Private keys leaked in D-Link firmware may have been exploited by hacker to digitally sign malware

Malware writers may feel as though they've hit the jackpot after a slip-up by D-Link. The networking company released open source firmware that revealed the private keys used to sign D-Link software.

It was discovered that the firmware for a D-Link DCS-5020L security camera included D-Link's private keys as well as the passphrases needed to sign software. Windows users could have been at risk as malicious software could have been signed allowing for the installation without alerting security software.

The keys that were discovered expired early in September, so there is no longer a threat, but it is not yet clear if any users were affected by malware that exploited the leak. The problem came to light after someone contacted Dutch website Tweakers who in turn got in touch with security firm Fox-IT. The company confirmed the existence of the keys in the firmware.

Speaking to Threatpost, Fox-IT researcher Yonathan Klijnsma said:

I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version. The version above and below the specific package did not contain the folder in which the code signing certificates resided. A simple mistake of folder exclusion as far as I could see.

Although the security certificates have now expired, the vulnerability was exploitable for no less than six months before it was discovered.

Photo credit: Jamie Wilson / Shutterstock