Slashdot Mirror
Netgear's Amusing "fix" for WG602v1 Backdoor
An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
Chalk up another loss for 'security by obscurity'.
dmiessler.com -- grep understanding knowledge
That would be like "fixing" Windows 95 with Windows ME.
"We need a fourth law of Robotics: Stop Fingering My Wife"
I thought the last article said changing passwords was a good idea! Make your minds up.
I jest of course.
----
Well at least sys-admins and network engineers can finally use the login name they think they deserve.
99 bottles of beer in 175 characte
If this their idea of pluging a security hole then I don't think I will be purchasing any kind of routing equipment from this mickey mouse outfit in the future.
I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
I think it's time the government steped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.
Simon.
They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
And thanks to Slashdot, thus begins an endless stream of firmware updates; every time Netgear "fixes" their problem, I'm sure an article here will put the cycle in motion again. Let's see, who wants to guess what they change the password to next?
"superduperman", anyone?
I've done it with other types of binary files, but never tried with firmware.
Anyone try this?
But that's just me.
I am so irritated I don't know what to say. Seriously, How can netgear expect people to trust them again, is there any way to repair their reputation?
This looks like a job for.......SUPERMAN!
Now this is very sad. How can any semi-reputable company call changing the admin username and password for a major security hole a fix? Especially since they should have realized this new username/password would hit the net faster than Homer at an all you can eat buffet.
Since these things have built in firewalls, wouldnt the fix just include a user-invisible firewall rule preventing access to the router on whatever the admin port is (80, 8080, etc..)? Seems like a fairly simple fix to me.
Thanks Netgear! You've just assured that I'll never buy one of your products!
It's better to burn out than to fade away
I couldn't find the exact link at first glance, but this one is a reply to it: http://www.securityfocus.com/archive/1/365292/2004 -06-05/2004-06-11/0
I do security
The blackhats that subscribe to
i sc losure
http://lists.netsys.com/mailman/listinfo/full-d
knew about this on irc for a while.
EU via interpol desires, and us's NSA/NRO both desire various entrypoints.
cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.
Netgear reacted to the messages over a Backdoor in the wl to ACCESS POINT WG602 Version1 promptly with a firmware update, however the Backdoor is still present -- this time only with new user name and password. With the name one was a little creative and extended the original character string "super" too "superman". With the password Netgear obviously took forum contributions for the first message of the safety gap seriously and changed the number on 21241036. To whom however this telephone number is to belong, Netgear Germany could not say to us -- there one knew nothing from the new problem and wanted only to make itself once kundig.
An again updated firmware design does not give it yet. Anyway the question arises whether users are still determined after the second Patzer to bring new software in. In opinion of lawyers this problem could quite be reason of enough to return the devices to the dealer and back-demand the purchase price. The salesman can try to improve the lack however the chances stand for it for the moment obviously quite badly.
Unfortunately Heise (publisher of c't and iX) is the probably most clueful German publishing house when it comes to technology.
Those Netgear bozos really seem to be dumber then my cigar cutter.
The other explanation is that the equipment has such a fundamental design flaw that it can't be fixed at all. But then they act damn unresponsible.
Then again: Thanks to such blunders I know what equipment not to buy.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
That's amazing. I've got the same combination on my luggage.
"Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
A backdoor? We're insecure? This looks like a job for... a random number generator!
There is no mod option "-1: Disagree" for a reason. "Overrated" is not an acceptable substitute. Post something instead.
I realise that this is a bit redundant, but I read the slashdot artile linked to, and what to I see but:
Re:Fixed in new firmware, available here: (Score:3, Informative)
by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.
(You can find it yourselve by just taking similiar steps as in the securityfoces article.)
Maybe reading slashdot sometimes would be a good idea.
Now the hacker has to figure out which version of the firmware one is running in order to crack the password. And they can't figure that out without logging in. So everyone is safe now.
:-)
I tried for 5 years to come up with a clever sig...only to realize that I am not clever.
cat knowledge |grep -v understanding
There is certainly no understanding comeing through their pipe.
The firmware is gzip compressed, so you'd need to do a bit more than just use bvi. But I suspect if you extracted the gzip'd portion, edited the firmware, re-gzipped it, put it back in the firmware and updated any crc/md5 checks in there it might work.
Blaming GW Bush for the Iraq war is like blaming Ronald McDonald for the poor quality of food.
I for one like my whores anonymous. It keeps things simpler...
Oh, what exactly are we talking about again?
"Piter, too, is dead."
I am amused. When I say the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.
