Backdoor Discovered In Netgear and Linkys Routers

An anonymous reader writes "A hacker has found a backdoor in the Linksys WAG200G router, that gives access to the admin panel without authentication. Further research shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others maybe affected as well. From the article: 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'"

not exclusively local

http://www.shodanhq.com/search?q=port%3A32764

Re:not exclusively local

Of course it's spying on you.

Which part of "Made in the USA" did you not understand?

Re:not exclusively local

[Taco+Cowboy]

Which part of "Made in the USA" did you not understand?

Please correct me if I am wrong, isn't Sercomm ( http://www.sercomm.com/ ) a Chinese company ?

Re:not exclusively local

The Linksys WAG200G is not a router.
It's an ADSL modem which also has a built-in wireless AP, router, and integrated 4-port "dumb" switch.

Re:not exclusively local

You're right, but while Askey, Asus, Cameo, Delta Networks, Foxconn, Senao, SerComm et al probaly add their own backdoors as well, the Netgear and Lynksys NSA channels are homegrown.

Re:not exclusively local

[davester666]

The NSA helpfully checks all hardware coming into the country, and makes sure you only get backdoored by an American agency/corporation.

Re:not exclusively local

[Stalks]

What? "This is not a router" --- "it has a built-in router" .... So you mean, it can't possibly be a router if it has other functions? It *IS* a DSL Router, no doubt about it.

Re:not exclusively local

[mrchaotica]

The first half of that would be helpful, actually...

(If it were true, anyway.)

Re:not exclusively local

[RabidReindeer]

You're right, but while Askey, Asus, Cameo, Delta Networks, Foxconn, Senao, SerComm et al probaly add their own backdoors as well, the Netgear and Lynksys NSA channels are homegrown.

Isn't it wonderful? Two major powers both mucking around in the same router for clandestine purposes.

OpenBSD

[grub]

Thank goodness for OpenBSD and a bit of elbow grease.

Re:OpenBSD

[grub]

As a gateway/router/wifi point, OpenBSD is excellent. My comment is very relevant to the story.
For example, my own setup has OpenBSD acting as a router/NAT/etc. box. For guests there is a wifi network it broadcasts and routes only to the world. Also has a VLAN for DMZ, outside accessible services, etc.
It's not name dropping if it's true.

Re:OpenBSD

[mikael]

But if you want to use your mobile phone with your own wifi router, you still have to give the phone the user password, which then ends up being backed up on some server elsewhere, if it isn't snaffled by some Google wi-fi surveillance vehicle.

Re:OpenBSD

[Eravnrekaree]

I have thought of doing an OpenBSD router of some sort. The idea of having a full blown computer as a router does seem to be a bit overkill for me. This brings up an interesting question. Why have we not seen more router devices with all of the hardware a router needs built in, including ethernet ports, but which is designed to make it easy for the user to install their own open source/free OS on of their choice such as *BSD or Linux. Or does such a thing already exist? yes I know some people work oin getting their own OS to run on off the shelf routers, but for many its just more trouble than its worth to try to get an OS to work with router hardware that may not work smoothly with the OS due to lack of driver support.

Re: OpenBSD

Buffalo routers : run dd-wrt, a linux distro for routers.

Re:OpenBSD

[the_B0fh]

Like others, the only box between my fios connection and my network is my openbsd box. If you don't know how, well, time to learn, little grasshopper.

Re:OpenBSD

[the_B0fh]

so? buy your own small box and install openbsd. any x-86/alpha/sparc will do. People still run it on pentium-2 class machines or smaller.

Basically the cheapest you can find is good enough, for home use as a router/firewall/etc.

Re:OpenBSD

[grub]

If you do set up an OpenBSD box as a small router remember that is is still a full computer. You can install squid as a proxy, install a mail gateway, your own DNS, etc. There's no need to leave it there simply shuffling packets if you don't want to.

As a bonus you can work in another unix and get some skill there.

Re: OpenBSD

Yeah, because DD-WRT sucks balls in comparison to OpenWRT, which is actually Free/Libre!

Re:OpenBSD

[Nemyst]

Few people actually have the time or means to setup a dedicated computer as a router, so while yes, your comment is somewhat related, it is not particularly relevant to anyone who'd actually be in the market for a Netgear/Linksys router.

Re:OpenBSD

[dbIII]

The idea of having a full blown computer as a router does seem to be a bit overkill for me.

Welcome to the 21st century. They are all full blown computers now. They all have the grunt to run a BSD, ulinux or something of similar scale.

Re:OpenBSD

[epyT-R]

and 'busy' people are often the ones throwing away their money because they choose not to attempt anything that might have even the slightest learning curve and/or time commitment to it..

There's no free lunch, but that doesn't mean the negatives always outweigh the positives when choosing the less-traveled path.

Re: OpenBSD

[TooTechy]

Small comment.

I have a Netgear router with Tomato running on it with over 730 days of uptime!

Re:OpenBSD

[Silvrmane]

Apple have stated recently that they have done no such thing. Where is your proof?

Re:OpenBSD

[LoRdTAW]

Though FreeBSD based, and easy to set up, m0n0wall ftw. Running on an Alix board it hasn't been rebooted since I bought the router hardware five years ago. Though it has been unplugged for wire "maintenance" a few times and the blackout from hurricane Sandy. Other than those few planned and unplanned power downs, its simple, easy to use and Rock solid.

I have also ran its protégé, pfSense at work where it proved to be very reliable and had a boatload of features compared to m0n0wall.

Re: OpenBSD

[binarybum]

probably the linksys hardware. As the parent mentioned the solution is a good Buffalo Router. I have run dd wrt on my buffalo for over a year at a clip and still going strong about 9 years out now.

Re:OpenBSD

[genik76]

From a security stand-point it is not a good practice - if any of those non-essential services are compromised, so is the router.

Re: OpenBSD

[meerling]

I ran DD-WRT on my router for many years, and though I didn't track the uptime, the reboots were not often. I left it running for many months, and sometimes over a year. Unfortunately, it eventually died and I had to replace it. I went from a router that supported 802.11 b to 802.11n.
(802.11ac had come out when I replaced it, but I didn't have enough money for one of those.)

