Slashdot Mirror

← Back to Stories (view on slashdot.org)

Netgear's Amusing "fix" for WG602v1 Backdoor

Posted by CmdrTaco on from the get-your-giggle-on dept.

An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "

21 of 515 comments (clear)

  1. Not funny at all by Ckwop · · Score: 4, Interesting

    I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
    I think it's time the government steped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.

    Simon.

  2. Bianry Edit by HogGeek · · Score: 4, Interesting
    I'm wondering if one could use something like bvi to change the username and password to something private.

    I've done it with other types of binary files, but never tried with firmware.

    Anyone try this?

    1. Re:Bianry Edit by MrBlue+VT · · Score: 5, Interesting

      I have an earlier Netgear product (RT314). It's actually a rebranded Zytel product, so this trick may not work on other models.

      However, it was possible to edit the firmware in a binary editor. There was a checksum in the firmware, but you could fix it. You needed to connect a serial cable to the management port. When you made a change and uploaded the new firmware to the router and rebooted, the router would helpfully tell you what the old checksum was and what it expected the new checksum to be. You could then just search for the old checksum string and replace it with the new one the router calculated for you.

      Pretty easy to do. And allowed you to run some of the newer Zytel firmware on the Netgear boxes.

  3. Reputation damage by SamiousHaze · · Score: 4, Interesting

    I am so irritated I don't know what to say. Seriously, How can netgear expect people to trust them again, is there any way to repair their reputation?

  4. full-disclosure hackers knew for a while by Anonymous Coward · · Score: 5, Interesting

    The blackhats that subscribe to

    http://lists.netsys.com/mailman/listinfo/full-di sc losure

    knew about this on irc for a while.

    EU via interpol desires, and us's NSA/NRO both desire various entrypoints.

    cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.

  5. Who reads slashdot? by tony_gardner · · Score: 5, Interesting

    I realise that this is a bit redundant, but I read the slashdot artile linked to, and what to I see but:

    Re:Fixed in new firmware, available here: (Score:3, Informative)
    by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
    I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

    (You can find it yourselve by just taking similiar steps as in the securityfoces article.)

    Maybe reading slashdot sometimes would be a good idea.

    1. Re:Who reads slashdot? by Chucky+B.+Bear · · Score: 5, Interesting
      Yeah I hate to say it but told you so!!! ;-) I posted that just before the securityfocus mail. Its funny how this all ended up as a Heise article now. They could've at least given me some credit for finding it.

      I did talk to a netgear support engineer yesterday and he didn't know what I was talking about, so now I'm still waiting to hear anything back from them.

  6. Supermaning it.... by utlemming · · Score: 4, Interesting

    I am amused. When I say the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.

    --
    The views expressed are mine own and do not express the views of my employer.
  7. Sound familiar? by merlin_jim · · Score: 3, Interesting

    Was anyone else reminded of some of Mitnick's work where he'd call the manufacturer of the equipment to get the backdoor password? That most of the people using it didn't even know it had? And they gave it to him over the phone...

    --
    I am disrespectful to dirt! Can you see that I am serious?!
  8. Re:Oops... by div_2n · · Score: 4, Interesting

    My experience with Netgear products has led me to believe their quality has diminished dramatically.

    IANAL, but I seem to recall a lawyer I know telling me that with product liability, a company is liable if due diligence is not performed to fix an issue when a known problem exists. Of course, the trick becomes can you call changing a username and password due diligence? I feel certain every computer expert in the world would say no.

  9. Re:Oops... by Twirlip+of+the+Mists · · Score: 4, Interesting

    Why on EARTH is this not literally considered a criminal offense for a company to do?

    Just how many criminal laws do you think we need? Seriously. Do you think we need another one?

    There's no doubt in my mind that the vendor would be held liable for damages if anybody were harmed--financially I mean--by this kind of thing. But should somebody really go to jail over it?

    Geez. And I thought I was a fascist.

