Networking Security

Intentional Backdoor In Consumer Routers Found 236

Posted by Unknown Lamer
from the insecurity-through-idiocy dept.
New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
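The Ars Technica quote above makes a point a defender can act on: the re-opened backdoor is triggered by a raw Ethernet frame, not an IP packet, so it never shows up in IP-level firewall logs but is visible to anything that watches the LAN segment at layer 2. The following is an added example, not code from the story, from Synacktiv's report, or from any vendor. It parses Ethernet II headers (including one 802.1Q VLAN tag), and flags frames whose EtherType is not one of the protocols a home LAN normally carries (IPv4, ARP, IPv6, VLAN-tagged), with broadcast frames called out because that is the ISP-side mass re-opening Ars describes. The real knock packet's EtherType and payload are not stated on this page and are not assumed here; the sample capture is constructed test data, and the odd frame in it uses 0x88B5, an IEEE EtherType reserved for local experimental use, purely as a stand-in.

```python
"""Added example: layer-2 monitor that surfaces non-IP Ethernet frames.

Not the story's, Synacktiv's or any vendor's code. The EtherType and payload of
the actual Sercomm knock packet are not given on the page and are NOT assumed;
instead every frame outside the usual LAN EtherTypes is reported for review.
"""
import struct

# Standard EtherType values from the IEEE registry (facts, not assumptions).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_ARP = 0x0806
ETHERTYPE_VLAN = 0x8100
ETHERTYPE_IPV6 = 0x86DD
ETHERTYPE_LOCAL_EXPERIMENTAL = 0x88B5  # stand-in for "some unknown knock"
EXPECTED_ETHERTYPES = {ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_VLAN, ETHERTYPE_IPV6}

BROADCAST = b"\xff\xff\xff\xff\xff\xff"


def mac_str(raw):
    """Render a 6-byte MAC address as aa:bb:cc:dd:ee:ff."""
    return ":".join("%02x" % b for b in raw)


def parse_frame(frame):
    """Parse an Ethernet II header; unwrap a single 802.1Q tag if present.

    Returns a dict with dst/src MACs, VLAN id (or None), the effective
    EtherType, the payload and whether the frame was a broadcast.
    Raises ValueError on a truncated frame.
    """
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet II header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    payload = frame[14:]
    vlan = None
    if ethertype == ETHERTYPE_VLAN:
        if len(payload) < 4:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", payload[:4])
        vlan = tci & 0x0FFF  # low 12 bits of the TCI carry the VLAN id
        payload = payload[4:]
    return {
        "dst": mac_str(dst),
        "src": mac_str(src),
        "vlan": vlan,
        "ethertype": ethertype,
        "payload": payload,
        "broadcast": dst == BROADCAST,
    }


def suspicious_frames(frames):
    """Return (index, parsed) for every frame whose EtherType is unexpected.

    Truncated frames are skipped rather than raising, so one damaged capture
    record does not abort the scan.
    """
    hits = []
    for i, frame in enumerate(frames):
        try:
            parsed = parse_frame(frame)
        except ValueError:
            continue
        if parsed["ethertype"] not in EXPECTED_ETHERTYPES:
            hits.append((i, parsed))
    return hits


def build_frame(dst, src, ethertype, payload):
    """Assemble a raw Ethernet II frame (used only to build the sample data)."""
    return struct.pack("!6s6sH", dst, src, ethertype) + payload


# Constructed sample capture (locally administered MACs, dummy payloads).
HOST = bytes.fromhex("02aabbccddee")
GATEWAY = bytes.fromhex("021122334455")
SAMPLE_FRAMES = [
    build_frame(BROADCAST, HOST, ETHERTYPE_ARP, b"\x00" * 28),          # ARP request
    build_frame(GATEWAY, HOST, ETHERTYPE_IPV4, b"\x45" + b"\x00" * 19), # plain IPv4
    build_frame(GATEWAY, HOST, ETHERTYPE_VLAN,                          # VLAN 100, IPv4 inside
                struct.pack("!HH", 0x0064, ETHERTYPE_IPV4) + b"\x45" + b"\x00" * 19),
    build_frame(BROADCAST, GATEWAY, ETHERTYPE_LOCAL_EXPERIMENTAL,       # the odd one out
                b"constructed placeholder, not the real knock"),
    b"\x00" * 10,                                                       # truncated junk
]


if __name__ == "__main__":
    for idx, info in suspicious_frames(SAMPLE_FRAMES):
        print("frame %d: %s -> %s ethertype=0x%04x broadcast=%s" % (
            idx, info["src"], info["dst"], info["ethertype"], info["broadcast"]))
```

In practice the frames would come from a promiscuous capture on the LAN side of the router (tcpdump or a pcap library), and the allow-list would be extended with whatever other layer-2 protocols the segment legitimately carries (LLDP, PPPoE discovery, and so on) so that the report is short enough to actually be read. The point is not a signature for this one backdoor but that a raw-frame knock is invisible to IP-level controls and has to be watched for at layer 2.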

  • by Anonymous Coward on Monday April 21, 2014 @08:19PM (#46811161)
    Should be installing DD-WRT [dd-wrt.com]
  • by PolygamousRanchKid (1290638) on Monday April 21, 2014 @08:34PM (#46811285)

    . . . the spooks used to have to break into your home to plant bugging devices.

    Now, you bring the bugging devices home as consumer appliances, and install them yourself for the spooks.

    This saves them a lot of effort. Cost effective.

  • You say tomato? (Score:5, Insightful)

    by bobbied (2522392) on Monday April 21, 2014 @08:34PM (#46811293)

    I say tomato..

    Just load OpenWRT or some other open source firmware, problem solved.

    What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.

    NEVER buy hardware without a open source port at least in progress.. You have been warned!

  • by fuzzyfuzzyfungus (1223518) on Monday April 21, 2014 @08:38PM (#46811321) Journal
    I'm not surprised that there is a backdoor ('Hey guys! Should we add a remote management feature that will automagically Just Work with ISPs 'setup disks' and/or remote troubleshooting systems even if the clueless user has forgotten their password, or would that be too scary?' is not a difficult question, especially given how many of these things are sold to ISPs in bulk and not to end users, especially the lousy combined router/modem devices), I am a trifle surprised that it's so slapped-together looking.

    It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' [homegatewa...iative.org] that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.

    That's what surprises me about seeing a comparatively dodgy-looking, but vendor/OEM-provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'by design, wontfix' bucket. There are also malicious backdoors; but if this is one, the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.

    Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?
  • Re:Lemme guess.... (Score:2, Insightful)

    by Anonymous Coward on Monday April 21, 2014 @08:42PM (#46811353)

    Yes, I cannot possibly fathom why anyone would dislike having a backdoor in their router unless they were pirating material from a well-known public tracker. Brilliant deduction.

    Why the fuck would anybody mod this nonsense up? What is wrong with you people?

  • by zifnabxar (2976799) on Monday April 21, 2014 @08:56PM (#46811475)
    It's blaming Snowden in the sense that he was the one that let everyone know what was happening. I don't feel like that article is blaming him ethically for the billions lost. They're laying a fair amount of the blame on the companies' practices and close cooperation with the US government.
  • Re:Lemme guess.... (Score:5, Insightful)

    by Anonymous Coward on Monday April 21, 2014 @09:32PM (#46811703)

    The Chinese want their access too, and look what they did with the US solar industry (by hacking and swiping masks, then making panels cheaper than rare earth cost to shutter companies via predatory trade practices.)

    The NSA, I'm not worried about. They don't want me out of a job. China, definitely.

  • Re:Simple fix (Score:2, Insightful)

    by Anonymous Coward on Monday April 21, 2014 @09:44PM (#46811789)

    and what device is doing the forwarding, and seeing the "knock" ?

  • by CrAlt (3208) on Monday April 21, 2014 @09:56PM (#46811861) Homepage Journal

    The 2wire/pace (3600,3800,etc) all have TCP port 3479 open to the internet. This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says it's for "updates and troubleshooting".
    http://forums.att.com/t5/forum... [att.com]

    I wonder what great backdoors are in these gateways?

  • Re:You say tomato? (Score:3, Insightful)

    by Anonymous Coward on Monday April 21, 2014 @10:41PM (#46812081)

    Right, because people magically know about _yet undiscovered_ vulnerabilities. Don't pretend to be obtuse.

    Once we knew about Heartbleed (and it was found by two independent teams of researchers), we immediately had a fix, knew what goes into the fix and can administer it by ourselves.

    This one backdoor was accidentally stumbled on after being there for a decade - some vulnerable models from the list are from 2004 - and nobody could fix it but the maker, and nobody could even verify the fix but the maker. Look how nicely it worked out.

    Don't go "But opensource too!..", when this "too" is like fucking heaven and earth when compared with opensource bugs.

  • by viperidaenz (2515578) on Monday April 21, 2014 @11:35PM (#46812307)

    So all I have to do to fool you is install my malware as a service that gets hosted by svchost.exe?
    Or if my purpose was to control the microphone, a driver that hooks in to the existing audio driver?

  • Re:Lemme guess.... (Score:2, Insightful)

    by jbssm (961115) on Tuesday April 22, 2014 @08:41AM (#46813919)

    The NSA, I'm not worried about. They don't want me out of a job. China, definitely.

    If the world were comprised only of people like you, we would all still be slaves under the pharaoh's absolute authority.

  • Re:Lemme guess.... (Score:2, Insightful)

    by Anonymous Coward on Tuesday April 22, 2014 @11:38AM (#46815517)

    Your priorities are 100% backwards. Let me walk you through why this is so dangerous.
    - The NSA works for the executive branch
    - Therefore one must assume, from statements made and logic, that intelligence gathered is passed on to their bosses.
    - Politicians have only 2 priorities in life: To be (re-)elected, and power. All your other piddling concerns are insignificant compared to those.
    - Therefore, the most interesting thing to a politician is anyone who stands in their way from their re-election or in gaining more power.
    - If left to their own devices, politicians would use the NSA on political opponents and people who stand in their way (like Joe Nacchio former CEO of Qwest). The fact they are doing these shady things would of course be classified because of "national security".
    - These people become targets, their pasts are combed through, their reputations and/or lives destroyed.
    - In place of the people that were destroyed, the politician will allow yes-men to operate who are obedient to them.

    Wake up! Your freedom is at stake! It damn well DOES affect you! We all whine about how our representatives suck - now we know why!
    If you want to live in such a monarchy, at least have the decency to vote on it, rather than sticking your head in the sand and pretending not to see it.
