Netgear's Amusing "fix" for WG602v1 Backdoor
An anonymous reader writes "Recently Slashdot reported that the Netgear router has a WLAN backdoor. According to this report by the news service of the German publisher Heise, Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'."
Chalk up another loss for 'security by obscurity'.
dmiessler.com -- grep understanding knowledge
That would be like "fixing" Windows 95 with Windows ME.
"We need a fourth law of Robotics: Stop Fingering My Wife"
Anyway... For those who can't read German, here is the Babelfish translation (kind of).
Hmmm.
Someone somewhere has GOT to be pulling legs...
That is the most stupid thing I think I have ever heard!
FP BTW.
- http://www.milkme.co.uk
I thought the last article said changing passwords was a good idea! Make your minds up.
I jest of course.
----
Well at least sys-admins and network engineers can finally use the login name they think they deserve.
99 bottles of beer in 175 characters
If this is their idea of plugging a security hole then I don't think I will be purchasing any kind of routing equipment from this Mickey Mouse outfit in the future.
I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though I'm not even sure that's possible due to the EULA. If the EULA does get in the way then I think it's time the government stepped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.
Simon.
They may have changed the password, but for someone who wants to hack it they will have 2 choices.
Also, because of /. it will be easy to find in Google now.
This is also not an update that your average user will install.
Seems like someone getting into your computer because you left a sticky note with the password there. So you change the password and put the new one on a sticky on the monitor. What's the point?
Evolution or ID?
They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
And thanks to Slashdot, thus begins an endless stream of firmware updates; every time Netgear "fixes" their problem, I'm sure an article here will put the cycle in motion again. Let's see, who wants to guess what they change the password to next?
"superduperman", anyone?
I've done it with other types of binary files, but never tried with firmware.
Anyone try this?
But that's just me.
I am so irritated I don't know what to say. Seriously, how can Netgear expect people to trust them again? Is there any way to repair their reputation?
... the password is not 12345.
Signatures are for stupids.
Makes you feel real "safe" now, doesn't it?
This looks like a job for.......SUPERMAN!
Now this is very sad. How can any semi-reputable company call changing the admin username and password for a major security hole a fix? Especially since they should have realized this new username/password would hit the net faster than Homer at an all you can eat buffet.
Since these things have built-in firewalls, wouldn't the fix just include a user-invisible firewall rule preventing access to the router on whatever the admin port is (80, 8080, etc.)? Seems like a fairly simple fix to me.
Thanks Netgear! You've just assured that I'll never buy one of your products!
It's better to burn out than to fade away
I couldn't find the exact link at first glance, but this one is a reply to it: http://www.securityfocus.com/archive/1/365292/2004-06-05/2004-06-11/0
I do security. The blackhats that subscribe to full-disclosure (http://lists.netsys.com/mailman/listinfo/full-disclosure) knew about this on irc for a while.
The EU via Interpol, and the US's NSA/NRO, both desire various entry points.
Cisco's fiascos may be a trend. This Netgear one is only the tip of the iceberg, I bet.
disgusting
This is not my opinion. Actually, it's not even an opinion. And I'm nowhere to be seen near it
Netgear reacted to the messages over a Backdoor in the wl to ACCESS POINT WG602 Version1 promptly with a firmware update, however the Backdoor is still present -- this time only with new user name and password. With the name one was a little creative and extended the original character string "super" too "superman". With the password Netgear obviously took forum contributions for the first message of the safety gap seriously and changed the number on 21241036. To whom however this telephone number is to belong, Netgear Germany could not say to us -- there one knew nothing from the new problem and wanted only to make itself once kundig.
An again updated firmware design does not give it yet. Anyway the question arises whether users are still determined after the second Patzer to bring new software in. In opinion of lawyers this problem could quite be reason of enough to return the devices to the dealer and back-demand the purchase price. The salesman can try to improve the lack however the chances stand for it for the moment obviously quite badly.
The companies don't care about the users' security nor personal stuff. I can't believe it. I am glad they don't install alarm systems.
This is totally insecure, but very convenient.
But probably not the next...
Netgear engineer, "Stupid hackers....there is no way they will ever figure out we add man onto the end of super...BAWAWAWAWAWAWAWAAAAA!!!!"
http://jayceecorder.blogspot.com
So, now we also have to boycott Netgear to see them crash and burn for their idiocy in placing our privacy in jeopardy. Fools! Sigh.
A backdoor? We're insecure? This looks like a job for... a random number generator!
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
Does anyone have a translation for those of us who can't read babelfish?
Google's translation: With the password Netgear obviously took forum contributions for the first message of the safety gap seriously and changed the number on 21241036.
In the opinion of lawyers this problem is quite serious.
Google's translation: In opinion of lawyers this problem could quite be reason of enough to return the devices to the dealer and back-demand the purchase price. The salesman can try to improve the lack however the chances stand for it for the moment obviously quite badly.
I realise that this is a bit redundant, but I read the Slashdot article linked to, and what do I see but:
Re:Fixed in new firmware, available here: (Score:3, Informative)
by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.
(You can find it yourself by just taking similar steps as in the securityfocus article.)
Maybe reading slashdot sometimes would be a good idea.
Looks like people with half brains are able to hold on to their jobs over at netgear, so, I want a job where I do not feel compelled to excel at my job, heck, I can lay an egg like this about one every hour.
Hey netgear folks, do you want to hire me ? I promise my ideas will be even lamer than changing "super" to "superman" so your legacy won't be hurt.
One keeps wondering how those ideas actually filter through the chain of command in such a high-visibility issue. Amazing!
__________
The more I know people, the more I love animals
Now the hacker has to figure out which version of the firmware one is running in order to crack the password. And they can't figure that out without logging in. So everyone is safe now.
:-)
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
or does it almost seem easier to read the german version, than read the babelfish translation? Babelfish translations make my eyes bleed and my head hurt ( no offense to parent post )
cat knowledge |grep -v understanding
There is certainly no understanding coming through their pipe.
The firmware is gzip compressed, so you'd need to do a bit more than just use bvi. But I suspect if you extracted the gzip'd portion, edited the firmware, re-gzipped it, put it back in the firmware and updated any crc/md5 checks in there it might work.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
I for one like my whores anonymous. It keeps things simpler...
Oh, what exactly are we talking about again?
"Piter, too, is dead."
First of all, that's not completely verified.
Secondly, it's talking about a completely different (alleged) vulnerability.
I am amused. When I saw the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WiFi device won't have to worry about some wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.
The views expressed are mine own and do not express the views of my employer.
The new password is apparently someone's PHONE NUMBER in Germany! No idea whose, but I gleaned this tidbit by getting a Babelfish translation of the page (orig, in German). For those in the US - Is this the networking equivalent of calling Jenny? (867-5309)
Laws affecting technology will always be bad until enough techies become lawyers.
It's a shame, because Netgear actually has the best wireless products I've tried between netgear, dlink, linksys, and smc.
I've had more stability and success with netgear by far. Luckily I'm not using this particular router.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Netgear has promptly reacted to the reports of a backdoor in the WLAN-Access-Point WG602 Version 1 with a Firmware-Update, however, the backdoor is still present, but with a new user name and password. They were a little creative with the name and extended the original character string "super" to "superman." With the password, Netgear has obviously taken the message of security seriously and changed the password to "21241036." However, to whom this telephone number points, Netgear did not comment. There, they knew nothing and initially only wanted to make themselves aware of the (details of the) problem.
Again, there is not a real updated firmware design yet. The question arises whether users are still determined--after the second patch--to get new software. In the lawyer's opinions, this problem could be reason enough to take back the device to the retailer and receive a refund of the purchase price. For now, the retailer can try to fix the shortcoming, however, the chances of that are not very good.
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
Was anyone else reminded of some of Mitnick's work where he'd call the manufacturer of the equipment to get the backdoor password? That most of the people using it didn't even know it had? And they gave it to him over the phone...
I am disrespectful to dirt! Can you see that I am serious?!
Reading this translation, I couldn't help but think of Klunk, who is probably now working as a technical writer for Japanese instruction manuals.
Vintage computer adverts: http://www.vintageadbrowser.com/computers-and-software-ads
Oops, sorry for the lack of line breaks. Thank God my job doesn't involve HTML formatting....
I recently purchased a Netgear WGT624 v2 so I could have wi-fi at home for my laptop. Does anyone know if this FW/Router also suffers from the same problem? I can't find any info so far, but it doesn't seem unreasonable to me that ALL Netgear products could have similar exploitable backdoors.
Flash is the Herpes of the Internet.
your.opinion >
First of all, we are talking about a Netgear product, so what does Linksys's problem have to do with this? Second of all, if you would bother to read the responses in the article you linked to, you would see that some people have already proved that it's not a hoax with regard to the Linksys product.
If you wanna get rich, you know that payback is a bitch
Maybe they could change the firmware updater itself to randomly change the password, alternately ask the user for a password for the 'super' user. This might be acceptable if indeed it's a hardware flaw and there's no way to simply remove this super user from the system.
I'm just happy my router isn't affected. Why in the world would they do this? They should know we can find out. Sometimes I wonder...
Wait - the false report was about Linksys - NOT about NETGEAR.
SO now the Linksys is ok and the Netgear is not. Someone buy me a program so I can tell the players apart.
The password is '21241036'!
Remember me to change the password of my briefcase.
[Or something like that]
That's for Linksys, not Netgear!
Way to ruin EVERYTHING.
How are we supposed to keep one step ahead of the enemy hackers when /. parades our top secret passcodes around the world for all to see?
Now where are we going to find something as secure as 'superman'?
www.olin.edu
Flawed Routers Flood University of Wisconsin Internet Time Server
http://www.cs.wisc.edu/~plonka/netgear-sntp/
Abstract:
"In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.
Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.
This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities."
By issuing this form of a fix, Netgear is stating that they are not just incompetent, they are deliberately so, and they think everybody else is as stupid as they are. I've rarely seen such negligence and contempt for customers. Well, not that rarely: The Winnuke Patch
..is that they lost the source, and all they could do was to binary patch the firmware image.
;-(.
Sad, but true
(or not)
This is preaching to the choir anyway. Who actually updates the firmware on anything? People who are at least knowledgeable enough to know what firmware is. Those are the same people who probably change the default username and password. Anyone not thinking of firmware updates is also probably too lazy (or not knowledgeable enough) to change the firmware OR the default username/password.
Well, it seems pretty obvious to me... it's supposed to be there.
This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.
Now, I'm not going to even start discussing whether the product *should* have a backdoor. There are many reasons for including them, and many obvious reasons to not.
What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revocation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).
That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.
And now we are even trying to slashdot phone lines...
Where will it end?
# cat
Damn, my RAM is full of llamas.
Ok, everyone read the following carefully:
The parent of this comment is a troll. It contains the spurious phrase: 'Michael Sims reports a large opening in his backdoor for all to use', which is certainly not in the original article.
Got that? Read the parent, see the line (it is the second to last line in the parent). Did you mod that comment as Informative? Then you should be ashamed of yourself.
Why do people mod comments if they haven't read them? Seems like a very perverse kind of logic indeed.
I hear there's rumors on the Slashdots
Because when I port scan it, nothing responds.
The man who trades freedom for security does not deserve nor will he ever receive either. - Benjamin Franklin
Though Netgear reacted promptly with a firmware update to the news of a backdoor in the WLAN access point WG602, the backdoor is nevertheless still present -- this time with a new username and password. The name was handled with little creativity, extended from the original string "super" to "superman". In the case of the password, Netgear had obviously taken forum discussion [the link is a post by someone who used a hex editor to change the password to their phone number] of the first news of the security hole to heart and changed the number to 21241036. To whom this phone number belongs, though, Netgear Germany could not tell us -- they had not heard of the new problem and wanted to look into it first.
There is not yet a newly updated Firmware version. Anyways, there is the question of whether users will still be willing after this second screw-up to install new software. In the opinion of lawyers this problem could be quite sufficient ground to return the devices to dealers and demand a refund. The vendor can certainly try to touch up the deficiency, though at the moment the chances of that are obviously quite poor.
"If you look 'round the table and can't tell who the sucker is, it's you." -- Quiz Show
I feel sorry for the person whose number that is. You just know that all German Slashdotters will be dialling that now.
Philip
Signatures are broken
Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.
Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
Ever dream you could fly? Get up from the Flight Sim. I Fly
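The procedure the comments above describe (find the gzip member inside the image, locate the plaintext credential strings, overwrite them, recompress, and redo the CRC) as an added example, not code from this thread or from Netgear. The container layout here (a 4-byte magic, a big-endian payload length, the gzip member, a CRC32 trailer) is a hypothetical format invented so the script runs offline; real Netgear images have their own header and check, so read the bootloader's verification routine before flashing anything built this way. The 'super'/'superman'/'21241036' strings and the sample payload are constructed for the example. Rather than a new typeable password, the credentials are overwritten with random high bytes (no NUL, no printable ASCII), which is the variant one commenter suggests; the closing check shows the strings are gone from the image, but the account code path is untouched, which is exactly why swapping credentials is not a fix.

```python
"""
Added example: find and neutralise plaintext credentials inside a
gzip-compressed firmware payload, then rebuild the image checksum.
The container format below is hypothetical (made up for this example);
the sample payload and credential strings are constructed.
"""
import gzip
import os
import re
import struct
import zlib

MAGIC = b"NGFW"                  # hypothetical container magic
HEADER = struct.Struct(">4sI")   # magic + length of the gzip member
KNOWN = (b"super", b"superman", b"21241036")   # strings from the reports


def build_image(payload: bytes) -> bytes:
    """Wrap a raw kernel/filesystem blob: header, gzip member, CRC32 trailer."""
    body = gzip.compress(payload, mtime=0)
    head = HEADER.pack(MAGIC, len(body))
    return head + body + struct.pack(">I", zlib.crc32(head + body))


def parse_image(image: bytes) -> bytes:
    """Verify the trailer CRC32 and return the decompressed payload."""
    magic, length = HEADER.unpack_from(image)
    if magic != MAGIC:
        raise ValueError("bad magic")
    end = HEADER.size + length
    (expected,) = struct.unpack(">I", image[end:end + 4])
    if zlib.crc32(image[:end]) != expected:
        raise ValueError("trailer CRC mismatch")
    return gzip.decompress(image[HEADER.size:end])


def find_strings(blob: bytes, min_len: int = 4):
    """Yield (offset, bytes) for NUL-terminated printable runs, like strings(1)."""
    for m in re.finditer(rb"[\x20-\x7e]{%d,}\x00" % min_len, blob):
        yield m.start(), m.group()[:-1]


def find_credentials(blob: bytes, known=KNOWN):
    """Return [(offset, string)] for every known credential string in the blob."""
    return [(off, s) for off, s in find_strings(blob) if s in known]


def neutralise(blob: bytes, hits) -> bytes:
    """Overwrite each hit in place with same-length random bytes in 0x80..0xfe:
    no NUL (keeps the C string intact) and nothing typeable from a keyboard."""
    out = bytearray(blob)
    for off, s in hits:
        out[off:off + len(s)] = bytes(0x80 + b % 0x7f for b in os.urandom(len(s)))
    return bytes(out)


def patch_firmware(image: bytes, known=KNOWN):
    """Decompress, patch every known credential, recompress, recompute CRC.
    Returns (new_image, list_of_strings_replaced)."""
    payload = parse_image(image)
    hits = find_credentials(payload, known)
    return build_image(neutralise(payload, hits)), [s for _, s in hits]


# Constructed stand-in for a decompressed root filesystem with the
# backdoor credentials sitting next to other ordinary C strings.
SAMPLE_PAYLOAD = (
    b"\x7fELF" + bytes(32)
    + b"/bin/httpd\x00" + b"admin\x00" + b"superman\x00" + b"21241036\x00"
    + b"index.html\x00" + bytes(64)
)
SAMPLE_IMAGE = build_image(SAMPLE_PAYLOAD)

if __name__ == "__main__":
    new_image, replaced = patch_firmware(SAMPLE_IMAGE)
    print("replaced:", replaced)
    print("credentials left after patch:", find_credentials(parse_image(new_image)))
```

Same-length overwrites matter: the strings are referenced by offset inside the binary, so growing or shrinking them would mean relinking. The trailer must be recomputed because any one-byte change in the gzip member changes the CRC; a check that rejects a tampered trailer is included so the reader can see what a naive hex-edit of the compressed image runs into.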
Now maybe there are some firmware versions out there that have these vulnerabilities, but I haven't been able to confirm either report and am beginning to wonder whether any of these stories are true. Of course, my standard practice of getting the latest firmware when I buy some equipment may have shielded me from these problems, and there are probably plenty (fools?) out there that don't do this and may have opened themselves up. But to see two vulnerability reports I cannot confirm makes me wonder whether this is some sort of disinformation campaign.
I look at the comments on this thread and am amazed that the supposedly technically competent can rush to judgement so quickly and with so little evidence. Were this to hit the mainstream media, can you imagine how this could change the marketplace, even if the report isn't true?
Maybe I should be buying some Cisco stock...
How can you be sure that the backdoor ID to your gear isn't batman and that the password isn't 46386124? I realize that any proprietary software can have backdoor passwords in it. Netgear has shown that at least one of their products has a backdoor. When Netgear was given the chance to act horrified that somebody put a backdoor in one of their products and remove it, they decided to just change the backdoor name and password. This gives me LOTS of confidence in the security awareness of Netgear products. You are trusting the security of your wireless connectivity to a company that knowingly maintains a backdoor in at least one of its products.
Although Netgear reacted quickly to reports about a backdoor in the WLAN access point WG602 Version 1 with a firmware update, the backdoor still remains, only with a new user name and password. When changing the name Netgear showed not much creativity, since the original string "super" was simply enlarged to "superman". Regarding the password, Netgear apparently took seriously some comments on the heise board and changed the number to 21241036. Asked whose telephone number this is, Netgear Germany was not able to make any comment, as it was unaware of the new problem and going to investigate it first.
A newly updated firmware version is not available yet. Anyhow, the question is whether the users are willing to replace the software after the second error. In the opinion of lawyers this is a valid reason for users to be entitled to return the devices in exchange for their money. Although dealers could hypothetically fix the inadequacy, the chances of doing this successfully apparently are not the best.
If it's not, what would the significance be? The factorisation is 2 × 2 × 461 × 11519, but that doesn't look interesting to me.
Googling for it I only find, as an interesting reference:
- An entry for something called dipeptidyl aminopeptidase that sounds like a protein or enzyme
But I'm sure that's not it.
Since they did this, should we all demand refunds, since this makes their routers so insecure that they are unusable?
Fight Spammers!
I call it backdooring through closed source.
"Quis custodiet ipsos custodes?"
'21241036', That's the same combination on my luggage!
The technology, which allows anyone to access enterprise networks when they enter 'superman' for the username and and '21241036' for the password, frees enterprises from worrying about security issues and allows IT managers to focus on implementing talking paperclips on enterprise desktops. "We are excited about the new technology," commented Steve Hjarkblonka in an interview. "For the first time since the invention of computers, the threat of security intrusions has been completely eliminated. Enterprises can now enjoy 100% unbreakable security."
Geoff Nikreny, chief security officer with Endostar Inc, calls the secure-by-default approach, in which once-vulnerable features are patched, a "mistake" that will lead to deployment confusion. But he doesn't know what he's talking about anyway. So for 100% unbreakable security, buy Netgear.
Offer good while supplies last.
See, here's the problem: Superman's password is Batman's phone number! Think of the confusion and mayhem that is sure to result from this. We all know that only Commissioner Gordon should have that number.
Bush should have died, not Reagan -- Morrissey
Morrissey rides a cockhorse -- The Warlock Pinchers
The real fix should be available shortly.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
It's a bird... It's a plane... It's a router flying off the roof of my building!
The fact that the backdoor existed at all makes them liable, IMO, because it proactively defeats the supposed security they used to sell their product.
Liable for what, though? Has anyone shown any damages yet??
Over the weekend I purchased a Linksys wireless G "router" for my sis and brother-in-law and searched for an updated firmware. I was surprised to not find one. The last Linksys firmware is 2.02.7 from 3/17/2004. I would have bet money that Linksys would have a fix before Netgear did, especially with Cisco being the parent company. At least Netgear made a shoddy attempt to fix their problem.
I boycott signatures
I tried Netgear in the past and wasn't very happy with them. I've never had an issue with Linksys. I like their interface (improved once the Cisco logo appeared). I find their wireless products work well and, other than the backdoor, have no complaints about any of their products.
I boycott signatures
Netgear has posted a whopping 1300 firmware design jobs on monster.com!
I can count to 1023 on my hands. Ask me about #132.
I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
I mentioned this elsewhere, but how can you file a lawsuit if no one can show any damages?? Where is the link to someone who had data stolen because of this? How important was it? Or did the attacker just manage to use some of their bandwidth? Did that cost them money?
No harm, no foul. You can't have a class action lawsuit when not even one member of the class can show any evidence.
They were dialing it long before I posted my comment - the article was up for a long time before I got a translation.
Laws affecting technology will always be bad until enough techies become lawyers.
"If someone paid you to paint a building, as they trust you will do a better job...
Why did GEAR crush RDP?
Ah, yes, the lovely irony of a security company outsourcing their own product's security.
Nothing like trusting your future to some shady fly-by-night low-bidder who's not an employee. Whoever at Netgear argued this process saves money, I almost pity you. Almost.
Although in this case, you can't argue that specs called FOR a backdoor... but maybe there were no specs at all.
I don't blame them for this "quick fix".. as a longtime Software QA engineer I can tell you it takes more than 1 day to test something, unless you're willing to accept the risk that the fix could be worse. I'm willing to bet the OEM developer is probably just a one or two man shop, has no QA and might not even have source code control.
off-topic:
I run m0n0wall, a BSD distribution just for firewalls & routers. It doesn't need a hard drive so it's quiet.
I even yanked the CPU fan off the AMD K6/450 it is running on. CAUTION: passive cooling a CPU risks burning out the processor. To prevent this I fitted a stock AMD CPU sink from an Athlon 1800, and made a small duct for the power supply to draw air over the CPU (this was an OLD old ATX case with the PS directly above the CPU so it was easy).
Works great!
Too bad you can't upload monowall into consumer routers. I think this is the next step. Some vendor will start making it very easy to do such a thing (discoveries like the Linksys WRT54G hacking do not count).
The firmware for this box (or at least some of it) is offered for download on Netgear's site. I'm looking through the source, but I haven't seen anything relevant yet.
Has anyone seen where the backdoor is coded into the system? (Hint: if it's NOT in the source anywhere, Netgear is violating GPL here).
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
"Well, I suppose we could just change the username and password..."
"DO IT!"
"If you say so, sir"
Pure speculation, of course.
It's just that, according to the site, there's no fix yet:
http://kbserver.netgear.com/kb_web_files/n101383.asp
Now, there is a firmware from the 4th:
http://kbserver.netgear.com/support_details.asp?dnldID=735
that claims to fix the problem, but I'm tempted to suggest what's happened is they've changed the username and password while they test a full fix. After all, changing data is generally less likely to break stuff than changing code...
The common saying with free software is "who can you sue when something goes wrong?" Well, you can sue Netgear in this case, but in a class action suit only the lawyers get rich. The most compensation the actual victims will get is a $10 rebate on the next Netgear purchase. What you really want is for the problem not to have occurred in the first place. I believe that if this was truly open source software, there are enough paranoid people reviewing the code for back doors like this before it went too far. Personally I prefer to deal with people or companies I can trust than ones I can sue.
On a side note, I noticed that this SOHO NAS server I bought also has a password hidden in its firmware. Fortunately, some minor hardware modifications to enable a serial port need to be made before this is usable, so the security implications are minimal.
...how many times did they use the generator before settling on the number to use? Nobody in the history of the world has been satisfied by the FIRST random number generated!
"No....no...no...maybe if it had a '7'. AH! Bingo!" -- Netgear Security Engineer
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
You can bet it's the home phone number of the guy who put in the backdoor in the first place. What better way to reward an employee for putting a backdoor in their product?
Man this sucks. I've got an FVS318. While, thankfully it's not the router that is the cause of this particular ruckus, it's a Netgear product.
I like it. It's a very solid, reliable firewall/router. I've had it for a number of years now, and Netgear to this day continues to put out new firmware updates that not only fix bugs, but implement new features. It works well, and I always liked it better than my friend's Linksys.
But this whole crisis makes me really, really leery... How do I know there isn't a backdoor in my firewall/router as well? The fact is, now I don't.
Getting a Linksys that can run a custom Linux distribution becomes more appealing every single day. This may be what finally pushes me over the edge.
Bryan
I know this is a troll but I can't resist.
So the problem is that because they use Linux they leave plain text passwords in the firmware? Along with that, people can find the backdoors easily, meaning that it's not just the 1337 hax0rs who know about it, which means that you as a consumer can stay safe by researching the products you buy?
Speak truth to power.
Seems to me that 41036, along with 41091 and a few other 5-digit strings beginning with 41, were once relegated to local loop testing. IIRC dialing 40136 then hanging up would give you a natural ring, just like a real incoming phone call. 40191 would give short and long rings. This was many years ago in the early 70s and in a Canadian area code.
Can anyone else confirm my remembrances?
Really, isn't there something slightly immoral, possibly illegal about putting a backdoor into your product that allows anyone access to it, with no way to disable it, and THEN, when you are caught, you blame "the vendor that packaged the device for" you, and THEN you release a patch that claims to fix the backdoor, but really just leaves it there with a different password?
-no broken link
Right.
I'm sure the type of hacker who would exploit this really needs slashdot to clue him in.
He would never be able to recover the username and password from the BIOS file, where it's stored in plaintext . He wouldn't just google for it. He doesn't subscribe to BugTraq. Right.
I wonder if the SBC Netgear uses has a JTAG port. The CPU and memory available on the premium version of the product has (IMO) enough capabilities for an embedded install of OpenBSD (preferably Ver. 3.4 or 3.5).
Anyone know of any efforts along this line?
I recently bought several 24 port switches off of ebay. There was no way to reset the password, but calling up tech support, and providing a small amount of proof that I did in fact buy these switches, they provided me with the backdoor username/password.
:(
It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.
This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too
I think the "backdoor" is just a user/pass entry in some config file (like a
11*43+456^2
In a related story, Netgear has announced the formation of a new security division, formed with ex-Microsoft employees...
There is an existing IETF internet draft on this very subject. Located here.
(This would probably violate 2.12.9, "No default passwords").
A friend of mine is mapping the surrounding cities for WLAN access ports... though not merely "open" WLANs, but open routers. T-Online/Telekom, the monopolist here in Germany, gives out their routers in a plug&play fashion with a default 'password' of 0000 (no username, nothing), in the tradition of the electronic phone devices they have been selling since the 1970s, when the default pass code was always 0000. All you need to do is log into these access points with a web browser (running on port 80, even, at address 192.168.1.1 IIRC), and you can retrieve all the info necessary to hijack the person's internet account. As many people have a volume based billing model for their DSL over here, you can cause a lot of damage this way, and never be found. The routers have an annoying (though somewhat sensible) Anti-Theft feature - they won't dial in automatically if they are stolen (i.e. are disconnected from their power supplies), meaning you have to reset them to factory defaults if you don't know the code. Fortunately, their WLAN routers, unlike many older devices, do accept alphanumeric passwords nowadays.
It's more than just the mere fact of the backdoor. It's the amateur way they coded the backdoor. They found the strings in plaintext after gunzipping the image file. And to further insult our intelligence, they changed the password and left it coded the same way thinking we're too dumb to find the new one. There's no obfuscation at all except for the gzipping. Linux and open source make no difference here. You can at least give some credit to a well hidden backdoor. What's disturbing is their naive, amateur approach to security.
These are consumer grade devices. If you want those kind of guarantees, don't buy consumer grade devices. I'm sure Cisco will be happy to sell you a router for $100,000 with all kinds of guarantees. Personally, I'll take the $60 Netgear and live with the occasional security flaw (and I won't run wireless, it's just not that hard to string ethernet cables, but I digress).
Hi! I make Firefox Plug-ins. Check 'em out @ https://addons.mozilla.org/en-US/firefox/addon/youtube-mp3-podcaster/
Sure, but still, why broadcast to the world the username/password? Is it for the neener-neener-I-got-your-password pleasure?
"Would it kill you to put down the toilet seat?" -- Maya Angelou
Someday, somebody from Netgear is going to have to explain that to a judge and jury. And it's not going to go over well. Once might be considered ordinary negligence. But the second time moves it into the "gross negligence" category: "an act or omission in reckless disregard of the consequences affecting the life or property of another."
I wonder what DC Comics (and the other owners?) have to say about NetGear using their copyrighted character in a commercial product ?
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I would think under current laws that installing an undisclosed backdoor onto someone else's property would be akin to using a trojan to allow access to another's system. Just because they sell the system does not give them the right to access it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
"Given enough eyes, all obscurity is shallow" ?
Heck, where is the story? I've only seen this at slashdot and the few media articles it links to.
I mean, I can turn on my nightly news and hear about "getting ripped off at the dry cleaners? Let our investigative unit show you how!" but when your personal home network with all your work, personal stuff, family photos, etc are now open to the world because of some backdoor its like its no big deal.
It seems like until someone writes a worm to really screw these people over, no one is going to care. And I'm sure lots of people are testing worms as we speak.
The larger issue here is the complete disregard for security. A backdoor should never be installed. The firmware reset is more than enough to get back to the default settings. So what if you lose your "settings." That's the price of losing your password info or buying a shoddy product.
I can't believe my ears when I hear about backdoors, especially from companies like Cisco. What are we telling the industry, that we'll roll over for whatever they do? Are we telling the government that their next USA PATRIOT act might as well have mandatory Ashcroftian backdoors because corporate America is apathetic to security?
It's mind-boggling. I hope Netgear gets equated with untrustworthiness and falls from their market position.
It's a shame this number isn't prime, unlike Jenny's.
He who laughs last is stuck in a time dilation bubble.
...for copyright violation. Lois Lane is planning to sue because the password is her phone number.
"My country, right or wrong; if right, to be kept right; and if wrong, to be set right." --Senator Carl Schurz (1872)
No, it's to make people wake up and realize this is still a problem. It's so that people can try this themselves and prove it's not an urban legend or FUD. It's to give the company (NetGear) notice that people won't stand for this shit, and they can't get away with it. The linked article has the user/pass combo, but it's in German, so English speakers wouldn't be able to try this out on their "fixed" systems.
-no broken link
Congratulations, you just violated the DMCA by posting a circumvention to the security of the device in question to /. - there's a special place in the federal pound-me-in-the-ass prison just for you!
Well 21241036 is _almost_ my phone number here in the US. Whom do I sue?
I hadn't known there were so many idiots in the world until I started using the Internet -Stanislaw Lem
One that exploits a fairly recently-discovered hole. One that first attempts to connect to insecure machines, but if it fails to connect to a machine, it then attempts to use the known Netgear backdoor as a passthrough method.
The fallout from that would be absolutely delicious.
STOP MISUSING APOSTROPHES, YOU MORONS!!!
Just checked my router: :(
1.715 fixes the superman (what is it now??)
1.714 appears to have changed super > superman (I can confirm the superman account worked).
1.5?? had the "super" account vulnerability. Again, I did confirm that this firmware had this backdoor.
Netgear have now removed the 1.714/1.5?? firmwares from the site.
I only hope that they have actually fixed this!!
Thanks, /. Now I can worry until I get home from work...
Great men are almost always bad men--Lord Acton's Corollary
Takata/Highland industries used to make the entire airbag supply for the North American market (and a few European manufacturers) here in Cheraw, SC. Now the plant's in the process of shutting down and moving to Mexico. My point is, they're already blue, IIRC from my school field trip last year.
I go to Madison (Engineering major), and I read in the school newspapers last school year (2003-2004) that Netgear is giving something like $50,000 dollars to the DoIT (Department of Information Technology) folks. (DoIT handles the school network, public computers, labs, and so on). So that's pretty much cleared up. Of course, the school newspapers didn't mention that Netgear had flooded the U's time server, but made it seem that because this U rocked so much, they decided to give the money.....
Maybe somebody could make a program where:
- User opens program
- User points program to firmware file
- Program opens firmware file and replaces the hardcoded passwords with gobbledygook that is different each time the program is run
- Program writes new firmware to disk
- User reflashes router with firmware patched by program
This seems like a good potential short-term solution to me...
Karma: Excellent (fuck, even in the future moderation doesn't work!)
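A sketch of the program proposed above, as an added example that is not code from the thread or from Netgear: it works on a constructed gzip blob standing in for a firmware image, and assumes the credential strings sit as plain NUL-terminated text inside the decompressed image, as the earlier comment about gunzipping the image reports. Real images carry headers and checksums that this toy does not handle, so it is a demonstration of the idea, not a flashing tool.

```python
import gzip
import re
import secrets
import string

# Credential strings reported in the thread for the two firmware versions.
KNOWN_CREDENTIALS = [b"super", b"superman", b"21241036"]


def build_sample_image() -> bytes:
    """Constructed stand-in for a firmware image: a handful of NUL-terminated
    strings, gzipped, like the plaintext ones found in the real image."""
    body = b"\x00".join([b"admin", b"superman", b"21241036", b"httpd", b""])
    return gzip.compress(body)


def _whole_string(cred: bytes) -> re.Pattern:
    # Match only a complete NUL-delimited string, so 'super' is not reported
    # when the image actually contains 'superman'.
    return re.compile(rb"(?:^|(?<=\x00))" + re.escape(cred) + rb"(?=\x00|$)")


def find_credentials(image: bytes) -> list:
    """Detection check: which known credential strings are present."""
    data = gzip.decompress(image)
    return [c for c in KNOWN_CREDENTIALS if _whole_string(c).search(data)]


def random_token(length: int) -> bytes:
    """Random alphanumeric string of the given length (CSPRNG-backed)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode()


def neutralize(image: bytes) -> tuple:
    """Replace each known credential with a same-length random string, so the
    decompressed layout and every offset stay unchanged.
    Returns (new_image, {credential: replacement})."""
    data = gzip.decompress(image)
    replacements = {}
    for cred in KNOWN_CREDENTIALS:
        token = random_token(len(cred))  # alphanumeric: safe as a re.sub repl
        data, count = _whole_string(cred).subn(token, data)
        if count:
            replacements[cred] = token
    return gzip.compress(data), replacements


if __name__ == "__main__":
    image = build_sample_image()
    print("before:", find_credentials(image))
    patched, swapped = neutralize(image)
    print("after:", find_credentials(patched), "replaced:", list(swapped))
```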
That's the combination on my luggage!
paintball
Yeah, they didn't even use rot13.
09F91102 no, 455FE104 nope, F190A1E8 uh-uh, 7A5F8A09 that's not it, C87294CE no. Ah! 452F6E403CDF10714E41DFAA257D313F.
This article is my 'box of toothpicks'. I must now build a house inside-out so as to enclose the World in the asylum that it belongs in.
...selling wireless routers with encryption turned off by default and DHCP turned on by default.
Not necessarily.
If their code isn't linked to GPL code (and just running on the same box), they can use code of whatever license they like.
I agree that router manufacturers have a black history here *cough* Linksys *cough* of swiping code from Linux and then ignoring license terms.
May we never see th
Sounds like you are talking about something like Keyring. One password lets you decrypt a bunch of other passwords stored on the device.
I guess you could say they are bound in darkness too because they are encrypted and useless without the main password, which "finds" them all.
In my day, the grease-on ben-tra ran like grease on a pan - that had been burned in place and left there for weeks. Our grease-on ben-tra had a zero to sixty time of sixty seconds, and couldn't steer without rattling like the bones of Buddy Holly. Fuel efficiency? That thing drank like an ex army sergeant. And it broke down more often than Tammy Faye. Oftentimes we would be driving it to the shop, and it would break down again on the way. You'd hook it up to the tow truck because of a broken front wheel and the rear axle would crack. Load it on the back, and the bumper would fall off. That thing wasn't a deathtrap: deathtraps have moving parts.
Hope you like it. Have fun with your car!
(note: it was an '86. I've heard they have gotten better.)
The ______ Agenda
It seems the regional offices are less than helpful in some countries, but the Australian site is exemplary.
Anyone had any bad experiences with them?
Q. YMMV
Insert Signature Here
speak "friend" and enter
(one password for everyone)
I don't get your sig, isn't the "/" symbol either a door or an arrow? So if it's a door then there is no wall either side of it...
If they made a movie of your life, would anybody buy a ticket?
Great, that's exactly what I need just before my death: a blue screen of death! On the other hand, I always suspected that my last words would be "Damn you, Bill Gates!"
Sincerely,
Pan Tarhei Hosé, PhD.
"Homo sum et cogito ergo odi profanum vulgus et libido."
Thanks, second AC.
As a matter of fact, I still have the first dozen or so Rush albums on original vinyl, since replaced with CDs. I think I have more than a passing familiarity with "Tom Sawyer".
Ok, bad analogy - I thought of a better one.
If you buy a "consumer" level safe as a place to store your valuables, the safe company will, in most cases, not reimburse you for the items stolen from it. What you are buying is a reasonably secure place to store your valuables. You can be reasonably sure that, while it is possible for someone else to open the safe, it will be very difficult.
Then you find out that your model of safe has a backdoor combination. Now, it seems you would argue that, because the company didn't advertise it didn't have a "super" combination, they haven't really done anything that bad. Besides, the main purpose of a safe is to store things - and it can still be used for that purpose, right? And only someone who is fully aware of the super combination, AND aware that you have a safe AND is a criminal at heart would even care.
I say there should be a reasonable assumption of security, and if they can't fix the lock, they should replace the entire safe. It doesn't matter if I've been harmed due to the product's flaw, it matters that I spent money on a product that was supposed to keep me reasonably secure.
While many people don't put security as their first priority in buying a router, the principle is the same - those people with the "combination" can use your network. You should be reasonably certain that there are safeguards. You understand that encryption can be broken, that people might still be able to "break into" your network, but you have made a reasonable effort to prevent that.
I don't think there are any wireless networking products, especially routers, that don't advertise they are secure, or offer a reasonable assumption of security. I don't see how you can call a recall "wildly disproportionate" when it is, in fact, exactly proportionate. So maybe "buy back" is not really that appropriate, but they should replace every single defective unit - and if they don't have a satisfactory product, then they *should* buy them back and allow the consumers to choose another one.
Stupid sexy Flanders.