Overview

It has recently been reported that multiple vulnerabilities are found on hardware version B1 of the D-Link DWR-932 4G LTE Mobile Router. Only this end-of-life hardware version B1 is potentially affected by the reported vulnerabilities. The current shipping hardware version D1 or any other hardware versions are not affected. 

 

Reference 

• https://pierrekim.github.io/blog/2016-09-28-dlink-dwr-932b-lte-routers-vulnerabilities.html#backdoor 

 

Current Status

Security is of the utmost importance to D-Link across all product lines. This is not just through the development process but also through regular firmware updates to comply with the current safety and quality standards. After a full investigation into all the vulnerabilities reported, it became clear that most of the claims have been falsely stated. These false claims include:

• Default WPS PIN
  • [D-Link] The WPS PIN function is disabled by default. Should a user decide to enable WPS PIN, they have the option to create their own unique PIN.
• Weak WPS PIN Generation - with a reverse-engineered algorithm
  • [D-Link] The WPS PIN function is disabled by default. If the user chooses not to use the automatically generated WPS PIN, they have the option to create their own unique PIN.
• Leaking No-IP account (?)
  • [D-Link] There is no DDNS function on the DWR-932 H/W vers. B1, this vulnerability is not possible.
• Remote FOTA (Firmware Over The Air)
  • [D-Link] There is no remote FOTA function on the DWR-932 H/W vers. B1, this vulnerability is not possible.
• Bad security practices
  • [D-Link] The user has the ability to set unique Wi-Fi SSID and password through the web configuration to secure their Wi-Fi network. It is impossible to access shell commands if potential attackers cannot connect to the secure Wi-Fi network.
• Security removed in UPnP
  • [D-Link] The UPnP function is disabled by default. The user has the ability to set unique Wi-Fi SSID and password through the web configuration to secure their Wi-Fi network. It is impossible to enable UPnP or add firewall rules if the potential attacker cannot connect to the secure Wi-Fi network.

 

Update 19th October, 2016 - An updated firmware (v2.03), which addresses all other vulnerabilities reported, is now available to download. To upgrade the firmware, please log in to the device web configuration (accessible by entering "192.168.0.1" in your web browser address field). Under the System tab, select Firmware Upgrade. Choose the file you have just downloaded (you do not need to unzip the file) and press Start Update. Once the update is completed, press OK to reboot the device. Once the device has rebooted, please press the WPS and Power button together simultaneously and hold for 10 seconds to factory reset the device. Please remember to change the device administrator and Wi-Fi password to a unique password. 

 

Affected Products

• DWR-932 H/W vers. B1