I'm not dissing OpenWRT, I just haven't tried it yet.

Re:OpenBSD

[queBurro]

FYI - those things you listed are all available as packages for dd-wrt/openwrt/tomato routers. e.g. I've got mediatomb running on my router,which servers some tunes etc on a stick plugged in to its side. I figured it was cheaper than having a PC on all the time as a media server.

Re:OpenBSD

[DarkOx]

Any of the plug computers. http://www.globalscaletechnologies.com/

Re: OpenBSD

[zeigerpuppy]

Tomato is awesome. Open-WRT is also excellent. Check compatability on their sites before buying any router.

Re:OpenBSD

[mrchaotica]

Every tech company works with the NSA. I don't need proof, because it's the only safe assumption to make. If any tech company isn't happy about that, the onus is on them to prove that they don't.

Re:OpenBSD

[grub]

Sure but the storage is pretty slow, it would defeat the purpose of running squid unless conserving bandwidth was your only goal.

Re:OpenBSD

[unixisc]

How do you install OpenBSD or pFsense on any such device?

Re:OpenBSD

[Fnord666]

Every tech company works with the NSA. I don't need proof, because it's the only safe assumption to make. If any tech company isn't happy about that, the onus is on them to prove that they don't.

And since you can't prove a negative, your self sustaining paranoia will remain steadfastly intact. Might want to loosen your tin foil hat a bit. It's cutting off circulation to one or more organs.

Re:OpenBSD

[Fjandr]

Only for the most rigorous standards is the lack of ability to 100% "prove a negative" relevant. Most things have a much lower bar, and the lack of any corroborating evidence of a relationship is actually pretty easy to provide with decent transparency.

Given the revelations of Snowden, claims of paranoia just don't have the same impact they once did.

Re:OpenBSD

[Fjandr]

Only for rigorous science is that actually very important. Lack of any evidence corroborating a relationship (when you have reason to believe you have examined all modes in which such a relationship could take place) is indeed very good cause to believe no relationship exists between two entities.

malware = local

[SethJohnson]

Attacking the router from inside the network is only a matter of infecting a computer inside the network.

Then the compromised computer is used to modify the DNS settings.

Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.

Re:malware = local

[nmpro]

yep.. not good.. :)

Re:malware = local

[Qzukk]

is only a matter of infecting a computer inside the network.

Not even that. If dicking around with the port caused a hard reset of the router, who knows what would happen if you got someone to click on this link. (or set it as an img tag for automatic fun)

Re:malware = local

[hawguy]

is only a matter of infecting a computer inside the network.

Not even that. If dicking around with the port caused a hard reset of the router, who knows what would happen if you got someone to click on this link. (or set it as an img tag for automatic fun)

I think that's a bad link. Every time I click on it, I can't reach the internet for a few minutes.

Re:malware = local

[hawguy]

Attacking the router from inside the network is only a matter of infecting a computer inside the network.

Then the compromised computer is used to modify the DNS settings.

Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.

If you can already infect inside computers, do you really need to hack the router?

Re: malware = local

[chromeronin799]

Not usually much av software on a router.

Re:malware = local

[toygeek]

This is exactly what happened with Apple a couple of years ago. The DNS Changer virus

http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml

It infected OSX machines and logged in the users router using the biggest "back door": admin/password. Then it changed to some DNS servers in Russia, and any device on the network was getting redirected to death to all sorts of sites.

Yes, this is a big back door, but no bigger than the admin/password admin/admin default credentials that 99% of people never changed. Thankfully, these days the routers come with better defaults.

Re:malware = local

[SethJohnson]

If you can already infect inside computers, do you really need to hack the router?

The first computer is compromised via email spam, spearfishing, drive-by browser vulnerability, etc. That computer is the beachhead for the attack on the router.

The router is then used to compromise all the other computers on the network. DNS is the easiest way. When the other users attempt to access URL's for Microsoft Outlook webmail, bank accounts, etc. the router misdirects them to fake websites that capture their login credentials or attempt drive-by browser exploits, etc.

Re:malware = local

[war4peace]

...only if you set your router to be 192.168.1.1 - which I carefully avoided.
But I got your point nevertheless :)

Re:malware = local

[PlusFiveTroll]

Yes. Most of the time you may not get root on the infected device. Or the device will be some limited piece of crap. With an attack like this it is a stepping stone to get every device on the network under your control. Many computers will firewall themselves off from other devices on the network, yet allow some communications with the router. Also, most home routers provide DNS to the client computers.

Re:malware = local

[fnj]

I don't use the DHCP and DNS proxy services on the router. Beats me why anybody would. I run them on a BeagleBone which has so far shown five nines reliability, much more power and flexibility, and no vulnerabilities. The cost is about $50 up front and under 3 watts of AC power.

Re:malware = local

[fuzzyfuzzyfungus]

If you can already infect inside computers, do you really need to hack the router?

Two major upsides: hitting the router is a handy way to turn an exploit of a single machine into a position for eavesdropping and/or DNS attacking every device on the network. Odds are good that the one you exploited directly isn't the only one, and the others may be harder targets from the outside. Plus, the router is a handy 'bastion' for re-infection and persistence in case the luckless user finally ditches or wipes his worm farm of a system. Unless you screw it up, badly, most people are barely aware that routers contain software at all, so odds are excellent that they won't be getting rid of you in the near future...

Re:malware = local

[reikae]

NoScript helps with this, it gives an ABE (application boundary enforcement) error.

ABE and some other features such as clickjacking protection also work if you've set it to allow scripts globally; this is how I've configured it on my parents' computer. It helps that my mother understands hardly any English, so I told her to close the browser if any foreign language messages popped up. No problems so far... *knocks on wood* :-)

Re:malware = local

[drinkypoo]

I don't use the DHCP and DNS proxy services on the router. Beats me why anybody would. I run them on a BeagleBone which has so far shown five nines reliability, much more power and flexibility, and no vulnerabilities. The cost is about $50 up front and under 3 watts of AC power.

