Leaked D-Link code-signing key could make malware look legit
![](https://s.yimg.com/ny/api/res/1.2/XG4z0fbvLLTlNTRetTZYSw--/YXBwaWQ9aGlnaGxhbmRlcjt3PTk2MDtoPTQ5NQ--/https://o.aolcdn.com/hss/storage/midas/35e932fedc19439ca269d6ce2863d907/201330670/d-link-dir-895-router-2014-01-05-01.jpg)
When your company is known for making wireless routers, network switches and home security cameras, leaking your code-signing private keys yourself is the last thing you want to do. Back in February, that's exactly what D-Link did, accidentally leaving a valid key visible in its open-source firmware. If found by an attacker, the key could have been used to make malware that can pass as official software from D-Link -- malware that wouldn't trigger security warnings when installed on Windows or OS X machines.
That's bad, but luckily would-be attackers would have had to stumble across the key weeks ago -- the leaked certificate expired earlier this month. Even so, software created using the key between February and September is still valid. D-Link says it's issuing more firmware updates in the near future to address the issue.