Forgot your password?
typodupeerror
Networking Security

Intentional Backdoor In Consumer Routers Found 236

Posted by Unknown Lamer
from the insecurity-through-idiocy dept.
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
This discussion has been archived. No new comments can be posted.

Intentional Backdoor In Consumer Routers Found

Comments Filter:
  • by Zitchas (713512) on Monday April 21, 2014 @08:39PM (#46811329) Journal

    In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.

    He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.

    The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.

    BEGIN COPIED TEXT:

    Backdoor LISTENING ON THE INTERNET confirmed in :

            Linksys WAG120N (@p_w999)
            Netgear DG834B V5.01.14 (@domainzero)
            Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
            Netgear WPNT834 (issue 79)
            OpenWAG200 maybe a little bit TOO open ;) (issue 49)

    Backdoor confirmed in:

            Cisco RVS4000 fwv 2.0.3.2 (issue 57)
            Cisco WAP4410N (issue 11)
            Cisco WRVS4400N
            Cisco WRVS4400N (issue 36)
            Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
            LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
            Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
            Linksys WAG120N (issue 58)
            Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
            Linksys WAG200G
            Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
            Linksys WAG54G2 (@_xistence)
            Linksys WAG54GS (@henkka7)
            Linksys WRT350N v2 fw 2.00.19 (issue 39)
            Linksys WRT300N fw 2.00.17 (issue 34)
            Netgear DG834[â..., GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
            Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
            Netgear DGN1000[B] N150 (issue 3)
            Netgear DGN2000B (issue 26)
            Netgear DGN3500 (issue 13)
            Netgear DGND3300 (issue 56)
            Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
            Netgear DM111Pv2 (@eguaj)
            Netgear JNR3210 (issue 37)

    Backdoor may be present in:

            all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
            Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
            Netgear DG934 probability: probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
            Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/) :END COPIED TEXT

  • by Anaerin (905998) on Monday April 21, 2014 @08:57PM (#46811481)
    As linked in TFA: Have a link to a list of devices [wikidevi.com] (Not necessarily complete).
  • by ShaunC (203807) on Monday April 21, 2014 @08:57PM (#46811487)

    It depends on which version of dd-wrt you installed, not necessarily when you installed it. I have a WRT54G that I just flashed r14929 on a few weeks ago, but it's fine, because that build is from 2010 and predates the Heartbleed vulnerability. The vulnerable builds are 19163 to 23882, see here [dd-wrt.com].

  • Snowden effect (Score:4, Informative)

    by OFnow (1098151) on Monday April 21, 2014 @10:04PM (#46811897)
    What Snowden was turn a suspicion into knowledge. That is a big deal. (Hal Berghel pointed this out first).
  • Re:You say tomato? (Score:4, Informative)

    by hobarrera (2008506) on Monday April 21, 2014 @10:18PM (#46811979) Homepage

    Freedns [afraid.org] has been around for ages, and doesn't seem to be going anywhere. They include DDNS for free as well.

  • yep, then you can just be vulnerable to the NSA heartbleed instead.

    You might want to research things before you go off on a tangent like this. As http://www.dd-wrt.com/site/content/heartbleed-dd-wrtdd-wrt-online-services [dd-wrt.com] quite well explains it, DD-WRT is only vulnerable if you run any of the following services on it: openvpn, squid, freeradius, asterisk, curl, pound, tor, transmission. None of these are enabled by default and most people don't use these services in the first place. DD-WRT's configuration interface, its own, built-in SSH-server and the likes are not vulnerable.

    The link also quite conveniently mentions the following tidbit: "OpenSSL was updated immediately in the DD-WRT SVN repository. It can take a view days until we can provide updated versions for all routers."

  • by Gaygirlie (1657131) <(gaygirlie) (at) (hotmail.com)> on Tuesday April 22, 2014 @01:11AM (#46812743) Homepage

    So, you login to your router via http instead of https?

    DD-WRT uses matrixssl to provide SSL/TLS when using HTTPS, not OpenSSL. As such it is not vulnerable.

  • no (Score:2, Informative)

    by Anonymous Coward on Tuesday April 22, 2014 @03:28AM (#46813135)

    because when the knock arrives, the first who is in charge is hardware, afterwards firmware, and than goes user setup

Successful and fortunate crime is called virtue. - Seneca

Working...