You know, for $30 (or less!) you could get a pogoplug series 4 and run debian on it. And it has USB3. That's the complete package with case and power supply. You could use an earlier pogo, but the newer ones have SD slots.

Personally, I use the DNS on my router, which is a Linksys WRT54G of some sort. But it's running Tomato. Any nerd worth their salt is doing the same or similar, if not building an appliance from scratch. There's just no cheaper way, though, than to use a WAP you got at a yard sale. I've yet to pay more than $10 for a wireless router and I've got three 54Gs and some other assorted points. And these days I can check the supported platforms before even purchasing.

Re:malware = local

[AmiMoJo]

A few years back there was a virus doing the rounds that modified the DNS settings on vulnerable routers to make all machines on the network using dhcp connect to them. The machines were the bombarded with adverts, malware and phishing sites. No anti: virus software could remove it because the machines themselves were not infected. Even phones and tablets on WiFi were vulnerable.

Users tended to complain that their connections were slow because the servers were overloaded.

Re:malware = local

[SethJohnson]

I wish more people were as forward-thinking as you.

Damn those Linkys routers

[ShaunC]

Oh wait, if anyone edited this shit instead of piling more images and whatever else Dice's marketing team deems "awesome and revolutionary to leverage for Slashdot," this might be a reputable god-damned tech news site anymore.

Typo in subject

[Somebody+Is+Using+My]

(insert expected comment about how Slashdot editors... don't).
It is LinkSys, not Linkys.

Although "Linky" seems almost appropriate, considering that's what routers do!

great. typo in the title.

[richlv]

"Linkys". because details are for samzenpussies.
this is getting annoying enough.

Return to vendor

Get a refund. This shit must cost them or it will never stop.

Re:Return to vendor

[hawguy]

Get a refund. This shit must cost them or it will never stop.

On what grounds? They'll just say "It's a bug, we're working on a patch". Has anyone ever been able to get a refund because of a software bug?

Re:Return to vendor

[gnasher719]

On what grounds? They'll just say "It's a bug, we're working on a patch". Has anyone ever been able to get a refund because of a software bug?

Excuse me, but accepting commands and executing scripts received on an unusual port is not a bug. That is code that is there 100% intentional. In the UK, I'd call it defective; it would be pretty obvious that it was defective as sold, so you can return it to the shop where you bought it for a reasonable time (maybe 2 years).

Re:Return to vendor

[hawguy]

On what grounds? They'll just say "It's a bug, we're working on a patch". Has anyone ever been able to get a refund because of a software bug?

Excuse me, but accepting commands and executing scripts received on an unusual port is not a bug. That is code that is there 100% intentional. In the UK, I'd call it defective; it would be pretty obvious that it was defective as sold, so you can return it to the shop where you bought it for a reasonable time (maybe 2 years).

You're excused.

Unless it's a published interface that they meant to be exploited that way, it can still be classified as a bug.

bug:

A software bug is an error, flaw, failure, or fault in a computer program or system that causes it to produce an incorrect or unexpected result, or to behave in unintended ways. Most bugs arise from mistakes and errors made by people in either a program's source code or its design, or in frameworks and operating systems used by such programs

Re: Return to vendor

Enough with the sophistry. A backdoor is not a bug. It is intentional, not accidental. If you have to call it by a computerish name, call it malware. It does after all cause unwanted and malicious behavior. A device with a backdoor is defective by design and abuses the customer's trust in a way that can not be remedied by a patch.

Re: Return to vendor

[hawguy]

Enough with the sophistry. A backdoor is not a bug. It is intentional, not accidental. If you have to call it by a computerish name, call it malware. It does after all cause unwanted and malicious behavior. A device with a backdoor is defective by design and abuses the customer's trust in a way that can not be remedied by a patch.

You can call it anything you like, but if you expect to return it and get a refund, you're going to have to come up with a better reason than "The software does something it's not supposed to, I want a refund". As long as the software/hardware does reasonably what it's supposed to, the manufacturer is unlikely to grant a refund, especially a year or more after purchase. If a security vulnerability (even a big gaping one) was sufficient to get a refund, no one would pay for any software, they'd just use it for a year or two, find a security vulnerability, then return it for a refund then buy the next version, and repeat.

I agree, it's a backdoor, but I disagree that there is any reasonable hope that the manufacturer will refund your money because there's a vulnerability in their code.

Re:Return to vendor

[Cwix]

The free dictionary:
http://www.thefreedictionary.com/back+door

Noun 2. back door - an undocumented way to get access to a computer system or the data it containsback door - an undocumented way to get access to a computer system or the data it contains
backdoor
access code, access - a code (a series of characters or digits) that must be entered in some way (typed or dialed or spoken) to get the use of something (a telephone line or a computer or a local area network etc.)

Oxford:
http://www.oxforddictionaries.com/us/definition/american_english/back-door

noun
        the door or entrance at the back of a building.
        a feature or defect of a computer system that allows surreptitious unauthorized access to data.

So obviously it does not matter if it was a "published interface" or even if it was on purpose. It still qualifies as a backdoor. Frankly it does not sound like an accident either so I wouldn't even classify it as a bug. I certainly dont think it is unintended, a mistake, or an error. That means it does not fit your definition.

Note: Bold was added by me, and I did search other online dictionaries, most did not have definition that was technical in nature. Most referred to Back-door deals. Ones I checked were Miriam-Websters, Cambridge, and Oxford. If anyone does find a better definition I welcome being corrected.

Re:Return to vendor

[hawguy]

The free dictionary:
http://www.thefreedictionary.com/back+door

...

Oxford:
http://www.oxforddictionaries.com/us/definition/american_english/back-door

So obviously it does not matter if it was a "published interface" or even if it was on purpose. It still qualifies as a backdoor. Frankly it does not sound like an accident either so I wouldn't even classify it as a bug. I certainly dont think it is unintended, a mistake, or an error. That means it does not fit your definition.

Note: Bold was added by me, and I did search other online dictionaries, most did not have definition that was technical in nature. Most referred to Back-door deals. Ones I checked were Miriam-Websters, Cambridge, and Oxford. If anyone does find a better definition I welcome being corrected.