    --

    I write in my journal
  10. learned their security strategy from microsoft by straponego · · Score: 3, Interesting

    By issuing this form of a fix, Netgear is stating that they are not just incompetent, they are deliberately so, and they think everybody else is as stupid as they are. I've rarely seen such negligence and contempt for customers. Well, not that rarely: The Winnuke Patch

  11. Secure Backdoors by DreadSpoon · · Score: 3, Interesting

    Now, I'm not going to even start discussing whether the product *should* have a backdoor. There are many reasons for including them, and many obvious reasons to not.

    What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revokation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).

  12. Change the fix to something else! by netringer · · Score: 4, Interesting

    Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.

    Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
  13. Re:Oops... by stienman · · Score: 3, Interesting

    The interesting thing about liability is that if they have some control over your routers, then you can hold them more liable than if they had no control. Further, now that everyone knows they can 'dial in' then hopefully customers will pester them to fix their products remotely instead of spending hours on the phone. In the end a backdoor is *much* more work than a product without one.

    Silly programmer, backdoors are for script kiddies.

    -Adam

  14. Re:Oops... by arivanov · · Score: 4, Interesting

    I do.

    In fact I drove all possible candidates for several days before I bought what I have now. It is quite easy. Every time you go on a holiday rent one of the candidates for "next thing to buy". You get to see it in all of its "glory" - lowest spec, run down by tourists and badly maintained. If it is still OK you go and buy it. You may suffer some minor discomfort compared to renting "the old familiar", but you save a lot of money :-)

    I also do the same stuff with computer equipment. Buy, test drive if it is shit - return. It is quite easy to do it in EU due to distance selling regulations. You are entitled to a free return no questions asked of anything you have bought over phone or Internet within 1 week after purchase. This limits you to internt purchases, but once you add this along with observations of company kit you are reasonably well positioned to get the right stuff...

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/
  15. Allied Telesyn is the same way by jdew · · Score: 3, Interesting

    I recently bought several 24 port switches off of ebay. There was no way to reset the password, but calling up tech support, and providing a small amount of proof that I did in fact buy these switches, they provided me with the backdoor username/password.

    It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.

    This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too :(

  16. Two words: "gross negligence" by Animats · · Score: 3, Interesting

    Someday, somebody from Netgear is going to have to explain that to a judge and jury. And it's not going to go over well. Once might be considered ordinary negligence. But the second time moves it into the "gross negligence" category: "an act or omission in reckless disregard of the consequences affecting the life or property of another."

  17. Why isn't this ilegal. by Holi · · Score: 5, Interesting

    I would think under current laws that installing an undisclosed backdoor onto someone elses property would be akin to using a trojan to allow access to anothers system. Just becaujse they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
  18. Re:Oops... by DaveJay · · Score: 3, Interesting

    I did the same thing. Was going to buy a specific car, and my wife and I loved it during the test drive -- so we rented one for a week's road trip. By the end of the first day, we HATED it, and couldn't wait to return it.

    We then rented the car we ultimately bought, and it's been so good to us, she's still got the first one, I bought a second one, and I have since traded it in for a high-performance version of the same. Whee!

    And no, I'm not going to tell you the cars, but I'll give you a hint: the one we hated rhymes with bored locus, and the one we love (sort of) rhymes with grease-on ben-tra. Hard to rhyme with car names that are invented words. Heh.

  19. Hm by David_Bloom · · Score: 3, Interesting
    If you owned one of these routers, could you figure out where those strings are then just type in random letters of gobbleygook that are the same lengths, and use it on your own router (not distribute it, because then you'd be giving the pass away :))?

    Maybe somebody could make a program where:

    1. User opens program
    2. User points program to firmware file
    3. Program opens firmware file and replaces the hardcoded passwords with gobbleygook that is different each time the program is run
    4. Program writes new firmware to disk
    5. User reflashes router with firmware patched by program
    This seems like a good potential short-term solution to me...
    --

    Karma: Excellent (fuck, even in the future moderation doesn't work!)