NetGear Also Has Remote Access Wide Open

← Back to Stories (view on slashdot.org)

NetGear Also Has Remote Access Wide Open

Posted by CowboyNeal on Saturday June 5, 2004 @02:27AM from the hotspot-back-doors dept.

Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."

22 of 215 comments (clear)

Min score:

Reason:

Sort:

huh? by schroet · 2004-06-05 02:30 · Score: 4, Insightful

you can turn off the external web interface on those things right? I guess that doesn't help if you're worried about crackers on your LAN but still, it may not be as bad as it sounds.

Undocumented = bad though,
One wonders what the internal policies are ... by xmas2003 · 2004-06-05 02:33 · Score: 4, Insightful

I think everyone can agree that backdoor passwords are a BAD idea - makes one wonder what the internal policies are at these companies - and what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

--
Hulk SMASH Celiac Disease
1. Re:One wonders what the internal policies are ... by djsmiley · 2004-06-05 02:36 · Score: 2, Insightful
  
  they are normally there for the company to protect them selfs.
  
  Stupid user messes up the router.
  
  They phone tech support "i can't get onto my routers access page, i changed and lost the password"...
  
  "two seconds sir, prove this is your ip"
  
  they run some tests to check its whos on the phone..
  
  "there you go sir, your new password is ******, you may now change the settings again"....
  
  You ever tried to talk to a noob thru flashing the firmware on their router over the phone?
  
  --
  - http://www.milkme.co.uk
2. Re:One wonders what the internal policies are ... by AntiOrganic · 2004-06-05 02:39 · Score: 4, Insightful
  
  This is absolutely idiotic. All routers have a default username/password combination that is restored when using the firmware reset button typically hidden on the back of the router. There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.
3. Re:One wonders what the internal policies are ... by jtheory · 2004-06-05 04:10 · Score: 4, Insightful
  
  Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.
  
  I'm not convinced. This is only a concern in cases where you're having technical problems, AND you somehow forgot your password. The danger of having a backdoor easily outweighs the potential benefits. Even with a special password generator from NetGear -- you're still talking security through obscurity. I want to set up my router, make sure it's secure, and forget about it! I don't want to keep checking online to see if you can download N3tg34r_PwG3n.exe yet... and you know it's going to show up eventually.
  
  Half the time you have any technical issues, the tech support is just going to tell you to do a hard reset anyway....
  
  Even if they gave you one of those paperclip-hole style buttons that would reset all your passwords to your device's serial number (or to enable some other backdoor), this would still be dangerous in a lot of situations. Suppose you're running an internet cafe -- you can't always trust the people sitting around your router!
  
  Either way, I don't think this backdoor was installed for tech support reasons -- it doesn't even seem to have been installed by NetGear themselves. Hopefully some more details will come out soon... and hopefully some heads will roll.
  
  It's funny; I just read that new story by the AdTI guy explaining how Linux wasn't safe to use because it depended on "trust". Hah! How nice for the corporate world to step forward and show that *they* can be trusted.
  
  --
  There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
4. Re:One wonders what the internal policies are ... by Dun+Malg · 2004-06-05 04:28 · Score: 3, Insightful
  
  . . .what happens when they do a source code audit after these are found and track down the programmers who put 'em in.
  I believe that's "give them a bonus and a company car."
  These back doors are not trojans installed by disgruntled employees, but there by company policy.
  I'm always astounded when others are astounded by the existence of back doors in things. Pretty much anything that takes a password has a backdoor in it. Phone systems, voicemail systems, even those telephone entry systems on apartment buildings; all got back doors. Tech support is hard enough already without having to deal with unknown passwords. Some are better than others, though. Sentex telephone entry systems have back door passwords that are a hash of the unit's serial number, and only Sentex tech support has access to the program that generates them. Not that one usually needs the backdoor; most Sentex units I see still use the factory password "000000"...
  
  --
  If a job's not worth doing, it's not worth doing right.
5. Re:One wonders what the internal policies are ... by Ifni · 2004-06-05 05:16 · Score: 2, Insightful
  
  They are actually not that bad an idea IF implemented properly. It is a fact of tech support that some hapless user will lock themselves out of their own box.
  
  I think the best solution I've seen is from Intel for their 530T/535T series switches, where you can download a software utility that will generate a default password for your switch when you enter in the MAC address of the switch's management module. This password ONLY works from the console (requiring physical access to the switch, or root access to a console sharing device attatched to it).
  
