Slashdot Mirror
Netgear's Amusing "fix" for WG602v1 Backdoor
An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
I think it's time the government steped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.
Simon.
I've done it with other types of binary files, but never tried with firmware.
Anyone try this?
I am so irritated I don't know what to say. Seriously, How can netgear expect people to trust them again, is there any way to repair their reputation?
The blackhats that subscribe to
i sc losure
http://lists.netsys.com/mailman/listinfo/full-d
knew about this on irc for a while.
EU via interpol desires, and us's NSA/NRO both desire various entrypoints.
cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.
I realise that this is a bit redundant, but I read the slashdot artile linked to, and what to I see but:
Re:Fixed in new firmware, available here: (Score:3, Informative)
by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.
(You can find it yourselve by just taking similiar steps as in the securityfoces article.)
Maybe reading slashdot sometimes would be a good idea.
The firmware is gzip compressed, so you'd need to do a bit more than just use bvi. But I suspect if you extracted the gzip'd portion, edited the firmware, re-gzipped it, put it back in the firmware and updated any crc/md5 checks in there it might work.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
I am amused. When I say the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.
The views expressed are mine own and do not express the views of my employer.
Was anyone else reminded of some of Mitnick's work where he'd call the manufacturer of the equipment to get the backdoor password? That most of the people using it didn't even know it had? And they gave it to him over the phone...
I am disrespectful to dirt! Can you see that I am serious?!
My experience with Netgear products has led me to believe their quality has diminished dramatically.
IANAL, but I seem to recall a lawyer I know telling me that with product liability, a company is liable if due diligence is not performed to fix an issue when a known problem exists. Of course, the trick becomes can you call changing a username and password due diligence? I feel certain every computer expert in the world would say no.
Why on EARTH is this not literally considered a criminal offense for a company to do?
Just how many criminal laws do you think we need? Seriously. Do you think we need another one?
There's no doubt in my mind that the vendor would be held liable for damages if anybody were harmed--financially I mean--by this kind of thing. But should somebody really go to jail over it?
Geez. And I thought I was a fascist.
I write in my journal
By issuing this form of a fix, Netgear is stating that they are not just incompetent, they are deliberately so, and they think everybody else is as stupid as they are. I've rarely seen such negligence and contempt for customers. Well, not that rarely: The Winnuke Patch
Now, I'm not going to even start discussing whether the product *should* have a backdoor. There are many reasons for including them, and many obvious reasons to not.
What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revokation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).
Ok, everyone read the following carefully:
The parent of this comment is a troll. It contains the spurious phrase: 'Michael Sims reports a large opening in his backdoor for all to use', which is certainly not in the original article.
Got that? Read the parent, see the line (it is the second to last line in the parent). Did you mod that comment as Informative? Then you should be ashamed of yourself.
Why do people mod comments if they haven't read them? Seems like a very perversive kind of logic indeed.
I hear there's rumors on the Slashdots
Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.
Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
Ever dream you could fly? Get up from the Flight Sim. I Fly
I don't know either but you could try the existing known accounts for yourself on your own router. This won't help if a backdoor is there with different credentials but provide piece of mind that the two well known ones either do or do not work.
Getting off topic here but the main advantage of full disclosure with bugs and similar issues like this is you have the ability to verify and test for yourself. Sure beats getting an email that a patch is available and you have no idea what it fixed or how it fixed it.
Bad boys rape our young girls but Violet gives willingly.
Now maybe there are some firmware versions out there that have these vulnerabilities, but I haven't been able to confirm either report and am beginning to wonder whether any of these stories are true. Of course, my standard practice of getting the latest firmware when I buy some equipment may have shielded me from these problems, and there are probably plenty (fools?) out there that don't do this and may have opened themselves up. But to see two vulnerability reports I cannot confirm makes me wonder whether this is some sort of disinformation campaign.
I look at the comments on this thread and am amazed that the supposedly technically competent can rush to judgement so quickly and with so little evidence. Were this to hit the mainstream media, can you imagine how this could change the marketplace, even if the report isn't true?
Maybe I should be buying some Cisco stock...
How can you be sure that the backdoor ID to your gear isn't batman and that the passward isn't 46386124? I realize that any proprietary software can have backdor passwords in it. Netgear has shown that at least one of their products has a backdoor. When Netgear was given the chance to act horrified that somebody put a backdoor in one of their products and remove it, they decided to just change the backdoor name and password. This gives me LOTS of confidence in the security awareness of Netwgear products. You are trusting the security of your wireless connectivity to a company that knowingly maintains a backdoor in at least one of it's products.
Good point. It is the fact that something is by most anyone's notion "unfixable" by the average end user to protect themselves that makes it so disagreeable in our eyes. It seems a bit like a car company recalling cars because of faulty parts then replacing those faulty parts with other faulty parts.
As consumers we can, and do, put our money where our mouths are. Fine indeed. At what point though are companies really held accountable? Much later to their shareholders for dropped profits? No one will ever tie the two events together.
I agree it may be a bit over the top to say criminal offense, but at some point, at some point, this type of product negligence really is just that.
And then one day you find, ten years have gone behind you....
Over the weekend I purchased a Linksys wireless G "router" for my sis and brother-in-law and searched for an updated firmware. I was surprised to not find one. The last Linksys firmware is 2.02.7 from 3/17/2004. I would have bet money that Linksys would have a fix before Netgear did, especialy with Cisco being the parent company. At least Netgear made a shoddy attempt to fix their problem.
I boycott signatures
The interesting thing about liability is that if they have some control over your routers, then you can hold them more liable than if they had no control. Further, now that everyone knows they can 'dial in' then hopefully customers will pester them to fix their products remotely instead of spending hours on the phone. In the end a backdoor is *much* more work than a product without one.
