It’s not every time malware creators have to steal or buy a valid code-signing certificate to sign their malware – Sometimes the manufacturers unknowingly provide themselves.
This is what exactly done by a Taiwan-based networking equipment manufacturer D-Link, which accidently published its Private code signing keys inside the company’s open source firmware packages.
Dutch news site Tweakers made aware of the issue by one of its readers with online moniker “bartvbl” who had bought a D-Link DCS-5020L security camera and downloaded the firmware from D-Link, which open sources its firmware under the GPL license.
However, while inspecting the source code of the firmware, the reader found what seemed to be four different private keys used for code signing.
Hackers Could Sign Malware
After testing, the user managed to successfully create a Windows application, which he was able to sign with one of the four code signing keys belonging to D-Link, which was still valid at the time.
However, the other three private code signing keys he found did not appear to be valid.
Besides those private keys into the source code, the reader also discovered pass-phrases needed to sign the software.
It is still unclear whether these private keys have been used by malicious third-party vendors, but there are possibilities that the keys could have been used by hackers to sign their malware to execute attacks.
The findings were confirmed by Yonathan Klijnsma from Dutch security firm Fox-IT.
“The code signing certificate is indeed a firmware package, firmware version 1.00b03, who’s source was released February 27 this year,” Klijnsma said.
Meanwhile, D-Link has responded to this issue by revoking the certificate in question and releasing a new version of the firmware that does not contain have any code signing keys inside it.
You can also read the full translated version of the story here.