link's leaked key and bypass Microsoft Windows security measures by masquerading as a trusted piece of software.

Use of trusted keys to gain access or install malware on a targeted system is not an uncommon method for hackers. The Destover Malware involved in the Sony Pictures Entertainment hacks, that attempted to stop the release of a film about the assassination of North Korean Dictator Kim Jong Un, was signed with a Sony key. The computer worm, called Stuxnet, allegedly developed by the US to hamper Iranian efforts to develop nuclear technology also used a false key to gain access.

Speaking to Threatpost, Yonathan Klijnsma, a researcher with security company, Fox-IT, told Threatpost, “I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,” Klijnsma added, “The version above and below the specific package did not contain the folder in which the code signing certificates resided. A simple mistake of folder exclusion as far as I could see.”

D-link gave SCMagazineUK.com a prepared statement, saying, "Security and performance is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards." 

The company added that, "D-Link prohibits at all times, including during product development by D-Link or its affiliates, any intentional product features or behaviours which allow unauthorised access to the device or network, including but not limited to undocumented account credentials, covert communication channels, “backdoors” or undocumented traffic diversion.  All such features and behaviours are considered serious and will be given the highest priority."