Slashdot Mirror
Netgear's Amusing "fix" for WG602v1 Backdoor
An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
Chalk up another loss for 'security by obscurity'.
dmiessler.com -- grep understanding knowledge
That would be like "fixing" Windows 95 with Windows ME.
"We need a fourth law of Robotics: Stop Fingering My Wife"
I thought the last article said changing passwords was a good idea! Make your minds up.
I jest of course.
----
Well at least sys-admins and network engineers can finally use the login name they think they deserve.
99 bottles of beer in 175 characte
I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
I think it's time the government steped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.
Simon.
They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
And thanks to Slashdot, thus begins an endless stream of firmware updates; every time Netgear "fixes" their problem, I'm sure an article here will put the cycle in motion again. Let's see, who wants to guess what they change the password to next?
"superduperman", anyone?
I've done it with other types of binary files, but never tried with firmware.
Anyone try this?
But that's just me.
I am so irritated I don't know what to say. Seriously, How can netgear expect people to trust them again, is there any way to repair their reputation?
Now this is very sad. How can any semi-reputable company call changing the admin username and password for a major security hole a fix? Especially since they should have realized this new username/password would hit the net faster than Homer at an all you can eat buffet.
Since these things have built in firewalls, wouldnt the fix just include a user-invisible firewall rule preventing access to the router on whatever the admin port is (80, 8080, etc..)? Seems like a fairly simple fix to me.
Thanks Netgear! You've just assured that I'll never buy one of your products!
It's better to burn out than to fade away
The blackhats that subscribe to
i sc losure
http://lists.netsys.com/mailman/listinfo/full-d
knew about this on irc for a while.
EU via interpol desires, and us's NSA/NRO both desire various entrypoints.
cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.
Unfortunately Heise (publisher of c't and iX) is the probably most clueful German publishing house when it comes to technology.
Those Netgear bozos really seem to be dumber then my cigar cutter.
The other explanation is that the equipment has such a fundamental design flaw that it can't be fixed at all. But then they act damn unresponsible.
Then again: Thanks to such blunders I know what equipment not to buy.
ich bin der musikant
mit taschenrechner in der hand
kraftwerk
That's amazing. I've got the same combination on my luggage.
"Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
I realise that this is a bit redundant, but I read the slashdot artile linked to, and what to I see but:
Re:Fixed in new firmware, available here: (Score:3, Informative)
by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.
(You can find it yourselve by just taking similiar steps as in the securityfoces article.)
Maybe reading slashdot sometimes would be a good idea.
I am amused. When I say the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.
The views expressed are mine own and do not express the views of my employer.
The new password is apparently someone's PHONE NUMBER in Germany! No idea whose, but I gleaned this tidbit by getting a Babelfish translation of the page (orig, in German). For those in the US - Is this the networking equivalent of calling Jenny? (867-5309)
Laws affecting technology will always be bad until enough techies become lawyers.
Netgear has promptly reacted to the reports of a backdoor in the WLAN-Access-Point WG602 Version 1 with a Firmware-Update, however, the backdoor is still present, but with a new user name and password. They were a little creative with the name and extended the original character string "super" to "superman." With the password, Netgear has obviously taken the message of security seriously and changed the password to "21241036." However, to whom this telephone number points, Netgear did not comment. There, they knew nothing and initially only wanted to make themselves aware of the (details of the) problem.
Again, there is not a real updated firmware design yet. The question arises whether users are still determined--after the second patch--to get new software. In the lawyer's opinions, this problem could be reason enough to take back the device to the retailer and receive a refund of the purchase price. For now, the retailer can try to fix the shortcoming, however, the chances of that are not very good.
I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood
First of all we are talking about a Netgear Product so what does Linksys's problem have to do with this? Second of all if you would bother to read the responses in the article you linked to, you would see that some people have already proved that its not a hoax with regards to the Linksys product.
If you wanna get rich, you know that payback is a bitch
Flawed Routers Flood University of Wisconsin Internet Time Server
http://www.cs.wisc.edu/~plonka/netgear-sntp/
Abstract:
"In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.
Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.
This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities."
Well, it seems pretty obvious to me... it's supposed to be there.
This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.
That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.
Then again: Thanks to such blunders I know what equipment not to buy.
The fundamental problem here is that we're running out of vendors! Linksys and Belkin are on the shitlist; now NetGear. Who, exactly, does that leave for consumer-grade networking equipment? I don't know about where you live, but where I live, these are about the only three vendors that show up on the computer store shelves (well, there are some cheapo brands, but they suffer even worse quality control problems).
Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.
Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
Ever dream you could fly? Get up from the Flight Sim. I Fly
As a matter of fact it was me who found the 1.7.14 username and password and posted it to securityfocus after updating my firmware from 1.5.67(which I tested with the super username and password) to 1.7.14.
I would have thought the link refers to the "fix" we're discussing here.
It's just that, according to the site, there's no fix yet:
a sp
n ldID=735
http://kbserver.netgear.com/kb_web_files/n101383.
Now, there is a firmware from the 4th:
http://kbserver.netgear.com/support_details.asp?d
that claims to fix the problem, but I'm tempted to suggest what's happened is they've changed the username and password while they test a full fix. After all, changing data is generally less likely to break stuff than changing code...
I would think under current laws that installing an undisclosed backdoor onto someone elses property would be akin to using a trojan to allow access to anothers system. Just becaujse they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.
Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
"Oh, the white airbags don't work? Here, let me paint it blue."