Slashdot Mirror


NetGear Also Has Remote Access Wide Open

Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."

39 of 215 comments

  1. huh? by schroet · · Score: 4, Insightful

    you can turn off the external web interface on those things right? I guess that doesn't help if you're worried about crackers on your LAN but still, it may not be as bad as it sounds.

    Undocumented = bad though,

    1. Re:huh? by RidiculousPie · · Score: 4, Informative
      This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser.
      It would appear that if the webinterface is disabled, the device cannot be compromised.
      --
      ah, mod points ... now where is my crack?
  2. Don't you mean.. by Sadiq · · Score: 5, Funny

    "The backdoor seems to have been created by the vendor that used to package devices for NetGear"

    --
    SysWear - Geek T-shirts (UK/Europe)
  3. Fixed in new firmware, available here: by Anonymous Coward · · Score: 5, Informative

    http://kbserver.netgear.com/support_details.asp?dn ldID=735

    1. Re:Fixed in new firmware, available here: by abscondment · · Score: 3, Interesting

      That's all nice and well, but the average user isn't going to upgrade at all. A good deal of them never even set the admin password in the first place.

      Take the guy in my apartment, for instance. I'm using his wireless. His AP is totally open--default SSID and all. I know he doesn't care, but what if he were a business? There's no way he's going to upgrade firmware if he can't even set a simple password.

    2. Re:Fixed in new firmware, available here: by I+confirm+I'm+not+a · · Score: 4, Funny

      Thanks, just downloaded and upgraded.

      (Off topic: was anyone else disappointed that the "super" login didn't make the web control panel reveal easter eggs? I mean, you just had to try it while you were upgrading, right?)

      --
      This is where the serious fun begins.
    3. Re:Fixed in new firmware, available here: by Chucky+B.+Bear · · Score: 5, Informative
      I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

      (You can find it yourself by just taking similar steps as in the securityfocus article.)

  4. One wonders what the internal policies are ... by xmas2003 · · Score: 4, Insightful

    I think everyone can agree that backdoor passwords are a BAD idea - makes one wonder what the internal policies are at these companies - and what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

    --
    Hulk SMASH Celiac Disease
    1. Re:One wonders what the internal policies are ... by Trigun · · Score: 5, Funny

      There's a backdoor in the software auditing software. The programmer is safe.

    2. Re:One wonders what the internal policies are ... by BigHungryJoe · · Score: 3, Informative

      Everyone but the vendors knows it's a bad idea. Cisco recently made the same mistake.

    3. Re:One wonders what the internal policies are ... by AntiOrganic · · Score: 4, Insightful

      This is absolutely idiotic. All routers have a default username/password combination that is restored when using the firmware reset button typically hidden on the back of the router. There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.

    4. Re:One wonders what the internal policies are ... by Fulcrum+of+Evil · · Score: 4, Interesting

      There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.

      Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.

      --
      "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
    5. Re:One wonders what the internal policies are ... by jtheory · · Score: 4, Insightful

      Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.

      I'm not convinced. This is only a concern in cases where you're having technical problems, AND you somehow forgot your password. The danger of having a backdoor easily outweighs the potential benefits. Even with a special password generator from NetGear -- you're still talking security through obscurity. I want to set up my router, make sure it's secure, and forget about it! I don't want to keep checking online to see if you can download N3tg34r_PwG3n.exe yet... and you know it's going to show up eventually.

      Half the time you have any technical issues, the tech support is just going to tell you to do a hard reset anyway....

      Even if they gave you one of those paperclip-hole style buttons that would reset all your passwords to your device's serial number (or to enable some other backdoor), this would still be dangerous in a lot of situations. Suppose you're running an internet cafe -- you can't always trust the people sitting around your router!

      Either way, I don't think this backdoor was installed for tech support reasons -- it doesn't even seem to have been installed by NetGear themselves. Hopefully some more details will come out soon... and hopefully some heads will roll.

      It's funny; I just read that new story by the AdTI guy explaining how Linux wasn't safe to use because it depended on "trust". Hah! How nice for the corporate world to step forward and show that *they* can be trusted.

      --
      There are only 10 types of people: those who understand decimal, those who don't, and, uh, 8 other types I forget.
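
Added example, not part of the original thread and not any vendor's actual mechanism: a sketch of the time-limited support passcode Fulcrum of Evil proposes above (serial number, the router's own date, a vendor-side generator), using a per-device key so that the leaked-generator case jtheory raises does not expose a secret shared by every unit. All names, the key-derivation layout, the 8-digit code length and the lockout count are assumptions.

```python
import hashlib
import hmac
import struct

WINDOW_SECONDS = 2 * 60 * 60   # "1 or 2 hour passcode": one fixed 2-hour window
MAX_FAILURES = 3               # assumed lockout threshold against online guessing


def device_key(master_key: bytes, serial: str) -> bytes:
    """Vendor side: derive the key provisioned into one unit at manufacture.

    The master key never ships in firmware, so dumping one router's flash
    yields only that router's key, not a generator for every unit.
    """
    return hmac.new(master_key, b"support-key|" + serial.encode(), hashlib.sha256).digest()


def support_passcode(dev_key: bytes, serial: str, device_time: int) -> str:
    """Passcode for the window containing device_time (the router's own clock)."""
    window = device_time // WINDOW_SECONDS
    msg = serial.encode() + b"|" + struct.pack(">Q", window)
    digest = hmac.new(dev_key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 10**8:08d}"


class SupportLogin:
    """Router side: accepts a passcode only while the local switch is on."""

    def __init__(self, dev_key: bytes, serial: str):
        self.dev_key = dev_key
        self.serial = serial
        self.switch_on = False   # owner-controlled enable switch from the comment
        self.failures = 0

    def try_login(self, candidate: str, now: int) -> bool:
        if not self.switch_on or self.failures >= MAX_FAILURES:
            return False
        expected = support_passcode(self.dev_key, self.serial, now)
        if hmac.compare_digest(expected.encode(), candidate.encode()):
            self.failures = 0
            return True
        self.failures += 1
        return False


if __name__ == "__main__":
    # Constructed sample values, not real keys or serial numbers.
    key = device_key(b"constructed-master-key", "SN-CONSTRUCTED-0001")
    router = SupportLogin(key, "SN-CONSTRUCTED-0001")
    router.switch_on = True
    code = support_passcode(key, "SN-CONSTRUCTED-0001", 1_000_000_000)
    print(code, router.try_login(code, 1_000_000_000 + 700))
```
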
    6. Re:One wonders what the internal policies are ... by Dun+Malg · · Score: 3, Insightful
      . . .what happens when they do a source code audit after these are found and track down the programmers who put 'em in.

      I believe that's "give them a bonus and a company car."
      These back doors are not trojans installed by disgruntled employees, but there by company policy.

      I'm always astounded when others are astounded by the existence of back doors in things. Pretty much anything that takes a password has a backdoor in it. Phone systems, voicemail systems, even those telephone entry systems on apartment buildings; all got back doors. Tech support is hard enough already without having to deal with unknown passwords. Some are better than others, though. Sentex telephone entry systems have back door passwords that are a hash of the unit's serial number, and only Sentex tech support has access to the program that generates them. Not that one usually needs the backdoor; most Sentex units I see still use the factory password "000000"...

      --
      If a job's not worth doing, it's not worth doing right.
  5. The problem of convenience by luvirini · · Score: 5, Insightful
    This is a general problem when you buy ready made solutions in the form of "boxes", you cannot be fully sure of anything inside so it is basically a question of trust.

    For example firewalls:

    Question 1: how do you know the box firewall you bought is secure and no backdoors?

    Answer: normally you do not.

    Question 2: Why do majority of people buy those instead of making their own?

    Answer: Because it is a lot more convenient

    So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclination/will etc to do it themselves.

    1. Re:The problem of convenience by Temporal · · Score: 4, Insightful

      Question 1: How do you know the CPU you bought is secure and has no code-modifying backdoors?

      Answer: Normally you do not.

      Question 2: Why do the majority of people buy those instead of manufacturing their own?

      Answer: Because it is a lot more convenient.

      Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece, because:

      1) A packaged system built by a respected company is likely to be far better reviewed and tested than something you assemble/install yourself.

      2) If it has a hole, you know exactly whom to blame (and perhaps sue for damages, if exploited).

    2. Re:The problem of convenience by Harodotus · · Score: 4, Informative

      Smoothwall is exactly that, a custom Linux distro with boot-from-cd install that only requires you to hit "enter" a couple dozen times to turn any old 2 nic pc into a pre-configured modern firewall with internal NAT and DHCP.


      I use it and find it very handy (lots of old PC hardware about)

      --
      Its not users who are broken, it's systems not taking account their likely behaviour and fixing it technically.
  6. taiwan, eh? by abscondment · · Score: 5, Funny

    A search on Google revealed that "5777364" is actually the phonenumber of z-com Taiwan which develops and offers WLAN equipment for its OEM customers.

    This number, surprisingly enough, is also the total amount of wooden furniture shipped from Malaysia to Bahrain in 1998. Conspiracy! Conspiracy!

  7. Possibilities. by alexatrit · · Score: 5, Interesting

    It's possible that this goes on a whole lot more than we'd like to admit. Just yesterday I was talking to a friend who called Dell technical support about her BIOS password on an Inspiron 5000. She had forgotten it, and couldn't access her settings. Unlike the old days where you'd crack open the box and to the BIOS jumper switch, Dell provided her with a 6 character BIOS password that magically unlocked her system.

    --

    Nothing but the finest in meaningless drivel
    1. Re:Possibilities. by alexatrit · · Score: 5, Informative

      I stand corrected, here.

      "The only way to clear the BIOS password is with a Master Reset Password provided by Dell for that Model No. and they will not give you the master unless you can give them the name, address and telephone of the registered owner. However the password is universal for all laps with the same model no., so if you know someone who is a registered owner, you can call Dell and get the master."

      Reference here. That being said, the master for an Inspiron 5000 is BLVJCH. Booyah!

      --

      Nothing but the finest in meaningless drivel
  8. Re:No backdoors with BSD! by Trigun · · Score: 5, Funny

    best line i could think of was "why do you come back and try my new kernel on...

    You should try my pick-up line: Excuse me miss, but does this rag smell like chloroform?

    Works every time.

  9. Makes those old 486 machines running Linux.. by the_rajah · · Score: 3, Insightful

    routers look better all the time. At least you have some control over it....if you're a geek anyway.

    Which ones of the consumer products are safe? I'm running a D-Link wireless right now. Yes the encryption is on.

    --
    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
  10. Netgear WG302 by the+eric+conspiracy · · Score: 3, Informative

    Well, at least this username/password doesn't work with a WG302 with firmware 1.5.

  11. Awesome! by SuperBanana · · Score: 5, Funny
    Fixed in new firmware, available here:

    Super! Now I just have to downlo
    [CONNECTION DROPPED, REMOTE SIDE 0WN3D]

  12. linked properly for the lazy by Anonymous Coward · · Score: 5, Informative
  13. WGR614 by Rinisari · · Score: 3, Informative

    NetGear WGR614 is not affected by this bug. I'm going to try to get its firmware and follow the same procedure listed in that Bugtraq report to see what I can find.

  14. Too easy by SuperBanana · · Score: 3, Funny

    All your basestation are belong to us?

    Man, takes all the fun out of these jokes when it's so easy.

  15. It's a feature, not a bug. by gumpish · · Score: 5, Informative

    The URL is "mangled" for people browsing with mobile devices. The space is added so tiny displays can word wrap the text. (And also so crapflooders can't make your horizontal scroll bar appear.)

    Personally I think the number of people using such browsers is probably so small that there is no justification for this "feature", but since Slashdot isn't likely to change, URLs should be submitted as proper links and not just plain text.

  16. Take my advice by Q2Serpent · · Score: 4, Informative

    I know this is a huge problem for the general public, but for those of us with a linux machine, do what I do and save yourself some trouble: put two network cards in the linux machine. Connect one to the internet and the other to your wireless router's normal ethernet ports (don't use the port that is supposed to be for the internet). Then, just set up your linux firewall/NAT, and you get all the benefits of wireless and a wired hub on the inside, with a linux machine doing the routing/firewalling for security from the outside. Since the router isn't on the net, no one can even touch it.

  17. Good grief... by zoloto · · Score: 4, Interesting

    I tried this recently on my own unit. Works like a charm. Now that I'm really pissed, it looks like I might have to really complain through the courts by filing a motion with the intent to sue. Not only that, but get that old 500mhz p3 out of the closet and turn it into a router/NFS/SAMBA server and sell the POS netgear router on eBay.

    That was the last straw. No more firmware based routers unless I make them myself, or use existing ones as wireless switch and really try to lock it down or use third party firmware. /end_rant

    learning how to make a linux router / NFS will be handy anyhow

    1. Re:Good grief... by Gojira+Shipi-Taro · · Score: 3, Informative

      Look into Smoothwall. I'm using it on an old PPro 200 as a firewall/router. It supports 3 networks at the moment (red/external, Green/internal, Orange/restricted (wlan for instance). I have an older netgear router that I keep as a spare (the old PPro 200 has to die sometime...), but even with that, the Smoothwall config can be dumped to floppy and moved to a completely different machine easily.

      --
      "Oh my God. This is terrible. This is the end of my Presidency. I'm fucked."; ~ Donald J. Trump
  18. Well, at least it's only an access point by the+eric+conspiracy · · Score: 4, Insightful

    These things usually sit behind a firewall, so you aren't in quite as bad shape as if it were offering its private parts to the general internet like the Linksys.

  19. Re:Just another reason by kfg · · Score: 4, Insightful

    This isn't outsourcing in the sense that IBM outsources its programming and support staff. It's outsourcing in the sense that your Raleigh bicycle is actually a Giant with a Raleigh sticker on.

    It isn't even really outsourcing in the sense that Dell outsources its video cards to ATI, its cpus to Intel and its CD drives to LG, which is all perfectly legitimate. Would you really expect Dell to make its cpus and capacitors?

    You buy stuff and market it.

    z-com is the actual manufacturer and they sell their products to marketers. Netgear just buys the stuff and resells it.

    Just like you could go to z-com and have them slap some stickers on stuff for you to resell. Or Giant. Or whoever makes Levis and Calvin Klein jeans in China. Or. . .

    This isn't about "outsourcing." This is about a marketing firm getting stuck with some bad product.

    KFG

  20. they published the password? by pedantic+bore · · Score: 3, Interesting
    Gadzooks, could they have made it any easier for script kiddies to exploit this? Might as well just power down your netgear box until a new firmware patch comes out (assuming the firmware can be patched).

    I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords. It's not like it has any educational value (unlike looking at some exploits, which helps programmers learn how to write code that's not vulnerable).

    --
    Am I part of the core demographic for Swedish Fish?
  21. WG602v2 with firmware 2.0rc5 by thewiz · · Score: 3, Informative

    Just checked my WG602v2 and the factory firmware upgrade 2.0rc5 and they do not have the backdoor.

    Whew!

    --
    If "disco" means "I learn" in Latin, does "discothèque" mean "I learn technology"?
  22. Man... by 222 · · Score: 3, Interesting

    ok, this is bad... but what i see as a far worse problem is that most oems don't bother setting passwords on windows xp installs.
    i've even seen this happen on a thinkpad, and i would have thought ibm of all people to know better. i've seen this on a few vendors before but i can't remember exactly which ones, has anyone else seen this happen before?

  23. Re:How very timely... by Homology · · Score: 3, Informative
    I was going to buy a Netgear wireless access point/router this week.

    If 11Mbps is sufficient for your needs, you could buy a 802.11b wireless card that uses the Prism 2.5 chipset. This chipset can function in hostAP mode. At home I use Netgear MA311 in an older Dell functioning as my wireless access point, internet gateway and firewall. Instead of WEP, I use IPSec, and only authorized IPSec traffic is allowed (and thus no leeching from my Kazaa loving neighbour).

    You might need to flash the firmware, though, which you can find here.

    If you want a secure, easy and hassle free gateway, just install OpenBSD.

  24. Provides convenient excuse for content access by noidentity · · Score: 3, Funny

    Come on! These backdoors provide a convenient excuse when you're charged with breaking the law by accessing illegal content over your connection. If the vendor told you of their presence, you wouldn't be able to use them as a defense. Er wait, if you didn't know of them... hmmm...

  25. The Linksys problem was a false report by lseltzer · · Score: 3, Informative