NetGear Also Has Remote Access Wide Open
Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
you can turn off the external web interface on those things right? I guess that doesn't help if you're worried about crackers on your LAN but still, it may not be as bad as it sounds.
Undocumented = bad though,
"The backdoor seems to have been created by the vendor that used to package devices for NetGear"
http://kbserver.netgear.com/support_details.asp?dn ldID=735
I think everyone can agree that backdoor passwords are a BAD idea - makes one wonder what the internal policies are at these companies - and what happens when they do a source code audit after these are found and track down the programmers who put 'em in.
I was going to buy a Netgear wireless access point/router this week.
I initially went for it because my experience with their wired products has been good. A swift rethink would seem to be required.
Screw you all! I'm off to the pub
why outsourcing (esp. when security should be a key component of your product) can be a bad idea. The article states that the password is the phone # of the place in Taiwan that develops and manufactures the device.
They never thought to check this before distributing it, and now they suffer because of poor quality control. Is the outsourcer going to suffer? Maybe, or maybe they will just move on to the next contract. We shall see.
For example firewalls:
Question 1: how do you know the box firewall you bought is secure and no backdoors?
Answer: normally you do not.
Question 2: Why do the majority of people buy those instead of making their own?
Answer: Because it is a lot more convenient.
So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclination/will etc. to do it themselves.
This number, surprisingly enough, is also the total amount of wooden furniture shipped from Malaysia to Bahrain in 1998. Conspiracy! Conspiracy!
It's possible that this goes on a whole lot more than we'd like to admit. Just yesterday I was talking to a friend who called Dell technical support about her BIOS password on an Inspiron 5000. She had forgotten it, and couldn't access her settings. Unlike the old days where you'd crack open the box and to the BIOS jumper switch, Dell provided her with a 6 character BIOS password that magically unlocked her system.
Please, trolls, pretty please...
Don't show us just HOW wide open the hole is.
So who wants to make fun of my cheap SMC box now?... (When the hole is discovered, it will be posted here too, right?)
to use link
Was the vendor Micro$oft?
"The backdoor seems to have been created by the vendor that packaged the device for NetGear" If the above quote is correct, and NetGear did not approve it...
But I figured out a little while back that it comes from Sercomm. Hmmm...
glad I didn't go out and jump on the wireless G bandwagon just yet!
FLR
Thank god I bought a D-Link. I was thinking about getting a Netgear or Linksys wireless router but the D-Link just looked like it outperformed each one.
Best line I could think of was "why do you come back and try my new kernel on...
You should try my pick-up line: Excuse me miss, but does this rag smell like chloroform?
Works every time.
I've used a couple of the Netgear FVS318 firewall/vpn boxes; they're cheap, sturdily constructed, easy to configure and pretty reliable, but I'm always a little hinky about the unconfigurable software options as much as I am about the backdoors.
My FVS318 does NTP to a hard-coded destination, and there's no way to turn this off or change the NTP sync server that I've found. I've always kind of wondered what else it does or was capable of doing.
routers look better all the time. At least you have some control over it....if you're a geek anyway.
Which ones of the consumer products are safe? I'm running a D-Link wireless right now. Yes, the encryption is on.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Well, at least this username/password doesn't work with a WG302 with firmware 1.5.
Super! Now I just have to downlo
[CONNECTION DROPPED, REMOTE SIDE 0WN3D]
Please help metamoderate.
Netgear Firmware Upgrade
NetGear WGR614 is not affected by this bug. I'm going to try to get its firmware and follow the same procedure listed in that Bugtraq report to see what I can find.
Colin Dean Go a year without DRM
All your basestation are belong to us?
Man, takes all the fun out of these jokes when it's so easy.
The URL is "mangled" for people browsing with mobile devices. The space is added so tiny displays can word wrap the text. (And also so crapflooders can't make your horizontal scroll bar appear.)
Personally I think the number of people using such browsers is probably so small that there is no justification for this "feature", but since Slashdot isn't likely to change, URLs should be submitted as proper links and not just plain text.
I know this is a huge problem for the general public, but for those of us with a linux machine, do what I do and save yourself some trouble: put two network cards in the linux machine. Connect one to the internet and the other to your wireless router's normal ethernet ports (don't use the port that is supposed to be for the internet). Then, just set up your linux firewall/NAT, and you get all the benefits of wireless and a wired hub on the inside, with a linux machine doing the routing/firewalling for security from the outside. Since the router isn't on the net, no one can even touch it.
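The two-NIC layout described in the comment above, sketched as an nftables ruleset; this is an added example, not part of the original thread. It also stops the access point itself from opening connections to the internet. The interface names, the inside subnet and the access point's address are assumptions.

```nftables
#!/usr/sbin/nft -f
# Added example: dual-homed Linux box in front of a wireless access point.
# Assumed values (not from the thread):
#   eth0        = internet-facing interface
#   eth1        = inside interface, cabled to one of the AP's LAN ports
#   192.168.1.2 = the AP's admin address on the inside network
# Routing must be enabled separately: sysctl -w net.ipv4.ip_forward=1

# Replaces every rule currently loaded on this machine.
flush ruleset

define wan_if  = "eth0"
define lan_if  = "eth1"
define lan_net = 192.168.1.0/24
define ap_addr = 192.168.1.2

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iifname "lo" accept
        # Inside hosts may talk to the firewall itself (DNS, SSH, ...).
        iifname $lan_if ip saddr $lan_net accept
        # DHCP requests arrive from 0.0.0.0, so match them by port.
        iifname $lan_if udp dport 67 accept
        # No accept rule for $wan_if: unsolicited internet traffic is dropped.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # The AP has no reason to start connections to the internet;
        # log and drop anything it tries to send out.
        iifname $lan_if ip saddr $ap_addr log prefix "ap-outbound " drop
        # Everything else on the inside may go out.
        iifname $lan_if oifname $wan_if ip saddr $lan_net accept
        # Nothing new is forwarded from $wan_if to the inside, so the AP's
        # web interface is never reachable from the internet.
    }
}

table ip nat {
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # Hide the inside network behind the firewall's public address.
        oifname $wan_if ip saddr $lan_net masquerade
    }
}
```

Traffic between wired or wireless clients and the access point is switched inside the access point and never crosses the Linux box, so these rules only keep the admin interface away from the internet side.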
I tried this recently on my own unit. Works like a charm. Now that I'm really pissed, it looks like I might have to really complain through the courts by filing a motion with the intent to sue. Not only that, but get that old 500MHz P3 out of the closet and turn it into a router/NFS/Samba server and sell the POS Netgear router on eBay.
/end_rant
That was the last straw. No more firmware based routers unless I make them myself, or use existing ones as a wireless switch and really try to lock it down or use third party firmware.
learning how to make a linux router / NFS will be handy anyhow
These things usually sit behind a firewall, so you aren't in quite as bad shape as if it were offering its private parts to the general internet like the Linksys.
Oops, /nt doesn't work here.
I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords. It's not like it has any educational value (unlike looking at some exploits, which helps programmers learn how to write code that's not vulnerable).
Am I part of the core demographic for Swedish Fish?
I am amazed.... I just wonder how many DOS or DDOS attacks were made based on this wonderful backdoor... and btw: shall all the NetGear Users now dump their devices ?!? no way... if this thing is really un-patchable, then I suspect this leak to be open for many years from now, as the device is one of the most current ones... wow - just before I bought it :-)
Just checked my WG602v2 and the factory firmware upgrade 2.0rc5 and they do not have the backdoor.
Whew!
If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
OK, this is bad... but what I see as a far worse problem is that most OEMs don't bother setting passwords on Windows XP installs.
I've even seen this happen on a ThinkPad, and I would have thought IBM of all people to know better. I've seen this on a few vendors before but I can't remember exactly which ones. Has anyone else seen this happen before?
Come on! These backdoors provide a convenient excuse when you're charged with breaking the law by accessing illegal content over your connection. If the vendor told you of their presence, you wouldn't be able to use them as a defense. Er wait, if you didn't know of them... hmmm...
All Your AP Bases Are Belong to Us.
It's cheap consumer electronics. Return it and get one that does not have this issue, then resume your life. No story here, move along.
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
That was actually exactly my point. How ironic that it was lost on you.
Step 1 used to always be a full sentence or paragraph, now people are just whoring and putting 3 words with no humor to them at all.
I was under the impression that funny mods resulted in no karma points. If I've been earning karma points for my funny posts, at least I've been clueless about it.
Personally, i think you're just pissed off because I get modded up more than you do. Of course, you post 5 times as much as I do, at least.
On a similar note, many developers leave easter eggs in software they write for fun or for whatever reason...Imagine Windows Server 2003 easter eggs allowing admin level login!
I was shocked when I heard of easter eggs in my Handspring/PalmOne Treo 600 phone! Characters suddenly start appearing on the phone display by pressing a combination of keys...
Even the guy who reported it has admitted it and Linksys issued a statement.
is STILL broken?
score another won for the little guise? &, as always, lookout bullow.
from a post meant to be titled:
unprecedented evile nearly disempowered, forever?
(score: mynuts won:-) PostBlock material reposted)
by a disorganized rag-tag team of a few billion near nobodys, using what was available to them, which was almost nothing?
& just who are some of unprecedented evile's local representative(s)?:
The contract was awarded to Accenture, formerly Andersen Consulting, over two competing contractors, Lockheed Martin and Computer Sciences (a veritas (cess)pool of evile stock markp FraUDsters). Several industry executives and analysts said that the award surprised them and that Accenture had widely been considered the outside candidate.
The award also brought controversy. Accenture is incorporated in Bermuda, and some critics attacked the idea of awarding a contract so valuable and important to national security to a company with its headquarters outside the United States.
After Accenture was named, Representative Lloyd Doggett, a Texas Democrat, suggested the company took advantage of an uneven playing field to win the contract over Lockheed Martin and Computer Sciences.
"If companies truly want to contribute to our nation's security, they can pay their fair share of taxes. If they want a slice of the American pie, they had better help bake it," he said in a statement.
A spokesman for Accenture said that the company paid United States taxes.
Representative Richard E. Neal, a Massachusetts Democrat and a senior member of the House Ways and Means Committee, also questioned the award.
"This decision is outrageous," he said, in a statement. "The Bush administration has awarded the largest homeland security contract in history to a company that has given up its U.S. citizenship and moved to Bermuda. The inconsistency is breathtaking."
the stock markup FraUD/softwar gangster payper liesense hostage grab 'business plan' is looking a little hapless now?
fauxking billyonerrors. sheesh.
lookout bullow. tell 'em robbIE?
all is not lost.
consult with/trust in yOUR creators.... the returns are immeasurable/infinite.
see you there?
Due to excessive bad posting from this IP or Subnet, anonymous comment posting has temporarily (forever, if we had some ept) been disabled. You can still login to post. However, if bad posting continues from your IP or Subnet that privilege could be revoked as well. If it's you, consider this a chance to sit in the timeout corner or login and improve your posting . If it's someone else, this is a chance to hunt them down (like with fuddles' phonIE bouNTy hunter scam). If you think this is unfair, we just don't care.
The problem still exists. If you disable the firewall and disable remote admin, you can still get the remote admin page over the WAN. That, to me, is a bug. Okay, it may be a weird config as they stated, but it's a bug nevertheless.
They also have beta firmware up on that link you posted to fix the problem.
- Give a man a fire and he's warm for a day, but set him on fire and he's warm for the rest of his life.
Let's think for a minute here people, this Linksys firewall turned off by default stuff is more than likely a customer return or someone's idea of a joke. I haven't seen anyone but this "researcher" report this issue.
It's just the plain WG602 with no suffix, apparently.
at least the linksys one can be patched with a non-official firmware to improve functionality as well as fill in some of those "holes"
Why not just a physical (non toggle) button that enables a unit-specific password for two hours? You might have a big sticker next to the button with that machine's login info. Gain physical access to the device, and you gain access to the router. Have the machine send an e-mail out to the administrators whenever this happens. You would have to trust your employees, but if you can't trust them you are doing something very wrong.
You're making some big assumptions here, for one that "employees" are the only ones who are going to be near your routers.
Wireless access is becoming more and more pervasive -- you see routers in homes, coffeeshops, libraries, bookshops, airports, etc. etc..
Do you want to require librarians to keep a constant watch over their routers, protecting them from teenagers with paperclips?
It's not as dangerous to have a full reset button, because it's hard to do a hard reset on a router without people noticing. But a single click that enables a full admin account, with no effect on other users? No, thanks. Even the email idea is no good; the emailing functions require setup that most users don't bother with (I didn't, at least -- I don't have time for reading logs).
There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
Then metamoderate...
I know the password, and I'd tell you what it is, but I can't describe it. Ooooooooh well.
"Unlike Linksys's, where turning the firewall on, the NetGear hole cannot be disabled." That no english sentence, guys! :)
quidquid latine dictum sit altum videtur.
I think this stuff is or will become more common. Hell, ms for years has had it. Others have, too.
What I like is that people are finding out and warning others about which products to avoid. This will probably break some "chain of custody" and inconvenience some agencies that want the actual bits and logs, but....oh well.
What I fear is that, since the electronics industry has been in bed with the various "intelligence" agencies, it will only be a matter of time before reporting these findings becomes a violation of national security.
But, to counter that, let's consider a rumor I heard: The US routes ALL electronics communications through the UK, through MI something, thru Echelon, where certain onerous US privacy laws don't have any bearing on electronic eavesdropping.
So, I guess we should all just go about our normal routines and generate all the suspicious or annoying conversations we normally do. I am not saying elevate yourself to the top of the shitlist by using obscure, supposedly-secret or restricted key words. Not that it is supposedly akin to yelling "fire" in a crowded theater. And not that it supposedly helps the bad guys by "masking them" in a sea of superfluous, deliberate obfuscatory traffic, either.
I wanted once to set up an internet cafe, but was concerned that the patriot axe would force me to submit my hardware to wiretapping, keystroking and such INSIDE the demarc. I cannot go for that. The spooks can intercept ALL the shit they want, OUTSIDE the demarc. That's what they have optical, microwave, and acoustic techniques for. But to actually TOUCH my machines and forbid my telling the customers... screw that.
If I ever do open an internet cafe, each and every machine will have on it a placard stating:
"Be on your best behavior. Pretend that you have been told this machine is under surveillance from inside, and that by law, if I were ordered by the various police or intel agencies to submit my gear to their wizardry, I'd also be forbidden to tell you it happened. So, in advance, I preempt the risk by telling you now: You can be bugged/monitored ANYwhere, even in your home. Not patronizing me won't increase your privacy, but by my being honest, I have elevated your awareness and possibly increase your discomfort."
I also would reserve the right to survey, salvage or scuttle, at will, any time, ANY of my business equipment, without any courtesy notice. I'd likely be such a pain in the ass they'll go back to sitting in their Ironside panel wagons and point a microwave at the wall. I'd deal with that by installing community/neighborhood watch oriented cameras that have motion detection to monitor and report "suspicious" vehicles to the police, along with license plates and VIN numbers, if zoomable, since VINs, by most state's vehicle codes, cannot be obscured, since obscuring them could interfere with the duties of meter checkers who issue tickets based on make, model, year, color, type, and plate, plate tag, and VIN (Vehicle ID Number, the plate bracketed to the dashboard, under the space usually clear/see-through, despite tinted windscreens (if coming from the manufacturer, direct.)...
I guess, tho, they'd accuse me of maintaining an unauthorized database that could compromise privacy. Privacy of whom? Agents on snoop jobs? It would be a hollow argument, such as that when privacy issues were raised about the Sony See-Thru Cameras of late 1997/early 1998, where each and every one purchased by electronic means was retrieved, by LAW. No, it wasn't to keep wayward peeping toms from identifying bras, chastity belts and nipples. It most likely was to prevent the exposure and identification of body guards of dignitaries and others such as mayors. After all, while some important persons with an entourage of body guards have them close-up, some others surely have to be at some stand-off distance to monitor and possibly intercept or deter would-be assailants.
Maybe such cameras could have been used in airports to identify diplomats
Previously: "Linux... Toward the Sunrise..." Now: "Linux... Toward the-- No, now, part of Every Sunrise"
Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece
Alternately, always buy the fastest hardware available. Because if they're locked in a neck and neck battle for speed (think Intel versus AMD), they're not going to waste cycles or transistor real estate on backdoors.
My home network has a wireless point that is provided by this very router, I checked, and the backdoor worked. :(
The updated firmware available on Netgear's site fixed this :)
I used to really like netgear stuff, now less so!
Thanks for bringing this to my attention slashdot!
Cool Programmer to Matthew Broderick: Whenever I develop a system, I always put in a back door.
Ultranerd: You're telling him all our best stuff!
(-1: Post disagrees with my already-settled worldview) is not a valid mod option.
So z-com designed the software. Did they design the board? If they did, then Netgear box is just a rebadged z-com.
Would it be more correct to describe Netgear as OEM, and z-com as designers?
Nifty, I hadn't encountered that before.
Why aren't they doing this?
According to a recent BugTraq by Jaco Swart, all the new firmware does is change the backdoor username from "super" to "superman" and the password to "21241036".
Does Netgear really think the security community is that stupid? They should be ashamed.
If you don't immediately check for upgrades when you open a box and haven't with this hardware, though, perhaps you deserve to get 0wn3d?
What the hell!?!? The <nobr> completely invalidates the <wbr>, then after all that work it just puts in a space anyways!
Bah... I submitted a request to the Slash SF project, but who knows if that'll do any good. Oh well, the lazyasses just need to learn to use <a> tags I guess.
I wish I had some mod points so I could mod the parent up. Using "" is a great idea!
I contacted Buffalo's tech support yesterday concerning the fact that the "WEB configuration" seems to be wide open on the WAN interface. Even writing a packet filter for the WAN IP on the Airstation doesn't seem to close the interface.
Has anybody else noticed this? nmap found out a few other interesting ports on the Buffalo as well...
Not sure if anyone has read the updated news about this little vulnerability.
It still exists, albeit in a different account and password that I have verified on my WG602v1.
http://www.securityfocus.com/archive/1/365230
I once used, "So you're the one who stole my mouse."
It worked.
I'm sure someone must have posted this, but here goes anyway.
Shame this firmware also has a backdoor; all they did was change the account to superman and the password to 21241036.
Question 2: Why do the majority of people buy those instead of making their own?
Answer: Because it is a lot more convenient.
Alternate answer: Because there's too little life.
It takes an ENORMOUS amount of material to form the basis of doing ANYTHING. If you try to make all your tools in order to be sure of their quality, you have no time left to USE them.
So people trying to be productive at their specialty try to throw as much as possible of their time at it - obtaining as many of their tools as possible from others for whom making tools is THEIR specialty, and making only those that can't be obtained any other way.
It's called "Division of Effort".
Would you rather your heart surgeon spent ten hours each week working on his personal firewall, software configuration, and recovering from the latest worm attack? Or would you rather he spent it studying the latest research on surgical technique?
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
Guess we're even, then. I was thinking this was deserving a "-1 offtopic".
.. but is it possible to run linux on that device?
They're selling cheaply, therefore I'm interested.