You don't understand, I'm not saying that it's not a back door, nor that it's not a big glaring security whole, I'd even agree with someone that said it's irresponsible.

But there's no reason why it can't be all of those things *and* still be called a bug -- they are not mutually exclusive.

It could have even been coded that way intentionally to integrate with other software or for diagnostics or whatever and it would *still* be a bug if the functionality can be exploited for other means.

Re:Return to vendor

[davecb]

In most legal systems derived from the English Common Law, this is selling something "not suitable for the purpose sold", and is part of the definition of fraud. Consult a lawyer for local details.

Re:Return to vendor

[sjames]

And if/when they create such a patch and apply it the product will no longer be defective. But today, it IS defective.

Telling the buyer to duck tape it is not the same as not being defective.

Re: Return to vendor

[fnj]

Small claims court. Learn it, live it, love it. This shit fails the merchantability and fitness implied warranty.

Use the crumbs the legal system does afford the poor fumb duck consumer before shrugging and excusing evil and incompetence on the part of capitalist ripoff artists.

Re: Return to vendor

[mrchaotica]

You can call it anything you like, but if you expect to return it and get a refund, you're going to have to come up with a better reason than "The software does something it's not supposed to, I want a refund".

"The software is maliciously designed to attack me." How about that?

(Actually, a refund shouldn't even be sufficient. The appropriate response is more along the lines of criminal prosecution!)

Re:Return to vendor

[ArsenneLupin]

Excuse me, but accepting commands and executing scripts received on an unusual port is not a bug.

Conceivably (plausible deniability...) it could be debugging or test code accidentally left in...

So much for competition

[bob_super]

"Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"

It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves.
I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...

Re:So much for competition

[Gothmolly]

That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.

Re:So much for competition

[jones_supa]

Cisco Systems' dominance in the enterprise gear should also be discussed more often.

Re:So much for competition

[besalope]

"Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"

It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves. I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...

Sorta like these conglomerates? Just to name a few :)

• ConAgra
• Kraft
• Nestle
• Proctor&Gamble
• Diageo

Re:So much for competition

[n1c0]

These devices are 'old', end of life, no longer supported and most non tech users won't ever know. And the non tech enduser will (once again) see personal or financial information compromised, or will participate in yet another botnet. It's public now, but nobody knows how much this has been exploited as zero day. Replace router/firmware with 'car' and we would see class action lawsuits as never before. I think that more strict regulation is needed or legislative work that hold companies accountable for issues as these, it's just too easy, make crap, write shitty software, sell it, don't look back.

Re:So much for competition

[jafac]

Oh. There's a problem with your market? Sounds like the job for The Invisible Hand! Invisible Hand will fix it!

Re:So much for competition

[jafac]

That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.

. . . . like Corporate Charters, for instance.

Re:So much for competition

[bill_mcgonigle]

. . . . like Corporate Charters, for instance.

Most Americans don't realize that the country got by on its first hundred years with no permanent corporations. JD Rockefeller found the right price.

Re:So much for competition

[bill_mcgonigle]

Oh. There's a problem with your market? Sounds like the job for The Invisible Hand! Invisible Hand will fix it!

Sorry, the Invisible Hand is unavailable for comment. It's been bound, gagged (handcuffed?), indefinitely detained and sent to Gitmo for questioning by the State.

Re:So much for competition

[Gordo_1]

Don't forget:

http://www.mondelezinternational.com/brand-family

Re:So much for competition

[DarkOx]

the non tech enduser will (once again) see personal or financial information compromised, or will participate in yet another botnet. It's public now, but nobody knows how much this has been exploited as zero day. Replace router/firmware with 'car' and we would see class action lawsuits as never before.

If it were a car there would be a manufacturer recall. If the problem was discovered in the first decade, after that people would be expected to take care of it on their own.

Device makers should be better behaved to do recalls for stuff like this, maybe they should be forced to, I don't know.

These non tech enduers need to stop getting a free pass too though. "herp derp, gee I didn't know I needed to check for patches and updates, set a non-default password, and have some kind of port filtering" just can't fly these days. Honestly end users like that need to be held responsible for the harm their machines cause.

If I didn't maintain my car and it rolled breaks failed causing it roll into a busy street I'd be liable for the damage it causes. Yes the people creating the botnets and worms are the real criminals and need to punished, but regular users have at least some civil responsibility for negligent and reckless operation. \

Re:So much for competition

[drinkypoo]

Most Americans don't realize that the country got by on its first hundred years with no permanent corporations. JD Rockefeller found the right price.

Jingoism is a terrible thing. If I tell people that corporations should not exist unless they serve the public good, they often call me a communist. But that's precisely what corporations originally had to do, at least in theory, in order to be granted incorporation.

Re:So much for competition

[fatphil]

So, what's the difference between Mondolez and Kraft?

Re:So much for competition

[fatphil]

Answering my own question, as it was only 2 clicky-clickies away

http://www.mondelezinternational.com/about-us/our-corporate-timelines
2011 - On August 4, Kraft Foods announces it intents to â€oesplit†and create two independent, publically traded companies.
2012 - On October 1 the split becomes effective, creating two separate companies: MondelÄ"z International, Inc., the global snacks company, and Kraft Foods Group, Inc., the North American grocery products company.

However, I notice that further back:

1989 - Effective in March, Philip Morris Companies Inc. combines Kraft, Inc. and General Foods Corporation (which Philip Morris acquired in 1985) to form Kraft General Foods, Inc. (KGF), the largest food company in the United States and Canada, and the second largest in the world.
2003 - Philip Morris Companies Inc., parent company of Kraft Foods Inc., changes its name to Altria Group, Inc.

So I guess the two are siblings now, but both have Philip lied-under-oath-in-court-and-destroyed-evidence-that-would-incriminate-them Morris, under its new sounds-like-altruism-because-we're-really-nice name, as a parent.

Re:So much for competition

[Impy+the+Impiuos+Imp]

I think you mean politicians and government working as politicians intend. Most businesspeople would be happy stripping Congress of the power to hand out rent seeking laws.

"There should be separation of economics and state, just as with church and state, and for exactly the same reason."

Re:DSL?

[hawguy]

Who has that anymore?

