Forgot your password?
typodupeerror
Networking Security

Intentional Backdoor In Consumer Routers Found 236

Posted by Unknown Lamer
from the insecurity-through-idiocy dept.
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
This discussion has been archived. No new comments can be posted.

Intentional Backdoor In Consumer Routers Found

Comments Filter:
  • by Anonymous Coward on Monday April 21, 2014 @08:19PM (#46811161)
    Should be installing DD-WRT [dd-wrt.com]
  • by bengoerz (581218) on Monday April 21, 2014 @08:34PM (#46811281)
    ...US tech firms blame Snowden for failing confidence in the safety of using US tech companies: The 'Snowden Effect' Is Crushing US Tech Firms In China [businessinsider.com]

    Pot, meet Kettle.
  • by PolygamousRanchKid (1290638) on Monday April 21, 2014 @08:34PM (#46811285)

    . . . the spooks used to have to break into your home to plant bugging devices.

    Now, you bring the bugging devices home as consumer appliances, and install then them yourself for the spooks.

    This saves them a lot of effort. Cost effective.

  • You say tomato? (Score:5, Insightful)

    by bobbied (2522392) on Monday April 21, 2014 @08:34PM (#46811293)

    I say tomato..

    Just load OpenWRT or some other open source firmware, problem solved.

    What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.

    NEVER buy hardware without a open source port at least in progress.. You have been warned!

    • Re:You say tomato? (Score:3, Interesting)

      by networkzombie (921324) on Monday April 21, 2014 @08:55PM (#46811469)
      That is all fine and I did purchase my Asus router (third one, among others) with Tomato or DD-WRT in mind, but free DDNS providers drop like flies and Asus' DDNS is free and reliable as long as I am using their firmware. My last DD-WRT lasted many years, but a worry-free DDNS is nice also.
    • by hobarrera (2008506) on Monday April 21, 2014 @10:16PM (#46811973) Homepage

      Came here to say exactly that. Unless it's done in hardware (which would be EXTREMELY complicated), OpenWRT can do away with that. Plus, you get all the extra free features, and, with luci, a DECENT http interface (contrary to what most routers include).

    • by Eravnrekaree (467752) on Tuesday April 22, 2014 @12:24AM (#46812515)

      If you do install OpenWRT, can you revert back to the manufacturers software at a later time or is it a one way street? Lets say OpenWRT did not work properly.

      • by bobbied (2522392) on Tuesday April 22, 2014 @10:17AM (#46814693)

        If you do install OpenWRT, can you revert back to the manufacturers software at a later time or is it a one way street? Lets say OpenWRT did not work properly.

        Most of the modern Netgar routers are drop dead simple to revert back, but that's not always the case. It's usually not too hard, but there ARE some models that can be pretty difficult and require special equipment. I suggest you check with the place you get your open source firmware for instructions on how to get back to stock, before you put your toe in the water. You might also consider playing with the firmware of choice on separate hardware, say your old but supported router. Learn what you need to w/o having to risk your network, then once you are comfortable with the firmware, jump in with both feet.

    • by Sycraft-fu (314770) on Tuesday April 22, 2014 @01:12AM (#46812749)

      If you presume that a backdoor like this is intentional, and is there for some nefarious purpose like the NSA or something, they can just move it to the chips themselves. The code that runs on on the CPU is only one small part of what goes on in there. It would be very easy to have code baked in to a chip with a backdoor that couldn't be removed or altered by the OS, because it is lower level.

      So don't assume an OSS firmware gets you out of trouble.

      • by bobbied (2522392) on Tuesday April 22, 2014 @10:07AM (#46814599)

        If you presume that a backdoor like this is intentional, and is there for some nefarious purpose like the NSA or something, they can just move it to the chips themselves. The code that runs on on the CPU is only one small part of what goes on in there. It would be very easy to have code baked in to a chip with a backdoor that couldn't be removed or altered by the OS, because it is lower level.

        So don't assume an OSS firmware gets you out of trouble.

        Shesh, really?

        OK, open source may not get you out of *everything* but logically it's going to fix 99.999% of what's possibly going to get you. Not to mention, firmware "built in" to hardware is going to have a seriously difficult time doing anything but crashing the hardware unless it has a *whole lot* of the network stack built into it. So, I'd rather take my chances with open source over the manufacturer's stock firmware, the odds are better, MUCH better.

