Router firmware with CAPTCHA log-in
According to a press release from D-Link, router models DIR-615, DIR-625, DIR-628, DIR-655, DIR-825, DIR-855, DIR-685 and DGL-4500 can be upgraded with firmware that secures the log-in for the administration interface using a CAPTCHA. CAPTCHAs (Completely Automated Public Turing test to tell Computers and Humans Apart) are small pictures of alphanumeric sequences that have been visually distorted. Logging in requires recognising these alphanumeric characters and then typing them into a text field. There are automatic search programs which try to evaluate CAPTCHA images using optical character recognition (OCR); however, the image distortion, intentionally inserted image noise and superimposition are designed to make this rather difficult.
The addition of CAPTCHA to router log-ins is intended to help guard against the kind of completely automated bot attacks on routers that have been seen recently. It provides no added protection against human attacks.
The automatically generated images produced by the D-Link firmware contain numbers and letters which are clearly separated and only slightly distorted. Administrators are required to enter the CAPTCHA sequence, in addition to their password, when logging in to the routers. The function can, however, be deactivated in the firmware. Tests by The H Security reveal that the CAPTCHA secures only the log-in and not other communication between the router and browser.
Currently, the D-Link servers are only offering an English language beta version of the firmware (dir855_firmware_120b10_beta) for the DIR-855 router, which, according to the release notes, uses the CAPTCHA function and is intended solely for the US market. Once installed, D-Link's test firmware can't be overwritten with a previous version. More information can be found in the D-Link forums.