Backdoor Discovered In Netgear and Linkys Routers

An anonymous reader writes "A hacker has found a backdoor in the Linksys WAG200G router, that gives access to the admin panel without authentication. Further research shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others maybe affected as well. From the article: 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'"

not exclusively local

http://www.shodanhq.com/search?q=port%3A32764

Re:not exclusively local

Of course it's spying on you.

Which part of "Made in the USA" did you not understand?

Re:not exclusively local

[davester666]

The NSA helpfully checks all hardware coming into the country, and makes sure you only get backdoored by an American agency/corporation.

OpenBSD

[grub]

Thank goodness for OpenBSD and a bit of elbow grease.

Re:OpenBSD

[grub]

As a gateway/router/wifi point, OpenBSD is excellent. My comment is very relevant to the story.
For example, my own setup has OpenBSD acting as a router/NAT/etc. box. For guests there is a wifi network it broadcasts and routes only to the world. Also has a VLAN for DMZ, outside accessible services, etc.
It's not name dropping if it's true.

Re:OpenBSD

[Eravnrekaree]

I have thought of doing an OpenBSD router of some sort. The idea of having a full blown computer as a router does seem to be a bit overkill for me. This brings up an interesting question. Why have we not seen more router devices with all of the hardware a router needs built in, including ethernet ports, but which is designed to make it easy for the user to install their own open source/free OS on of their choice such as *BSD or Linux. Or does such a thing already exist? yes I know some people work oin getting their own OS to run on off the shelf routers, but for many its just more trouble than its worth to try to get an OS to work with router hardware that may not work smoothly with the OS due to lack of driver support.

Re:OpenBSD

[grub]

If you do set up an OpenBSD box as a small router remember that is is still a full computer. You can install squid as a proxy, install a mail gateway, your own DNS, etc. There's no need to leave it there simply shuffling packets if you don't want to.

As a bonus you can work in another unix and get some skill there.

Re:OpenBSD

[Nemyst]

Few people actually have the time or means to setup a dedicated computer as a router, so while yes, your comment is somewhat related, it is not particularly relevant to anyone who'd actually be in the market for a Netgear/Linksys router.

Re: OpenBSD

[TooTechy]

Small comment.

I have a Netgear router with Tomato running on it with over 730 days of uptime!

Re:OpenBSD

[genik76]

From a security stand-point it is not a good practice - if any of those non-essential services are compromised, so is the router.

Re:OpenBSD

[Fnord666]

Every tech company works with the NSA. I don't need proof, because it's the only safe assumption to make. If any tech company isn't happy about that, the onus is on them to prove that they don't.

And since you can't prove a negative, your self sustaining paranoia will remain steadfastly intact. Might want to loosen your tin foil hat a bit. It's cutting off circulation to one or more organs.

malware = local

[SethJohnson]

Attacking the router from inside the network is only a matter of infecting a computer inside the network.

Then the compromised computer is used to modify the DNS settings.

Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.

Re:malware = local

[Qzukk]

is only a matter of infecting a computer inside the network.

Not even that. If dicking around with the port caused a hard reset of the router, who knows what would happen if you got someone to click on this link. (or set it as an img tag for automatic fun)

Re:malware = local

[hawguy]

is only a matter of infecting a computer inside the network.

Not even that. If dicking around with the port caused a hard reset of the router, who knows what would happen if you got someone to click on this link. (or set it as an img tag for automatic fun)

I think that's a bad link. Every time I click on it, I can't reach the internet for a few minutes.

Re:malware = local

[hawguy]

Attacking the router from inside the network is only a matter of infecting a computer inside the network.

Then the compromised computer is used to modify the DNS settings.

Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.

If you can already infect inside computers, do you really need to hack the router?

Re: malware = local

[chromeronin799]

Not usually much av software on a router.

Re:malware = local

[toygeek]

This is exactly what happened with Apple a couple of years ago. The DNS Changer virus

http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml

It infected OSX machines and logged in the users router using the biggest "back door": admin/password. Then it changed to some DNS servers in Russia, and any device on the network was getting redirected to death to all sorts of sites.

Yes, this is a big back door, but no bigger than the admin/password admin/admin default credentials that 99% of people never changed. Thankfully, these days the routers come with better defaults.

Re:malware = local

[SethJohnson]

If you can already infect inside computers, do you really need to hack the router?

The first computer is compromised via email spam, spearfishing, drive-by browser vulnerability, etc. That computer is the beachhead for the attack on the router.

