Backdoor Found In Arcadyan-based Wi-Fi Routers
Mojo66 writes "A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan-based routers anymore. According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. (Google translation, original here.) What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected."
Duff link to the translation.
Editors? Firehose? What, precisely, is the point of having them?
Sounds like the combination to some idiot's lunch box.
Using base 8 is actually pretty sophisticated.
Sheesh, evil *and* a jerk. -- Jade
Are hardware and software companies going to be taken down by lawsuits over failed security?
Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.
But when the companies leave the door completely unlocked, that is akin to negligence which should not be covered by a EULA. I have never read a EULA (nearly impossible to read by the way) that said "We are not responsible for making it trivial to hack our devices, you are."
I tried to read a Microsoft EULA one time and before I was 25% through, they disconnected me because I "timed out", having failed to read what was easily over 50 pages in about 10 minutes or so.
Sick.
A recently reported flaw... isn't necessary... anymore.
Hmmm... I would have thought all flaws are unnecessary by definition.
God, it would be nice if editors did their damned jobs instead of rubber-stamping every gush of malformed junk that makes its way into the hose.
Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.
With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004! So almost decade-old code that just never ever ever got upgraded.
Test your net with Netalyzr
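As an added example (not Netalyzr's code and not part of any comment above), here is one way an administrator could use the UPnP identification mentioned in the last comment to check whether a home router is one of the models the story names as affected. The sample device description, its field values and the function names are constructed assumptions; real devices may report their model differently.

```python
import re
import xml.etree.ElementTree as ET

# Models named in the story summary as affected.
AFFECTED_MODELS = ("W921V", "W504V", "W723V")
UPNP_NS = {"d": "urn:schemas-upnp-org:device-1-0"}

# Constructed sample of a UPnP root device description; the field values
# are assumptions, not captured from a real router.
SAMPLE_DESCRIPTION = """<?xml version="1.0"?>
<root xmlns="urn:schemas-upnp-org:device-1-0">
  <device>
    <deviceType>urn:schemas-upnp-org:device:InternetGatewayDevice:1</deviceType>
    <friendlyName>Speedport W 921V</friendlyName>
    <manufacturer>Arcadyan</manufacturer>
    <modelName>Speedport W921V</modelName>
    <modelNumber>1.0</modelNumber>
  </device>
</root>"""


def identify_cpe(description_xml):
    """Return the identity fields from a UPnP device description."""
    # The document comes from an untrusted device: refuse DTDs so that
    # entity-expansion tricks never reach the parser.
    if "<!DOCTYPE" in description_xml or "<!ENTITY" in description_xml:
        raise ValueError("DTD/entity declarations not allowed")
    device = ET.fromstring(description_xml).find("d:device", UPNP_NS)
    if device is None:
        raise ValueError("no <device> element in description")
    fields = ("friendlyName", "manufacturer", "modelName", "modelNumber")
    return {f: (device.findtext("d:" + f, default="", namespaces=UPNP_NS)
                or "").strip() for f in fields}


def affected_model(info):
    """Return the affected model token found in the identity, or None."""
    for field in ("friendlyName", "modelName"):
        # Normalise "Speedport W 921V" or "speedport-w921v" to one token.
        token = re.sub(r"[^A-Z0-9]", "", info[field].upper())
        for model in AFFECTED_MODELS:
            if model in token:
                return model
    return None


if __name__ == "__main__":
    cpe = identify_cpe(SAMPLE_DESCRIPTION)
    print(cpe["manufacturer"], cpe["modelName"], "->", affected_model(cpe))
```

A match only says the model is on the story's list; per the summary, the only known remedy for those models is to disable Wi-Fi altogether.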