Someone forgot the keys inside the firmware's source code

Sep 18, 2015 02:55 GMT  ·  By

D-Link, a Taiwanese networking equipment manufacturer, has accidentally published its private code signing keys inside the source of a recent firmware update.

The company, known in tech circles for its openness, has a long-established practice of open-sourcing all its firmware under the GPL license.

A Norwegian developer known as bartvbl, who had recently purchased the company's DCS-5020L surveillance camera, stumbled upon what appeared to be four code signing keys while inspecting the firmware's source code.

After experimenting with the keys, he managed to create a Windows application and sign it with one of the four keys, making it appear to come from D-Link. The other three keys did not appear to be valid.

His findings were confirmed by security firm Fox-IT for Dutch tech portal Tweakers: "The code signing certificate is indeed a firmware package, firmware version 1.00b03, whose source was released February 27 this year."

In the meantime, D-Link has revoked the certificate in question and pushed out new versions of the firmware which, obviously, don't have any code signing keys inside them.

If these keys had ended up in the hands of a malicious actor, they could have been used to create and distribute malware that passed as official D-Link binaries without triggering any response from antivirus scanners.
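The root cause described above is a private key committed into a source tree that was then published. The check a release engineer would want is a scan of the tree for private key material before it leaves the building. The script below is an added example, not code from the article, D-Link or bartvbl: it walks a directory, flags PEM private-key blocks and PKCS#12 keystores, and ignores public certificates, which are fine to ship. The sample tree it builds (file names, contents and the DER prefix) is constructed for the demonstration; the real D-Link key files and their locations are not on the page and are not reproduced here.

```python
"""Added example (not from the article or D-Link): a pre-release check that
scans a source tree for private key material before the tree is published.

Assumed: a source tree on disk. All sample files below are constructed."""
import os
import re
import tempfile

# PEM headers that denote private (never public) key material. Encrypted
# PKCS#8 blocks are flagged too: a passphrase-protected key is still a leak.
PEM_PRIVATE_RE = re.compile(
    rb"-----BEGIN (?:RSA |EC |DSA |OPENSSH |ENCRYPTED )?PRIVATE KEY-----"
)
# Extensions commonly used for PKCS#12 bundles that carry a private key
# alongside a code signing certificate.
KEYSTORE_EXTENSIONS = {".pfx", ".p12"}
# PKCS#12 files are DER-encoded and start with an ASN.1 SEQUENCE tag.
DER_SEQUENCE_TAG = 0x30


def classify_file(path):
    """Return a reason string if the file looks like private key material, else None."""
    ext = os.path.splitext(path)[1].lower()
    try:
        with open(path, "rb") as f:
            head = f.read(64 * 1024)  # headers sit at the start; no need to read more
    except OSError:
        return None
    if PEM_PRIVATE_RE.search(head):
        return "PEM private key block"
    if ext in KEYSTORE_EXTENSIONS and head[:1] == bytes([DER_SEQUENCE_TAG]):
        return "PKCS#12 keystore (DER)"
    return None


def scan_tree(root):
    """Walk root and return sorted (relative_path, reason) pairs for suspicious files."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            reason = classify_file(full)
            if reason:
                findings.append((os.path.relpath(full, root), reason))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed firmware-source-like tree: one clean C file, one PEM
    private key, one PKCS#12 keystore, and one public certificate (benign)."""
    root = tempfile.mkdtemp(prefix="fw_src_")
    os.makedirs(os.path.join(root, "build", "tools"))
    with open(os.path.join(root, "main.c"), "w") as f:
        f.write("int main(void) { return 0; }\n")
    with open(os.path.join(root, "build", "tools", "release.key"), "w") as f:
        f.write("-----BEGIN RSA PRIVATE KEY-----\n"
                "MIIEpAIBAAKCAQEA...constructed-placeholder...\n"
                "-----END RSA PRIVATE KEY-----\n")
    with open(os.path.join(root, "build", "tools", "signing.pfx"), "wb") as f:
        # Constructed DER prefix (SEQUENCE, long-form length), not a real keystore.
        f.write(bytes([0x30, 0x82, 0x0A, 0x00]) + b"\x00" * 16)
    with open(os.path.join(root, "build", "ca.crt"), "w") as f:
        f.write("-----BEGIN CERTIFICATE-----\n"
                "MIIB...constructed-placeholder...\n"
                "-----END CERTIFICATE-----\n")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, why in scan_tree(root):
        print(f"{rel}: {why}")
```

Run it as a CI step against the tree that is about to be tarred up and fail the release on any finding. The public certificate is deliberately left unflagged so the check does not drown in noise; what matters is that the key half of a signing pair never sits next to the firmware source.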

Photo gallery (2 images): "D-Link leaves code signing keys inside firmware source code"; "The code signing keys in question".