Slashdot Mirror


Netgear's Amusing "fix" for WG602v1 Backdoor

An anonymous reader writes "Recently Slashdot reported that the Netgear router has a WLAN backdoor. According to this report by the news service of the German publisher Heise, Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'."

13 of 515 comments

  1. Not funny at all by Ckwop · · Score: 4, Interesting

    I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though I'm not even sure that's possible due to the EULA. If the EULA does get in the way then I think it's time the government stepped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.

    Simon.

  2. Binary Edit by HogGeek · · Score: 4, Interesting

    I'm wondering if one could use something like bvi to change the username and password to something private.

    I've done it with other types of binary files, but never tried with firmware.

    Anyone try this?

    1. Re:Binary Edit by MrBlue VT · · Score: 5, Interesting

      I have an earlier Netgear product (RT314). It's actually a rebranded Zytel product, so this trick may not work on other models.

      However, it was possible to edit the firmware in a binary editor. There was a checksum in the firmware, but you could fix it. You needed to connect a serial cable to the management port. When you made a change and uploaded the new firmware to the router and rebooted, the router would helpfully tell you what the old checksum was and what it expected the new checksum to be. You could then just search for the old checksum string and replace it with the new one the router calculated for you.

      Pretty easy to do. And allowed you to run some of the newer Zytel firmware on the Netgear boxes.

  3. Reputation damage by SamiousHaze · · Score: 4, Interesting

    I am so irritated I don't know what to say. Seriously, how can Netgear expect people to trust them again? Is there any way to repair their reputation?

  4. full-disclosure hackers knew for a while by Anonymous Coward · · Score: 5, Interesting

    The blackhats that subscribe to

    http://lists.netsys.com/mailman/listinfo/full-disclosure

    knew about this on irc for a while.

    EU via Interpol desires, and US's NSA/NRO both desire various entrypoints.

    Cisco's fiascos may be a trend. This Netgear is only the tip of the iceberg I bet.

  5. Who reads slashdot? by tony_gardner · · Score: 5, Interesting

    I realise that this is a bit redundant, but I read the Slashdot article linked to, and what do I see but:

    Re:Fixed in new firmware, available here: (Score:3, Informative)
    by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
    I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

    (You can find it yourself by just taking similar steps as in the securityfocus article.)

    Maybe reading Slashdot sometimes would be a good idea.

    1. Re:Who reads slashdot? by Chucky B. Bear · · Score: 5, Interesting

      Yeah I hate to say it but told you so!!! ;-) I posted that just before the securityfocus mail. It's funny how this all ended up as a Heise article now. They could've at least given me some credit for finding it.

      I did talk to a Netgear support engineer yesterday and he didn't know what I was talking about, so now I'm still waiting to hear anything back from them.

  6. Supermaning it.... by utlemming · · Score: 4, Interesting

    I am amused. When I saw the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.

    --
    The views expressed are mine own and do not express the views of my employer.

  7. Re:Oops... by div_2n · · Score: 4, Interesting

    My experience with Netgear products has led me to believe their quality has diminished dramatically.

    IANAL, but I seem to recall a lawyer I know telling me that with product liability, a company is liable if due diligence is not performed to fix an issue when a known problem exists. Of course, the trick becomes can you call changing a username and password due diligence? I feel certain every computer expert in the world would say no.

  8. Re:Oops... by Twirlip of the Mists · · Score: 4, Interesting

    Why on EARTH is this not literally considered a criminal offense for a company to do?

    Just how many criminal laws do you think we need? Seriously. Do you think we need another one?

    There's no doubt in my mind that the vendor would be held liable for damages if anybody were harmed--financially I mean--by this kind of thing. But should somebody really go to jail over it?

    Geez. And I thought I was a fascist.

    --

    I write in my journal

  9. Change the fix to something else! by netringer · · Score: 4, Interesting

    Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.

    Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?

    --
    Ever dream you could fly? Get up from the Flight Sim. I Fly
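
A check in the spirit of the question above, added here as an example (not code from the thread or from Netgear): it extracts printable strings from an old and a new firmware image and reports whether strings named in an advisory were removed or merely swapped for new values. The images are constructed samples, `OLDPASSWD` is a placeholder for the old password that the page does not give, and the neighbouring strings and function names are assumptions.

```python
import re
from difflib import SequenceMatcher


def build_image(user: bytes, password: bytes) -> bytes:
    """Constructed sample image (not real firmware): NUL-separated strings."""
    parts = [b"NETGEAR WG602", b"/cgi-bin/login", user, password, b"admin.html"]
    return b"\x00\x01" + b"\x00".join(parts) + b"\xff"


# "super", "superman" and "21241036" are the values quoted in the story;
# OLDPASSWD is a placeholder, the old password is not on the page.
OLD_IMAGE = build_image(b"super", b"OLDPASSWD")
NEW_IMAGE = build_image(b"superman", b"21241036")


def extract_strings(image: bytes, min_len: int = 5) -> list:
    """Printable-ASCII runs in file order, like strings(1)."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(image)]


def audit_fix(old_image: bytes, new_image: bytes, reported: list) -> dict:
    """Compare string tables of two images for the reported strings."""
    old, new = extract_strings(old_image), extract_strings(new_image)
    # Exact match only: "super" does not count as present inside "superman",
    # which is why a naive search for the old value looks like a fix.
    still_present = [s for s in reported if s in new]
    swapped = []
    matcher = SequenceMatcher(a=old, b=new, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag != "replace":
            continue  # "delete" means the string is gone, not substituted
        # Pair strings positionally within the replaced run.
        for before, after in zip(old[i1:i2], new[j1:j2]):
            if before in reported:
                swapped.append((before, after))
    return {"still_present": still_present, "swapped": swapped,
            "fixed": not still_present and not swapped}


if __name__ == "__main__":
    print(audit_fix(OLD_IMAGE, NEW_IMAGE, ["super", "OLDPASSWD"]))
```

A string that is deleted outright produces no `swapped` entry, so only an image in which the reported values are gone and nothing took their place is reported as fixed.
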
  10. Re:Oops... by arivanov · · Score: 4, Interesting

    I do.

    In fact I drove all possible candidates for several days before I bought what I have now. It is quite easy. Every time you go on a holiday rent one of the candidates for "next thing to buy". You get to see it in all of its "glory" - lowest spec, run down by tourists and badly maintained. If it is still OK you go and buy it. You may suffer some minor discomfort compared to renting "the old familiar", but you save a lot of money :-)

    I also do the same stuff with computer equipment. Buy, test drive if it is shit - return. It is quite easy to do it in EU due to distance selling regulations. You are entitled to a free return no questions asked of anything you have bought over phone or Internet within 1 week after purchase. This limits you to internet purchases, but once you add this along with observations of company kit you are reasonably well positioned to get the right stuff...

    --
    Baker's Law: Misery no longer loves company. Nowadays it insists on it
    http://www.sigsegv.cx/

  11. Why isn't this illegal. by Holi · · Score: 5, Interesting

    I would think under current laws that installing an undisclosed backdoor onto someone else's property would be akin to using a trojan to allow access to another's system. Just because they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.