  • by Anonymous Coward on Monday April 21, 2014 @08:36PM (#46811311)

    Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet.

    Well, somebody paid good money for that backdoor. If Sercomm closed it, they'd have to issue a refund.

    • by rtb61 (674572) on Tuesday April 22, 2014 @02:13AM (#46812919) Homepage

      The first question that needs to be asked is was it a corporate back door or a government back door. A lot of governments always seem to be rather conveniently forgetful when it comes to how profitable insider trading is and how corporate fiscal espionage readily facilitates it. This allowing profits in the billions and if you don't think that it is one of the biggest drivers of government contracted to private corporations espionage than you are truly gullible and foolish, seriously billions of dollars of profits are up for grabs based upon private access to fiscal data for publicly traded companies, prior to that information being available to the public, especially upon a global scale.

  • by fuzzyfuzzyfungus (1223518) on Monday April 21, 2014 @08:38PM (#46811321) Journal
    I'm not surprised that there is a backdoor ('Hey guys! Should we add a remote management feature that will automagically Just Work with ISPs 'setup disks' and/or remote troubleshooting systems even if the clueless user has forgotten their password, or would that be too scary?' is not a difficult question, especially given how many of these things are sold to ISPs in bulk and not to end users, especially the lousy combined router/modem devices), I am a trifle surprised that it's so slapped-together looking.

    It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' [homegatewa...iative.org] that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.

    That's what surprises me about seeing a comparatively dodgy-looking; but vendor/OEM provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'bydesign, wontfix' bucket. There are also malicious backdoors; but if this is one the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.

    Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?
    • by pipedwho (1174327) on Monday April 21, 2014 @08:59PM (#46811493)

      It doesn't look like they went out of their way to hide it as such. But, they did try to change its operating mode from remotely exploitable at any time by anyone, to only usable by someone on the local ethernet segment. Unfortunately, as most here are aware, that kind of 'fix' isn't a solid solution, and still remains exploitable.

    • by gweihir (88907) on Monday April 21, 2014 @09:14PM (#46811585)

      They probably were incompetent enough to not realize this was easy (for somebody very bright, experienced and capable) to find again.

      If you think intelligence agencies cannot be terminally incompetent, then there is a recent story of one really large and important one that had its crown-jewels stolen by a contractor...

    • by rsmith-mac (639075) on Monday April 21, 2014 @09:15PM (#46811589)

      Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?

      I think you hit the nail on the head. This is clearly meant to be a remote management backdoor for the ISPs, hence the need to secure it but not remove it. As dodgy as it is, the fact that it can now only be triggered by the local network and can't be passed over IP means that it's probably good enough by ISP and Sercomm standards, especially if it's treated as a little-used feature and not as a security concern.

  • by Zitchas (713512) on Monday April 21, 2014 @08:39PM (#46811329) Journal

    In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.

    He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.

    The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.

    BEGIN COPIED TEXT:

    Backdoor LISTENING ON THE INTERNET confirmed in :

            Linksys WAG120N (@p_w999)
            Netgear DG834B V5.01.14 (@domainzero)
            Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
            Netgear WPNT834 (issue 79)
            OpenWAG200 maybe a little bit TOO open ;) (issue 49)

    Backdoor confirmed in:

            Cisco RVS4000 fwv 2.0.3.2 (issue 57)
            Cisco WAP4410N (issue 11)
            Cisco WRVS4400N
            Cisco WRVS4400N (issue 36)
            Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
            LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
            Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
            Linksys WAG120N (issue 58)
            Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
            Linksys WAG200G
            Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
            Linksys WAG54G2 (@_xistence)
            Linksys WAG54GS (@henkka7)
            Linksys WRT350N v2 fw 2.00.19 (issue 39)
            Linksys WRT300N fw 2.00.17 (issue 34)
            Netgear DG834[â..., GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
            Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
            Netgear DGN1000[B] N150 (issue 3)
            Netgear DGN2000B (issue 26)
            Netgear DGN3500 (issue 13)
            Netgear DGND3300 (issue 56)
            Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
            Netgear DM111Pv2 (@eguaj)
            Netgear JNR3210 (issue 37)

