Slashdot Mirror


NetGear Also Has Remote Access Wide Open

Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."

10 of 215 comments (clear)

  1. huh? by schroet · · Score: 4, Insightful

    you can turn off the external web interface on those things right? I guess that doesn't help if you're worried about crackers on your LAN but still, it may not be as bad as it sounds.

    Undocumented = bad though,

  2. One wonders what the internal policies are ... by xmas2003 · · Score: 4, Insightful

    I think everyone can agree that backdoor passwords are a BAD idea - makes one wonder what the internal policies are at these companies - and what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

    --
    Hulk SMASH Celiac Disease
    1. Re:One wonders what the internal policies are ... by AntiOrganic · · Score: 4, Insightful

      This is absolutely idiotic. All routers have a default username/password combination that is restored when using the firmware reset button typically hidden on the back of the router. There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.

    2. Re:One wonders what the internal policies are ... by jtheory · · Score: 4, Insightful

      Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.

      I'm not convinced. This is only a concern in cases where you're having technical problems, AND you somehow forgot your password. The danger of having a backdoor easily outweighs the potential benefits. Even with a special password generator from NetGear -- you're still talking security through obscurity. I want to set up my router, make sure it's secure, and forget about it! I don't want to keep checking online to see if you can download N3tg34r_PwG3n.exe yet... and you know it's going to show up eventually.

      Half the time you have any technical issues, the tech support is just going to tell you to do a hard reset anyway....

      Even if they gave you one of those paperclip-hole style buttons that would reset all your passwords to your device's serial number (or to enable some other backdoor), this would still be dangerous in a lot of situations. Suppose you're running an internet cafe -- you can't always trust the people sitting around your router!

      Either way, I don't think this backdoor was installed for tech support reasons -- it doesn't even seem to have been installed by NetGear themselves. Hopefully some more details will come out soon... and hopefully some heads will roll.

      It's funny; I just read that new story by the AdTI guy explaining how Linux wasn't safe to use because it depended on "trust". Hah! How nice for the corporate world to step forward and show that *they* can be trusted.

      --
      There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
    3. Re:One wonders what the internal policies are ... by Dun+Malg · · Score: 3, Insightful
      . . .what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

      I believe that's "give them a bonus and a company car."
      These back doors are not trojans installed by disgruntled employees, but there by company policy.

      I'm always astounded when others are astounded by the existence of back doors in things. Pretty much anything that takes a password has a backdoor in it. Phone systems, voicemail systems, even those telephone entry systems on apartment buildings; all got back doors. Tech support is hard enough already without having to deal with unknown passwords. Some are better than others, though. Sentex telephone entry systems have back door passwords that are a hash of the unit's serial number, and only Sentex tech support has access to the program that generates them. Not that one usually needs the backdoor; most Sentex units I see still use the factory password "000000"...

      --
      If a job's not worth doing, it's not worth doing right.
  3. The problem of convinience by luvirini · · Score: 5, Insightful
    This is a general problem when you buy ready made solutions in the form of "boxes" , you cannot be fully sure of anything inside so it is basically a question of trust.

    For example firewalls:

    Question 1: how do you know the box firewall you bought is secure and no backdoors?

    Answer: normally you do not.

    Question 2: Why do majority ofpeople buy those instead of making their own?

    Answer: Because it is a lot more convinient

    So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.

    1. Re:The problem of convinience by Temporal · · Score: 4, Insightful

      Question 1: How do you know the CPU you bought is secure and has no code-modifying backdoors?

      Answer: Normally you do not.

      Question 2: Why do the majority of people buy those instead of manufacturing their own?

      Answer: Because it is a lot more convenient.

      Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece, because:

      1) A packaged system built by a respected company is likely to be far better reviewed and tested than something you assemble/install yourself.

      2) If it has a hole, you know exactly whom to blame (and perhaps sue for damages, if exploited).

  4. Makes those old 486 machines running Linux.. by the_rajah · · Score: 3, Insightful

    routers look better all the time. At least you have some control over it....if you're a geek anyway.

    Which ones of the consumer products are safe? I'm running a D-Link wireless right now.Yes the encryption is on.

    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain

    --


    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
  5. Well, at least it's only an access point by the+eric+conspiracy · · Score: 4, Insightful

    These things usually sit behind a firewall, so you aren't in quite as bad shape as if it offering it's private parts to the general internet like the Linksys.

  6. Re:Just another reason by kfg · · Score: 4, Insightful

    This isn't outsourcing in the sense that IBM outsources its programing and support staff. It's oursourcing in the sense that your Raleigh bicycle is actually a Giant with a Raleigh sticker on.

    It isn't even really outsourcing in the sense that Dell oursources its video cards to ATI, its cpus to Intel and its CD drives to LG, which is all perfectly legitimate. Would you really expect Dell to make its cpus and capacitors?

    You buy stuff and market it.

    z-com is the actual manufacturer and they sell their products to marketers. Netgear just buys the stuff and resells it.

    Just like you could go to z-com and have them slap some stickers on stuff for you to resell. Or Giant. Or whoever makes Levis and Calvin Klien jeans in China. Or. . .

    This isn't about "outsourcing." This about a marketing firm getting stuck with some bad product.

    KFG