Code Signing Keys Publish Accidentally

Monday, September 21, 2015 @ 04:09 PM gHale

D-Link accidentally published its private code signing keys inside a firmware update.

The company, a Taiwanese networking equipment manufacturer, has a practice of open sourcing all its firmware under the GPL license.

VMware Fixes vCenter Server Hole
Cisco Working on Security Appliances Holes
Malware Strikes iOS Devices
SaaS Provider Fixes Vulnerability

A Norwegian developer known under the name of bartvbl, who purchased the company’s DCS-5020L surveillance camera, while inspecting the firmware’s source code, stumbled upon what seemed to be four code signing keys.

After experimenting with the keys, he managed to create a Windows application, where he was able to sign with one of the four keys, making it look like it was coming from D-Link. The other three keys did not appear valid.

His findings ended up confirmed by security firm Fox-IT for Dutch tech portal Tweakers: “The code signing certificate is indeed a firmware package, firmware version 1.00b03, who’s source was released February 27 this year,” according to a published report.

D-Link revoked the certificate in question and pushed out new versions of the firmware which don’t have any code signing keys inside them.

If these keys had ended up in the hands of a bad guy, he or she would have been able to create and distribute malware passing as official D-Link binaries and not trigger any kind of responses from antivirus scanners.