Silly programmer, backdoors are for script kiddies.
-Adam
I do.
:-)
In fact I drove all possible candidates for several days before I bought what I have now. It is quite easy. Every time you go on a holiday rent one of the candidates for "next thing to buy". You get to see it in all of its "glory" - lowest spec, run down by tourists and badly maintained. If it is still OK you go and buy it. You may suffer some minor discomfort compared to renting "the old familiar", but you save a lot of money
I also do the same stuff with computer equipment. Buy, test drive if it is shit - return. It is quite easy to do it in EU due to distance selling regulations. You are entitled to a free return no questions asked of anything you have bought over phone or Internet within 1 week after purchase. This limits you to internt purchases, but once you add this along with observations of company kit you are reasonably well positioned to get the right stuff...
Baker's Law: Misery no longer loves company. Nowadays it insists on it
http://www.sigsegv.cx/
The firmware for this box (or at least some of it) is offered for download on Netgear's site. I'm looking through the source, but I haven't seen anything relevant yet.
Has anyone seen where the backdoor is coded into the system? (Hint: if it's NOT in the source anywhere, Netgear is violating GPL here).
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
Man this sucks. I've got an FVS318. While, thankfully it's not the router that is the cause of this particular ruckus, it's a Netgear product.
I like it. It's a very solid, reliable firewall/router. I've had it for a number of years now, and Netgear to this day continues to put out new firmware updates that not only fix bugs, but implement new features. It works well, and I always liked it better than my friend's Linksys.
But this whole crisis makes me really really leary... How do I know there isn't a backdoor in my firewall/router as well? The fact is, now I don't.
Getting a Linksys that can run a custom Linux distribution becomes more appealing every single day. This may be what finally pushes me over the edge.
Bryan
Not as far as I know, but if I were a business I wouldn't have to have actual damages from an attacker to claim that I had to take my computers offline while the security risk was fixed, therefore costing my business an estimated $X.
Stupid sexy Flanders.
Seems to me that 41036, along with 41091 and a few othewr 5 digit strings beginning with 41 were once relegated to local loop testing. IIRC dialing 40136 then hanging up, would give you a natural ring, just like a real incomming phone call. 40191 would give short and long rings. This was many years ago in the early 70' and in a Canadian area code.
Can anyone else confirm my rememberances?
Really, isn't there something slightly immoral, possibly illegal about putting a backdoor into your product that allows anyone access to it, with no way to disable it, and THEN, when you are caught, you blame "the vendor that packaged the device for" you, and THEN you release a patch that claims to fix the backdoor, but really just leaves it there with a different password?
-no broken link
I recently bought several 24 port switches off of ebay. There was no way to reset the password, but calling up tech support, and providing a small amount of proof that I did in fact buy these switches, they provided me with the backdoor username/password.
:(
It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.
This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too
Agreed. I like to use the pair of pants example. I can pick up a pair of pants and see what it's made of; the quality of the stiching, weither it's double or triple stiched, the quality of the fabric, dye, etc. Even with military camo, you've got different patterns, different fabrics and synthetics, etc.
When I go down to the military surplus store, I can refuse to buy clothing wrapped in boxes and bags, because I don't get to see them. Instead, I go to the shelves and take a good look at what's on the shelf.
When I head down to the store to pick up a router, however, I'm only told which standards it's complaint with, not what it's capable of doing. I can't see the soldering, the capacitor branding, the capacitor capacitance tolerance and what range that tolerance is in. I can't take a look at the source to know weither or not someone can get in.
Inotherwords, all the pants in the military surplus store are in boxes I can't, by law, open up. I can use the pants, I just can't inspect them for flaws. I can see the box is labeled "surplus military pants 30/70, Chocolate chip camo pattern" but I can't open up the box to see.
CEO's just don't care; they want to maximise the profit to their investor, and to do that, they've got to crank out a whole lot of shitty product and sell it super expensive.
Candy-Coated Knowledge
Because it's trivial for the average linux user to debug the original router application, which may or may not come with source code, fix it, cross-compile onto a RISC arch, etc, ...
Someday, somebody from Netgear is going to have to explain that to a judge and jury. And it's not going to go over well. Once might be considered ordinary negligence. But the second time moves it into the "gross negligence" category: "an act or omission in reckless disregard of the consequences affecting the life or property of another."
I would think under current laws that installing an undisclosed backdoor onto someone elses property would be akin to using a trojan to allow access to anothers system. Just becaujse they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Yeah, I don't think people got it. 70% informative my ass. FWIW, this is the source I used. I don't have the rules of fight club memorized.
I would have swore the first two lines and the last line would have given it away tho.
-no broken link
I did the same thing. Was going to buy a specific car, and my wife and I loved it during the test drive -- so we rented one for a week's road trip. By the end of the first day, we HATED it, and couldn't wait to return it.
We then rented the car we ultimately bought, and it's been so good to us, she's still got the first one, I bought a second one, and I have since traded it in for a high-performance version of the same. Whee!
And no, I'm not going to tell you the cars, but I'll give you a hint: the one we hated rhymes with bored locus, and the one we love (sort of) rhymes with grease-on ben-tra. Hard to rhyme with car names that are invented words. Heh.
Maybe somebody could make a program where:
- User opens program
- User points program to firmware file
- Program opens firmware file and replaces the hardcoded passwords with gobbleygook that is different each time the program is run
- Program writes new firmware to disk
- User reflashes router with firmware patched by program
This seems like a good potential short-term solution to me...Karma: Excellent (fuck, even in the future moderation doesn't work!)