The router is then used to compromise all the other computers on the network. DNS is the easiest way. When the other users attempt to access URL's for Microsoft Outlook webmail, bank accounts, etc. the router misdirects them to fake websites that capture their login credentials or attempt drive-by browser exploits, etc.

Re:malware = local

[fuzzyfuzzyfungus]

If you can already infect inside computers, do you really need to hack the router?

Two major upsides: hitting the router is a handy way to turn an exploit of a single machine into a position for eavesdropping and/or DNS attacking every device on the network. Odds are good that the one you exploited directly isn't the only one, and the others may be harder targets from the outside. Plus, the router is a handy 'bastion' for re-infection and persistence in case the luckless user finally ditches or wipes his worm farm of a system. Unless you screw it up, badly, most people are barely aware that routers contain software at all, so odds are excellent that they won't be getting rid of you in the near future...

Damn those Linkys routers

[ShaunC]

Oh wait, if anyone edited this shit instead of piling more images and whatever else Dice's marketing team deems "awesome and revolutionary to leverage for Slashdot," this might be a reputable god-damned tech news site anymore.

great. typo in the title.

[richlv]

"Linkys". because details are for samzenpussies.
this is getting annoying enough.

So much for competition

[bob_super]

"Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"

It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves.
I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...

Re:So much for competition

[Gothmolly]

That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.

Re:So much for competition

[n1c0]

These devices are 'old', end of life, no longer supported and most non tech users won't ever know. And the non tech enduser will (once again) see personal or financial information compromised, or will participate in yet another botnet. It's public now, but nobody knows how much this has been exploited as zero day. Replace router/firmware with 'car' and we would see class action lawsuits as never before. I think that more strict regulation is needed or legislative work that hold companies accountable for issues as these, it's just too easy, make crap, write shitty software, sell it, don't look back.

Re:So much for competition

[bill_mcgonigle]

Oh. There's a problem with your market? Sounds like the job for The Invisible Hand! Invisible Hand will fix it!

Sorry, the Invisible Hand is unavailable for comment. It's been bound, gagged (handcuffed?), indefinitely detained and sent to Gitmo for questioning by the State.

Re:So much for competition

[drinkypoo]

Most Americans don't realize that the country got by on its first hundred years with no permanent corporations. JD Rockefeller found the right price.

Jingoism is a terrible thing. If I tell people that corporations should not exist unless they serve the public good, they often call me a communist. But that's precisely what corporations originally had to do, at least in theory, in order to be granted incorporation.

Re:Return to vendor

[hawguy]

Get a refund. This shit must cost them or it will never stop.

On what grounds? They'll just say "It's a bug, we're working on a patch". Has anyone ever been able to get a refund because of a software bug?

Re:DSL?

[hawguy]

Who has that anymore?

People that don't want to give any money to a cable company and want to give as little money as possible to the AT&T monopoly, and would rather have their money go to a friendly CLEC. I gave up my 50mbit Comcast cable internet connection for a 14mbit DSL connection because several times a week, packet loss would go through the roof and throughput would slow to a crawl on the Comcast connection, while the DSL provider has been rock solid.

similar problem in 2004

I did a web search for "linksys router backdoor" and this story was one of the top results:
http://news.techworld.com/security/1682/critical-flaws-in-linksys-and-netgear-kit/

"...a hard-wired user account with a known password. Any user with access to a LAN with an affected WG602 device connected to it would be able to gain full administrator access to the device..."

Re:Return to vendor

[gnasher719]

On what grounds? They'll just say "It's a bug, we're working on a patch". Has anyone ever been able to get a refund because of a software bug?

Excuse me, but accepting commands and executing scripts received on an unusual port is not a bug. That is code that is there 100% intentional. In the UK, I'd call it defective; it would be pretty obvious that it was defective as sold, so you can return it to the shop where you bought it for a reasonable time (maybe 2 years).

Huawei at least have a password...

[vik]

You can telnet into most Huawei/Vodafone DSL modems with admin/{VF-}[Countrycode]hg[ModelId] through the ethernet port...

This wasn't the NSA!

[CajunArson]

Their backdoors are implemented at much higher quality level.

Is this really a vulnerability or a feature?

[DigitAl56K]

There is a supported feature on Netgear routers where so long as you're on the internal network you can send a magic packet (using a utility called TelnetEnable) to open up the telnet port, then you can telnet in and issue commands as the super user. All TelnetEnable needs is the IP address of the router, it's MAC address, and a widely known default username and password - all things anyone connected to the network can get easily.

