The leak of D-Link’s private cryptographic keys poses a risk for DLink certified software. Any software signed between February and September could be disguised malware, created and distributed illegally by anyone who had access to D-Link’s private keys and passphrases during these months.
D-Link, a Taiwanese networking equipment manufacturer, known for open-sourcing its firmware under the GLP license, is currently in a major security crisis after mistakenly releasing private keys and passphrases used to sign D-Link software in an open-source firmware package of a DLink DCS-5020L security camera.
Unfortunately, DLink is not certain of the extent of damage caused by this slip, as six months passed before this mistake was discovered. Although the security certificates of the private key expired in early September, there is no way to determine the amount of malware, created and distributed between the months of February and September, that was disguised as genuine DLink software.
The exact number of users affected by the malware is unknown, as hackers often give their malware legitimacy through stolen sing-in keys to avoid alerting anti-virus scanners. This poses a great risk for Windows, and possibly OS X users, as an installation of this malware could have occurred on user devices without alerting security software.
There is no one way to address this issue, whom many experts believe to have been a simple human error.
Tanaza supports D-Link DIR-505 and many other devices.