Slashdot Mirror


Intentional Backdoor In Consumer Routers Found

New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
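The summary's point is that the "fixed" firmware re-enables the service on receipt of a raw, non-IP Ethernet frame that an upstream party could broadcast. As an added example (not code from the Synacktiv report, Sercomm, or any vendor), the Python below parses frames captured on a router's WAN-facing side and flags anything that is not IP, ARP or PPPoE, calling out broadcast frames in particular; the allow-list, the MAC addresses and the 0x88b5 EtherType are constructed assumptions for the demo (0x88b5 is the IEEE local-experimental type used as a placeholder, not the backdoor's real value).

```python
# Added example: Ethernet-layer audit of a WAN-side capture. Not code from the
# report or any vendor; allow-list, MACs and the 0x88b5 EtherType are assumed.
import struct
from dataclasses import dataclass
from typing import List, Optional

# Assumed allow-list: EtherTypes a residential WAN link legitimately carries.
KNOWN_ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x8863: "PPPoE Discovery",
    0x8864: "PPPoE Session",
}
VLAN_TPID = 0x8100
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class Frame:
    dst: str
    src: str
    ethertype: int
    vlan: Optional[int]
    payload: bytes

def mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)

def parse_frame(raw: bytes) -> Frame:
    """Parse the 14-byte Ethernet II header, stepping over one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan = 14, None
    if etype == VLAN_TPID:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan, offset = tci & 0x0FFF, 18
    return Frame(mac(dst), mac(src), etype, vlan, raw[offset:])

def flag_frame(frame: Frame) -> Optional[str]:
    """Alert on anything outside the allow-list; broadcast gets called out."""
    if frame.ethertype < 0x0600:
        # Below 0x0600 the field is an 802.3 length: a legacy LLC frame.
        return f"802.3 LLC frame (length {frame.ethertype}) from {frame.src}"
    if frame.ethertype in KNOWN_ETHERTYPES:
        return None
    scope = "BROADCAST" if frame.dst == BROADCAST else "unicast"
    return (f"non-IP EtherType 0x{frame.ethertype:04x} ({scope}) from "
            f"{frame.src} to {frame.dst}, {len(frame.payload)} payload bytes")

def audit(raw_frames: List[bytes]) -> List[str]:
    """Run flag_frame over a capture; malformed frames are reported as well."""
    alerts = []
    for raw in raw_frames:
        try:
            alert = flag_frame(parse_frame(raw))
        except ValueError as exc:
            alert = f"malformed frame: {exc}"
        if alert:
            alerts.append(alert)
    return alerts

def _eth(dst: bytes, src: bytes, etype: int, payload: bytes) -> bytes:
    return struct.pack("!6s6sH", dst, src, etype) + payload

# Constructed sample capture (MACs made up): IPv4 unicast, ARP broadcast,
# VLAN-tagged IPv6, and one non-IP broadcast frame standing in for a knock.
UPSTREAM = bytes.fromhex("02aabbccdd01")
ROUTER_WAN = bytes.fromhex("02aabbccdd02")
SAMPLE_FRAMES = [
    _eth(ROUTER_WAN, UPSTREAM, 0x0800, b"\x45" + b"\x00" * 19),
    _eth(b"\xff" * 6, UPSTREAM, 0x0806, b"\x00\x01\x08\x00\x06\x04\x00\x01"),
    _eth(ROUTER_WAN, UPSTREAM, VLAN_TPID,
         struct.pack("!HH", 100, 0x86DD) + b"\x60" + b"\x00" * 7),
    _eth(b"\xff" * 6, UPSTREAM, 0x88B5, b"constructed-knock-payload"),
]
```

Running `audit(SAMPLE_FRAMES)` yields one alert, for the 0x88b5 broadcast; the IPv4, ARP and tagged IPv6 frames pass.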


  1. Your first action after purchasing a router by Anonymous Coward · · Score: 2, Insightful

    Should be installing DD-WRT

    1. Re:Your first action after purchasing a router by ShaunC · · Score: 3, Informative

      It depends on which version of dd-wrt you installed, not necessarily when you installed it. I have a WRT54G that I just flashed r14929 on a few weeks ago, but it's fine, because that build is from 2010 and predates the Heartbleed vulnerability. The vulnerable builds are 19163 to 23882, see here.

      --
      Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
    2. Re:Your first action after purchasing a router by Gaygirlie · · Score: 5, Informative

      yep, then you can just be vulnerable to the NSA heartbleed instead.

      You might want to research things before you go off on a tangent like this. As http://www.dd-wrt.com/site/content/heartbleed-dd-wrtdd-wrt-online-services explains quite well, DD-WRT is only vulnerable if you run any of the following services on it: openvpn, squid, freeradius, asterisk, curl, pound, tor, transmission. None of these are enabled by default and most people don't use these services in the first place. DD-WRT's configuration interface, its own built-in SSH server and the like are not vulnerable.

      The link also quite conveniently mentions the following tidbit: "OpenSSL was updated immediately in the DD-WRT SVN repository. It can take a few days until we can provide updated versions for all routers."

    3. Re:Your first action after purchasing a router by amxcoder · · Score: 2

      This is a good idea, yes, but unfortunately, many makes/models of popular routers are not supported by DD-WRT or Tomato yet. There are some chipsets that they don't have builds for, or at least the last time I checked. (note to self: need to check the list again to see if my router has been added to the compatibility list recently...)

    4. Re:Your first action after purchasing a router by Duggeek · · Score: 2

      This is exactly why shopping for a router isn't as simple as finding the best bang/buck. It's a concerted effort of finding good deals (generally refurb/overstock, avoiding rebates) along with verifying open firmware support. Finding that HW version can be tricky. Just apply Occam's razor to it; there's probably a good reason that gigabit N-600 dual-band router only costs thirty bucks.

      My house runs on DD-WRT (one main router, one dedicated for WiFi, both D-Link) and I've never looked back. I'm on DD-WRT forums at least quarterly to check for important updates, and it just keeps getting better. The conversations may be less-than-friendly, but they do make solid firmware.

      --
      This post © Copyrite Duggeek, all rights reversed.
  2. Meanwhile, in the Media... by bengoerz · · Score: 4, Interesting

    ...US tech firms blame Snowden for failing confidence in the safety of using US tech companies: The 'Snowden Effect' Is Crushing US Tech Firms In China

    Pot, meet Kettle.

    1. Re:Meanwhile, in the Media... by zifnabxar · · Score: 5, Insightful

      It's blaming Snowden in the sense that he was the one who let everyone know what was happening. I don't feel like that article is blaming him ethically for the billions lost. They're laying a fair amount of the blame on the companies' practices and close cooperation with the US government.

  3. This sure makes bugging easier . . . by PolygamousRanchKid+ · · Score: 4, Insightful

    . . . the spooks used to have to break into your home to plant bugging devices.

    Now, you bring the bugging devices home as consumer appliances, and install them yourself for the spooks.

    This saves them a lot of effort. Cost effective.

    --
    Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
    1. Re:This sure makes bugging easier . . . by viperidaenz · · Score: 3, Insightful

      So all I have to do to fool you is install my malware as a service that gets hosted by svchost.exe?
      Or if my purpose was to control the microphone, a driver that hooks into the existing audio driver?

  4. You say tomato? by bobbied · · Score: 4, Insightful

    I say tomato..

    Just load OpenWRT or some other open source firmware, problem solved.

    What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.

    NEVER buy hardware without an open source port at least in progress.. You have been warned!

    --
    "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    1. Re:You say tomato? by networkzombie · · Score: 2, Interesting

      That is all fine and I did purchase my Asus router (third one, among others) with Tomato or DD-WRT in mind, but free DDNS providers drop like flies and Asus' DDNS is free and reliable as long as I am using their firmware. My last DD-WRT lasted many years, but a worry-free DDNS is nice also.

    2. Re:You say tomato? by hobarrera · · Score: 3, Informative

      Freedns has been around for ages, and doesn't seem to be going anywhere. They include DDNS for free as well.

    3. Re:You say tomato? by Anonymous Coward · · Score: 3, Insightful

      Right, because people magically know about _yet undiscovered_ vulnerabilities. Don't pretend to be obtuse.

      Once we knew about Heartbleed (and it was found by two independent teams of researchers), we immediately had a fix, knew what goes into the fix and can administer it by ourselves.

      This one backdoor was accidentally stumbled on after being there for a decade - some vulnerable models from the list are from 2004 - and nobody could fix it but the maker, and nobody could even verify the fix but the maker. Look how nicely it worked out.

      Don't go "But opensource too!..", when this "too" is like fucking heaven and earth when compared with opensource bugs.

    4. Re:You say tomato? by TCM · · Score: 2

      You base the choice about which router and firmware to run on a measly side-feature, that also locks you into the router vendor? What. The. Fuck.

      --
      Of course it runs NetBSD. BTC: 1NT7QvbetmANwaMzhpVL6
    5. Re:You say tomato? by Anonymous+Psychopath · · Score: 2

      Except, of course, open source code also contains horrific security vulnerabilities.

      But you know about those, and can fix them if you want. That's the difference between open and closed source.

      It's not that simple. My point, before it was moderated into oblivion, is that there is no implied additional security just because something is FOSS. I've contributed code to FOSS projects from time to time and I know I am not qualified to audit source for security vulnerabilities. There appears to be an assumption that "someone" is doing this, but the reality is this doesn't happen often. TrueCrypt is an example of where this is being addressed, but how many projects have had an independent code review? Hardly any. So when you say you know about [vulnerabilities]... maybe you do, and maybe you don't. And when you say you can fix them if you want, maybe you can and maybe you can't.

      Look, everyone seemed to assume I was attacking FOSS for some reason. I'm not. I like FOSS, I use it every day, and I contribute to it when I am capable of doing so. The OP's position that simply installing FOSS firmware instead of proprietary firmware somehow magically equates to a secure platform is severely flawed and should be examined critically and objectively.

      --
      Eagles may soar, but weasels don't get sucked into jet engines.

  5. to be expected by Anonymous Coward · · Score: 2, Funny

    Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet.

    Well, somebody paid good money for that backdoor. If Sercomm closed it, they'd have to issue a refund.

  6. What surprises me... by fuzzyfuzzyfungus · · Score: 5, Insightful

    I'm not surprised that there is a backdoor ('Hey guys! Should we add a remote management feature that will automagically Just Work with ISPs 'setup disks' and/or remote troubleshooting systems even if the clueless user has forgotten their password, or would that be too scary?' is not a difficult question, especially given how many of these things are sold to ISPs in bulk and not to end users, especially the lousy combined router/modem devices); I am a trifle surprised that it's so slapped-together looking.

    It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.

    That's what surprises me about seeing a comparatively dodgy-looking, but vendor/OEM-provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'bydesign, wontfix' bucket. There are also malicious backdoors; but if this is one the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.

    Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?

    1. Re:What surprises me... by tolkienfan · · Score: 2

      If it was a feature they'd put it in fine print, and make it more secure. Then they're legally covered. This is not some remote management hack.

  7. Partial vulnerability list by Zitchas · · Score: 5, Informative

    In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.

    He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.

    The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.

    BEGIN COPIED TEXT:

    Backdoor LISTENING ON THE INTERNET confirmed in :

            Linksys WAG120N (@p_w999)
            Netgear DG834B V5.01.14 (@domainzero)
            Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
            Netgear WPNT834 (issue 79)
            OpenWAG200 maybe a little bit TOO open ;) (issue 49)

    Backdoor confirmed in:

            Cisco RVS4000 fwv 2.0.3.2 (issue 57)
            Cisco WAP4410N (issue 11)
            Cisco WRVS4400N
            Cisco WRVS4400N (issue 36)
            Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
            LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
            Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
            Linksys WAG120N (issue 58)
            Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
            Linksys WAG200G
            Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
            Linksys WAG54G2 (@_xistence)
            Linksys WAG54GS (@henkka7)
            Linksys WRT350N v2 fw 2.00.19 (issue 39)
            Linksys WRT300N fw 2.00.17 (issue 34)
            Netgear DG834[∅, GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
            Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
            Netgear DGN1000[B] N150 (issue 3)
            Netgear DGN2000B (issue 26)
            Netgear DGN3500 (issue 13)
            Netgear DGND3300 (issue 56)
            Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
            Netgear DM111Pv2 (@eguaj)
            Netgear JNR3210 (issue 37)

    Backdoor may be present in:

            all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
            Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
            Netgear DG934 probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
            Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)

    END COPIED TEXT

    --
    Z
  8. Re:Lemme guess.... by Anonymous Coward · · Score: 2, Insightful

    Yes, I cannot possibly fathom why anyone would dislike having a backdoor in their router unless they were pirating material from a well-known public tracker. Brilliant deduction.

    Why the fuck would anybody mod this nonsense up? What is wrong with you people?

  9. Re:...er... by Yaur · · Score: 2

    You have to be on the LAN... DOCSIS tends to be pretty picky and I doubt raw Ethernet would be passed (been a while since I looked at the spec though). Sounds like it's part of some kind of firmware upgrade type feature to me.

  10. Re:List of affected devices please.... by Anaerin · · Score: 4, Informative

    As linked in TFA: Have a link to a list of devices (not necessarily complete).

  11. Simple fix by Anaerin · · Score: 3, Interesting

    Wouldn't it be a simple "Fix" to set up port forwarding to redirect traffic directed to port 32768 to a "dead" address? Then the port would already be allocated, and when the "Knock" arrives, the port is already in use, and data goes nowhere.

    1. Re:Simple fix by Anonymous Coward · · Score: 2, Insightful

      and what device is doing the forwarding, and seeing the "knock" ?

  12. Nice. Caught red-handed... by gweihir · · Score: 4, Interesting

    I predict we will see more of that. Congratulations to the finder! Maybe we should start to offer "public safety" bounties to people that find these acts of sabotage.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Re:intentional back-door? by gweihir · · Score: 5, Funny

    No, it just means that if you have one of these devices, then you are fucked.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  14. Re:Lemme guess.... by Anonymous Coward · · Score: 5, Insightful

    The Chinese want their access too, and look what they did with the US solar industry (by hacking and swiping masks, then making panels cheaper than rare earth cost to shutter companies via predatory trade practices.)

    The NSA, I'm not worried about. They don't want me out of a job. China, definitely.

  15. Pace/2wire all listen on 3479/tcp by CrAlt · · Score: 3, Insightful

    The 2wire/pace (3600,3800,etc) all have TCP port 3479 open to the internet. This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says it's for "updates and troubleshooting".
    http://forums.att.com/t5/forum...

    I wonder what great backdoors are in these gateways?

    --
    I have to return some videotapes...
    1. Re:Pace/2wire all listen on 3479/tcp by rsborg · · Score: 2

      The 2wire/pace (3600,3800,etc) all have TCP port 3479 open to the internet. This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says it's for "updates and troubleshooting".
      http://forums.att.com/t5/forum...

      I wonder what great backdoors are in these gateways?

      While I find that's pretty infuriating, I do think that if you're forced to have U-Verse (e.g.: alternatives suck speed wise), then it's probably recommended to have another (non-vulnerable) router between you and the 2-wire and to turn off the wifi radio.

      --
      Make sure everyone's vote counts: Verified Voting
  16. Snowden effect by OFnow · · Score: 3, Informative

    What Snowden did was turn a suspicion into knowledge. That is a big deal. (Hal Berghel pointed this out first).

  17. Re:PLA? by jrumney · · Score: 3, Funny

    Worrying about Chinese intelligence being involved because the product is from Taiwan is like worrying that North Korea is spying on you through Samsung products, or Mossad has added miniature tracking devices to gasoline imported from the Middle East.

  18. How many vulnerable routers are in enterprise use? by mmell · · Score: 2

    The ability of my ISP to hack and slash my router is nominally annoying. If it truly bothers me, I can buy a compatible cable or DSL modem and use my own router (or even buy my own cable/DSL wireless router) and ensure that it is not vulnerable - assuming such a piece of equipment is available on the consumer market. The cost won't break my bank.

    For enterprises, such a vulnerability could be catastrophic and would require immediate remediation regardless of budget considerations. Or more accurately, many enterprises would be forced to choose between preserving their network security and preserving their operating capital. The cost to commerce for this could be devastating if this exploit is not confined to consumer-grade equipment.

    TFA only mentions consumer grade routers. Please let that be the extent of this . . .

  19. Re:...er... by sjames · · Score: 2

    There are coders out there who might care, look, and warn you *IF* it's open source. If not, you'll just wonder why your friends always snicker and call you 'spammy'.

  20. Re:SSL isn't usually in the router by Gaygirlie · · Score: 3, Informative

    So, you login to your router via http instead of https?

    DD-WRT uses matrixssl to provide SSL/TLS when using HTTPS, not OpenSSL. As such it is not vulnerable.

  21. Apple AirPort Extreme/Express? by rsborg · · Score: 2

    I don't see Apple in that list. However, that doesn't mean it's certainly not impacted. Does anyone have any guess about this?

    --
    Make sure everyone's vote counts: Verified Voting
  22. no by Anonymous Coward · · Score: 2, Informative

    because when the knock arrives, the first who is in charge is hardware, afterwards firmware, and then goes user setup

  23. Re:How many vulnerable routers are in enterprise u by Sanians · · Score: 2

    If it truly bothers me, I can buy a compatible cable or DSL modem

    I bought my own cable modem after TWC increased the monthly charge for the modem lease and I realized that if I bought my own it would pay for itself in only a year.

    The configuration page for the modem has two buttons. One resets the modem. The other disables a DHCP feature which is only in effect when the modem isn't connected to the cable company's network, as the only reason for the feature is to allow you to view the modem's status pages. (Normally the device behind the modem gets its address via DHCP, and so without a cable connection, you wouldn't get an address and so you'd be unable to access the status pages.) There's literally nothing else the modem does that is under my control. I can't even update the firmware -- any firmware updates have to come over the cable network.

    Apparently this is what the DOCSIS standards require. I may own the device, but the cable company determines how it operates, since they own the network.

    The only good side of this is that it really doesn't matter as long as your modem isn't also your firewall. Even if your ISP couldn't spy on you by hacking your modem, they could still spy on you from the next hop towards the internet which is also under their control. It only becomes interesting if they can hack a device with access to your LAN, which is the case if your modem is also your router, which is a strong argument for why it shouldn't be.

    The really shocking thing about this story is that the backdoor was (and still is) so unprotected. You expect that your ISP can snoop on your internet traffic, but when anyone anywhere on the internet can, that's a serious vulnerability. From the sound of it, the fix apparently closes the backdoor only until it is explicitly opened by the ISP, at which point it is once again available to anyone anywhere on the internet. How can people be this incompetent?

  24. Re:Hardware backdoors in the actual CPUs ? by gweihir · · Score: 3, Interesting

    You are either ignorant or a liar. (Maybe a paid-for liar?). Just read this: https://plus.google.com/+Theod...

    That is a few more people than "nobody". The flaw is that the whole design does not allow verification that it is non-compromised. The claim that including its bits in JTAG would be a security risk is completely bogus, as an attacker with access to the JTAG pins can do whatever they like already. With those bits in JTAG, it would be relatively easy to verify the analog side is actually analog and is actually what feeds the whitener. That possibility was intentionally sabotaged, and the _only_ good reason for that is that they want to be able to compromise the CPRNG in select batches and make detection of that very hard. And no, there is no software access to those JTAG pins and yes, the hardware to query the internal CPRNG state and analog bit stream must be in place to test the CPU. That means they are switching this access explicitly off after they have verified the hardware works. So not only is this a compromised architecture and design, it is also more effort than doing it right. It does not get more obvious than this.

    Your link, BTW, is worthless. It does not go into the needed level of detail. The contrast with what you get for the VIA C3 generator (e.g.), is quite telling: http://www.cryptography.com/pu.... And VIA has a non-compromised design as they do not desperately try to hide what the analog random source spits out.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  25. Re:Lemme guess.... by Anonymous Coward · · Score: 2, Insightful

    Your priorities are 100% backwards. Let me walk you through why this is so dangerous.
    - The NSA works for the executive branch
    - Therefore one must assume, from statements made and logic, that intelligence gathered is passed on to their bosses.
    - Politicians have only 2 priorities in life: To be (re-)elected, and power. All your other piddling concerns are insignificant compared to those.
    - Therefore, the most interesting thing to a politician is anyone who stands in their way from their re-election or in gaining more power.
    - If left to their own devices, politicians would use the NSA on political opponents and people who stand in their way (like Joe Nacchio, former CEO of Qwest). The fact they are doing these shady things would of course be classified because of "national security".
    - These people become targets, their pasts are combed through, their reputations and/or lives destroyed.
    - In place of the people that were destroyed, the politician will allow yes-men to operate who are obedient to them.

    Wake up! Your freedom is at stake! It damn well DOES affect you! We all whine about how our representatives suck - now we know why!
    If you want to live in such a monarchy, at least have the decency to vote on it, rather than sticking your head in the sand and pretending not to see it.

  26. Re:Lemme guess.... by Opportunist · · Score: 2

    I'm kinda glad I am NOT living in your country. Laws here specifically state that he must not.

    I still change the lock as one of the first actions when I move into a new apartment.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.