    Backdoor may be present in:

            all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
            Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
            Netgear DG934 probability: probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
            Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/) :END COPIED TEXT

  • Simple fix (Score:4, Interesting)

    by Anaerin (905998) on Monday April 21, 2014 @09:04PM (#46811525)
    Wouldn't it be a simple "Fix" to set up port forwarding to redirect traffic directed to port 32768 to a "dead" address. Then the port would already be allocated, and when the "Knock" arrives, the port is already in use, and data goes nowhere.
  • by gweihir (88907) on Monday April 21, 2014 @09:10PM (#46811559)

    I predict we will see more of that. Congratulations to the finder! Maybe we should start to offer "public safety" bounties to people that find these acts of sabotage.

  • by CrAlt (3208) on Monday April 21, 2014 @09:56PM (#46811861) Homepage Journal

    The 2wire/pace (3600,3800,etc) all have TCP port 3479 open to the internet.This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says its for "updates and trouble shooting".
    http://forums.att.com/t5/forum... [att.com]

    I wonder what great backdoors are in these gateways?

    • by rsborg (111459) on Tuesday April 22, 2014 @02:28AM (#46812949) Homepage

      The 2wire/pace (3600,3800,etc) all have TCP port 3479 open to the internet.This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says its for "updates and trouble shooting".
      http://forums.att.com/t5/forum... [att.com]

      I wonder what great backdoors are in these gateways?

      While I find that's pretty infuriating, I do think that if you're forced to have U-Verse (e.g.: alternatives suck speed wise), then it's probably recommended to have another (non-vulnerable) router between you and the 2-wire and to turn off the wifi radio.

  • Snowden effect (Score:4, Informative)

    by OFnow (1098151) on Monday April 21, 2014 @10:04PM (#46811897)
    What Snowden was turn a suspicion into knowledge. That is a big deal. (Hal Berghel pointed this out first).
  • by Just Brew It! (636086) on Monday April 21, 2014 @11:46PM (#46812333)

    It is crap like this, and the abysmally unreliable hardware most consumer routers seem to be based on, that has convinced me not to buy consumer routers any more. Been using an old PC (running a copy of Ubuntu Server booted from a CF card) as my router for several years now.

    Yeah, I know the power consumption of an old PC sucks compared to a consumer router. But after going through 3 routers in something like 5 years I was sick of dealing with that crap. The PC-based router is way more stable and reliable.

  • by WindBourne (631190) on Monday April 21, 2014 @11:56PM (#46812379) Journal
    Right now, most of all the western electronics come from China. As such, it makes it trivial for the CHinese gov. to do whatever they like.
    It is long past time for these western companies to bring back production.
    At the same time, they need to OSS the firmware so that others will feel comfortable with buying these, knowing that they can get true secured systems.
  • The ability of my ISP to hack and slash my router is nominally annoying. If it truly bothers me, I can buy a compatible cable or DSL modem and use my own router (or even buy my own cable/DSL wireless router) and ensure that it is not vulnerable - assuming such a piece of equipment is available on the consumer market. The cost won't break my bank.

    For enterprises, such a vulnerability could be catastrophic and would require immediate remediation regardless of budget considerations. Or more accurately, many enterprises would be forced to choose between preserving their network security and preserving their operating capital. The cost to commerce for this could be devastating if this exploit is not confined to consumer-grade equipment.

    TFA only mentions consumer grade routers. Please let that be the extent of this . . .

  • by NotQuiteReal (608241) on Tuesday April 22, 2014 @12:36AM (#46812575) Journal
    If not, I am sure you can find an under employed lawyer to sue somebody for something... maybe even if it is NOT in the EULA.
  • by rsborg (111459) on Tuesday April 22, 2014 @02:26AM (#46812941) Homepage

    I don't see Apple in that list. However, that doesn't mean it's certainly not impacted. Does anyone have any guess about this?

  • by advocate_one (662832) on Tuesday April 22, 2014 @08:32AM (#46813867)
    a second router... My ISP provides the cable modem/router and I hang my own router/wi-fi hub off that...

Some people have a great ambition: to build something that will last, at least until they've finished building it.

Working...