Netgear's Amusing "fix" for WG602v1 Backdoor 515
An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
noo! (Score:1, Informative)
Anyways.. For those that can't read German.... Here is the Babelfish translation (kind of).
Re:Oops... (Score:5, Informative)
Well, that might be good enough, if they could choose the login information. But now that they published it....
First rule of passwords is that you don't talk about your passwords....
Google's translation is a little clearer (Score:3, Informative)
Netgear reacted to the messages over a Backdoor in the wl to ACCESS POINT WG602 Version1 promptly with a firmware update, however the Backdoor is still present -- this time only with new user name and password. With the name one was a little creative and extended the original character string "super" too "superman". With the password Netgear obviously took forum contributions for the first message of the safety gap seriously and changed the number on 21241036. To whom however this telephone number is to belong, Netgear Germany could not say to us -- there one knew nothing from the new problem and wanted only to make itself once kundig.
An again updated firmware design does not give it yet. Anyway the question arises whether users are still determined after the second Patzer to bring new software in. In opinion of lawyers this problem could quite be reason of enough to return the devices to the dealer and back-demand the purchase price. The salesman can try to improve the lack however the chances stand for it for the moment obviously quite badly.
Re:Bianry Edit (Score:4, Informative)
I'd imagine it wouldn't work. They've probably checksummed the file, and if you change any of the content you'd have to rechecksum it, if you even knew what kind of checksum (if any) they'd used.
Nice idea though.
Article Text (Score:5, Informative)
Netgear has promptly reacted to the reports of a backdoor in the WLAN-Access-Point WG602 Version 1 with a Firmware-Update, however, the backdoor is still present, but with a new user name and password. They were a little creative with the name and extended the original character string "super" to "superman." With the password, Netgear has obviously taken the message of security seriously and changed the password to "21241036." However, to whom this telephone number points, Netgear did not comment. There, they knew nothing and initially only wanted to make themselves aware of the (details of the) problem.
Again, there is not a real updated firmware design yet. The question arises whether users are still determined--after the second patch--to get new software. In the lawyer's opinions, this problem could be reason enough to take back the device to the retailer and receive a refund of the purchase price. For now, the retailer can try to fix the shortcoming, however, the chances of that are not very good.
Re:Calm down... (Score:5, Informative)
Re:Not funny at all (Score:5, Informative)
Jeroen
Re:Calm down... (Score:2, Informative)
SO now the Linksys is ok and the Netgear is not. Someone buy me a program so I can tell the players apart.
Not the first boner NetGear's pulled (Score:5, Informative)
http://www.cs.wisc.edu/~plonka/netgear-sntp/ [wisc.edu]
Abstract:
"In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.
Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.
This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities."
Re:Not funny at all (Score:3, Informative)
Strictly speaking, it's a licence. It's different. It gives you permission to do certain things with it assuming certain limitiations. e.g. You may use this product for reasons X and Y but not Z. As a licence, it cannot require the licencee to give up anything in return.
Re:A joke surely? (Score:3, Informative)
Apple? [apple.com]
According to Netgear... (Score:4, Informative)
Re:Firmware 1.5.67 doesn't take this password... (Score:4, Informative)
As a matter of fact it was me who found the 1.7.14 username and password and posted it to securityfocus after updating my firmware from 1.5.67(which I tested with the super username and password) to 1.7.14.
Re:According to Netgear... (Score:5, Informative)
Re:Change the fix to something else! (Score:4, Informative)
Almost certainly. Vendors normally checksum firmware to avoid the possibility of flashing the hardware with corrupt firmware data. However, given Netgear's track record, you could probably flash it with a JPEG file and it'd accept it OK.
This sort of thing makes me wonder what backdoors are in other firmware and software that have not yet been discovered. I'm glad that there are people like SecurityFocus looking out for these exploits. Endless numbers of ADSL modems, routers and other equipment seem to have backdoors in them. I'm glad I route my ADSL through a switch and Slackware
Has anyone looked at the website? (Score:5, Informative)
http://kbserver.netgear.com/kb_web_files/n101383.
Now, there is a firmware from the 4th:
http://kbserver.netgear.com/support_details.asp?d
that claims to fix the problem, but I'm tempted to suggest what's happened is they've changed the username and password while they test a full fix. After all, changing data is generally less likely to break stuff than changing code...
Re:A joke surely? (Score:2, Informative)
Re:A joke surely? (Score:3, Informative)
Re:A joke surely? (Score:1, Informative)
Re:A joke surely? (Score:4, Informative)
Re:Oops... (Score:2, Informative)
While the grandparent makes some good points, you do realize that he/she/it was parodying Fight Club, right? Right?? I mean, I got it and I haven't even seen the movie.
Still, you do have to realize that the safeguards against which you rail -- the ones that you're saying make users lazy -- are put in place because users are lazy in the first place.
Re:Oops... (Score:4, Informative)
I don't see how forcing a company to take a defective product back and returning the purchasers money is "wildy disproportionate." It's seems exactly proportionate, no more, no less.
If I sold computers that didn't work as advertised, and the consumer was out $200 for it, then giving them a coupon for $5 off their next purchase is hardly compensatory. Compensatory... I need to compensate them. They spent $200 for a product that did not work as advertised...