D’oh! Router maker D-Link accidentally publishes private cryptography keys

© Kacper Pempel
In a slip that could prove costly to manufacturers and users, the D-Link cryptography keys used to certify that software is trustworthy – and not malware – were accidentally published, according to Dutch security firm Fox-IT.

The keys were made available through the company’s open-source firmware package, and were not discovered for seven months. Their release could make it easier for hackers to disrupt Windows and Apple computers.

The mistake was discovered by a reader for a Dutch technology website, Tweakers, who purchased a D-Link security camera and downloaded the firmware from the manufacturer. The reader found not only the private keys, but also the passphrases needed to sign into the software. Tweakers handed the problem over to Dutch security firm Fox-IT, which confirmed the findings.

I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,” Fox-IT researcher Yonathan Klijnsma told security news site Threatpost.

D-Link uses the keys to cryptographically sign its software so that it can be installed on computers running Microsoft Windows without the operating system issuing a security warning. The keys also appears to be accepted by Apple OS X. With the leak, hackers could potentially use the keys to sign their malicious software so that it is accepted as trusted D-Link software, according to Fox-IT.

Stealing sign-in keys is how hackers give their malware legitimacy. Stuxnet, the computer worm developed by the US and Israel to sabotage Iranian nuclear centrifuges, was among the early pieces of malware to be signed this way. In a most recent example, the Destover wiper malware used in the attacks against Sony Pictures Entertainment was signed using a certificate stolen from Sony.

The cryptography keys were released in late February, but the mistake was only discovered seven months later. Fortunately, the keys expired September 3, but the extent of the damage is not known.

Klijnsma told Ars Technica that the team found other certificates as well, from Starfield Technologies, KEEBOX and Alpha Networks, but all of those certificates have already expired or been revoked.

He told Threatpost there was no way to tell from the initial investigation whether the D-Link certificate was abused.