Slashdot Mirror
Backdoor Discovered In Netgear and Linkys Routers
An anonymous reader writes "A hacker has found a backdoor in the Linksys WAG200G router, that gives access to the admin panel without authentication. Further research shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others maybe affected as well. From the article: 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'"
http://www.shodanhq.com/search?q=port%3A32764
Attacking the router from inside the network is only a matter of infecting a computer inside the network.
Then the compromised computer is used to modify the DNS settings.
Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.
$5 / month hosted VPS on linux = awesome!
"Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"
It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves.
I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...
As a gateway/router/wifi point, OpenBSD is excellent. My comment is very relevant to the story.
For example, my own setup has OpenBSD acting as a router/NAT/etc. box. For guests there is a wifi network it broadcasts and routes only to the world. Also has a VLAN for DMZ, outside accessible services, etc.
It's not name dropping if it's true.
Trolling is a art,
Small comment.
I have a Netgear router with Tomato running on it with over 730 days of uptime!
Dear lord, I hate it when neckbeards such as yourself talk about how a full PC running OpenBSD or Linux is somehow the "cheap" option compared to a goddamn $40 home router. You make the entire IT profession seem like a bunch of blithering idiots.
Most civilized people don't have Alphas, SPARCs or even old PCs lying around. They'll end up paying more than $40 to acquire such a system, too.
Since most people have several devices on their home network these days, including wireless devices, they'll again need to buy several cabled network cards and at least one wireless network card. You're looking at $100 or more, depending on the type and number of network cards you need to buy.
Then they'll have to waste time setting up this system. If they don't already have experience with installing and configuring OpenBSD and Linux, they'll waste even more time. Good luck getting the wireless network card working! That can be a real battle under Linux, and absolute hell under OpenBSD, even for experienced sysadmins. Anyone with a real job paying a real salary or billing rate will be out hundreds of dollars.
If they manage to get this far, probably spending several hundred dollars getting the equipment in the first place, and then potentially spending at least a day (but likely far more) setting it up, then they'll have to actually start using it. This involves leaving a full computer running 24/7, likely consuming a large amount of power (especially if it's the outdated workstation or PCs that you're advocating). Electricity is quite expensive in many areas.
Way to go, neckbeard. Your "cheap" option only costs $600 or more, just to do the same job that a $40 home router can do. And that's ignoring the ongoing cost of running the system, which depending on local electricity rates can cost a few hundred dollars more per year. The $40 home router will consume a comparatively insignificant amount of electricity, likely costing less than $10 a year even in areas with extremely high electricity prices.
It's so hard to take you seriously when you advocate spending 10 or 20 times as much on some custom Linux or OpenBSD router than it'd cost to buy a cheap home router.