Intentional Backdoor In Consumer Routers Found
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..."
Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
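The summary's key detail is that the knock which re-enables the hidden service is a raw Ethernet frame, not an IP packet, so it is invisible to an IP-level firewall but visible to anyone watching the LAN. The following is an added example (not from the post or from Synacktiv's report) of the simple detection a defender can run over captured frames: parse the Ethernet II header, step over an 802.1Q tag, and flag any frame whose EtherType is not one the LAN is expected to carry. The actual EtherType used by the knock is not stated on the page; the flagged sample frames below use experimental EtherTypes and are constructed data.

```python
"""Flag LAN frames that are neither IP nor ARP (added example, not the report's code)."""
import struct
from typing import Dict, List

# EtherTypes a home LAN legitimately carries (assumption: tune to your LAN).
EXPECTED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
VLAN_TAG = 0x8100


def parse_frame(frame: bytes) -> Dict:
    """Return dst/src MAC and EtherType of a raw Ethernet II frame,
    stepping over a single 802.1Q VLAN tag if one is present."""
    if len(frame) < 14:
        raise ValueError("truncated frame")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    offset = 14
    if etype == VLAN_TAG:
        if len(frame) < 18:
            raise ValueError("truncated VLAN frame")
        etype = struct.unpack("!H", frame[16:18])[0]
        offset = 18
    return {"dst": dst.hex(":"), "src": src.hex(":"),
            "ethertype": etype, "payload_len": len(frame) - offset}


def suspicious_frames(frames: List[bytes]) -> List[Dict]:
    """Frames with an unexpected EtherType; broadcast ones are marked,
    since the article notes an ISP could re-open every router at once."""
    hits = []
    for f in frames:
        info = parse_frame(f)
        if info["ethertype"] in EXPECTED_ETHERTYPES:
            continue
        info["broadcast"] = info["dst"] == "ff:ff:ff:ff:ff:ff"
        hits.append(info)
    return hits


def _frame(dst: str, src: str, etype: int, payload: bytes, vlan=None) -> bytes:
    """Build a constructed sample frame (hex MACs, optional VLAN id)."""
    hdr = bytes.fromhex(dst) + bytes.fromhex(src)
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TAG, vlan)
    return hdr + struct.pack("!H", etype) + payload


# Constructed sample traffic: two ordinary frames, two unknown-type frames
# (0x88B5 / 0x88B6 are IEEE local-experimental EtherTypes, not the real knock).
SAMPLE = [
    _frame("aabbccddeeff", "112233445566", 0x0800, b"\x45" + b"\x00" * 19),
    _frame("ffffffffffff", "112233445566", 0x0806, b"\x00" * 28),
    _frame("ffffffffffff", "0a0b0c0d0e0f", 0x88B5, b"knock-sample", vlan=10),
    _frame("aabbccddeeff", "0a0b0c0d0e0f", 0x88B6, b"knock-sample"),
]

if __name__ == "__main__":
    for hit in suspicious_frames(SAMPLE):
        print(hit)
```

On a real network the same function is fed frames from a span port or a pcap; a broadcast frame with an unknown EtherType arriving from the WAN-side interface is the pattern the article describes.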
...NSA?
Should be installing DD-WRT
how is this not illegal? who has an advantage from this backdoor?
Oh, and you should really trust all the encryption protocols since Reagan.
(under breath ... suckers ...)
-- Tigger warning: This post may contain tiggers! --
if you were in the system that let this occur -> YOU BELONG IN JAIL
...US tech firms blame Snowden for failing confidence in the safety of using US tech companies: The 'Snowden Effect' Is Crushing US Tech Firms In China
Pot, meet Kettle.
. . . the spooks used to have to break into your home to plant bugging devices.
Now, you bring the bugging devices home as consumer appliances, and install them yourself for the spooks.
This saves them a lot of effort. Cost effective.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I say tomato..
Just load OpenWRT or some other open source firmware, problem solved.
What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.
NEVER buy hardware without an open source port at least in progress.. You have been warned!
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet.
Well, somebody paid good money for that backdoor. If Sercomm closed it, they'd have to issue a refund.
I'm not surprised that there is a backdoor ('Hey guys! Should we add a remote management feature that will automagically Just Work with ISPs 'setup disks' and/or remote troubleshooting systems even if the clueless user has forgotten their password, or would that be too scary?' is not a difficult question, especially given how many of these things are sold to ISPs in bulk and not to end users, especially the lousy combined router/modem devices), I am a trifle surprised that it's so slapped-together looking.
It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.
That's what surprises me about seeing a comparatively dodgy-looking; but vendor/OEM provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'bydesign, wontfix' bucket. There are also malicious backdoors; but if this is one the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.
Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?
In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.
He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.
The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.
BEGIN COPIED TEXT:
Backdoor LISTENING ON THE INTERNET confirmed in :
Linksys WAG120N (@p_w999) ;) (issue 49)
Netgear DG834B V5.01.14 (@domainzero)
Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
Netgear WPNT834 (issue 79)
OpenWAG200 maybe a little bit TOO open
Backdoor confirmed in:
Cisco RVS4000 fwv 2.0.3.2 (issue 57)
Cisco WAP4410N (issue 11)
Cisco WRVS4400N
Cisco WRVS4400N (issue 36)
Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
Linksys WAG120N (issue 58)
Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
Linksys WAG200G
Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Linksys WAG54G2 (@_xistence)
Linksys WAG54GS (@henkka7)
Linksys WRT350N v2 fw 2.00.19 (issue 39)
Linksys WRT300N fw 2.00.17 (issue 34)
Netgear DG834[…, GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
Netgear DGN1000[B] N150 (issue 3)
Netgear DGN2000B (issue 26)
Netgear DGN3500 (issue 13)
Netgear DGND3300 (issue 56)
Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
Netgear DM111Pv2 (@eguaj)
Netgear JNR3210 (issue 37)
Backdoor may be present in:
all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
END COPIED TEXT
Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Netgear DG934 probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Z
What about the CPUs themselves ?
Backdoors in software, while scary, can be worked around by using software you trust or write yourself.
But what about backdoors in CPUs which only trigger, for example, as a result of a specific data sequence ?
Is there any evidence that anyone has been stupid enough to implement such hardware back doors in general purpose CPUs ?
sercomm is based in taiwan. i think chinese intelligence is a more likely culprit.
As linked in TFA: Have a link to a list of devices (Not necessarily complete).
And stay off. All your banking is an open book to any and all.
Every thing about you.
Wouldn't it be a simple "Fix" to set up port forwarding to redirect traffic directed to port 32768 to a "dead" address. Then the port would already be allocated, and when the "Knock" arrives, the port is already in use, and data goes nowhere.
A lot of people using SSL, including me, don't deploy it in the router so heartbleed is not such a big issue for DDWRT.
I predict we will see more of that. Congratulations to the finder! Maybe we should start to offer "public safety" bounties to people that find these acts of sabotage.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
No, it just means that if you have one of these devices, then you are fucked.
If you go to Sercomm's web page you'll see they are headquartered in China.
I've got all you guys beat; I'm too inexperienced as a user to understand what the heck you're talking about. I just merrily read articles of interest that appeal to me. Nothing weird happens and I don't have to subscribe to a newspaper to get edjumicated about what's going on in the world!
You know, I don't sit around worrying about my laptop camera watching me, or the NSA sifting through my data or Google monitoring my keystrokes. I guess many people worry about those things either because they are simply paranoid, or they know they are doing something wrong. The router is an obvious point of gathering data from multiple sources that connect through it. I have no doubt that agencies like the NSA work very hard to tap into such a vast resource for data.
It's difficult though for me to worry about this when tomorrow it will be just old news and some other potential privacy avenue will be found. If you truly do not find the internet or the hardware that is used to access it safe and private, then you'd better pull the plug now.
If I were to venture a guess, things like turning off and on LEDs remotely sound like something that one would want to do when manufacturing as part of a functional tester. That doesn't mean that the way they are doing it is good, but I bet it is so that they can just plug in a router and connect up to their functional tester to test the system to ensure things are working correctly, such as the LEDs. Seems like if they want a feature like this to support manufacturing that it should be something that is only accessible on one *internal* (non-ISP facing) Ethernet port and only within a certain amount of time since bootup.
The 2wire/pace (3600,3800,etc) all have TCP port 3479 open to the internet. This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says it's for "updates and trouble shooting".
http://forums.att.com/t5/forum...
I wonder what great backdoors are in these gateways?
I have to return some videotapes...
What Snowden did was turn a suspicion into knowledge. That is a big deal. (Hal Berghel pointed this out first).
I wonder if it would be possible to sue a company that put a backdoor in an IT product. Like if a hacker used it on you, could you sue the company responsible for it being there, like for financial damages it caused you?
IANAL, but it seems to me product liability laws would apply.
n/t
is this a pron site?
yes. tech porn.
i'll be in my bunk.
I don't care how hard are you are to find, someone will find you.
It is crap like this, and the abysmally unreliable hardware most consumer routers seem to be based on, that has convinced me not to buy consumer routers any more. Been using an old PC (running a copy of Ubuntu Server booted from a CF card) as my router for several years now.
Yeah, I know the power consumption of an old PC sucks compared to a consumer router. But after going through 3 routers in something like 5 years I was sick of dealing with that crap. The PC-based router is way more stable and reliable.
And for the Chinese gov. who almost certainly knew about it.
I prefer the "u" in honour as it seems to be missing these days.
Right now, most of all the western electronics come from China. As such, it makes it trivial for the Chinese gov. to do whatever they like.
It is long past time for these western companies to bring back production.
At the same time, they need to OSS the firmware so that others will feel comfortable with buying these, knowing that they can get true secured systems.
For enterprises, such a vulnerability could be catastrophic and would require immediate remediation regardless of budget considerations. Or more accurately, many enterprises would be forced to choose between preserving their network security and preserving their operating capital. The cost to commerce for this could be devastating if this exploit is not confined to consumer-grade equipment.
TFA only mentions consumer grade routers. Please let that be the extent of this . . .
Why does everything need to be free? Providers need to eat and pay staff too.
DynDNS is $40/2y. Yearly, that's less than the cost of a movie and popcorn. For the type of person that uses the service, that doesn't seem like a major financial burden.
Much of the world is connected by DSL, good luck getting a modern ADSL 2+ compliant Router, with say gigabit ports and 11N or better wifi fully supported in OpenWRT.
If not, I am sure you can find an under employed lawyer to sue somebody for something... maybe even if it is NOT in the EULA.
This issue is a bit more complicated than you think.
If you presume that a backdoor like this is intentional, and is there for some nefarious purpose like the NSA or something, they can just move it to the chips themselves. The code that runs on on the CPU is only one small part of what goes on in there. It would be very easy to have code baked in to a chip with a backdoor that couldn't be removed or altered by the OS, because it is lower level.
So don't assume an OSS firmware gets you out of trouble.
I don't see Apple in that list. However, that doesn't mean it's certainly not impacted. Does anyone have any guess about this?
Make sure everyone's vote counts: Verified Voting
It's hardware, local manual operation, and it resets the router to its default configuration, including default admin password.
"How Does Heartbleed Alter the 'Open Source Is Safer' Discussion?"
It is fixed already before we even hear about this announcement. This is why I prefer closed source: I hear about vulnerabilities and they are fixed quickly.
My ISP gave me a new gateway about two years ago. It's made by ZyXEL. The literature for this unit states "Remote provision and management through TR-069", and even my friend lists it like this. "It defines an application layer protocol for remote management of end-user devices. As a bidirectional SOAP/HTTP-based protocol, it provides the communication between customer-premises equipment (CPE) and Auto Configuration Servers (ACS)". So they can poke into the unit any time they like, get a log listing of the last 200 places (via IP address) you visited, and change any setting at any time. This guy makes it sound like it's something clandestine they are adding, but in reality, it's something they are putting in as a matter of public policy.
i'm afraid this wouldn't help, since the firmware of the chip is not replaced by the tomato, which is saved as a firmware of the whole router rather than a small chip.
this is a paradox, no matter how open you build your hardware, you still need to buy some closed chips from third company
because when the knock arrives, the first who is in charge is hardware, afterwards firmware, and then goes user setup
And thanks Obama! :|
Tell me, what motivating factors could grandma have for wanting to update the firmware in her router?
I hate printers.
a second router... My ISP provides the cable modem/router and I hang my own router/wi-fi hub off that...
Donald 'Duck' Dunn: We had a band powerful enough to turn goat piss into gasoline.
If it truly bothers me, I can buy a compatible cable or DSL modem
I bought my own cable modem after TWC increased the monthly charge for the modem lease and I realized that if I bought my own it would pay for itself in only a year.
The configuration page for the modem has two buttons. One resets the modem. The other disables a DHCP feature which is only in effect when the modem isn't connected to the cable company's network, as the only reason for the feature is to allow you to view the modem's status pages. (Normally the device behind the modem gets its address via DHCP, and so without a cable connection, you wouldn't get an address and so you'd be unable to access the status pages.) There's literally nothing else the modem does that is under my control. I can't even update the firmware -- any firmware updates have to come over the cable network.
Apparently this is what the DOCSIS standards require. I may own the device, but the cable company determines how it operates, since they own the network.
The only good side of this is that it really doesn't matter as long as your modem isn't also your firewall. Even if your ISP couldn't spy on you by hacking your modem, they could still spy on you from the next hop towards the internet which is also under their control. It only becomes interesting if they can hack a device with access to your LAN, which is the case if your modem is also your router, which is a strong argument for why it shouldn't be.
The really shocking thing about this story is that the backdoor was (and still is) so unprotected. You expect that your ISP can snoop on your internet traffic, but when anyone anywhere on the internet can, that's a serious vulnerability. From the sound of it, the fix apparently closes the backdoor only until it is explicitly opened by the ISP, at which point it is once again available to anyone anywhere on the internet. How can people be this incompetent?
The next time a kiddie-porn person gets arrested for having illegal images, I imagine all he'll have to say is that somebody used this back door to use his wi-fi router to download the bad files, despite his encryption.
Get-out-of-jail-free card.
Anyone know what this is exactly? I can't shut it off, or block it (it's not mentioned whatsoever in the UI). I discovered it with netcat. /usr/sbin/potval, google doesn't turn up anything useful. It might be something originally from openwrt or so, but I couldn't find anything on the OpenWRT site which documents this thing. ... ... /tmp/pot_value /usr/bin/killall potd 2> /dev/null /dev/mtd/5 /usr/sbin/potd
I dug around a bit and found the corresponding daemon:
Some Strings:
strings potval
The POT-(Get/Set) Demo is Running
Can't bind the POT socket
error socket