The views expressed are mine own and do not express the views of my employer.
Those Netgear bozos really seem to be dumber then my cigar cutter.
And not nearly as sharp!
.signature not found
The new password is apparently someone's PHONE NUMBER in Germany! No idea whose, but I gleaned this tidbit by getting a Babelfish translation of the page (orig, in German). For those in the US - Is this the networking equivalent of calling Jenny? (867-5309)
Laws affecting technology will always be bad until enough techies become lawyers.
Netgear has promptly reacted to the reports of a backdoor in the WLAN-Access-Point WG602 Version 1 with a Firmware-Update, however, the backdoor is still present, but with a new user name and password. They were a little creative with the name and extended the original character string "super" to "superman." With the password, Netgear has obviously taken the message of security seriously and changed the password to "21241036." However, to whom this telephone number points, Netgear did not comment. There, they knew nothing and initially only wanted to make themselves aware of the (details of the) problem.
Again, there is not a real updated firmware design yet. The question arises whether users are still determined--after the second patch--to get new software. In the lawyer's opinions, this problem could be reason enough to take back the device to the retailer and receive a refund of the purchase price. For now, the retailer can try to fix the shortcoming, however, the chances of that are not very good.
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
Was anyone else reminded of some of Mitnick's work where he'd call the manufacturer of the equipment to get the backdoor password? That most of the people using it didn't even know it had? And they gave it to him over the phone...
I am disrespectful to dirt! Can you see that I am serious?!
First of all we are talking about a Netgear Product so what does Linksys's problem have to do with this? Second of all if you would bother to read the responses in the article you linked to, you would see that some people have already proved that its not a hoax with regards to the Linksys product.
If you wanna get rich, you know that payback is a bitch
Wait - the false report was about Linksys - NOT about NETGEAR.
SO now the Linksys is ok and the Netgear is not. Someone buy me a program so I can tell the players apart.
Flawed Routers Flood University of Wisconsin Internet Time Server
http://www.cs.wisc.edu/~plonka/netgear-sntp/
Abstract:
"In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.
Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.
This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities."
By issuing this form of a fix, Netgear is stating that they are not just incompetent, they are deliberately so, and they think everybody else is as stupid as they are. I've rarely seen such negligence and contempt for customers. Well, not that rarely: The Winnuke Patch
..is that they lost the source, and all they could do was to binary patch the firmware image.
;-(.
Sad, but true
(or not)
Well, it seems pretty obvious to me... it's supposed to be there.
This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.
Now, I'm not going to even start discussing whether the product *should* have a backdoor. There are many reasons for including them, and many obvious reasons to not.
What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revokation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).
That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.
Then again: Thanks to such blunders I know what equipment not to buy.
The fundamental problem here is that we're running out of vendors! Linksys and Belkin are on the shitlist; now NetGear. Who, exactly, does that leave for consumer-grade networking equipment? I don't know about where you live, but where I live, these are about the only three vendors that show up on the computer store shelves (well, there are some cheapo brands, but they suffer even worse quality control problems).
Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.
Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
Ever dream you could fly? Get up from the Flight Sim. I Fly
I don't know either but you could try the existing known accounts for yourself on your own router. This won't help if a backdoor is there with different credentials but provide piece of mind that the two well known ones either do or do not work.
Getting off topic here but the main advantage of full disclosure with bugs and similar issues like this is you have the ability to verify and test for yourself. Sure beats getting an email that a patch is available and you have no idea what it fixed or how it fixed it.
Bad boys rape our young girls but Violet gives willingly.
How can you be sure that the backdoor ID to your gear isn't batman and that the passward isn't 46386124? I realize that any proprietary software can have backdor passwords in it. Netgear has shown that at least one of their products has a backdoor. When Netgear was given the chance to act horrified that somebody put a backdoor in one of their products and remove it, they decided to just change the backdoor name and password. This gives me LOTS of confidence in the security awareness of Netwgear products. You are trusting the security of your wireless connectivity to a company that knowingly maintains a backdoor in at least one of it's products.
Apple?
The technology, which allows anyone to access enterprise networks when they enter 'superman' for the username and and '21241036' for the password, frees enterprises from worrying about security issues and allows IT managers to focus on implementing talking paperclips on enterprise desktops. "We are excited about the new technology," commented Steve Hjarkblonka in an interview. "For the first time since the invention of computers, the threat of security intrusions has been completely eliminated. Enterprises can now enjoy 100% unbreakable security."