People that don't want to give any money to a cable company and want to give as little money as possible to the AT&T monopoly, and would rather have their money go to a friendly CLEC. I gave up my 50mbit Comcast cable internet connection for a 14mbit DSL connection because several times a week, packet loss would go through the roof and throughput would slow to a crawl on the Comcast connection, while the DSL provider has been rock solid.

similar problem in 2004

I did a web search for "linksys router backdoor" and this story was one of the top results:
http://news.techworld.com/security/1682/critical-flaws-in-linksys-and-netgear-kit/

"...a hard-wired user account with a known password. Any user with access to a LAN with an affected WG602 device connected to it would be able to gain full administrator access to the device..."

Huawei at least have a password...

[vik]

You can telnet into most Huawei/Vodafone DSL modems with admin/{VF-}[Countrycode]hg[ModelId] through the ethernet port...

This wasn't the NSA!

[CajunArson]

Their backdoors are implemented at much higher quality level.

Re:This wasn't the NSA!

[AHuxley]

It could depend on where the tech ended up. Ex staff, former staff, ex contractors, former contractors could have created their own 'lite' deniable offering for sale to state and federal law enforcement?
Why just log from an isp/telco level when you can get much closer?

Is this really a vulnerability or a feature?

[DigitAl56K]

There is a supported feature on Netgear routers where so long as you're on the internal network you can send a magic packet (using a utility called TelnetEnable) to open up the telnet port, then you can telnet in and issue commands as the super user. All TelnetEnable needs is the IP address of the router, it's MAC address, and a widely known default username and password - all things anyone connected to the network can get easily.

It seems like this guy stumbled upon a similar feature.

Yes, this stuff should be better protected, but it's not necessarily a vulnerability. For example, you can log into your router this way and use iptables to add some custom firewall rules that the web admin interface doesn't support. The main hole here is A) Most people don't know it's even there, and B) The default username/password is the same for every router by default. You do need to be on the LAN side to send the magic packet in the first place.

Re:Is this really a vulnerability or a feature?

[DigitAl56K]

To add to the above, I see the WNDR3700 is specifically reported as not being vulnerable to the open port he found on some of the older models. I know for a fact (because I owned one), that the WNDR3700 is one of the models that requires the magic packet to open the telnet port, further leading me to believe he found a poorly documented (but not unknown) feature that should have been much more visible and better protected by default, rather than something more akin to a backdoor (after all, you have to be on the LAN side to use it).

Re:Is this really a vulnerability or a feature?

[hawguy]

There is a supported feature on Netgear routers where so long as you're on the internal network you can send a magic packet (using a utility called TelnetEnable) to open up the telnet port, then you can telnet in and issue commands as the super user. All TelnetEnable needs is the IP address of the router, it's MAC address, and a widely known default username and password - all things anyone connected to the network can get easily.

It seems like this guy stumbled upon a similar feature.

Yes, this stuff should be better protected, but it's not necessarily a vulnerability. For example, you can log into your router this way and use iptables to add some custom firewall rules that the web admin interface doesn't support. The main hole here is A) Most people don't know it's even there, and B) The default username/password is the same for every router by default. You do need to be on the LAN side to send the magic packet in the first place.

Why is a method to log into the router without any password not classified as a "vulnerability"? If I let my roommate's sketchy friend plug his laptop into the ethernet network because I don't trust him with the Wifi password, I wouldn't expect him to be able to telnet into to my wifi router without a password.

Re:Is this really a vulnerability or a feature?

[the_B0fh]

Oh wow. Your inside network doesn't touch the outside network? You don't visit websites? You do not run javascript on your browsers? You personally scan each piece of javascript to make sure it cannot get your IP address (yes it can), your gateway (yes it can) and send packets to your gateway (yes it can)?

Seriously, if you don't know what you're talking about, lurk and learn.

And default username/passwords means that malicious javascript can be very very simple indeed.

Your kind of thinking is why we have so much insecurity on the Internet. Please update and upgrade your skills.

Re:Is this really a vulnerability or a feature?

[hawguy]

This method is for helping non techies. Tell non techie: following this 4 steps to fix your router: telnet , name, password etc etc. It is always the same to make tech support easier.

I understand why having no password or the same password for everyone is easier for tech support - this is the same reasoning that led Wifi router manufacturers to have the routerr default to an open network with no encryption -- much fewer support calls from people that don't know their WEP or WPA key.

But that doesn't mean that it's not a security vulnerability.

Re:Is this really a vulnerability or a feature?

[DigitAl56K]

Of course there is a risk there, that's probably why in newer models they require a magic packet in the first place. Can JavaScript in a browser construct such a magic packet? As far as I know it can only create TCP connections.

I didn't say Netgear secured this thing well, did I? I was merely pointing out that this was likely not an NSA backdoor, and had already been "improved" in newer models.

At least I felt like I contributed to the discussion. You, on the other hand, were just being a dick.

Re:Is this really a vulnerability or a feature?

[DigitAl56K]

Right, because all the computers on the LAN are completely invulnerable.

If you have a system inside your LAN able to construct whatever network communications it wants to any internal device it might as well be running metasploit at that point and don't think a dinky old consumer grade WiFi router will be protecting you then.

Re:Is this really a vulnerability or a feature?

[the_B0fh]

You understand that most of the botnets out there are the result of someone clicking on a link and visiting a site that had malicious code embedded in it (ActiveX/JavaScript)?

While JavaScript might not natively be able to send a hand crafted magic packet, it can *take over your system* - which then allows it to download and install rootkits and other stuff - one of which can doing the magic packet tickling.

You said:

Yes, this stuff should be better protected, but it's not necessarily a vulnerability.

*AND YOU ARE VERY VERY WRONG* I want to say this in the nicest way I can - if you are propagating wrong information, you should be stopped. If you think you are correct, you need to be corrected. If you think this is being a dick, I apologize, but you are still wrong, and you are still spreading bad information. Learn and improve your knowledge. Think things through.

Think about it - the programmers who should know better thought the same as you. And as a result, now millions of routers are vulnerable, and open to being exploited. Every week, we see tons of news about basic infrastructure being insecure. Because no one said "that's a fucking stupid idea, don't do it" because saying that means they're being a dick.

