Slashdot Mirror


Backdoor Found In Arcadyan-based Wi-Fi Routers

Mojo66 writes "A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore. According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. (Google translation, original here.) What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected."
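
An inventory check built on the details in the summary above (an added example, not part of the original submission or the Heise report): it flags the Speedport models the summary names even when WPS is reported as disabled, and flags the quoted PIN, which is simply 1234567 followed by the standard WPS check digit. The inventory rows, host names, field names and the `ExampleCo AP-1` model are constructed assumptions.

```python
# Added example: audit a (constructed) device inventory for the issue in the summary.
AFFECTED_MODELS = ("W921V", "W504V", "W723V")  # Speedport models named in the summary
KNOWN_STATIC_PINS = {"12345670"}               # backdoor PIN quoted in the summary


def wps_checksum(body: int) -> int:
    """Check digit the WPS specification appends to a 7-digit PIN body."""
    accum = 0
    while body:
        accum += 3 * (body % 10)
        body //= 10
        accum += body % 10
        body //= 10
    return (10 - accum % 10) % 10


def pin_findings(pin):
    """Return findings for one configured PIN (None means no PIN recorded)."""
    if pin is None:
        return []
    if len(pin) != 8 or not (pin.isascii() and pin.isdigit()):
        return ["malformed-pin"]
    findings = []
    if wps_checksum(int(pin[:7])) != int(pin[7]):
        findings.append("bad-checksum")
    if pin in KNOWN_STATIC_PINS:
        findings.append("known-static-pin")
    # A body whose digits all repeat, or step by +1 / -1, is trivially guessable.
    steps = {(int(b) - int(a)) % 10 for a, b in zip(pin[:6], pin[1:7])}
    if len(steps) == 1 and steps <= {0, 1, 9}:
        findings.append("predictable-body")
    return findings


def audit_device(row):
    findings = pin_findings(row.get("wps_pin"))
    if any(m in row["model"] for m in AFFECTED_MODELS):
        findings.append("affected-model")
        # Per the summary, the PIN can keep working after WPS is switched off,
        # so a disabled flag must not clear an affected model.
        if not row["wps_enabled"]:
            findings.append("wps-off-not-sufficient")
    return findings


def audit_inventory(rows):
    """Map host -> findings, listing only hosts that have at least one."""
    report = {}
    for row in rows:
        findings = audit_device(row)
        if findings:
            report[row["host"]] = findings
    return report


# Constructed sample inventory (not real devices).
SAMPLE = [
    {"host": "gw-01", "model": "Speedport W921V", "wps_enabled": False, "wps_pin": None},
    {"host": "gw-02", "model": "ExampleCo AP-1", "wps_enabled": True, "wps_pin": "12345670"},
    {"host": "gw-03", "model": "ExampleCo AP-1", "wps_enabled": True, "wps_pin": "48261937"},
    {"host": "gw-04", "model": "ExampleCo AP-1", "wps_enabled": True, "wps_pin": "48261930"},
]

if __name__ == "__main__":
    for host, findings in audit_inventory(SAMPLE).items():
        print(host, ", ".join(findings))
```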

59 comments

  1. Duff link by ledow · · Score: 3, Insightful

    Duff link to the translation.

    Editors? Firehose? What, precisely, is the point of having them?

    1. Re:Duff link by Mojo66 · · Score: 4, Informative

      Dunno what happened to the link, this is the link I've submitted.

    2. Re:Duff link by Blue Stone · · Score: 1

      >Editors?[...] What, precisely, is the point of having them?

      Eye candy?

      --
      Corporation, n. An ingenious device for obtaining individual profit without individual responsibility. - Ambrose Bierce
    3. Re:Duff link by arth1 · · Score: 2

      >Editors?[...] What, precisely, is the point of having them?

      >Eye candy?

      You must not have seen any of the slashdot editors...

  2. 12345670? Really? by Anonymous Coward · · Score: 1

    Sounds like the combination to some idiot's lunch box.

    1. Re:12345670? Really? by Black Parrot · · Score: 2

      >Sounds like the combination to some idiot's lunch box.

      Using base 8 is actually pretty sophisticated.

      --
      Sheesh, evil *and* a jerk. -- Jade
    2. Re:12345670? Really? by loustic · · Score: 1

      Organizationally unique identifier of Arcadyan Technology Corporation: http://standards.ieee.org/develop/regauth/oui/oui.txt (It's the beginning of the MAC address...)

    3. Re:12345670? Really? by dmmiller2k · · Score: 1

      Gee, and I thought I was being clever omitting 8 and 9

      --

      "No matter how cynical you get, it is impossible to keep up." -- Lily Tomlin

  3. President Skroob by Anonymous Coward · · Score: 1

    Secures his wifi...

  4. "Someone change the combination on my luggage!" by nweaver · · Score: 1

    "Someone change the combination on my luggage!" -President Skroob

    --
    Test your net with Netalyzr
  5. Legal Liability? by Anonymous Coward · · Score: 5, Insightful

    Are hardware and software companies going to be taken down by lawsuits over failed security?

    Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.

    But when the companies leave the door completely unlocked, that is akin to negligence which should not be covered by a EULA. I have never read a EULA (nearly impossible to read by the way) that said "We are not responsible for making it trivial to hack our devices, you are."

    I tried to read a Microsoft EULA one time and before I was 25% through, they disconnected me because I "timed out", having failed to read what was easily over 50 pages in about 10 minutes or so.

    Sick.

    1. Re:Legal Liability? by nurb432 · · Score: 1

      They can still be sued, and lose their shirt fighting then settling to avoid being ground into bankruptcy.

      It's the business model for some companies these days. ( ri*cough*aa )

      --
      ---- Booth was a patriot ----
    2. Re:Legal Liability? by CanHasDIY · · Score: 1

      >Are hardware and software companies going to be taken down by lawsuits over failed security?

      >Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.

      Depends on where you live; Some nations/states have laws that all products of category X must be warrantied for Y number of years.

      Didn't Apple get burned on this very thing over in France not too long ago?

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
    3. Re:Legal Liability? by Anne_Nonymous · · Score: 1

      >> Are hardware and software companies going to be taken down by lawsuits over failed security?

      If you produce a worthless product, people won't buy it. That's what's going to take them down.

    4. Re:Legal Liability? by clemdoc · · Score: 1

      In the EU (not only in France), warranty is two years, AFAIK. That's what's bitten Apple. I'm not sure, however, that the warranty would cover this. The devices are still working, only 'a little bit too well'.
      You'd probably say, and I would agree, that such a blatant security flatulence should cause the producer to take back and repair his device. The producer will probably disagree and then? A court of law... because of a WiFi router? Probably not going to happen, if not done by some consumer advocacy group.

    5. Re:Legal Liability? by CanHasDIY · · Score: 1

      >You'd probably say, and I would agree, that such a blatant security flatulence should cause the producer to take back and repair his device. The producer will probably disagree and then? A court of law... because of a WiFi router? Probably not going to happen, if not done by some consumer advocacy group.

      I think it will most likely be handled in a similar manner to automotive recalls: The manufacturer will weigh the cost of litigation against the cost of recall, and go with the cheaper option.

      Fortunately, unlike with automotive recalls, no one is likely to die if the manufacturer decided litigation is cheaper

      --
      An enigma, wrapped in a riddle, shrouded in bacon and cheese
  6. Flaws not necessary? by macraig · · Score: 3, Funny

    >A recently reported flaw... isn't necessary... anymore.

    Hmmm... I would have thought all flaws are unnecessary by definition.

    God, it would be nice if editors did their damned jobs instead of rubber-stamping every gush of malformed junk that makes its way into the hose.

    1. Re:Flaws not necessary? by Mojo66 · · Score: 1

      >malformed junk that makes its way into the hose.

      As you might have guessed from the link to the original article in German, English is not my native language. Whereas submitters of pieces that are already written in English can just copy/paste the relevant parts into their /. submission, non-English sources have to be translated by the submitter. It's anyone's choice to wait until an English-speaking site picks up the story written in perfect English, or read the "malformed junk" version while it is still fresh...

    2. Re:Flaws not necessary? by gl4ss · · Score: 1

      the point is that abusing the flaw isn't necessary for pwning some wireless boxes.

      --
      world was created 5 seconds before this post as it is.
    3. Re:Flaws not necessary? by Black Parrot · · Score: 2

      No need to justify it. The geeky amateurism is half of what makes Slashdot fun.

      Most of us read comic books instead of Proust.

      --
      Sheesh, evil *and* a jerk. -- Jade
    4. Re:Flaws not necessary? by macraig · · Score: 1

      I know what his point was. My point is that he communicated his point rather poorly. I didn't appreciate having to waste extra calories trying to figure out what he actually meant to say. Reducing calorie consumption is after all the point of effective language use.

    5. Re:Flaws not necessary? by Anonymous Coward · · Score: 0

      Grand's rant was not about you, who submitted the story. His rant was about the editor who merely approved your submission.
      You are entitled to send whatever you want or can, but the editor's JOB is to right the wrongs and make a better summary than the original submitter did.

      Nothing wrong with your submission, only wrong with the editor's non editing.

    6. Re:Flaws not necessary? by macraig · · Score: 1

      I recognize with regret that not everyone who posts to the Interwebs will have a fluent grasp of English. That is why editors/moderators exist. It's the job of the editor to either clean up your non-native English or reject the submission if it's irredeemable. This particular editor did neither.

    7. Re:Flaws not necessary? by MagicM · · Score: 1

      >Reducing calorie consumption is after all the point of effective language use.

      I had to read that twice to understand what you're talking about. Now I have to eat an extra twinkie to make up for that. THANKS A LOT!

    8. Re:Flaws not necessary? by X0563511 · · Score: 1

      You made perfect sense to me; macraig is just being an asshole.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    9. Re:Flaws not necessary? by Jeng · · Score: 1

      Slashdot's "editors" pretty much just choose which stories to post. I think that might be the extent of their duties.

      --
      Don't know something? Look it up. Still don't know? Then ask.
    10. Re:Flaws not necessary? by X0563511 · · Score: 1

      See, this is where you are wrong. The editors' jobs are to approve flamebait stories, intentionally break links, and sneak in (or not so sneak) advertising.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    11. Re:Flaws not necessary? by macraig · · Score: 1

      You're not fooling anybody... you would've eaten that extra Twinkie anyway!

    12. Re:Flaws not necessary? by interval1066 · · Score: 1

      >English is not my native language

      Yeah, calm down guy.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    13. Re:Flaws not necessary? by macraig · · Score: 1

      Monkeys can do that job, and they don't demand a 401k or benefits. Slashdot should employ a few, which would really help since the monkey unemployment rate is about 100%, unless you count laboratory servitude. Maybe Caesar will even be among the hires? I for one welcome my new banana-eating editorial overlords.

    14. Re:Flaws not necessary? by macraig · · Score: 2

      I stand correc... errr, edited.

    15. Re:Flaws not necessary? by worf_mo · · Score: 1

      The German article links to some previously discovered flaws. I read the TFS as in "the previously discovered flaw isn't necessary to calculate the PIN anymore, because a new backdoor has been discovered that makes things so much easier".

      Your comment gave me a good chuckle, though.

    16. Re:Flaws not necessary? by gstrickler · · Score: 1

      While the way it's written does leave it room for misinterpretation, your edit of it excludes the obvious predicate for "isn't necessary ... anymore", thus, your rant is actually based upon you reading the statement incorrectly. Had "...that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router..." been separated with commas, clearly identifying it as a prepositional clause, then your interpretation and rant would be valid. However, it wasn't, and it's clear from context that "isn't necessary... anymore" refers to the clause about exploiting the flaw.

      I understand your complaint about lack of editing. But your rant is about your misinterpretation.

      --
      make imaginary.friends COUNT=100 VISIBLE=false
    17. Re:Flaws not necessary? by KlomDark · · Score: 1

      Don't worry about it. I had zero trouble reading it and English is my first and only language other than programming languages.

      What confused/confuses me was what the guy meant by "duff link", WTF is a duff link?

    18. Re:Flaws not necessary? by Anonymous Coward · · Score: 0

      My God, you actually burned a couple of calories while you sat on your ass reading Slashdot. HOW DARE HE.

  7. Re:Obama ate a dog. by Black Parrot · · Score: 0

    Obama ate a dog.

    Funny, but while "Man Bites Dog" is news and "Dog Bites Man" isn't, the reverse is true when you switch 'Bites' to 'Eats'.

    --
    Sheesh, evil *and* a jerk. -- Jade
  8. CPE is a nightmare... by nweaver · · Score: 4, Interesting

    Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.

    With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004! So almost decade-old code that just never ever ever got upgraded.

    --
    Test your net with Netalyzr
    1. Re:CPE is a nightmare... by Anonymous Coward · · Score: 0

      Worse than that. Some of the equipment was bought say 1-2 years ago. Now try getting any sort of updates for it. Forget it... They have already come out with a new plastic shell it costs them 2 dollars less to make and you are getting 0 support for your old model. Then they have 2-5 different revs of the 'same model' and you have no idea if you can even flash it to something that you can at least keep up to date... Much less any sort of support for the thing. The router I bought 2 years ago was supposed to get an IPv6 patch. Never happened, never will. There were a grand total of 2 patches. The second one had a handful of security things. So now I am at the behest of the goodwill of some third party who may or may not update my firmware. Even IF I go to an 'open source' one I am still at the good will of them if my model is even supported at all.

    2. Re:CPE is a nightmare... by tlhIngan · · Score: 1

      >Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.

      >With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004! So almost decade-old code that just never ever ever got upgraded.

      Customers almost never buy CPE. It's usually provided by the provider. As such, it's demanded to be the cheapest crap available because CPE isn't something the provider wants to pay a lot of money on (it eats into subscription revenue).

      So a company is basically forced to build a $20 cablemodem-router (or DSL router) with wireless. The hardware cost is already around $10-15 (you want the router part to at least be able to provide what the provider claims - 250Mbps+ in some stupid configuration), so there's very little money in the software. So it's cheaped out (and yes, they may use ancient Linuxes with smaller memory footprints). And no, there's no money for software support.

      Me personally, I had my provider disable the router/wireless part and put the modem they have into bridge mode (i.e., cablemodem only) which required them to flash a special firmware on it to do just that. Connected it to my router (a much more capable piece of hardware).

      There's a reason you can walk into Best Buy and pick up a $20 router that sells alongside $100, $150, and $200+ routers (and bet that Best Buy is STILL making a profit on the $20 one). And guess which router they're gonna throw into the "free" modem they provide you. Any problems like disconnections and such, sure they'll replace it (and pass your old one to someone who hopefully wouldn't care).

  9. Duh, by Anonymous Coward · · Score: 0

    I have been trying Password1 for a long time to no avail.

  10. When poor design meets poor implementation by SLot · · Score: 1
  11. Ouch by DaMattster · · Score: 1

    Usually the first thing I do is disable that push-button, WPS thing as I don't usually trust "instant" security schemes anyhow. As I was reading the summary, I was thinking big deal, just turn off WPS. As I got near the end of the summary, I'm thinking "ouch," even though you turn it off the backdoor still exists. I would really like to see device manufacturers spend a little more time on security. It seems that security is an afterthought in the effort to bring a device to market and have it turn a profit. I would think that by spending a little more time on security, there would be more savings because it is costly to develop, test, and distribute patches. What if the patches brick a router, then even more money is spent on replacing the customer's hardware under warranty. Why not take the time and build a more secure router and spend a little more money which will be recouped over a longer period of time?

    1. Re:Ouch by Anonymous Coward · · Score: 0

      Because making a decent product does not significantly increase the odds of making a sale, while being late to ship significantly decreases those odds.

    2. Re:Ouch by KlomDark · · Score: 1

      True, but making a decent product very significantly increases the odds of making a second sale.

  12. Re:Obama ate a dog. by mr1911 · · Score: 0

    It was in college and he was drunk.
    She had a good personality.
    He and Michelle were "on a break".

    --
    This post comes with a double-your-money-back guarantee!
    Any offense taken to this post is at your sole discretion.
  13. Anyone else find this hard to parse? by wonkey_monkey · · Score: 1

    *Spins around in a phonebox and becomes... Captain Pedantic!*

    >A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore.

    Not necessary for what? That alone took me a while to figure it.

    >According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone.

    Affected by the flaw you've just mentioned above? The one that isn't necessary?

    >What makes things worse is the fact that in order to exploit the backdoor,

    I still hadn't seen any mention of a second flaw, so on first reading it seemed like the backdoor is the same unnecessary flaw as mentioned above. I finally realised that there's an old flaw and a new flaw - or at least I think what's trying to be said...

    --
    systemd is Roko's Basilisk.
    1. Re:Anyone else find this hard to parse? by formfeed · · Score: 1

      Hey Captain Pedantic!
      You're late to the game, Captain Asshat beat you by 13/15th of an hour.

  14. That's the code the emperor has on his luggage by davydagger · · Score: 1

    1.2.3.4.5? That's the code an IDIOT puts on his luggage!

    *QUICK* someone change the emperor's luggage!

  15. closed wifi ruling by Gamasta · · Score: 1

    A different ruling in Germany holds owners of open wifis accountable for any illegal action undertaken by its users. You're required to keep intruders off with authentication and encryption (unless you're a cafe or so). Now people could use closed wifis for illegal activities and the courts would have to hold the wifi manufacturer accountable.

    --
    reason defies logic
  16. Alternate solution for the owner by damn_registrars · · Score: 1

    If you protect the systems on your network, then the security of your router isn't as critical. Sure, there is a chance someone might use your internet access through your router to do something nefarious when you're gone, but if your own local data is protected your situation isn't nearly as bad.

    --
    Damn_registrars has no butt-hole. Damn_registrars has no use for a butt-hole.
    1. Re:Alternate solution for the owner by Anonymous Coward · · Score: 0

      True, until the cops come knocking at your door. Or you go over your data cap....see it's bad.

    2. Re:Alternate solution for the owner by Anonymous Coward · · Score: 1

      >there is a chance someone might use your internet access through your router to do something nefarious

      This, I think, is the root of the problem. Everyone is held accountable for the traffic emanating from their router. This would make YOU responsible for the actions some hacktivist took from your LAN. YOU are the terrorist in this case.

    3. Re:Alternate solution for the owner by PlusFiveTroll · · Score: 1

      This ignores the point that most people with the type of equipment know nothing about securing their network from inside attacks.

      The router is the number 1 piece of equipment to keep secure. Any unencrypted and unauthenticated traffic can be manipulated by your router, also it's the perfect point to launch a MiTM attack. Once a person is on the WLAN they are free to poke away at any other exploits the router may have till they get a shell on it, very few routers are firewalled on the inside.

      Also, as the ACs have stated, why would you want people possibly sending spam, death threats, child porn from your supposedly secure router?

    4. Re:Alternate solution for the owner by jimbolauski · · Score: 1

      If your router is compromised you are vulnerable to MITM attacks. MD5, the standard encryption method for SSL and HTTPS, has been shown to be broken in a few seconds using an ordinary computer, so faking certs is possible in a few seconds. You are in the clear as long as you don't bank on-line or do anything else where you want your communications encrypted.

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
  17. 12345670 by DarthVain · · Score: 1

    Hey! That's the same password as my luggage!

  18. Re:Obama ate a dog. by Anonymous Coward · · Score: 0

    i found a backdoor in your mom.

    Bet it smelled better than the frontdoor on yours.

  19. Possible good news for Vodafone customers by sbryant · · Score: 1

    If you're a Vodafone/Arcor customer with an Easybox, check the label on the back. If it says Arcadyan, then I'm sorry for you, but if it says Sphairon (a different company) you're in luck. The cases look the same from the outside, but have different hardware and firmware inside, and the Sphairon kit is much better.

    It's possible that this is the case for other ISPs too (eg: Telekom).

    -- Steve