Intentional Backdoor In Consumer Routers Found
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..."
Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
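The summary makes two defensively useful points: the re-enabling knock is a raw Ethernet frame rather than an IP packet, and a broadcast of it from upstream equipment would reach every router on the segment. The frame format itself is not given here, so the monitor below takes the generic route a defender can take without it: parse each frame's Ethernet II header (including an optional 802.1Q tag) and alert on frames that are link-layer broadcast and carry an EtherType outside an allowlist of protocols a home LAN is expected to see. This is an added example, not code from the thread, from Synacktiv, or from the report; the allowlist, the alert wording and the sample frames (including the 0x88B5 "local experimental" EtherType used as the stand-in for an unexpected protocol) are all assumptions constructed for the example.

```python
"""Flag non-IP broadcast Ethernet frames (added example, not from the thread)."""
import struct
from dataclasses import dataclass

# Assumption: EtherTypes normally seen on a home LAN. Anything else addressed to
# the broadcast MAC is treated as worth a look.
EXPECTED_ETHERTYPES = {0x0800: "IPv4", 0x0806: "ARP", 0x86DD: "IPv6"}
BROADCAST = b"\xff" * 6
VLAN_TAG = 0x8100


@dataclass
class Frame:
    dst: bytes
    src: bytes
    ethertype: int
    payload: bytes


def mac_str(mac: bytes) -> str:
    return ":".join(f"{b:02x}" for b in mac)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II header; raise ValueError on a truncated frame."""
    if len(raw) < 14:
        raise ValueError("frame shorter than Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", raw[:14])
    offset = 14
    # 802.1Q: EtherType 0x8100, 2-byte TCI, then the real EtherType.
    if ethertype == VLAN_TAG:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q frame")
        ethertype = struct.unpack("!H", raw[16:18])[0]
        offset = 18
    return Frame(dst, src, ethertype, raw[offset:])


def is_suspicious(frame: Frame) -> bool:
    """Broadcast destination plus an EtherType the LAN should not be using."""
    return frame.dst == BROADCAST and frame.ethertype not in EXPECTED_ETHERTYPES


def scan(frames):
    """Return one alert string per suspicious frame; malformed frames are skipped."""
    alerts = []
    for raw in frames:
        try:
            f = parse_frame(raw)
        except ValueError:
            continue
        if is_suspicious(f):
            alerts.append(
                f"broadcast frame with unexpected EtherType 0x{f.ethertype:04x} "
                f"from {mac_str(f.src)}"
            )
    return alerts


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes, vlan=None) -> bytes:
    """Assemble a test frame (helper for the constructed samples below)."""
    hdr = dst + src
    if vlan is not None:
        hdr += struct.pack("!HH", VLAN_TAG, vlan)
    return hdr + struct.pack("!H", ethertype) + payload


# Constructed sample capture: MACs and payloads are placeholders.
HOST_A = bytes.fromhex("001122334455")
HOST_B = bytes.fromhex("66778899aabb")
UPSTREAM = bytes.fromhex("0c0c0c0c0c0c")
SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST_A, 0x0806, b"\x00\x01\x08\x00" + b"\x00" * 24),  # ARP who-has
    build_frame(HOST_B, HOST_A, 0x0800, b"\x45" + b"\x00" * 19),                # IPv4 unicast
    build_frame(BROADCAST, UPSTREAM, 0x88B5, b"constructed payload"),           # flagged
    build_frame(BROADCAST, UPSTREAM, 0x88B5, b"tagged", vlan=0x0001),           # flagged (802.1Q)
    b"\xff" * 6 + HOST_A,                                                        # truncated, skipped
]

if __name__ == "__main__":
    for line in scan(SAMPLE_FRAMES):
        print(line)
```

On a real network the same `scan` would be fed from a raw socket or a pcap reader; the point of the allowlist approach is that it needs no knowledge of the knock's format, at the cost of also surfacing legitimate non-IP broadcast protocols, which is why the allowlist should be tuned to what the segment actually runs.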
...US tech firms blame Snowden for failing confidence in the safety of using US tech companies: The 'Snowden Effect' Is Crushing US Tech Firms In China
Pot, meet Kettle.
. . . the spooks used to have to break into your home to plant bugging devices.
Now, you bring the bugging devices home as consumer appliances, and install them yourself for the spooks.
This saves them a lot of effort. Cost effective.
Schroedinger's Brexit: The UK is both in and out of the EU at the same time!
I say tomato..
Just load OpenWRT or some other open source firmware, problem solved.
What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.
NEVER buy hardware without an open source port at least in progress. You have been warned!
"File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
I'm not surprised that there is a backdoor ('Hey guys! Should we add a remote management feature that will automagically Just Work with ISPs 'setup disks' and/or remote troubleshooting systems even if the clueless user has forgotten their password, or would that be too scary?' is not a difficult question, especially given how many of these things are sold to ISPs in bulk and not to end users, especially the lousy combined router/modem devices), I am a trifle surprised that it's so slapped-together looking.
It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.
That's what surprises me about seeing a comparatively dodgy-looking, but vendor/OEM-provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'by design, wontfix' bucket. There are also malicious backdoors; but if this is one, the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.
Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?
In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.
He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.
The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.
BEGIN COPIED TEXT:
Backdoor LISTENING ON THE INTERNET confirmed in :
Linksys WAG120N (@p_w999) ;) (issue 49)
Netgear DG834B V5.01.14 (@domainzero)
Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
Netgear WPNT834 (issue 79)
OpenWAG200 maybe a little bit TOO open
Backdoor confirmed in:
Cisco RVS4000 fwv 2.0.3.2 (issue 57)
Cisco WAP4410N (issue 11)
Cisco WRVS4400N
Cisco WRVS4400N (issue 36)
Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
Linksys WAG120N (issue 58)
Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
Linksys WAG200G
Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Linksys WAG54G2 (@_xistence)
Linksys WAG54GS (@henkka7)
Linksys WRT350N v2 fw 2.00.19 (issue 39)
Linksys WRT300N fw 2.00.17 (issue 34)
Netgear DG834[â..., GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
Netgear DGN1000[B] N150 (issue 3)
Netgear DGN2000B (issue 26)
Netgear DGN3500 (issue 13)
Netgear DGND3300 (issue 56)
Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
Netgear DM111Pv2 (@eguaj)
Netgear JNR3210 (issue 37)
Backdoor may be present in:
all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
Netgear DG934 probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
:END COPIED TEXT
As linked in TFA: Have a link to a list of devices (Not necessarily complete).
I predict we will see more of that. Congratulations to the finder! Maybe we should start to offer "public safety" bounties to people that find these acts of sabotage.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
No, it just means that if you have one of these devices, then you are fucked.
The Chinese want their access too, and look what they did with the US solar industry (by hacking and swiping masks, then making panels cheaper than rare earth cost to shutter companies via predatory trade practices.)
The NSA, I'm not worried about. They don't want me out of a job. China, definitely.
Yep, then you can just be vulnerable to the NSA heartbleed instead.
You might want to research things before you go off on a tangent like this. As http://www.dd-wrt.com/site/content/heartbleed-dd-wrtdd-wrt-online-services quite well explains it, DD-WRT is only vulnerable if you run any of the following services on it: openvpn, squid, freeradius, asterisk, curl, pound, tor, transmission. None of these are enabled by default and most people don't use these services in the first place. DD-WRT's configuration interface, its own, built-in SSH-server and the likes are not vulnerable.
The link also quite conveniently mentions the following tidbit: "OpenSSL was updated immediately in the DD-WRT SVN repository. It can take a few days until we can provide updated versions for all routers."