Geoff Nikreny, chief security officer with Endostar Inc, calls the secure-by-default approach, in which once-vulnerable features are patched, a "mistake" that will lead to deployment confusion. But he doesn't know what he's talking about anyway. So for 100% unbreakable security, buy Netgear.
Offer good while supplies last.
The real fix should be available shortly.
It's better to vote for what you want and not get it than to vote for what you don't want and get it.
- E. Debs
As a matter of fact it was me who found the 1.7.14 username and password and posted it to securityfocus after updating my firmware from 1.5.67(which I tested with the super username and password) to 1.7.14.
Over the weekend I purchased a Linksys wireless G "router" for my sis and brother-in-law and searched for an updated firmware. I was surprised to not find one. The last Linksys firmware is 2.02.7 from 3/17/2004. I would have bet money that Linksys would have a fix before Netgear did, especialy with Cisco being the parent company. At least Netgear made a shoddy attempt to fix their problem.
I boycott signatures
Netgear has posted a whopping 1300 firmware design jobs on monster.com!
I can count to 1023 on my hands. Ask me about #132.
Ah, yes, the lovely irony of a security company outsourcing their own product's security.
Nothing like trusting your future to some shady fly-by-night low-bidder who's not an employee. Whoever at Netgear argued this process saves money, I almost pity you. Almost.
Although in this case, you can't argue that specs called FOR a backdoor... but maybe there were no specs at all.
I don't blame them for this "quick fix".. as a longtime Software QA engineer I can tell you it takes more than 1 day to test something, unless you're willing to accept the risk that the fix could be worse. I'm willing to bet the OEM developer is probably just a one or two man shop, has no QA and might not even have source code control.
off-topic:
I run m0n0wall, a BSD distribution just for firewalls & routers. It doesn't need a hard drive so it's quiet.
I even yanked the CPU fan off the AMD K6/450 it is running on. CAUTION: passive cooling a CPU risks burning out the processor. To prevent this I fitted a stock AMD CPU sink from an Athlon 1800, and made a small duct for the power supply to draw air over the CPU (this was an OLD old ATX case with the PS directly above the CPU so it was easy).
Works great!
Too bad you can't upload monowall into consumer routers. I think this is the next step. Some vendor will start making it very easy to do such a thing (discoveries like the Linksys WRT54G hacking do not count).
The firmware for this box (or at least some of it) is offered for download on Netgear's site. I'm looking through the source, but I haven't seen anything relevant yet.
Has anyone seen where the backdoor is coded into the system? (Hint: if it's NOT in the source anywhere, Netgear is violating GPL here).
"My strength is as the strength of ten men, for I am wired to the eyeballs on espresso."
It's just that, according to the site, there's no fix yet:
a sp
n ldID=735
http://kbserver.netgear.com/kb_web_files/n101383.
Now, there is a firmware from the 4th:
http://kbserver.netgear.com/support_details.asp?d
that claims to fix the problem, but I'm tempted to suggest what's happened is they've changed the username and password while they test a full fix. After all, changing data is generally less likely to break stuff than changing code...
...how many times did they use the generator before settling on the number to use? Nobody in the history of the world has been satisfied by the FIRST random number generated!
"No....no...no...maybe if it had a '7'. AH! Bingo!" -- Netgear Security Engineer
"These people look deep within my soul and assign me a number based on the order in which I joined" --Homer re:
I use D-link for all my home networking needs
Man this sucks. I've got an FVS318. While, thankfully it's not the router that is the cause of this particular ruckus, it's a Netgear product.
I like it. It's a very solid, reliable firewall/router. I've had it for a number of years now, and Netgear to this day continues to put out new firmware updates that not only fix bugs, but implement new features. It works well, and I always liked it better than my friend's Linksys.
But this whole crisis makes me really really leary... How do I know there isn't a backdoor in my firewall/router as well? The fact is, now I don't.
Getting a Linksys that can run a custom Linux distribution becomes more appealing every single day. This may be what finally pushes me over the edge.
Bryan
Not as far as I know, but if I were a business I wouldn't have to have actual damages from an attacker to claim that I had to take my computers offline while the security risk was fixed, therefore costing my business an estimated $X.
Stupid sexy Flanders.
Speak truth to power.
I had a compatability and reliability problem with a Dlink 802.11g router I bought when used with other manufacturer's WiFi equipment - seems most of their wireless gear suffers from this, from what I've read.
Really, isn't there something slightly immoral, possibly illegal about putting a backdoor into your product that allows anyone access to it, with no way to disable it, and THEN, when you are caught, you blame "the vendor that packaged the device for" you, and THEN you release a patch that claims to fix the backdoor, but really just leaves it there with a different password?