Re:Is this really a vulnerability or a feature?

[deconfliction]

If you have a system inside your LAN able to construct whatever network communications it wants to any internal device it might as well be running metasploit at that point and don't think a dinky old consumer grade WiFi router will be protecting you then.

When your sketchy friend/coworker/apartment-maintenance-guy[1] is visiting the home, the computers you are most worried about may not be powered on or present (your primary laptop). The infiltrator running metasploit would then not be able to get very far unless metasploit owned the wifi router (or other device). But one would hope that if many 'dinky old consumer grade wifi routers' were vulnerable to metasploit, we'd be hearing more about it in the news. Presuming the consumer grade routers are at least able to protect themselves against metasploit, then it still matters having an unprotected admin port on your router exposed to the internal network.

[1] about 10 years ago I was able to use motion.sf.net to catch my refrigerator repairman snooping through my bedroom office. Local police told me that since the bedroom door was open, *no law had been violated*!!! Closed but unlocked, and I could have filed trespassing charges. Open an inch, no law broken. Whatever...

Re:Is this really a vulnerability or a feature?

[AHuxley]

Hi dec, re snooping through my bedroom office
http://the.honoluluadvertiser.com/article/2004/Feb/05/ln/ln01a.html
"FBI asks computer shops to help fight cybercrime"
"Each member of the computer crime squad is given a list of local businesses, Laanui said, with the idea of establishing a working relationship with all of them."
The snooping aspect may cover many local people who have the ability to 'walk' around a wide selection of suburban homes and commercial areas at "random" and report back.

Re:Is this really a vulnerability or a feature?

[PlusFiveTroll]

That's a retarded way to think.

Lets imagine a LAN for a moment, where they hosts cannot talk to each other (host isolation), but they can talk to the router, then to the internet at large.

The router provides them DHCP and DNS.

You are host $B running secureXos.

Host $C running insecureBrowser has a cross site forgery attack that changes DNS on the router via an exploit.

A few days later host $B renews their DHCP lease and gets new DNS.

Host $B visits 'slashdot.org' only it's a imitation site designed to capture your login information or cookies transmitted over non-ssl channels.

You've just lost your login credentials with no compromise of your operating system. Only bad security practices on part of the website you were (and are) visiting. Many SSL sites can be compromised this way because they don't enforce Strict Transport Security settings.

Re:Is this really a vulnerability or a feature?

[mrchaotica]

Everything designed to "make it easier for non-techies" ought to require pressing a button on the router.

Re:great news

[AHuxley]

Where, how and who would this help?
You would need to get between then 'house' and the exchange or telco http://en.wikipedia.org/wiki/Digital_loop_carrier
With this method you would be free of any skilled unique ethernet packet logging after the 'modem' in the home network.
The main win for this would be the speed offered locally. While your real packets are still finding that best effort or dedicated loop out of your state, country the "wiretap" has won the networking race.
A cheap version of MINERALIZE and RADON. http://cryptome.org/2014/01/nsa-codenames.htm

Re:And this is why

[PairOfBlanks]

Uh oh. You may find yourself throwing out more than just that. This was slashdotted not long ago. Just search for "BIOS".

And Dell PowerEdges

[Mister+Liberty]

With or without Dell. My bet is on the former.

this is a simple start

[onepoint]

While it's not a very big issue, it's a start... and all good things start with simple steps
given it's been going on for a while, now the ball is rolling and the public is learning ...

it's up to someone smarter than me to figure out how to get these little back doors
more into the public eye.

Backdoor requires local network access?

[the_B0fh]

You mean like how any web page with javascript? It's not that difficult to get $ethX and get the gateway, which will probably be the router. Ooops, it's now fully available to the attacker on the outside world.

Hmmm

[koan]

There an interesting video the other day http://boingboing.net/2013/12/31/jacob-appelbaums-must-watch.html I believe he mentions the NSA and hacking wireless routers, perhaps they created it.
additional several router models are susceptible to a hack so easy it's ridiculous, namely adding a certain user agent string to your browser lets you in.

I personally don't use wireless at home any longer,

RVS4000, too

[dltaylor]

So much for "business class" routers/firewalls, and it wasn't on the list.

I've got a couple of old computers around. Time, again, to build my own. Another plus is that local DHCP addrersses will show up in DNS.

Re:DSL?

[dwater]

Also, even with fibre to the curb/cabinet, which I've had in both Finland and the UK, both involve DSL modems for the final copper link. In Finland, it was an off-the-shelf VDSL2 device, but in the UK I use BT, and I didn't pay enough attention.
Also, the older ADSL modems are widely used in China still - though I think Metropolitan Area Networks are becoming more popular undoubtedly involving local fibre connections (I had a symmetric 10BaseT connection in my flat when I lived here ~10 years ago and it only cost 99rmb/month).

Re:haha

[kelemvor4]

I still have an external USRobotics Courrier HST Dual Standard. It has the daughterboard upgrade and the 56k flash. Got it on the "SysOp" deal so they attached a metal "not for resale" plate on the top.

Turn in your nerd card with that zoom crap. Next you'll be posting photos of zyxel gear.

wrt54gL is made for diy

[raymorris]

> Or does such a thing already exist?

The wrt54gL (L for Linux) is an example of such a device. The early versions of wrt54g were popular with people using openWRT and such of course. Recognizing this, the company released a version specifically for nerds.

I'd love to see some other, more up-to-date options. I have some projects that would fit nicely in several MBs of RAM, without necessarily needing all the ports. A Raspberry Pi would work, but a beefed up WRT would be better.

Re:wrt54gL is made for diy

[aaarrrgggh]

Big fan of the asus RT-65U. The third party firmware gives you great control via GUI, or full shell access.

That said, I don't know what to make of the trust matrix.

Re:wrt54gL is made for diy

[Rufty]

There's currently quite a bit of fun hackery going on with TPlink WR703n routers. See these: OpenWRT, LibraryBox, expansion hub, 3D printable case, external antenna md (PDF) or pre-modded for extra ram+flash. I'm currently trying to get HSMM-MESH going on one.

