Backdoor in D-Link routers enables telnet access

Backdoor characteristics and impact

  • CVE-2024-6045 describes an undocumented “factory testing” backdoor in certain D‑Link routers: accessing a special URL from the LAN enables Telnet, and the admin credentials can be recovered from the firmware.
  • Official wording stresses “LAN side only,” but commenters note Shodan shows many such devices exposed, so “LAN-only” is not very reassuring.
  • Having Telnet on a router is widely seen as egregious, regardless of whether it was intentional.

Malice vs. incompetence

  • Some argue this “quacks like a backdoor” and could be intentional, possibly for state actors.
  • Others strongly favor incompetence or cost-cutting: a leftover test hook, poor QA, and “security through obscurity.”
  • Debate over Hanlon’s razor: some say “never attribute to malice,” others claim that principle itself can be abused.
  • A few suggest that if a serious state actor wanted this, it would be subtler than URL-triggered Telnet with a recoverable admin password.

Consumer router industry problems

  • Home routers are described as “Swiss cheese” across vendors: default credentials, exposed admin interfaces, bad firewalling, exposed UPnP, weak credential handling.
  • Low margins, high team churn, and lack of institutional knowledge are cited as reasons security keeps regressing.
  • Several say vendors have little financial incentive to improve; disclosures barely affect sales.
  • Prior FTC action against D‑Link is mentioned as context, with little perceived improvement.

Regulation and open-source proposals

  • Some suggest government intervention: e.g., mandating open-source firmware for home routers.
  • Others warn this could backfire via signed-firmware/DRM that blocks community builds, killing current “gray-area” hackability.
  • Discussion notes the trend toward closed ecosystems for mass-market devices and open ones only for hobbyists.

Alternatives and best practices

  • Common advice: buy hardware that can run OpenWrt or similar, and replace vendor firmware.
  • Mentioned options: OpenWrt, OPNsense, OpenBSD-based routers, VyOS (with concerns about LTS access), Ubiquiti, GL.iNet, TP-Link Omada, Synology, MikroTik, Eero.
  • Cloud-tied management and mandatory accounts (especially with some ISP or Ubiquiti/Eero setups) are seen as additional risk or annoyance.
  • ISP-provided modem/router combos are widely disliked; many bridge them and use their own router.