It seems like this guy stumbled upon a similar feature.

Yes, this stuff should be better protected, but it's not necessarily a vulnerability. For example, you can log into your router this way and use iptables to add some custom firewall rules that the web admin interface doesn't support. The main hole here is A) Most people don't know it's even there, and B) The default username/password is the same for every router by default. You do need to be on the LAN side to send the magic packet in the first place.

Re:Is this really a vulnerability or a feature?

[DigitAl56K]

To add to the above, I see the WNDR3700 is specifically reported as not being vulnerable to the open port he found on some of the older models. I know for a fact (because I owned one), that the WNDR3700 is one of the models that requires the magic packet to open the telnet port, further leading me to believe he found a poorly documented (but not unknown) feature that should have been much more visible and better protected by default, rather than something more akin to a backdoor (after all, you have to be on the LAN side to use it).

Re:Is this really a vulnerability or a feature?

[the_B0fh]

Oh wow. Your inside network doesn't touch the outside network? You don't visit websites? You do not run javascript on your browsers? You personally scan each piece of javascript to make sure it cannot get your IP address (yes it can), your gateway (yes it can) and send packets to your gateway (yes it can)?

Seriously, if you don't know what you're talking about, lurk and learn.

And default username/passwords means that malicious javascript can be very very simple indeed.

Your kind of thinking is why we have so much insecurity on the Internet. Please update and upgrade your skills.

Re:Is this really a vulnerability or a feature?

[the_B0fh]

You understand that most of the botnets out there are the result of someone clicking on a link and visiting a site that had malicious code embedded in it (ActiveX/JavaScript)?

While JavaScript might not natively be able to send a hand crafted magic packet, it can *take over your system* - which then allows it to download and install rootkits and other stuff - one of which can doing the magic packet tickling.

You said:

Yes, this stuff should be better protected, but it's not necessarily a vulnerability.

*AND YOU ARE VERY VERY WRONG* I want to say this in the nicest way I can - if you are propagating wrong information, you should be stopped. If you think you are correct, you need to be corrected. If you think this is being a dick, I apologize, but you are still wrong, and you are still spreading bad information. Learn and improve your knowledge. Think things through.

Think about it - the programmers who should know better thought the same as you. And as a result, now millions of routers are vulnerable, and open to being exploited. Every week, we see tons of news about basic infrastructure being insecure. Because no one said "that's a fucking stupid idea, don't do it" because saying that means they're being a dick.

Hmmm

[koan]

There an interesting video the other day http://boingboing.net/2013/12/31/jacob-appelbaums-must-watch.html I believe he mentions the NSA and hacking wireless routers, perhaps they created it.
additional several router models are susceptible to a hack so easy it's ridiculous, namely adding a certain user agent string to your browser lets you in.

I personally don't use wireless at home any longer,

Re:Return to vendor

[Cwix]

The free dictionary:
http://www.thefreedictionary.com/back+door

Noun 2. back door - an undocumented way to get access to a computer system or the data it containsback door - an undocumented way to get access to a computer system or the data it contains
backdoor
access code, access - a code (a series of characters or digits) that must be entered in some way (typed or dialed or spoken) to get the use of something (a telephone line or a computer or a local area network etc.)

Oxford:
http://www.oxforddictionaries.com/us/definition/american_english/back-door

noun
        the door or entrance at the back of a building.
        a feature or defect of a computer system that allows surreptitious unauthorized access to data.

So obviously it does not matter if it was a "published interface" or even if it was on purpose. It still qualifies as a backdoor. Frankly it does not sound like an accident either so I wouldn't even classify it as a bug. I certainly dont think it is unintended, a mistake, or an error. That means it does not fit your definition.

Note: Bold was added by me, and I did search other online dictionaries, most did not have definition that was technical in nature. Most referred to Back-door deals. Ones I checked were Miriam-Websters, Cambridge, and Oxford. If anyone does find a better definition I welcome being corrected.

wrt54gL is made for diy

[raymorris]

> Or does such a thing already exist?

The wrt54gL (L for Linux) is an example of such a device. The early versions of wrt54g were popular with people using openWRT and such of course. Recognizing this, the company released a version specifically for nerds.

I'd love to see some other, more up-to-date options. I have some projects that would fit nicely in several MBs of RAM, without necessarily needing all the ports. A Raspberry Pi would work, but a beefed up WRT would be better.

