D-Link spilled its private key onto the web – letting malware dress up as Windows apps
Friday firmware facepalm
Updated Taiwanese networking kit maker D-Link leaked a private code-signing key onto the internet for anyone to download.
This is rather embarrassing because this key can be used to trick Windows computers into trusting and running malware.
An eagle-eyed netizen told tweakers.net on Thursday that the code-signing key appeared in a download for D-Link's open-source firmware for its DCS-5020L surveillance camera.
Lurking along the GPL-licensed source files were code-signing certificates and passphrases to unlock them: D-Link's private key, and also keys for Starfield Technologies, KEEBOX, and Alpha Networks, it's claimed. All have expired, and cannot be used to sign any more code.
The D-Link key was leaked in late February, and expired on September 3, it appears.
That means during that six-month period, miscreants who happened across the key could digitally sign their malware so that it appeared to be a legit D-Link application. This software would be trusted by Microsoft Windows, and allowed to run and infect someone's machine.
These cryptographically signed software nasties could be emailed to victims to install, or put up on websites claiming to provide official D-Link tools, for example.
Screenshot of the leaked key being used to sign non-official D-Link software ... Click to enlarge. Source: tweakers.net
Fox-IT researcher Yonathan Klijnsma confirmed the leaked D-Link key was valid. “I think this was a mistake by whoever packaged the source code for publishing. The code signing certificate was only present in one of the source code packages with a specific version,” he told Kaspersky's ThreatPost.
The D-Link key may have been revoked, meaning any code signed by it should no longer be trusted by Windows. Even if it hasn't been revoked, it has definitely expired, so no new malware can be signed using it. (Malicious code already signed by the key will still be trusted until revocation occurs.)
D-Link has since updated its firmware download to remove the certificate.
All in all, it's a red-face moment for D-Link, and a reminder to developers to always ensure their open-source releases are free of private keys – there are bots, for example, that roam GitHub looking for leaked Amazon AWS access keys to swipe.
No one at D-Link was available to comment on the reported leak. No one at Microsoft was able to confirm whether or not Windows has stopped trusting code signed by the leaked key. No one was available to comment at Symantec, which owns the part of Verisign that issued the code-signing certificate to D-Link.
It was speculated that OS X would trust apps signed using the leaked key, but we're not convinced that's the case. Apple does not respond to The Reg's requests for comment. ®
Updated to add at 2145 UTC
It's not clear if the leaked certificate has been fully revoked. A spokesperson for Symantec has been in touch to say: "Verisign is in the process of contacting D-Link to proceed with revocation."
Updated to add at 2241 UTC
"Symantec can confirm the certificate leaked by D-Link has expired. We are investigating the other certificates issued to D-Link to determine need for revocation," a Symantec spokesman just pinged us.
It's possible Microsoft has already placed the certificate on a revocation list for Windows, preventing any code – malicious or otherwise – signed by the leaked key from being trusted by the operating system.
It's possible everyone is just relieved the certificate has expired, crossed their fingers for luck, and hope no one signed any malware with the key during the six months it was public.
If the certificate is revoked, it would knacker any malware signed by the key, and any legit D-Link apps also signed by the key: perhaps D-Link wants to avoid that, and prevent the certificate from being revoked. That would allow malware and normal software signed by the key to continue to be trusted by Windows.
Until we know for sure, perhaps it's best to steer clear of D-Link-signed executables, unless you're absolutely certain they are legit.
Updated to add at 0400 UTC, September 22
It appears the leaked D-Link code-signing key has not been revoked.