  I was thinking that if they upped this to also be time dependant, it would increase the security even more, but this is wrong for two reasons - a) if the switch is hosed, there's no telling what time it thinks it is, and b) anyone capable of generating a password the first time would be able to generate it again a second time for another x minute "safety window".
  
  Of course, this begs the question - what is the difference between using a tool like this and just not requiring a password when logging in from the console?
  
  --
  Oh, was that my outside voice?
6. Re:One wonders what the internal policies are ... by Rinikusu · 2004-06-05 05:40 · Score: 2, Insightful
  
  If your router is out in the open, you're still fucked.
  
  Personally, all of this makes it MORE COMPLEX than it has to be. Assume physical "control" of the device and ensure that only people with physical access can trigger the pinhole reset or whatever. Why? Because if someone has physical control of your router/box, you've got more serious problems at hand. The problem with the grandparent is that there's TOO MUCH FUCKING COMPLEXITY. You think tech support is hell now? Wait until you have to call support to get your temporary passcode, after being on hold for a couple hours and then explaining your problem to some outsourced tech whose accent is so strong you can't even understand them, having to call back when you fuck something else up unintentionally in the process, etc etc.
  
  Again, if you're a coffee house, keep your damn routers in the back, out of customer's (and your) way. Maybe someone could do brisk business selling router "safes" that only have a couple holes for cabling in the back, but require a key to open up to access.
  
  --
  If you were me, you'd be good lookin'. - six string samurai
Just another reason by Anonymous Coward · 2004-06-05 02:35 · Score: 2, Insightful

why outsourcing(esp. when security should be a key component of your product) can be a bad idea. The article states that the password is the phone # of the place in Taiwan that develops and manufactures the device.
They never thought to check this before distributing it, and now they suffer because of poor quality control. Is the outsourcer going to suffer? Maybe, or maybe they will just move on to the next contract. We shall see.
1. Re:Just another reason by kfg · 2004-06-05 02:56 · Score: 4, Insightful
  
  This isn't outsourcing in the sense that IBM outsources its programing and support staff. It's oursourcing in the sense that your Raleigh bicycle is actually a Giant with a Raleigh sticker on.
  
  It isn't even really outsourcing in the sense that Dell oursources its video cards to ATI, its cpus to Intel and its CD drives to LG, which is all perfectly legitimate. Would you really expect Dell to make its cpus and capacitors?
  
  You buy stuff and market it.
  
  z-com is the actual manufacturer and they sell their products to marketers. Netgear just buys the stuff and resells it.
  
  Just like you could go to z-com and have them slap some stickers on stuff for you to resell. Or Giant. Or whoever makes Levis and Calvin Klien jeans in China. Or. . .
  
  This isn't about "outsourcing." This about a marketing firm getting stuck with some bad product.
  
  KFG
2. Re:Just another reason by crazy+blade · 2004-06-05 03:26 · Score: 2, Insightful
  
  You hve a point. But I still wouldn't take them off the hook so fast. This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.
  
  --
  To err is human, but to forgive is beyond the scope of the Operating System...
The problem of convinience by luvirini · 2004-06-05 02:36 · Score: 5, Insightful

This is a general problem when you buy ready made solutions in the form of "boxes" , you cannot be fully sure of anything inside so it is basically a question of trust.
For example firewalls:
Question 1: how do you know the box firewall you bought is secure and no backdoors?
Answer: normally you do not.
Question 2: Why do majority ofpeople buy those instead of making their own?
Answer: Because it is a lot more convinient
So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.
1. Re:The problem of convinience by Temporal · 2004-06-05 02:59 · Score: 4, Insightful
  
  Question 1: How do you know the CPU you bought is secure and has no code-modifying backdoors?
  
  Answer: Normally you do not.
  
  Question 2: Why do the majority of people buy those instead of manufacturing their own?
  
  Answer: Because it is a lot more convenient.
  
  Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece, because:
  
  1) A packaged system built by a respected company is likely to be far better reviewed and tested than something you assemble/install yourself.
  
  2) If it has a hole, you know exactly whom to blame (and perhaps sue for damages, if exploited).
2. Re:The problem of convinience by evilviper · 2004-06-05 03:26 · Score: 2, Insightful
  
  Question 2: Why do majority ofpeople buy those instead of making their own?
  
  Answer: Because it is a lot more convinient
  
  I have a better answer... Because 99.9% don't realize there could be a security problem with it. I don't worry about security when I buy a washing machine or a TV, and that's about how most people view "box" devices.
  