The most expensive "cheap" you can get!

Dear lord, I hate it when neckbeards such as yourself talk about how a full PC running OpenBSD or Linux is somehow the "cheap" option compared to a goddamn $40 home router. You make the entire IT profession seem like a bunch of blithering idiots.

Most civilized people don't have Alphas, SPARCs or even old PCs lying around. They'll end up paying more than $40 to acquire such a system, too.

Since most people have several devices on their home network these days, including wireless devices, they'll again need to buy several cabled network cards and at least one wireless network card. You're looking at $100 or more, depending on the type and number of network cards you need to buy.

Then they'll have to waste time setting up this system. If they don't already have experience with installing and configuring OpenBSD and Linux, they'll waste even more time. Good luck getting the wireless network card working! That can be a real battle under Linux, and absolute hell under OpenBSD, even for experienced sysadmins. Anyone with a real job paying a real salary or billing rate will be out hundreds of dollars.

If they manage to get this far, probably spending several hundred dollars getting the equipment in the first place, and then potentially spending at least a day (but likely far more) setting it up, then they'll have to actually start using it. This involves leaving a full computer running 24/7, likely consuming a large amount of power (especially if it's the outdated workstation or PCs that you're advocating). Electricity is quite expensive in many areas.

Way to go, neckbeard. Your "cheap" option only costs $600 or more, just to do the same job that a $40 home router can do. And that's ignoring the ongoing cost of running the system, which depending on local electricity rates can cost a few hundred dollars more per year. The $40 home router will consume a comparatively insignificant amount of electricity, likely costing less than $10 a year even in areas with extremely high electricity prices.

It's so hard to take you seriously when you advocate spending 10 or 20 times as much on some custom Linux or OpenBSD router than it'd cost to buy a cheap home router.

power makes that expensive

[dutchwhizzman]

Any old/small PC will use way more electricity than the small embedded box you are replacing. Even if you get the PC for free, you'd have spent more on extra electricity in a year than you would have paid for a new device that was ready to run and has no back doors.

Re:power makes that expensive

[hairyfeet]

UHHH...You DO know that is still 3-5 times more than an Atom or Bobcat, yes? Or that the amount of useful work per watt is several orders of magnitude higher with the Atom and Bobcat, yes? And that most of the parts that go with that P3 are gonna be horribly inefficient because power usage was just not a concern, right?

I mean if you just hate to throw that old P3 in the dumpster and want to repurpose it, sure I can see that, but you are gonna be wasting more juice over the long run than if you just grabbed one of those $69 Bobcats and stuck it in the same case. And that isn't even taking into account the fact that both the Atom and the Bobcat are dual cores so can do twice as much work per watt and if you were to benchmark that P3 the amount of useful work you are getting when its balls out at 30w would be less than what you get from the Bobcat or Atom at 6w.

Sorry friend but the old stuff? Just wasn't real good when it came to power. you are just lucky its a P3, if it would have been a P4 the only thing it would have been good for is a space heater.

Any device that's not updated

[dutchwhizzman]

These back doors may exist in new devices, but any older device is likely to have a back door. If the vendor updates the devices at all, they usually stop doing that shortly after they stop sales of the device. Your perfectly fine WiFi router or DSL box will most likely have vulnerabilities on it that make it just as insecure as these new devices.

I actively check my DSL router and I know my ISP and several security minded customers do the same. Any WiFi router in my home runs a modified Linux distribution like Tomato, openWRT or DD-WRT that is actively maintained. While it's bad that A-brand companies evidently don't do this this the stuff they buy from other vendors, most devices in the field are just as vulnerable as these boxes are, simply because they don't get updates.

Burning vendors for selling insecure devices is good practice to get this problem solved. Burning them for not being responsible for their sale and updating or liberating the devices they sold should be just as normal as burning them for new equipment. You can't expect people to buy a new device every year simply because the vendor refuses responsibility once it's left their factory.

LinkSys (Cisco) sucks Microsoft balls

[subnomine]

Backdoors and more... I recently purchased a LinkSys and could not access the web interface unless a Windows machine was present on my network. I verified this my starting a Windows VM on the linux host where I was running my web browser. With the Windows VM running, my web browser (linux) could access the LinkSys. Without the Windows VM running, my web browser (linux) could NOT access the LinkSys. Once I got DD-WRT installed, problem fixed.

Real Estate

[DarthVain]

"Well I would move, but that would wreak my uptime..."