Re:haha

[Khyber]

Real SysOps used roboboards, not your crappy USRevive-its.

Turn YOUR nerd card in with that single-user crap.

Re:haha

[Cramer]

I win! Original Hayes Smartmodem 300. (bulletproof aluminum case and all) [still functional, as far as I know]

Re:haha

[epyT-R]

Zoom modems were terrible..

The most expensive "cheap" you can get!

Dear lord, I hate it when neckbeards such as yourself talk about how a full PC running OpenBSD or Linux is somehow the "cheap" option compared to a goddamn $40 home router. You make the entire IT profession seem like a bunch of blithering idiots.

Most civilized people don't have Alphas, SPARCs or even old PCs lying around. They'll end up paying more than $40 to acquire such a system, too.

Since most people have several devices on their home network these days, including wireless devices, they'll again need to buy several cabled network cards and at least one wireless network card. You're looking at $100 or more, depending on the type and number of network cards you need to buy.

Then they'll have to waste time setting up this system. If they don't already have experience with installing and configuring OpenBSD and Linux, they'll waste even more time. Good luck getting the wireless network card working! That can be a real battle under Linux, and absolute hell under OpenBSD, even for experienced sysadmins. Anyone with a real job paying a real salary or billing rate will be out hundreds of dollars.

If they manage to get this far, probably spending several hundred dollars getting the equipment in the first place, and then potentially spending at least a day (but likely far more) setting it up, then they'll have to actually start using it. This involves leaving a full computer running 24/7, likely consuming a large amount of power (especially if it's the outdated workstation or PCs that you're advocating). Electricity is quite expensive in many areas.

Way to go, neckbeard. Your "cheap" option only costs $600 or more, just to do the same job that a $40 home router can do. And that's ignoring the ongoing cost of running the system, which depending on local electricity rates can cost a few hundred dollars more per year. The $40 home router will consume a comparatively insignificant amount of electricity, likely costing less than $10 a year even in areas with extremely high electricity prices.

It's so hard to take you seriously when you advocate spending 10 or 20 times as much on some custom Linux or OpenBSD router than it'd cost to buy a cheap home router.

power makes that expensive

[dutchwhizzman]

Any old/small PC will use way more electricity than the small embedded box you are replacing. Even if you get the PC for free, you'd have spent more on extra electricity in a year than you would have paid for a new device that was ready to run and has no back doors.

Re:power makes that expensive

[hairyfeet]

Not if you shop around as you can get an Intel Atom or an AMD Bobcat and both of those average single digits what it comes to watts. As a nice bonus not only do they make good routers but they make great file servers, WAPs, DNS servers, you can do a lot with one of these.

Re:power makes that expensive

[arth1]

My PIII-S from 2001 still runs well, and with low enough wattage (30W under high load, but normally far less) to not need a CPU fan.

Re:power makes that expensive

[grub]

I picked up a pair of cheap Asus EEE boxes. Not quite beefy enough to run a modern version of Windows (indeed that is how I got them), but for OpenBSD paired in failover and purposed as my original post said? Remarkable! Only 32 bit Atoms inside but more than enough ooomph for their purposes. They are also dirt cheap to operate as far as electricity goes (though that isn't much of an issue here our electricity is only 7.183 kw/h)

Re:power makes that expensive

[hairyfeet]

UHHH...You DO know that is still 3-5 times more than an Atom or Bobcat, yes? Or that the amount of useful work per watt is several orders of magnitude higher with the Atom and Bobcat, yes? And that most of the parts that go with that P3 are gonna be horribly inefficient because power usage was just not a concern, right?

I mean if you just hate to throw that old P3 in the dumpster and want to repurpose it, sure I can see that, but you are gonna be wasting more juice over the long run than if you just grabbed one of those $69 Bobcats and stuck it in the same case. And that isn't even taking into account the fact that both the Atom and the Bobcat are dual cores so can do twice as much work per watt and if you were to benchmark that P3 the amount of useful work you are getting when its balls out at 30w would be less than what you get from the Bobcat or Atom at 6w.

Sorry friend but the old stuff? Just wasn't real good when it came to power. you are just lucky its a P3, if it would have been a P4 the only thing it would have been good for is a space heater.

Re:power makes that expensive

[arth1]

UHHH...You DO know that is still 3-5 times more than an Atom or Bobcat, yes?

The maximum wattage, sure. But the wattage that my PIII-S server actually uses, as measured by a kill-a-watt, is lower than what my router does.

and if you were to benchmark that P3 the amount of useful work you are getting when its balls out at 30w would be less than what you get from the Bobcat or Atom at 6w

But it doesn't run balls out.
16:06:21 up 326 days, 4:07, 1 user, load average: 0.00, 0.00, 0.00

That's handling DNS, SMTP, POP3, DHCP, DHCP6 and a few other services.

Re:power makes that expensive

[hairyfeet]

And how many people are gonna actually HAVE a Pentium 3 rig lying about? Not many, hell I run a little PC shop and I don't have a single P3 left thanks to bad caps and shitty PSUs over the years taking 'em out.

Look IF you happen to have a P3 lying about and IF its not a power piggie parts wise and IF its not in danger of blowing a cap any day now? Congrats, you are in a teeny tiny minority when it comes to computing, whereas my way? Anybody with $120 to spare can have a nice low power server, less if they have any parts lying around. Heck you can grab one of those $69 Bobcat boards along with a PCI to IDE adapter and voila! You can turn any old P4 office box into a nice low power dual core. I have done this to quite a few older P4s in office buildings and with a 2Gb RAM stick, 4Gb if they are willing to go 64bit you are looking at MAYBE $100 worth of parts.

Now any way you slice it you just can't beat that, not for a dual core that takes less than 18w under full load AND does 1080P AND has hardware acceleration for Flash and most codecs, that is frankly a steal.

Any device that's not updated

[dutchwhizzman]

These back doors may exist in new devices, but any older device is likely to have a back door. If the vendor updates the devices at all, they usually stop doing that shortly after they stop sales of the device. Your perfectly fine WiFi router or DSL box will most likely have vulnerabilities on it that make it just as insecure as these new devices.