-no broken link
I recently bought several 24 port switches off of ebay. There was no way to reset the password, but calling up tech support, and providing a small amount of proof that I did in fact buy these switches, they provided me with the backdoor username/password.
:(
It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.
This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too
In a related story, Netgear has announced the formation of a new security division, formed with ex-Microsoft employees...
That's because of their 4x stuff. If you disable their proprietary packet sizes and compression stuffs, you get some nice reliabiity.
--fetch daddy's blue fright wig, i must be handsome when i release my rage
It's more than just the mere fact of the backdoor. It's the amateur way they coded the backdoor. They found the strings in plaintext after gunzipping the image file. And to further insult our intelligence, they changed the password and left it coded the same way thinking we're too dumb to find the new one. There's no obfuscation at all except for the gzipping. Linux and open source make no difference here. You can at least give some credit to a well hidden backdoor. What's disturbing is their naive, amateur approach to security.
Someday, somebody from Netgear is going to have to explain that to a judge and jury. And it's not going to go over well. Once might be considered ordinary negligence. But the second time moves it into the "gross negligence" category: "an act or omission in reckless disregard of the consequences affecting the life or property of another."
But the point isn't that it had security flaws (a lot of things do), it's that they proactively put it there.
It's not some logic flaw someone found, like a buffer overflow (which no one would blame them for), it's something extra they put into their product specifically making it insecure.
If a car company finds a flaw in it's airbag system, they replace the airbags and no one blames them - they fixed the problem they saw. If they specifically used flawed airbags, it's entirely different matter. I know we are not talking life and death, but it's a similar principle - only it could result in financial loss instead of physical. People take the risk with airbags, but they should be secure in the knowledge that, while they may still die or be seriously injured in an accident, that the airbag should help. People who buy even a cheap router should be secure in the knowledge that, while they may still be broken into, there are adequate protections.
In this case, it's not merely negligence on netgear's part, they proactively eliminated any security their products may have offered.
Stupid sexy Flanders.
I wonder what DC Comics (and the other owners?) have to say about NetGear using their copyrighted character in a commercial product ?
"Whoever would overthrow the liberty of a nation must begin by subduing the freeness of speech."--Benjamin Franklin
I would think under current laws that installing an undisclosed backdoor onto someone elses property would be akin to using a trojan to allow access to anothers system. Just becaujse they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
Heck, where is the story? I've only seen this at slashdot and the few media articles it links to.
I mean, I can turn on my nightly news and hear about "getting ripped off at the dry cleaners? Let our investigative unit show you how!" but when your personal home network with all your work, personal stuff, family photos, etc are now open to the world because of some backdoor its like its no big deal.
It seems like until someone writes a worm to really screw these people over, no one is going to care. And I'm sure lots of people are testing worms as we speak.
The larger issue here is the complete disregard for security. A backdoor should never be installed. The firmware reset is more than enough to get back to the default settings. So what if you lose your "settings." That's the price of losing your password info or buying a shoddy product.
I can't believe my ears when i hear about backdoors, especially from companies like Cisco. What are we telling the industry, that we'll roll over for whatever they do? Are we telling the government that their next USA PATRIOT act might as well have mandatory Ashcroftian backdoors because corporate america is apathetic to security?
Its mind-boggling. I hope a Netgear gets equated with untrustworthiness and falls from their market position.
"Oh, the white airbags don't work? Here, let me paint it blue."
Maybe somebody could make a program where:
- User opens program
- User points program to firmware file
- Program opens firmware file and replaces the hardcoded passwords with gobbleygook that is different each time the program is run
- Program writes new firmware to disk
- User reflashes router with firmware patched by program
This seems like a good potential short-term solution to me...Karma: Excellent (fuck, even in the future moderation doesn't work!)
In my day, the grease-on ben-tra ran like grease on a pan - that had been burned in place and left there for weeks. Our grease-on ben-tra had a zero to sixty time of sixty seconds, and couldn't steer without rattling like the bones of Buddy Holly. Fuel efficiency? That thing drank like an ex army sergent. And it broke down more often than Tammy Fae. Often times we would be driving it to the shop, and it would break down again on the way. You'd hook it up to the tow truck because of a broken front wheel and the rear axle would crack. Load it on the back, and the bumper would fall off. That thing wasn't a deathtrap: deathtraps have moving parts.
Hope you like it. Have fun with your car!
(note: it was an '86. I've heard they have gotten better.)
The ______ Agenda