Netgear's Amusing "fix" for WG602v1 Backdoor
An anonymous reader writes "Recently Slashdot reported that the Netgear router has a WLAN backdoor. According to this report by the news service of the German publisher Heise, Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'."
Chalk up another loss for 'security by obscurity'.
dmiessler.com -- grep understanding knowledge
That would be like "fixing" Windows 95 with Windows ME.
"We need a fourth law of Robotics: Stop Fingering My Wife"
Anyways.. For those that can't read German.... Here is the Babelfish translation (kind of).
Hmmm.
Someone somewhere has GOT to be pulling legs...
That is the most stupid thing I think I have ever heard!
FP BTW.
- http://www.milkme.co.uk
I thought the last article said changing passwords was a good idea! Make your minds up.
I jest of course.
----
Netgear is Kryptonite Baby!
Well at least sys-admins and network engineers can finally use the login name they think they deserve.
99 bottles of beer in 175 characte
HERE is the google translation, for those of us who don't speak German
If this is their idea of plugging a security hole then I don't think I will be purchasing any kind of routing equipment from this mickey mouse outfit in the future.
I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though I'm not even sure that's possible due to the EULA. If the EULA does get in the way then
I think it's time the government stepped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.
Simon.
They may have changed the password but for someone who wants to hack it they will have 2 choices.
/. it will be easy to find in google now
Also, because of
This is also not an update that your average user will install
Seems it's like someone getting into your computer cause you left a sticky note with the password there. So you change the password, put the new one on a sticky on the monitor. What's the point.
Evolution or ID?
/me takes another vendor off my personal acceptable list
"You worthless post!"
-Shakespeare, 2 Gentlemen of Verona, 1. 1. 147
They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
And thanks to Slashdot, thus begins an endless stream of firmware updates; every time Netgear "fixes" their problem, I'm sure an article here will put the cycle in motion again. Let's see, who wants to guess what they change the password to next?
"superduperman", anyone?
I've done it with other types of binary files, but never tried with firmware.
Anyone try this?
But that's just me.
I am so irritated I don't know what to say. Seriously, How can netgear expect people to trust them again, is there any way to repair their reputation?
... the password is not 12345.
Signatures are for stupids.
makes you feel real "Safe" now does it
This looks like a job for.......SUPERMAN!
Changing the user information, is a fix ??? What's up with you guy ? Joke! What do I comment on this stupid move.
Now this is very sad. How can any semi-reputable company call changing the admin username and password for a major security hole a fix? Especially since they should have realized this new username/password would hit the net faster than Homer at an all you can eat buffet.
Since these things have built in firewalls, wouldn't the fix just include a user-invisible firewall rule preventing access to the router on whatever the admin port is (80, 8080, etc..)? Seems like a fairly simple fix to me.
Thanks Netgear! You've just assured that I'll never buy one of your products!
It's better to burn out than to fade away
I couldn't find the exact link at first glance, but this one is a reply to it: http://www.securityfocus.com/archive/1/365292/2004-06-05/2004-06-11/0
I do security
The blackhats that subscribe to http://lists.netsys.com/mailman/listinfo/full-disclosure knew about this on irc for a while.
EU via interpol desires, and us's NSA/NRO both desire various entrypoints.
cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.
disgusting
This is not my opinion. Actually, it's not even an opinion. And I'm nowhere to be seen near it
Netgear reacted to the messages over a Backdoor in the wl to ACCESS POINT WG602 Version1 promptly with a firmware update, however the Backdoor is still present -- this time only with new user name and password. With the name one was a little creative and extended the original character string "super" too "superman". With the password Netgear obviously took forum contributions for the first message of the safety gap seriously and changed the number on 21241036. To whom however this telephone number is to belong, Netgear Germany could not say to us -- there one knew nothing from the new problem and wanted only to make itself once kundig.
An again updated firmware design does not give it yet. Anyway the question arises whether users are still determined after the second Patzer to bring new software in. In opinion of lawyers this problem could quite be reason of enough to return the devices to the dealer and back-demand the purchase price. The salesman can try to improve the lack however the chances stand for it for the moment obviously quite badly.
The companies don't care about the users' security nor personal stuff. I can't believe it. I am glad they don't install alarm systems.
This is totally insecure, but very convenient.
But probably not the next...
Netgear engineer, "Stupid hackers....there is no way they will ever figure out we add man onto the end of super...BAWAWAWAWAWAWAWAAAAA!!!!"
http://jayceecorder.blogspot.com
That if a worm was written to exploit this, those that are affected by the worm can sue Netgear for negligence ?
IN THE BACK DOOR....lol someone had to say it...
So, now we also have to boycott Netgear to see them crash and burn for their idiocy by placing our privacy in jeopardy. Fools! sigh.
A backdoor? We're insecure? This looks like a job for... a random number generator!
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
Does anyone have a translation for those of us who can't read babelfish?
Google's translation: With the password Netgear obviously took forum contributions for the first message of the safety gap seriously and changed the number on 21241036.
In opinion of lawyers this problem quite serious.
Google's translation: In opinion of lawyers this problem could quite be reason of enough to return the devices to the dealer and back-demand the purchase price. The salesman can try to improve the lack however the chances stand for it for the moment obviously quite badly.
I realise that this is a bit redundant, but I read the slashdot article linked to, and what do I see but:
Re:Fixed in new firmware, available here: (Score:3, Informative)
by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.
(You can find it yourself by just taking similar steps as in the securityfocus article.)
Maybe reading slashdot sometimes would be a good idea.
Nice one old slashdot, you just revealed it to all us geeks :)
Remind me to blame you if I ever get caught using it for less than legal means.
--- [Insert interesting Sig here]
Looks like people with half brains are able to hold on to their jobs over at netgear, so, I want a job where I do not feel compelled to excel at my job, heck, I can lay an egg like this about one every hour.
Hey netgear folks, do you want to hire me ? I promise my ideas will be even lamer than changing "super" to "superman" so your legacy won't be hurt.
One keeps wondering how those ideas actually filter through the chain of command in such a high visibility issue. Amazing !
__________
The more I know people, the more I love animals
Now the hacker has to figure out which version of the firmware one is running in order to crack the password. And they can't figure that out without logging in. So everyone is safe now.
:-)
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
or does it almost seem easier to read the german version, than read the babelfish translation? Babelfish translations make my eyes bleed and my head hurt ( no offense to parent post )
yeah.. my fault :)
Hmmm.
cat knowledge |grep -v understanding
There is certainly no understanding coming through their pipe.
The firmware is gzip compressed, so you'd need to do a bit more than just use bvi. But I suspect if you extracted the gzip'd portion, edited the firmware, re-gzipped it, put it back in the firmware and updated any crc/md5 checks in there it might work.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
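Added example, not part of the thread and not Netgear's or any poster's code: a check a device owner could run on a downloaded firmware image to see whether an update really removed the hardcoded account instead of renaming it. It follows the comment above in assuming the image embeds a gzip stream; the sample images, their header layout, the placeholder old password and the helper names are constructed for illustration.

```python
import gzip
import re
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"                      # gzip ID1, ID2, CM=deflate
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{4,}")   # like strings(1), min length 4
# Account strings named in the article and thread.
WATCHLIST = {b"super", b"superman", b"21241036"}
MAX_UNPACKED = 64 * 1024 * 1024                   # cap output per stream


def gzip_members(image, limit=MAX_UNPACKED):
    """Return [(offset, unpacked_bytes)] for every complete gzip stream in image.

    Firmware images usually carry a vendor header before the compressed
    part, so every occurrence of the magic bytes is tried. zlib verifies the
    gzip trailer (CRC-32 and length) itself; a stream that fails that check,
    is truncated, or exceeds the size cap is skipped.
    """
    members = []
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=31)   # 31 = expect a gzip wrapper
        try:
            data = inflater.decompress(image[pos:], limit)
        except zlib.error:
            data = None
        if data is not None and inflater.eof:
            members.append((pos, data))
        pos = image.find(GZIP_MAGIC, pos + 1)
    return members


def hardcoded_hits(image, watchlist=WATCHLIST):
    """Return [(member_offset, string_offset, text)] for watchlisted strings.

    Matching is on whole printable runs, which assumes NUL-terminated C
    strings, so 'superman' is reported as itself and not as 'super'.
    """
    hits = []
    for member_off, data in gzip_members(image):
        for m in PRINTABLE_RUN.finditer(data):
            if m.group() in watchlist:
                hits.append((member_off, m.start(), m.group().decode("ascii")))
    return hits


def backdoor_removed(image):
    """True only if the image unpacks and none of the known strings remain."""
    return bool(gzip_members(image)) and not hardcoded_hits(image)


def build_sample(strings):
    """Constructed stand-in for a firmware file: 64-byte header, gzip, padding."""
    payload = b"\x00".join(strings) + b"\x00"
    header = b"FWHDR" + b"\x00" * 59
    return header + gzip.compress(payload, mtime=0) + b"\xff" * 32


# Constructed samples. The page does not give the original password, so a
# placeholder stands in for it.
OLD_IMAGE = build_sample([b"httpd", b"super", b"OLD_PASSWORD_PLACEHOLDER"])
NEW_IMAGE = build_sample([b"httpd", b"superman", b"21241036"])
CLEAN_IMAGE = build_sample([b"httpd", b"login.cgi"])

if __name__ == "__main__":
    for name, img in (("old", OLD_IMAGE), ("updated", NEW_IMAGE),
                      ("clean", CLEAN_IMAGE)):
        print(name, hardcoded_hits(img), "removed:", backdoor_removed(img))
```

Whether the real image carries an additional vendor checksum outside the gzip stream is not stated on the page; the trailer check here covers only the gzip stream itself.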
I for one like my whores anonymous. It keeps things simpler...
Oh, what exactly are we talking about again?
"Piter, too, is dead."
First of all, that's not completely verified.
Secondly, it's talking about a completely different (alleged) vulnerability.
Netgear reacted to the messages of a backdoor in the firmware of their ACCESS POINT WG602 promptly with a firmware update, however the backdoor is still present -- this time only with new user name and password. They were a bit creative with the name and extended the superuser login "super" to "superman". With the 21241036 password Netgear has obviously for the first time taken security seriously. To whom however this telephone number is owned, Netgear Germany could not say -- because no one knew anything about the problem and only wanted to fix it.
:)
Clear enough?
I am amused. When I saw the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.
The views expressed are mine own and do not express the views of my employer.
The new password is apparently someone's PHONE NUMBER in Germany! No idea whose, but I gleaned this tidbit by getting a Babelfish translation of the page (orig, in German). For those in the US - Is this the networking equivalent of calling Jenny? (867-5309)
Laws affecting technology will always be bad until enough techies become lawyers.
It's a shame, because Netgear actually has the best wireless products I've tried between netgear, dlink, linksys, and smc.
I've had more stability and success with netgear by far. Luckily I'm not using this particular router.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
this is what I compare to getting your keys stolen, changing your locks, and then giving everyone a copy of the key.
Sure can, that's my job ;)
Backdoor remains in new firmware from Netgear
While Netgear may have reacted quickly to the reports of a backdoor in the firmware of their Access Point WG602 by issuing a firmware update, the backdoor itself is nevertheless still present -- this time simply with a new username and password. They were less than creative with the user name, extending the original "super" to "superman". With the password, Netgear has apparently taken the first forum reports of the security hole seriously and changed the phrase to "21241036". To whom this telephone number belongs, however, Netgear Germany could not say - nobody there knew anything about the "new" problem, first wanting to fully acquaint themselves with the issue.
Another firmware update is not yet available, and regardless, the question remains whether users will be eager to apply yet another patch after the second screw-up. According to lawyers, this could open the door for end users to return the hardware to the vendor and demand a refund. While they may still try to fix the problem, at the chances of are pretty low.
Netgear has promptly reacted to the reports of a backdoor in the WLAN-Access-Point WG602 Version 1 with a Firmware-Update, however, the backdoor is still present, but with a new user name and password. They were a little creative with the name and extended the original character string "super" to "superman." With the password, Netgear has obviously taken the message of security seriously and changed the password to "21241036." However, to whom this telephone number points, Netgear did not comment. There, they knew nothing and initially only wanted to make themselves aware of the (details of the) problem.
Again, there is not a real updated firmware design yet. The question arises whether users are still determined--after the second patch--to get new software. In the lawyer's opinions, this problem could be reason enough to take back the device to the retailer and receive a refund of the purchase price. For now, the retailer can try to fix the shortcoming, however, the chances of that are not very good.
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
Was anyone else reminded of some of Mitnick's work where he'd call the manufacturer of the equipment to get the backdoor password? That most of the people using it didn't even know it had? And they gave it to him over the phone...
I am disrespectful to dirt! Can you see that I am serious?!
Reading this translation, I could help but think of klunk, who is probably now working as a technical writer for Japanese instruction manuals.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Oops, sorry for the lack of line breaks. Thank God my job doesn't involve HTML formatting....
I recently purchased a Netgear WGT624 v2 so I could have wi-fi at home for my laptop. Does anyone know if this FW/Router also suffers from the same problem? I can't find any info so far, but it doesn't seem unreasonable to me that ALL Netgear products could have similar exploitable backdoors.
Flash is the Herpes of the Internet.
your.opinion >
First of all we are talking about a Netgear Product so what does Linksys's problem have to do with this? Second of all if you would bother to read the responses in the article you linked to, you would see that some people have already proved that its not a hoax with regards to the Linksys product.
If you wanna get rich, you know that payback is a bitch
Maybe they could change the firmware updater itself to randomly change the password, alternately ask the user for a password for the 'super' user. This might be acceptable if indeed it's a hardware flaw and there's no way to simply remove this super user from the system.
I'm just happy my router isn't affected. Why in the world would they do this? They should know we can find out. Sometimes I wonder...
If they give out a program to change the backdoor login/password and rechecksum.
Business is Business and Business must grow, Regardless of crummies in tummies you know... -Onceler
Wait - the false report was about Linksys - NOT about NETGEAR.
SO now the Linksys is ok and the Netgear is not. Someone buy me a program so I can tell the players apart.
The password is '21241036'!
Remember me to change the password of my briefcase.
[Or something like that]
That's for Linksys, not Netgear!
Way to ruin EVERYTHING.
/. parades our top secret passcodes around the world for all to see?
How are we supposed to keep one step ahead of the enemy hackers when
Now where are we going to find something as secure as 'superman'?
www.olin.edu
sicherheits = safety (heh guess you can learn something by flying lufthansa)
Flawed Routers Flood University of Wisconsin Internet Time Server
http://www.cs.wisc.edu/~plonka/netgear-sntp/
Abstract:
"In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.
Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.
This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities."
By issuing this form of a fix, Netgear is stating that they are not just incompetent, they are deliberately so, and they think everybody else is as stupid as they are. I've rarely seen such negligence and contempt for customers. Well, not that rarely: The Winnuke Patch
..is that they lost the source, and all they could do was to binary patch the firmware image.
;-(.
Sad, but true
(or not)
This is preaching to the choir anyway. Who actually updates the firmware on anything? People who are at least knowledgeable to know what firmware is. Those are the same people who probably change the default username and password. Anyone not thinking of firmware updates, is also probably too lazy (or not knowledgeable enough) to change the firmware OR the default username/password.
Well, it seems pretty obvious to me... it's supposed to be there.
This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.
Now, I'm not going to even start discussing whether the product *should* have a backdoor. There are many reasons for including them, and many obvious reasons to not.
What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revocation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).
That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.
And now we are even trying to slashdot phone lines...
Where will it end?
# cat
Damn, my RAM is full of llamas.
Ok, everyone read the following carefully:
The parent of this comment is a troll. It contains the spurious phrase: 'Michael Sims reports a large opening in his backdoor for all to use', which is certainly not in the original article.
Got that? Read the parent, see the line (it is the second to last line in the parent). Did you mod that comment as Informative? Then you should be ashamed of yourself.
Why do people mod comments if they haven't read them? Seems like a very perversive kind of logic indeed.
I hear there's rumors on the Slashdots
Because when I port scan it, nothing responds.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Though Netgear reacted promptly with a firmware update to the news of a backdoor in the WLAN access point WG602, the backdoor is nevertheless still present -- this time with a new username and password. The name was handled with little creativity, extended from the original string "super" to "superman". In the case of the password, Netgear had obviously taken forum discussion [the link is a post by someone who used a hex editor to change the password to their phone number] of the first news of the security hole to heart and changed the number to 21241036. To whom this phone number belongs, though, Netgear Germany could not tell us -- they had not heard of the new problem and wanted to look into it first.
There is not yet a newly updated Firmware version. Anyways, there is the question of whether users will still be willing after this second screw-up to install new software. In the opinion of lawyers this problem could be quite sufficient ground to return the devices to dealers and demand a refund. The vendor can certainly try to touch up the deficiency, though at the moment the chances of that are obviously quite poor.
"If you look 'round the table and can't tell who the sucker is, it's you." -- Quiz Show
I feel sorry for the person whose number that is. You just know that all German Slashdotters will be dialling that now.
Philip
Signatures are broken
Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.
Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
Ever dream you could fly? Get up from the Flight Sim. I Fly
Now maybe there are some firmware versions out there that have these vulnerabilities, but I haven't been able to confirm either report and am beginning to wonder whether any of these stories are true. Of course, my standard practice of getting the latest firmware when I buy some equipment may have shielded me from these problems, and there are probably plenty (fools?) out there that don't do this and may have opened themselves up. But to see two vulnerability reports I cannot confirm makes me wonder whether this is some sort of disinformation campaign.
I look at the comments on this thread and am amazed that the supposedly technically competent can rush to judgement so quickly and with so little evidence. Were this to hit the mainstream media, can you imagine how this could change the marketplace, even if the report isn't true?
Maybe I should be buying some Cisco stock...
How can you be sure that the backdoor ID to your gear isn't batman and that the password isn't 46386124? I realize that any proprietary software can have backdoor passwords in it. Netgear has shown that at least one of their products has a backdoor. When Netgear was given the chance to act horrified that somebody put a backdoor in one of their products and remove it, they decided to just change the backdoor name and password. This gives me LOTS of confidence in the security awareness of Netgear products. You are trusting the security of your wireless connectivity to a company that knowingly maintains a backdoor in at least one of its products.
Okay, native German speaker trying to translate:
Even though Netgear quickly reacted to a backdoor in its WLAN-Access-Point WG602 Version 1, the backdoor is still there - only with a changed username and password. Netgear wasn't very creative on the name and extended the original "super" to "superman". With the password, Netgear has obviously taken posts in the forums seriously(*) and has changed the number to 21241036. Netgear Germany didn't want to comment on the owner of the phone number - they didn't yet know about the problem and wanted to check back first.
A newly updated firmware version doesn't exist yet. Anyway, it is doubtful whether users are still willing to install new software after this second goof-up. According to lawyers, this problem could well be grounds to return the devices to the dealer and demand a full refund. The dealer could try to mend the defect, but the chances for that are obviously slim at the moment.(**)
*) Refers to a heise forum post pertaining to the original article where one poster suggested to use one's phone number as password.
**) Reference to German law: If a bought product is deficient, the dealer has to either mend the deficiencies or take the product back for a full refund. Apparently, some lawyers think that Netgear's goof-ups make their product sufficiently deficient for this law to take effect.
Although Netgear reacted quickly to reports about a backdoor in the WLAN-Access-Point WG602 Version1 with a firmware-update the backdoor still remains, only with a new user name and password. When changing the name Netgear showed not much creativity since the original string "super" was simply enlarged to "superman". Regarding the password Netgear apparently took seriously some comments of the heise board and changed the number to 21241036. Asked about whose telephone number this is Netgear Germany was not able to make any comment, as it was unaware of the new problem and going to investigate it first.
A newly updated firmware-version is not available yet. Anyhow the question is whether the users are willing to replace the software after the second error. In the opinion of lawyers this is a valid reason for users to be entitled to return the devices in exchange for their money. Although dealers could hypothetically fix the inadequacy, chances to do this successfully apparently are not the best.
If it's not, what would the significance be? The factorisation is: 2 2 461 11519 but that doesn't look interesting to me.
Googling for it I only find, as interesting reference:
- An entry for something called dipeptidyl aminopeptidase that sounds like a protein or enzyme
But I'm sure that's not it
This simply shows that the backdoor was not a mistake. Netgear wants to have this backdoor on your router, for whatever reason they have, that's all !
This is neither amusing nor is it a fix.
You see? You see? Your stupid minds! Stupid! Stupid!
Don't most routers have well-known/published administrator logins?
Not really a problem for ethernet-based ones, as you prevent access from external ip's using filters.
I'm no WIFI guru, but WPA or something should be plenty for preventing unauthorized 'local' connections..?
Oh wait...I think I can get this one...Zizaloeg? Zizaiobg? Eh, my l3375p34| is a little |2usty.
I have an older linksys BEFWS11 (4 port 10/100 switch, 802.11b, internet router/firewall). I was having terrible issues getting *any* of my pcmcia and pci wireless cards to talk to this device. I was also having problems with my custom settings getting reset to factory defaults, etc. Calling tech support was useless. They recommended that I *downgrade* to an earlier version of the firmware, which was known to contain a large number of security vulnerabilities. That wasn't gonna happen. They also thought that I might want to send the unit in for testing and possible repair. Of course the warranty on the unit expired about a month earlier. So, after purchasing a cheapo blitzz wireless internet router @ walmart for $40 (which works flawlessly I might add), I noticed that linksys had updated the firmware. I installed the newest version, and whammo they fixed the wireless problem..... by disabling the wireless transceiver entirely. Another call to linksys tech support was fruitless, as they recommended that I just go and buy a WRT54G.
Does anyone know if Netgear has made an official statement regarding these vulnerabilities or what their refund policy is when it comes to these tainted products? I've got one of these at home. Until this, I had been quite satisfied with the product, actually, but after having read this I would like to get a refund and switch vendors simply on principle.
Since they did this, should we all demand refunds since this makes their routers so insecure, it is unusable?
Fight Spammers!
I call it backdooring through closed source.
"Quis custodiet ipsos custodes?"
'21241036', That's the same combination on my luggage!
I know that the fix is a joke but posting the login on slashdot is irresponsible. I mean, if I had this router: Thank you.
area codes start with 0 in Germany
0212-41036 would be a valid German phone number. the area code would be from solingen or around that area
The technology, which allows anyone to access enterprise networks when they enter 'superman' for the username and '21241036' for the password, frees enterprises from worrying about security issues and allows IT managers to focus on implementing talking paperclips on enterprise desktops. "We are excited about the new technology," commented Steve Hjarkblonka in an interview. "For the first time since the invention of computers, the threat of security intrusions has been completely eliminated. Enterprises can now enjoy 100% unbreakable security."
Geoff Nikreny, chief security officer with Endostar Inc, calls the secure-by-default approach, in which once-vulnerable features are patched, a "mistake" that will lead to deployment confusion. But he doesn't know what he's talking about anyway. So for 100% unbreakable security, buy Netgear.
Offer good while supplies last.
This is a perfect example of why outsourcing your development and support to India will fail. Those guys are way too inexperienced to know what to do properly.
Netgear canned most of their guys in Santa Clara, and now are relying on India for their fixes, which produce results like this.
Way to go!
See, here's the problem: Superman's password is Batman's phone number! Think of the confusion and mayhem that is sure to result from this. We all know that only Commissioner Gordon should have that number.
Bush should have died, not Reagan -- Morrissey
Morrissey rides a cockhorse -- The Warlock Pinchers
The real fix should be available shortly.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
It's a bird... It's a plane... It's a router flying off the roof of my building!
http://slashdot.org/comments.pl?sid=110385&cid=9365945
Post was better suited as a reply to the post above.
The fact that the backdoor existed at all makes them liable, IMO, because it proactively defeats the supposed security they used to sell their product.
Liable for what, though? Has anyone shown any damages yet??
.. misuse and copyright infringement to the Superman brand.
Where are the DC Comics's lawyers ?
Over the weekend I purchased a Linksys wireless G "router" for my sis and brother-in-law and searched for an updated firmware. I was surprised to not find one. The last Linksys firmware is 2.02.7 from 3/17/2004. I would have bet money that Linksys would have a fix before Netgear did, especially with Cisco being the parent company. At least Netgear made a shoddy attempt to fix their problem.
I boycott signatures
I tried Netgear in the past and wasn't very happy with them. I've never had an issue with Linksys. I like their interface (improved once the Cisco logo appeared). I find their wireless products to work well and other than the backdoor have no complaints about any of their products.
I boycott signatures
netgear has M$ beat hands down
Netgear has posted a whopping 1300 firmware design jobs on monster.com!
I can count to 1023 on my hands. Ask me about #132.
I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
I mentioned this elsewhere, but how can you file a lawsuit if no one can show any damages?? Where is the link to someone who had data stolen because of this? How important was it? Or did the attacker just manage to use some of their bandwidth? Did that cost them money?
No harm, no foul. You can't have a class action lawsuit when not even one member of the class can show any evidence.
is keyed to the serial number.
They were dialing it long before I posted my comment - the article was up for a long time before I got a translation.
Laws affecting technology will always be bad until enough techies become lawyers.
Why so much fuss ? ...
At least, they choose a good password
21241036
See ? It's fairly long, has five distinct characters, no noticeable pattern...
Come on, don't be so negative. I'd bet that
no hacker will be able to find out that the password is 21241036
Really, isn't there something slightly immoral, possibly illegal about posting such security info for the world to see? Sure, it's dumb of them. But I think it shows a lack of editorial integrity to post such here.
"Would it kill you to put down the toilet seat?" -- Maya Angelou
"If someone paid you to paint a building, as they trust you will do a better job...
Why did GEAR crush RDP?
blah blah blah
Ah, yes, the lovely irony of a security company outsourcing their own product's security.
Nothing like trusting your future to some shady fly-by-night low-bidder who's not an employee. Whoever at Netgear argued this process saves money, I almost pity you. Almost.
Although in this case, you can't argue that specs called FOR a backdoor... but maybe there were no specs at all.
I don't blame them for this "quick fix".. as a longtime Software QA engineer I can tell you it takes more than 1 day to test something, unless you're willing to accept the risk that the fix could be worse. I'm willing to bet the OEM developer is probably just a one or two man shop, has no QA and might not even have source code control.
off-topic:
I run m0n0wall, a BSD distribution just for firewalls & routers. It doesn't need a hard drive so it's quiet.
I even yanked the CPU fan off the AMD K6/450 it is running on. CAUTION: passive cooling a CPU risks burning out the processor. To prevent this I fitted a stock AMD CPU sink from an Athlon 1800, and made a small duct for the power supply to draw air over the CPU (this was an OLD old ATX case with the PS directly above the CPU so it was easy).
Works great!
Too bad you can't upload monowall into consumer routers. I think this is the next step. Some vendor will start making it very easy to do such a thing (discoveries like the Linksys WRT54G hacking do not count).
The firmware for this box (or at least some of it) is offered for download on Netgear's site. I'm looking through the source, but I haven't seen anything relevant yet.
Has anyone seen where the backdoor is coded into the system? (Hint: if it's NOT in the source anywhere, Netgear is violating GPL here).
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
I just realized I think I have one of these at home. I never thought about it before because I only use it for its router capabilities (got it for a deal where it was cheaper than just a router)... boy, what a mistake.
Thanks Netgear, combined with your tech support team headed up by "bob" (who has an awfully thick Indian accent for a "bob") I'm never EVER buying your crap again.
"Well, I suppose we could just change the username and password..."
"DO IT!"
"If you say so, sir"
Pure speculation, of course.
It's just that, according to the site, there's no fix yet:
a sp
n ldID=735
http://kbserver.netgear.com/kb_web_files/n101383.
Now, there is a firmware from the 4th:
http://kbserver.netgear.com/support_details.asp?d
that claims to fix the problem, but I'm tempted to suggest what's happened is they've changed the username and password while they test a full fix. After all, changing data is generally less likely to break stuff than changing code...
The common saying with free software is "who can you sue when something goes wrong." Well you can sue Netgear in this case but in a class action suit only the lawyers get rich. The most compensation the actual victims will get is a $10 rebate on the next Netgear purchase. What you really want is the problem not to have occurred in the first place. I believe that if this was truly open source software, there are enough paranoid people reviewing the code for back doors like this before it went too far. Personally I prefer to deal with people or companies I can trust than that I can sue.
On a side note I noticed that this SOHO NAS server I bought also has a password hidden in its firmware. Fortunately it requires some minor hardware modifications to enable a serial port before this is possible, so the security implications are minimal.
...how many times did they use the generator before settling on the number to use? Nobody in the history of the world has been satisfied by the FIRST random number generated!
"No....no...no...maybe if it had a '7'. AH! Bingo!" -- Netgear Security Engineer
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
You can bet it's the home phone number of the guy who put in the backdoor in the first place. What better way to reward an employee for putting a backdoor in their product?
Man this sucks. I've got an FVS318. While, thankfully it's not the router that is the cause of this particular ruckus, it's a Netgear product.
I like it. It's a very solid, reliable firewall/router. I've had it for a number of years now, and Netgear to this day continues to put out new firmware updates that not only fix bugs, but implement new features. It works well, and I always liked it better than my friend's Linksys.
But this whole crisis makes me really really leery... How do I know there isn't a backdoor in my firewall/router as well? The fact is, now I don't.
Getting a Linksys that can run a custom Linux distribution becomes more appealing every single day. This may be what finally pushes me over the edge.
Bryan
I know this is a troll but I can't resist.
So the problem is that, because they use Linux, they leave plain text passwords in the firmware? Along with that, people can find the backdoors easily, meaning that it's not just the 1337 hax0rs who know about it, which means that you as a consumer can stay safe about it by researching the products you buy?
Speak truth to power.
Seems to me that 41036, along with 41091 and a few other 5 digit strings beginning with 41 were once relegated to local loop testing. IIRC dialing 40136 then hanging up, would give you a natural ring, just like a real incoming phone call. 40191 would give short and long rings. This was many years ago in the early '70s and in a Canadian area code.
Can anyone else confirm my remembrances?
Don't talk bad about Win-95. I have an old machine with a Hayes 56k external. The computer runs Win95 loaded from about 12 floppy disks and has never been patched. I don't try to load the latest software or do any updates/upgrades except the virus and firewall.
It never, never, never crashes or has a problem of any kind. (Well, it will crash if I run Netscape and ACDSee and Photoshop at the same time - so I don't.) I use it for all my "emergency" needs when my new fast gee whizz tiger will not run a program I need.
I often wonder what MS could have done if they had fixed the few problems in W-95 instead of making everyone pay more and more for upgraded bloatware.
I wonder if the SBC Netgear uses has a JTAG
port. The CPU and memory available on the
premium version of the product has (IMO)
enough capabilities for an embedded install
of OpenBSD (preferably Ver. 3.4 or 3.5).
Anyone know of any efforts along this line?
"If the EULA does get in the way then
...
I think it's time the government stepped in to protect the consumer and started making companies liable for acts as stupid as this."
Let's see...
if the EULA (which was enacted by the government to protect big businesses) gets in the way (of punishing big businesses) then the government (which wanted to protect big businesses) should take action
bwaahahahaha
I recently bought several 24 port switches off of ebay. There was no way to reset the password, but calling up tech support, and providing a small amount of proof that I did in fact buy these switches, they provided me with the backdoor username/password.
:(
It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.
This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too
It's actually the phone number of the guy who disclosed this backdoor!!!
He's not talking bad about Win95, he's ridiculing Win ME, which arguably was one of the worst "upgrades" in OS history - so "fixing Win95 with WinME" actually means making the system more unstable and bloated.
Posting this AC because I'm ashamed of publicly admitting that I actually paid for WinME and even used it for a few months...
I think the "backdoor" is just a user/pass entry in some config file (like a
11*43+456^2
>
> But if they Händler zurückzubringen , and the purchase price zurückzufordern... we are DOOMED!
ACHTUNG! ALLES SLASHENTROLLERS!
Der WLAN-Access-Point WG602 is nicht fur surfen das Internet! Is easy schnappen der springenverk, blowenfus, remotexploiten, und owninatin mit spitzensparken. Der Firmwaren WG602 is night fur geverken by das dumpkopfen Netgear! Relaxen Händler zurückzubringen der purchase price zurückzufordern und given das moddenpoints.
In a related story, Netgear has announced the formation of a new security division, formed with ex-Microsoft employees...
There is an existing IETF internet draft on this very subject. Located here.
(This would probably violate 2.12.9, "No default passwords").
A friend of mine is mapping the surrounding cities for WLAN access ports... though not merely "open" WLANs, but open routers. T-Online/Telekom, the monopolist here in Germany, gives out their routers in a plug&play fashion with a default 'password' of 0000 (no username, nothing) in tradition of the electronic phone devices they were selling since the 1970s, since when the default pass code was always 0000. All you need to do is log into these Access points with a webbrowser using (running on port 80, even, address 192.168.1.1 IIRC), and you can retrieve all the info necessary to hijack the person's internet account. As many people have a volume based billing model for their DSL over here, you can cause a lot of damage this way, and never be found. The routers have an annoying (though somewhat sensible) Anti-Theft feature - they won't dial in automatically if they are stolen (i.e. are disconnected from their power supplies), meaning you have to reset them to factory defaults if you don't know the code. Fortunately, their WLAN routers, unlike many older devices, do accept alphanumeric passwords nowadays.
It's more than just the mere fact of the backdoor. It's the amateur way they coded the backdoor. They found the strings in plaintext after gunzipping the image file. And to further insult our intelligence, they changed the password and left it coded the same way thinking we're too dumb to find the new one. There's no obfuscation at all except for the gzipping. Linux and open source make no difference here. You can at least give some credit to a well hidden backdoor. What's disturbing is their naive, amateur approach to security.
These are consumer grade devices. If you want those kind of guarantees, don't buy consumer grade devices. I'm sure Cisco will be happy to sell you a router for $100,000 with all kinds of guarantees. Personally, I'll take the $60 Netgear and live with the occasional security flaw (and I won't run wireless, it's just not that hard to string ethernet cables, but I digress).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
The first rule to Password is there is no Password! Okay, lame Fight Club reference.
Someday, somebody from Netgear is going to have to explain that to a judge and jury. And it's not going to go over well. Once might be considered ordinary negligence. But the second time moves it into the "gross negligence" category: "an act or omission in reckless disregard of the consequences affecting the life or property of another."
Um, you can't whoremonger karma when you're anonymous.
Ah, what the hell... In Soviet Russia, whore's karma you! Yeah, that's even funnier than a karma whore cluster. And I for one welcome our new anonymous karma whoring overlords!
I wonder what DC Comics (and the other owners?) have to say about NetGear using their copyrighted character in a commercial product ?
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
Congratulations on the lobotomy!
I would think under current laws that installing an undisclosed backdoor onto someone else's property would be akin to using a trojan to allow access to another's system. Just because they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
"Given enough eyes, all obscurity is shallow" ?
Heck, where is the story? I've only seen this at slashdot and the few media articles it links to.
I mean, I can turn on my nightly news and hear about "getting ripped off at the dry cleaners? Let our investigative unit show you how!" but when your personal home network with all your work, personal stuff, family photos, etc are now open to the world because of some backdoor it's like it's no big deal.
It seems like until someone writes a worm to really screw these people over, no one is going to care. And I'm sure lots of people are testing worms as we speak.
The larger issue here is the complete disregard for security. A backdoor should never be installed. The firmware reset is more than enough to get back to the default settings. So what if you lose your "settings." That's the price of losing your password info or buying a shoddy product.
I can't believe my ears when i hear about backdoors, especially from companies like Cisco. What are we telling the industry, that we'll roll over for whatever they do? Are we telling the government that their next USA PATRIOT act might as well have mandatory Ashcroftian backdoors because corporate america is apathetic to security?
It's mind-boggling. I hope a Netgear gets equated with untrustworthiness and falls from their market position.
It's a shame this number isn't prime, unlike Jenny's.
He who laughs last is stuck in a time dilation bubble.
...for copyright violation. Lois Lane is planning to sue because the password is her phone number.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
Congratulations, you just violated the DMCA by posting a circumvention to the security of the device in question to /. - there's a special place in the federal pound-me-in-the-ass prison just for you!
Well 21241036 is _almost_ my phone number here in the US. Whom do I sue?
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
As flamebait as it may sound, it's worth mentioning that Netgear DID recently begin outsourcing to support & software development to India. This "patch" seemed like a particularly Indian way of solving the problem, so, I looked into it..sure enough. Go Google it for yourself.
Jenny's is really 876-5309 ;p
One that exploits a fairly recently-discovered hole. One that first attempts to connect to insecure machines, but if it fails to connect to a machine, it then attempts to use the known Netgear backdoor as a passthrough method.
The fallout from that would be absolutely delicious.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Just checked my router: :(
1.715 fixes the superman (what is it now??)
1.714 appears to have changed super > superman (I can confirm the superman account worked)
1.5?? had the "super" account vulnerability. again I did confirm that this firmware had this backdoor.
Netgear have now removed the 1.714/1.5?? firmwares from the site.
I only hope that they have actually fixed this!!
It's a front door. With the key in the knob. And a sign that reads, "Yes, we're OPEN".
If Netgear has a way to change the password on this backdoor, wouldn't the best fix be to let the owners of this box know how to do this, so that the owners can set their own individual passwords?
I sent them a support inquiry asking if the problem was also present in their MR814 router. Here's part of their reply:
"The problem that the WG602 has, was not meant as a venerability."
I assume the individual meant "vulnerability". That's mighty fine. But why would I care what the original intent was? That they even think they are right in creating such a backdoor is ridiculous.
Well, what can you expect from the guys that pointed all their routers' NTP clients to the Univ. of Wisconsin? And they still try to hide their stupidity labeling the firmware fix as "NTP improvements". Give me a break!
Enough said. Time to go buy Wi-Fi from someone else.
"If I let someone hack your box will my login still be superman?
If I let them in my backdoor will I still be supporting your LAN?"
- Almost a song. (I didn't say a good one)
and it was good.
Takata/Highland industries used to make the entire airbag supply for the north american market (and a few european manufacturers) here in Cheraw, SC. Now the plant's in the process of shutting down and moving to Mexico. My point is, they're already blue, IIRC from my school field trip last year.
I go to Madison (Engineering major), and I read in the school newspapers last school year (2003-2004) that Netgear is giving something like $50,000 dollars to the DoIT (Department of Information Technology) folks. (DoIT handles the school network, public computers, labs, and so on). So that's pretty much cleared up. Of course, the school newspapers didn't mention that Netgear had flooded the U's time server, but made it seem that because this U rocked so much, they decided to give the money.....
Actually, considering that last number was the phone for the OEM company...
It's probably a phone number in Taipei. Those start with 2 and have 8 digits. Unfortunately I don't really want to call to find out...
If anybody is bored enough: call 886-2-2124-1036 and see who answers. Speaking Mandarin might be an advantage in this case.
Maybe somebody could make a program where:
- User opens program
- User points program to firmware file
- Program opens firmware file and replaces the hardcoded passwords with gobbledygook that is different each time the program is run
- Program writes new firmware to disk
- User reflashes router with firmware patched by program
This seems like a good potential short-term solution to me...
Karma: Excellent (fuck, even in the future moderation doesn't work!)
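The program proposed in the post above, combined with the observation elsewhere in the thread that the credentials sit in plaintext once the image is gunzipped, as an added example (not code from any poster, from Netgear or from Heise). It assumes the firmware is a container with an embedded gzip member; the sample image and the function names are constructed for illustration, and a real image's header checksums and length fields would still have to be recomputed before flashing.

```python
import gzip
import secrets
import string
import zlib

GZIP_MAGIC = b"\x1f\x8b\x08"  # gzip ID bytes followed by the deflate method
# Account names and password quoted in this thread (old and "fixed" firmware).
KNOWN_CREDENTIALS = [b"superman", b"21241036", b"super"]


def find_gzip_streams(image):
    """Yield (offset, compressed_length, plaintext) for each gzip member."""
    pos = image.find(GZIP_MAGIC)
    while pos != -1:
        inflater = zlib.decompressobj(wbits=31)  # 31 selects the gzip wrapper
        try:
            plain = inflater.decompress(image[pos:])
            complete = inflater.eof
        except zlib.error:  # the three magic bytes occurred by coincidence
            complete = False
        if complete:
            used = len(image) - pos - len(inflater.unused_data)
            yield pos, used, plain
            pos = image.find(GZIP_MAGIC, pos + used)
        else:
            pos = image.find(GZIP_MAGIC, pos + 1)


def audit(image, credentials=KNOWN_CREDENTIALS):
    """Return the credentials present as NUL-terminated C strings, sorted."""
    hits = set()
    for _, _, plain in find_gzip_streams(image):
        hits.update(c for c in credentials if c + b"\0" in plain)
    return sorted(hits)


def _random_token(length):
    alphabet = (string.ascii_letters + string.digits).encode()
    return bytes(secrets.choice(alphabet) for _ in range(length))


def scrub(image, credentials=KNOWN_CREDENTIALS):
    """Return a copy of image with every credential overwritten in place."""
    out, cursor = bytearray(), 0
    for offset, used, plain in find_gzip_streams(image):
        patched = plain
        for cred in credentials:
            # Same-length replacement keeps all other offsets in the binary
            # valid; the token is never stored or shown, so no one can use it.
            while cred + b"\0" in patched:
                token = _random_token(len(cred)) + b"\0"
                patched = patched.replace(cred + b"\0", token, 1)
        member = image[offset:offset + used]
        if patched != plain:
            member = gzip.compress(patched, mtime=0)
        out += image[cursor:offset] + member
        cursor = offset + used
    return bytes(out + image[cursor:])


def build_sample_image(username=b"superman"):
    """Constructed stand-in for a firmware file: header, gzip payload, trailer."""
    payload = (b"\x7fELF" + bytes(32) + b"admin\0" + username + b"\0"
               + b"21241036\0/etc/httpd.conf\0" + bytes(64))
    return b"FWHDR\x01\x00\x00" + gzip.compress(payload, mtime=0) + b"TRAILER!"


if __name__ == "__main__":
    firmware = build_sample_image()
    print("before:", audit(firmware))
    print("after: ", audit(scrub(firmware)))
```

Overwriting the strings only disables a backdoor that compares against them; it does not remove the login code path itself, which is why several posters ask for a real fix instead.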
That's the combination on my luggage!
paintball
I used to purchase and recommend Netgear products.
If this story is true about how they handled the backdoor issue (by replacing it with another backdoor) then I will never buy or recommend their products again.
Yeah, they didn't even use rot13.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
This article is my 'box of toothpicks'. I must now build a house inside-out so as to enclose the World in the asylum that it belongs in.
...selling wireless routers with encryption turned off by default and DHCP turned on by default.
Not necessarily.
If their code isn't linked to GPL code (and just running on the same box), they can use code of whatever license they like.
I agree that router manufacturers have a black history here *cough* Linksys *cough* of swiping code from Linux and then ignoring license terms.
May we never see th
Sounds like you are talking about something like Keyring. One password lets you decrypt a bunch of other passwords stored on the device.
I guess you could say they are bound in darkness too because they are encrypted and useless without the main password, which "finds" them all.
In my day, the grease-on ben-tra ran like grease on a pan - that had been burned in place and left there for weeks. Our grease-on ben-tra had a zero to sixty time of sixty seconds, and couldn't steer without rattling like the bones of Buddy Holly. Fuel efficiency? That thing drank like an ex army sergeant. And it broke down more often than Tammy Faye. Often times we would be driving it to the shop, and it would break down again on the way. You'd hook it up to the tow truck because of a broken front wheel and the rear axle would crack. Load it on the back, and the bumper would fall off. That thing wasn't a deathtrap: deathtraps have moving parts.
Hope you like it. Have fun with your car!
(note: it was an '86. I've heard they have gotten better.)
The ______ Agenda
It seems the regional offices are less than helpful in some countries, but the australian site is exemplary.
Anyone had any bad experiences with them?
Q. YMMV
Insert Signature Here
speak "friend" and enter
(one password for everyone)
Patch the appropriate part of the code, and change the userid to a sequence of carriage return/linefeeds. ?
It's obvious to all but the most brain-dead that the GP is familiar with the song, and has changed the lyrics to fit the "in Soviet Russia" paradigm.
Bet they just lost all their customers. At least the smart ones.
I don't get your sig, isn't the "/" symbol either a door or an arrow? So if it's a door then there is no wall either side of it...
If they made a movie of your life, would anybody buy a ticket?
Great, that's exactly what I need just before my death: a blue screen of death! On the other hand, I always suspected that my last words would be "Damn you, Bill Gates!"
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Ok, bad analogy - I thought of a better one.
If you buy a "consumer" level safe as a place to store your valuables, the safe company will, in most cases, not reimburse you for the items stolen from it. What you are buying is a reasonably secure place to store your valuables. You can be reasonably sure that, while it is possible for someone else to open the safe, it will be very difficult.
Then you find out that your model of safe has a backdoor combination. Now, it seems you would argue that, because the company didn't advertise it didn't have a "super" combination, they haven't really done anything that bad. Besides, the main purpose of a safe is to store things - and it can still be used for that purpose, right? And only someone who is fully aware of the super combination, AND aware that you have a safe AND is a criminal at heart would even care.
I say there should be a reasonable assumption of security, and if they can't fix the lock, they should replace the entire safe. It doesn't matter if I've been harmed due to the product's flaw, it matters that I spent money on a product that was supposed to keep me reasonably secure.
While many people don't put security as their first priority in buying a router, the principle is the same - those people with the "combination" can use your network. You should be reasonably certain that there are safeguards. You understand that encryption can be broken, that people might still be able to "break into" your network, but you have made a reasonable effort to prevent that.
I don't think there are any wireless networking products, especially routers, that don't advertise they are secure, or offer a reasonable assumption of security. I don't see how you can call a recall "wildly disproportionate" when it is, in fact, exactly proportionate. So maybe "buy back" is not really that appropriate, but they should replace every single defective unit - and if they don't have a satisfactory product, then they *should* buy them back and allow the consumers to choose another one.
Stupid sexy Flanders.