Slashdot Mirror


Netgear's Amusing "fix" for WG602v1 Backdoor

An anonymous reader writes "Recently Slashdot reported that the Netgear router has a WLAN backdoor. According to this report by the news service of the German publisher Heise, Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'."

23 of 515 comments

  1. Oops... by danielrm26 · · Score: 5, Funny

    Chalk up another loss for 'security by obscurity'.

    --
    dmiessler.com -- grep understanding knowledge
    1. Re:Oops... by einhverfr · · Score: 5, Informative

      >Chalk up another loss for 'security by obscurity'.

      Well, that might be good enough, if they could choose the login information. But now that they published it....

      First rule of passwords is that you don't talk about your passwords....

      --

      LedgerSMB: Open source Accounting/ERP
    2. Re:Oops... by isthisthingon · · Score: 5, Insightful

      Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

      Any open source coder would be summarily flogged for such a transgression. Why on EARTH is this not literally considered a criminal offense for a company to do?

      And I for one used to hold Netgear in reasonably high regard, too.

      Never again.

      --
      And then one day you find, ten years have gone behind you....
    3. Re:Oops... by AndroidCat · · Score: 5, Funny

      If someone war-chalks it up, it won't be obscure for long. What is the symbol for "lame gateway security"?

      --
      One line blog. I hear that they're called Twitters now.
    4. Re:Oops... by djansen · · Score: 5, Funny

      Well, it IS an improvement. The increase from 5 characters for the login to 8 now makes it SO much harder to crack. What was the old password? Someone do the math and figure out the number of new permutations they've added. Ha. I bet this is how the guy who did it justified the whole thing.

      "What da ya mean? It's MUCH more secure than it was before."

      Doh.

    5. Re:Oops... by chris_mahan · · Score: 5, Insightful

      >Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

      The answer lies within the question: Because we pay them.

      If someone paid you to paint a building and didn't care whether you stripped off the old paint first, I guarantee you you would just slap a coat over the old paint.

      >And I for one used to hold Netgear in reasonably high regard, too.

      Your mistake, then.

      >Never again.

      You should not say never if you want to reach them. This just makes the company execs think that since they can never reach you as a customer again, they won't make the effort. What you should say instead is: "I will purchase products from other companies since theirs do not address my needs at this time."

      This is reasonable to them, and they won't discount you as a hot-head but rather may take your advice.

      Just my .016 euro

      --

      "Piter, too, is dead."

    6. Re:Oops... by gfxguy · · Score: 5, Insightful

      Your last line says it all - they should be held accountable. If it's advertised as being secure, and a backdoor is found, they should have to buy back every single unit or replace every single unit with a working one.

      If anyone has been damaged by the availability of the back door they should be held liable even if they claim you waive that right in their license agreement (their license agreement does not state there may be the possibility of back doors, no?)

      If you claim something is secure, but that you can't prevent all future attacks so you can't be liable, that's one thing, but when the liability is clearly your fault, it's another.

      --
      Stupid sexy Flanders.
    7. Re:Oops... by Fjord · · Score: 5, Funny

      The first rule of passwords is that you do not talk about your passwords.
      The second rule of passwords is that you do not talk about your passwords.
      The third rule is if someone uses "password" or nothing, there is no password.
      The fourth rule is only one person to a password.
      The fifth rule is one password at a time.
      The sixth rule is no sheets, no stickies.
      The seventh rule is password will be expired when they have to

      and the final rule of passwords is, if it's your first logon, you have to set one.

      --
      -no broken link
  2. Nice fix. by SpyPlane · · Score: 5, Funny

    That would be like "fixing" Windows 95 with Windows ME.

    --
    "We need a fourth law of Robotics: Stop Fingering My Wife"
  3. Superman!! by Claire-plus-plus · · Score: 5, Funny

    Well at least sys-admins and network engineers can finally use the login name they think they deserve.

    --
    99 bottles of beer in 175 characte
  4. full-disclosure hackers knew for a while by Anonymous Coward · · Score: 5, Interesting

    The blackhats that subscribe to

    http://lists.netsys.com/mailman/listinfo/full-disclosure

    knew about this on irc for a while.

    EU via Interpol desires, and US's NSA/NRO both desire various entrypoints.

    Cisco's fiascos may be a trend. This Netgear is only the tip of the iceberg I bet.

  5. Re:A joke surely? by CaptainZapp · · Score: 5, Insightful
    I wish it was true.

    Unfortunately Heise (publisher of c't and iX) is probably the most clueful German publishing house when it comes to technology.

    Those Netgear bozos really seem to be dumber than my cigar cutter.

    The other explanation is that the equipment has such a fundamental design flaw that it can't be fixed at all. But then they act damn irresponsible.

    Then again: Thanks to such blunders I know what equipment not to buy.

    --
    I am the musician

    with a pocket calculator in my hand

    Kraftwerk

  6. Re:At least ... by bje2 · · Score: 5, Funny

    That's amazing. I've got the same combination on my luggage.

    --

    "Facts are meaningless. You could use facts to prove anything that's even remotely true." - Homer Simpson
  7. Re:I wonder... by FearTheFrail · · Score: 5, Funny

    But it takes numbers + characters to make -strong- passwords. So the next logical step:

    Login: Theyllneverguess
    Password: cuzimso1337

    --
    ___ In the words of Gen. Douglas McArthur: "I'll be right back."
  8. Who reads slashdot? by tony_gardner · · Score: 5, Interesting

    I realise that this is a bit redundant, but I read the slashdot article linked to, and what do I see but:

    Re:Fixed in new firmware, available here: (Score:3, Informative)
    by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
    I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

    (You can find it yourself by just taking similar steps as in the securityfocus article.)


    Maybe reading slashdot sometimes would be a good idea.

    1. Re:Who reads slashdot? by Chucky B. Bear · · Score: 5, Interesting
      Yeah I hate to say it but told you so!!! ;-) I posted that just before the securityfocus mail. It's funny how this all ended up as a Heise article now. They could've at least given me some credit for finding it.

      I did talk to a Netgear support engineer yesterday and he didn't know what I was talking about, so now I'm still waiting to hear anything back from them.

  9. Re:Not funny at all by Dutchmaan · · Score: 5, Funny

    This just isn't the way a responsible company behaves.

    responsible company

    Trying to put these two words together is like trying to touch two magnet ends with the same polarity.

  10. Article Text by Three Headed Man · · Score: 5, Informative
    Courtesy of this online German-English Dictionary and my German teacher, Frau Richards, wherever you are.

    Netgear has promptly reacted to the reports of a backdoor in the WLAN-Access-Point WG602 Version 1 with a Firmware-Update, however, the backdoor is still present, but with a new user name and password. They were a little creative with the name and extended the original character string "super" to "superman." With the password, Netgear has obviously taken the message of security seriously and changed the password to "21241036." However, to whom this telephone number points, Netgear did not comment. There, they knew nothing and initially only wanted to make themselves aware of the (details of the) problem.

    Again, there is not a real updated firmware design yet. The question arises whether users are still determined--after the second patch--to get new software. In the lawyer's opinions, this problem could be reason enough to take back the device to the retailer and receive a refund of the purchase price. For now, the retailer can try to fix the shortcoming, however, the chances of that are not very good.

    --
    I'm probably at the karma cap. Mod up a funny troll instead, it lightens the mood :)
  11. Here's why they didn't remove it by Anonymous Coward · · Score: 5, Insightful
    Yes, you're asking yourself "why didn't they just remove it, instead of changing it? Why was it there in the first place?"

    Well, it seems pretty obvious to me... it's supposed to be there.

    This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.

  12. blimey by doofusclam · · Score: 5, Insightful

    That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.

  13. Re:Binary Edit by MrBlue VT · · Score: 5, Interesting

    I have an earlier Netgear product (RT314). It's actually a rebranded ZyXEL product, so this trick may not work on other models.

    However, it was possible to edit the firmware in a binary editor. There was a checksum in the firmware, but you could fix it. You needed to connect a serial cable to the management port. When you made a change and uploaded the new firmware to the router and rebooted, the router would helpfully tell you what the old checksum was and what it expected the new checksum to be. You could then just search for the old checksum string and replace it with the new one the router calculated for you.

    Pretty easy to do. And allowed you to run some of the newer ZyXEL firmware on the Netgear boxes.

  14. Re:According to Netgear... by Anonymous Coward · · Score: 5, Informative

    I would have thought the link refers to the "fix" we're discussing here.

  15. Why isn't this illegal. by Holi · · Score: 5, Interesting

    I would think under current laws that installing an undisclosed backdoor onto someone else's property would be akin to using a trojan to allow access to another's system. Just because they sell the system does not give them the right to access it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.

    --
    Sorry, teleporters just kill you and then make a copy. A perfect, soul-less copy.
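
A check a reviewer could run on a vendor update like the one in this story, added here as an example (not code from the thread, Heise or Netgear): it diffs the printable strings of two firmware images and reports whether known hardcoded credentials were removed or only swapped in place. The images are constructed; the fixed-width NUL-padded layout and the `OLD-PASSWORD` placeholder are assumptions, since the page gives neither the firmware format nor the old password.

```python
import re

def printable_strings(blob, min_len=4):
    """Return {offset: text} for each run of printable ASCII, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return {m.start(): m.group().decode("ascii") for m in re.finditer(pattern, blob)}

def review_update(old_fw, new_fw, known_creds, window=16):
    """Classify each known credential as unchanged, replaced in place, or removed."""
    old_s, new_s = printable_strings(old_fw), printable_strings(new_fw)
    old_values, new_values = set(old_s.values()), set(new_s.values())
    report = {"unchanged": [], "replaced": [], "removed": []}
    for off, text in old_s.items():
        if text not in known_creds:
            continue
        if text in new_values:
            report["unchanged"].append(text)
            continue
        # A string that is new in the update and sits where the credential
        # used to be points to an in-place swap, not a removal.
        near = [(abs(o - off), t) for o, t in new_s.items()
                if t not in old_values and abs(o - off) <= window]
        if near:
            report["replaced"].append((text, min(near)[1]))
        else:
            report["removed"].append(text)
    return report

def fix_is_real(report):
    """The update passes only if every known credential is gone without a stand-in."""
    return not report["unchanged"] and not report["replaced"]

def field(value, width=16):
    return value.ljust(width, b"\x00")  # constructed fixed-width layout (assumption)

# Constructed images. "super", "superman" and "21241036" come from the story;
# OLD-PASSWORD is a placeholder because the page does not give the old password.
HEADER = b"\x00\x00\x01\x02"
OLD_FW = HEADER + field(b"httpd") + field(b"super") + field(b"OLD-PASSWORD") + field(b"index.html")
NEW_FW = HEADER + field(b"httpd") + field(b"superman") + field(b"21241036") + field(b"index.html")
CLEAN_FW = HEADER + field(b"httpd") + field(b"") + field(b"") + field(b"index.html")
KNOWN = {"super", "OLD-PASSWORD"}

if __name__ == "__main__":
    for name, image in (("vendor update", NEW_FW), ("credentials removed", CLEAN_FW)):
        report = review_update(OLD_FW, image, KNOWN)
        print(name, report, "PASS" if fix_is_real(report) else "FAIL")
```

The offset window only catches in-place swaps; an update that moves the account elsewhere in the image would show up as "removed", so a pass here still calls for a login test against the updated device.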