NetGear Also Has Remote Access Wide Open
Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
It's possible that this goes on a whole lot more than we'd like to admit. Just yesterday I was talking to a friend who called Dell technical support about her BIOS password on an Inspiron 5000. She had forgotten it, and couldn't access her settings. Unlike the old days where you'd crack open the box and to the BIOS jumper switch, Dell provided her with a 6-character BIOS password that magically unlocked her system.
Nothing but the finest in meaningless drivel
That's all nice and well, but the average user isn't going to upgrade at all. A good deal of them never even set the admin password in the first place.
Take the guy in my apartment, for instance. I'm using his wireless. His AP is totally open--default SSID and all. I know he doesn't care, but what if he were a business? There's no way he's going to upgrade firmware if he can't even set a simple password.
I've used a couple of the Netgear FVS318 firewall/vpn boxes; they're cheap, sturdily constructed, easy to configure and pretty reliable, but I'm always a little hinky about the unconfigurable software options as much as I am about the backdoors.
My FVS318 does NTP to a hard-coded destination, and there's no way to turn this off or change the NTP sync server that I've found. I've always kind of wondered what else it does or was capable of doing.
I tried this recently on my own unit. Works like a charm. Now that I'm really pissed, it looks like I might have to really complain through the courts by filing a motion with the intent to sue. Not only that, but get that old 500MHz P3 out of the closet and turn it into a router/NFS/SAMBA server and sell the POS Netgear router on eBay.
/end_rant
That was the last straw. No more firmware based routers unless I make them myself, or use existing ones as wireless switch and really try to lock it down or use third party firmware.
Learning how to make a Linux router / NFS will be handy anyhow
There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.
Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from Cisco. Give the aforementioned info to Cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.
"We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords. It's not like it has any educational value (unlike looking at some exploits, which helps programmers learn how to write code that's not vulnerable).
Am I part of the core demographic for Swedish Fish?
Nah, plain text urls not wrapped in other tags should be converted to html links.
It's surprising that Slashdot hasn't already added this basic feature.
Bush and Blair ate my sig!
OK, this is bad... but what I see as a far worse problem is that most OEMs don't bother setting passwords on Windows XP installs.
I've even seen this happen on a ThinkPad, and I would have thought IBM of all people to know better. I've seen this on a few vendors before but I can't remember exactly which ones, has anyone else seen this happen before?
Confounding debugging by tech support? First of all, we're talking about a consumer product here. Tech support is not going to be logging in to see why RADIUS authentication is not working or to troubleshoot some advanced routing issues. In fact, when users call in having forgotten their password, I suspect tech support will just tell them to use the reset feature; it's far easier than trying to find out a consumer's IP address.
No, you cannot justify this. Even if there was some kind of two-hour password, it would be a huge security problem. For example, if I'm using one of these to protect my network, and you have a couple thousand bucks lying around, I'm sure you could convince someone at Netgear to give you a two-hour password without a problem. A single password is even more heinous.
Yes, I will no longer be buying Netgear products.
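The time-limited passcode proposed earlier in the thread (router serial number, the router's own clock, a vendor-side generator, and a local enable switch), sketched as an added example that is not part of the original thread or of any vendor's firmware. The HMAC construction, the per-device key, the function names and all sample values are assumptions made for illustration.

```python
import hashlib
import hmac

WINDOW_SECONDS = 2 * 60 * 60  # lifetime of a passcode, the thread's "1 or 2 hour"


def device_key(master_key: bytes, serial: str) -> bytes:
    """Per-device key written at manufacture. Only the vendor keeps master_key,
    so dumping one router's firmware exposes that router's key and no other."""
    return hmac.new(master_key, b"support-key|" + serial.encode(), hashlib.sha256).digest()


def passcode(dev_key: bytes, serial: str, router_time: int) -> str:
    """8-digit code bound to the serial number and the router's current time window."""
    window = router_time // WINDOW_SECONDS
    digest = hmac.new(dev_key, f"{serial}|{window}".encode(), hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:8], 'big') % 10**8:08d}"


def vendor_issue(master_key: bytes, serial: str, reported_router_time: int) -> str:
    """Vendor side: the owner reads the serial and the router's clock to support."""
    return passcode(device_key(master_key, serial), serial, reported_router_time)


def router_verify(dev_key: bytes, serial: str, now: int, candidate: str,
                  support_enabled: bool) -> bool:
    """Router side: refuse unless the owner enabled support access locally."""
    if not support_enabled:
        return False
    return hmac.compare_digest(passcode(dev_key, serial, now), candidate)


# Constructed sample values, not real keys or serial numbers.
MASTER = b"constructed-demo-master-key"
SERIAL = "DEMO-SN-0001"
T0 = 1_086_000_000  # router's clock when the owner calls support


def demo() -> dict:
    key = device_key(MASTER, SERIAL)
    code = vendor_issue(MASTER, SERIAL, T0)
    return {
        "same_window": router_verify(key, SERIAL, T0 + 3600, code, True),
        "next_window": router_verify(key, SERIAL, T0 + WINDOW_SECONDS, code, True),
        "switch_off": router_verify(key, SERIAL, T0, code, False),
        "other_router": router_verify(device_key(MASTER, "DEMO-SN-0002"),
                                      "DEMO-SN-0002", T0, code, True),
    }


if __name__ == "__main__":
    print(demo())
```

Windows are fixed, so a code issued late in a window lasts less than two hours. The construction limits what a leaked code or a dumped firmware image is worth; it does nothing about who the vendor agrees to issue a code to, which is the objection raised in the reply above.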
Don't worry, the vendor is probably a few thousand miles outside US jurisdiction.
If I were a cynical bastard I might add that Netgear benefits twice from outsourcing its production...
I still wouldn't take them off the hook so fast.
Who said anything about taking them off the hook? As the marketer it is Netgear that is directly responsible to their customers.
As the manufacturer it is z-com that is responsible to its customers, in this case, Netgear. There is a hierarchy of customers here in which Netgear is in the middle. The man in the middle is often the one to get squashed.
This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.
Yes, it would, wouldn't it? And I'm sure in future it will, at least in essence, but is it not always the case that you find out what your contract should have said after it goes bad on you somehow?
But look at it this way. What if you were going into the white box business about the time of release for the Pentium II chip, would your "contract" with Intel have a "no floating point calculation errors" clause, or would it more likely be a simple receipt for the delivery of and payment for 1000 cpus?
And when the bug hit the public and people demanded a fix from you wouldn't you have considered it Intel's error and Intel's problem?
And what would you put into your "contract" with Intel on your next cpu purchase to protect you from the next, and currently unknown, issue?
When you buy your next car will you demand a "won't blow up on me" clause to your contract, or do you simply consider that issue part of the already extant express and implied guarantee that attaches to the car? The latter is certainly the way the courts view it.
You buy stuff. You get a receipt. That stuff has certain express and implied guarantees attached to it just like anything else. You resell it with express and implied guarantees. If the stuff turns out to be bad in some way your customers bitch to you and you have to make good. You are also a customer, of your supplier, so you bitch to them and they have to make good.
That's just the way the buying and selling business works.
KFG
Instead of " " why don't they put in a "<wbr>"???
This way, it would still wrap long text but wouldn't put those ugly spaces in when it doesn't need to wrap!
(Grabs patent application...)