  Also, I would add that it's more than convience, since most people wouldn't be able to configure a computer to be a firewall if their life depended upon it. Maybe a custom OpenBSD distro is in order... One that will configure a firewall on it's own, and use good defaults for everything, so it needs no configuration for most people. But then again, you don't really know that software isn't back-doored either... You've got to trust somebody...
  
  --
  Slashdot gets worse every day... Pipedot: News for nerds, without the corporate slant
3. Re:The problem of convinience by Jay9333 · 2004-06-05 03:31 · Score: 2, Insightful
  
  Question 1: how do you know the box firewall you bought is secure and no backdoors?
  Answer: normally you do not.
  Question 2: Why do majority ofpeople buy those instead of making their own?
  Answer: Because it is a lot more convinient
  So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.
  No one has the time to examine every line of every piece of software (or hardware/firmware) they use that could potentially contain a vulnerability. It is impossible. That is why you only use software that has been in the community (open-source or closed) long enough to where it is generally trusted by experts and laymen alike. That is no guarantee, but that is the best one possible. Shit happens.
4. Re:The problem of convinience by Anonymous Coward · 2004-06-05 04:42 · Score: 1, Insightful
  
  Question 1: how do you know the box firewall you bought is secure and no backdoors?
  
  Answer: normally you do not.
  
  That is true. You have no absolute assurances of anything. But, with the well known, reputable firewall products, there is a lot of independant review done. These include customer's test labs, where some people go to surprising lengths to test security and performance. There are researchers that specialize in finding flaws and holes in security systems. They beat on them with all kinds of odd scenarios. And, even the government performs analyses for security approvals.
  
  This is all on top of the hundreds of developers, QA testers, support staff, and SE's banging on it day to day. While this doesn't mean it's flawless, it does mean that bugs get found, and backdoors and gaping holes like in the original story would be found immediately.
  
  As we've seen from previous stories here about the various open source VPN options, people often assume to much about the security and review of these products.
  
  Question 2: Why do majority ofpeople buy those instead of making their own?
  
  Answer: Because it is a lot more convinient
  
  So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.
  
  Convenvience is a big factor. Not just for setting up, but also administration and ongoing security analyses. Commercial firewalls have management, logging, and analysis features that blow away the free options. They are also way ahead in terms of features, the depth of the security analysis is much greater, and integration among firewall/VPN/IDS/URL filtering/Anti Virus is tighter.
  
  I used to work for a commercial firewall vendor. At home, I use a Linux firewall for my realtively simple needs. For consulting gigs, I always recommend commercial firewalls - you can't assume that they have someone capable of managing and understanding a unix firewall. If they do have someone, you can't assume that he/she will be there for long. With a commercial firewall, they have training classes widely available to bring new people up to speed.
Makes those old 486 machines running Linux.. by the_rajah · 2004-06-05 02:42 · Score: 3, Insightful

routers look better all the time. At least you have some control over it....if you're a geek anyway.

Which ones of the consumer products are safe? I'm running a D-Link wireless right now.Yes the encryption is on.

"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain

--

"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Well, at least it's only an access point by the+eric+conspiracy · 2004-06-05 02:55 · Score: 4, Insightful

These things usually sit behind a firewall, so you aren't in quite as bad shape as if it offering it's private parts to the general internet like the Linksys.
Re:Good grief... by Peyna · 2004-06-05 02:59 · Score: 1, Insightful

What are you going to sue about? The maybe $50 you spent on the router? You haven't incurred any loss or harm yet, just the potential for it.

--
What?
Re:remove space in URL by Anonymous Coward · 2004-06-05 03:44 · Score: 1, Insightful

It's not suprising.

With all of the dumb motherfuckers that can't type a proper href--that alone weeds about half of the links that go to tub girl, goatse, penis bird, or worse.

I, for one, am glad that this feature exists.

We're all supposed to be geeks here. 10 extra fucking keystrokes. Big Fucking Deal
Good grief... INDEED! by Saeed+al-Sahaf · 2004-06-05 03:44 · Score: 2, Insightful

99.99999% of the "deadenders" who sputter and spew "I... I'm gonna SUE!!!!" will not, and really have no clue about what it would tak or even if they have any real legal basis to "SUE!!!!"
It's cheap consumer electronics. Return it and get one that does not have this issue, then resume your life. No story here, move along.

--
"Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
confirmation, I (was) affected by this by Thanster · 2004-06-05 08:14 · Score: 2, Insightful

My home network has a wireless point that is provided by this very router, I checked, and the backdoor worked. :( The updated firmware available on netgears site fixed this :) I used to really like netgear stuff, now less so! Thanks for bringing this to my attention slashdot!