I actively check my DSL router and I know my ISP and several security minded customers do the same. Any WiFi router in my home runs a modified Linux distribution like Tomato, openWRT or DD-WRT that is actively maintained. While it's bad that A-brand companies evidently don't do this this the stuff they buy from other vendors, most devices in the field are just as vulnerable as these boxes are, simply because they don't get updates.

Burning vendors for selling insecure devices is good practice to get this problem solved. Burning them for not being responsible for their sale and updating or liberating the devices they sold should be just as normal as burning them for new equipment. You can't expect people to buy a new device every year simply because the vendor refuses responsibility once it's left their factory.

Oh please...

[myowntrueself]

"The product does something by design which I, the purchaser, was not made sufficiently aware of at time of purchase. Had I known that this product was designed to operate in this way I would not have purchased it. The vendor made no effort to advise purchasers of this functionality, which adversely affects users of the product."

Re:And this is why

[fuzzyfuzzyfungus]

I thought that 'RAGEMASTER' was a particularly elegant, if unnerving little toy... Totally passive, delivers the tempest attack from hell when illuminated by a remote RF source. They had some similar mechanisms for tapping keyboards as well. Time to break out the Tinfoil Compute Enclosure, I suppose.

Re:The most expensive "cheap" you can get!

[the_B0fh]

I never said cheapest. If you are interested in setting up a home network, securely. For less than $200, you can have a soekris box (http://soekris.com/products/net4501-1.html) and you're good to go. If you need extra ports, you can always get a switch.

Also, there is a cost to learning, and that is time and effort. If you are not willing to take the time and spend the effort to do things securely and you come to slashdot bitching about it, perhaps you do deserve to get pwned.

Re:The most expensive "cheap" you can get!

[mrchaotica]

So now you've gone from advocating "pentium-2 class machines or smaller" to a $200 486?!

I'm sure an OpenBSD router is great and all, but there's got to be a cheaper way to do it. At least suggest some little $50 ARM computer or a mini-ITX PC with a low-wattage CPU or something!

Re:The most expensive "cheap" you can get!

[the_B0fh]

Sure. Why not.

LinkSys (Cisco) sucks Microsoft balls

[subnomine]

Backdoors and more... I recently purchased a LinkSys and could not access the web interface unless a Windows machine was present on my network. I verified this my starting a Windows VM on the linux host where I was running my web browser. With the Windows VM running, my web browser (linux) could access the LinkSys. Without the Windows VM running, my web browser (linux) could NOT access the LinkSys. Once I got DD-WRT installed, problem fixed.

Re:LinkSys (Cisco) sucks Microsoft balls

[decsnake]

Serious question - which open firmware is the best choice for current router hardware? years ago, I put DD-WRT on my WRT54g (v2.0) and it worked great, but there's been a lot of forking since then and its not clear at all to me which firmware is the best choice for modern open friendly hardware like the boxes from ASUS.

Re:LinkSys (Cisco) sucks Microsoft balls

[subnomine]

I was hoping someone else would respond to you since it has been a year since I tried OS's other than DD-WRT. I have stayed with DD-WRT since it has the features I need and is reliable enough. I have had to do a 30/30/30 reset more than once while trying to setup a couple different routers (older and newer LinkSys's). The settings will appear correct but something will not work the first time. I don't know which forks have improved that aspect of reliability. Up-time isn't perfect, but good.

Re:Who uses stock firmware anymore?

[unixisc]

Step 1 - how?

Re:haha

[Megane]

USR's problem was 3Com. And it's too bad your Telebit can't find any other whales to sing to.

Real Estate

[DarthVain]

"Well I would move, but that would wreak my uptime..."

Easier...

[Luthair]

Seems like it would have been easier to grab an ethernet cord and plug into the router rather than do a port scan and reverse engineer the firmware....

Re:The most expensive "cheap" you can get!

[nightsweat]

Lighten up Francis. A lot of the people reading this have old computers kicking around that are too slow to do what they want on their main box. Just repurpose one of these and the cost to you is functionally ZERO.

Re:The most expensive "cheap" you can get!

[dpidcoe]

Since most people have several devices on their home network these days, including wireless devices, they'll again need to buy several cabled network cards and at least one wireless network card. You're looking at $100 or more, depending on the type and number of network cards you need to buy.

er, if it's functioning as a router, they just need one interface per network, not one per device as you seem to be implying. Though since most home routers bundle a router and switch (and sometimes modem) into a single package, the confusion is understandable. If additional ports are needed (e.g. for multiple wired devices), then a standard desktop switch can be used to provide them.

pogoplug $16

[Anomalyst]

http://www.rakuten.com/prod/pogoplug-mobile-wireless-backup-access-share-your-pc-mac-tablet/223435914.html?listingId=206407980

Re:pogoplug $16

[drinkypoo]

That's not the good one. That one has half the RAM and USB2 instead of USB3. It's adequate for many purposes, though. I have one here running asterisk on wheezy.

Re:DSL?

[dpidcoe]

Who has that anymore?

People that don't want to give any money to a cable company and want to give as little money as possible to the AT&T monopoly, and would rather have their money go to a friendly CLEC. I gave up my 50mbit Comcast cable internet connection for a 14mbit DSL connection because several times a week, packet loss would go through the roof and throughput would slow to a crawl on the Comcast connection, while the DSL provider has been rock solid.

Yeah, there's no way I'd give any money to the local cable companies in my area. I have 6mbps DSL through a CLEC and it's great. Unlike what I've seen on my friends cable connection, there's no traffic shaping or blocking of common ports. Last time I read the contract it basically said I could do whatever I want with the connection as far as running servers is concerned, this in contrast to the cable company (and also AT'Ts high speed option) that explicitly disallows things such as hosting web or gameservers, and will play whack-a-mole with your ports if they notice.

The backdoor was in the first S

[Optali]

"Backdoor Discovered In Netgear and Linkys Routers"

Obviously the backdoor was in the missing S

Re:haha

[Obijon70]

I loved that modem - I had the internal version for my IIe. And it could keep up with my typing!! Now I'll have to dig around and see if it still works...