Netgear's Amusing "fix" for WG602v1 Backdoor

An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "

Mickey Mouse

[msgmonkey]

If this their idea of pluging a security hole then I don't think I will be purchasing any kind of routing equipment from this mickey mouse outfit in the future.

I would say this qualifies more as ...

[burgburgburg]

"security through stupidity".

But that's just me.

Re:Oops...

[isthisthingon]

Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

Any open source coder would be summarily flogged for such a transgression. Why on EARTH is this not literally considered a criminal offense for a company to do?

And I for one used to hold Netgear in reasonably high regard, too.

Never again.

Very sad

[Sandman1971]

Now this is very sad. How can any semi-reputable company call changing the admin username and password for a major security hole a fix? Especially since they should have realized this new username/password would hit the net faster than Homer at an all you can eat buffet.

Since these things have built in firewalls, wouldnt the fix just include a user-invisible firewall rule preventing access to the router on whatever the admin port is (80, 8080, etc..)? Seems like a fairly simple fix to me.

Thanks Netgear! You've just assured that I'll never buy one of your products!

Link on securityfocus

[Gyorg_Lavode]

I couldn't find the exact link at first glance, but this one is a reply to it: http://www.securityfocus.com/archive/1/365292/2004 -06-05/2004-06-11/0 [securityfocus.com]

Re:A joke surely?

[CaptainZapp]

I wish it was true.

Unfortunately Heise (publisher of c't and iX) is the probably most clueful German publishing house when it comes to technology.

Those Netgear bozos really seem to be dumber then my cigar cutter.

The other explanation is that the equipment has such a fundamental design flaw that it can't be fixed at all. But then they act damn unresponsible.

Then again: Thanks to such blunders I know what equipment not to buy.

Re:I wonder...

[pe1rxq]

The user changing a password and thereby closing the backdoor is a good idea.
The company changing a backdoor password into another but keeping the backdoor is a bad idea.

Jeroen

Re:Oops...

[chris_mahan]

>Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

The answer lies within the question: Because we pay them.

If someone paid you to paint a building and didn't care whether you stripped off the old paint first, I guarantee you you would just slap a coat over the old paint.

>And I for one used to hold Netgear in reasonably high regard, too.

Your mistake, then.

>Never again.

You should not say never if you want to reach them. This just makes the company execs think that since they can never reach you as a customer again, they won't make the effort. What you should say instead is: "I will purchase products from other companies since theirs do not address my needs at this time."

This is reasonable to them, and they won't discount you as a hot-head but rather may take your advice.

Just my .016 euro

More like...

[qualico]

cat knowledge |grep -v understanding

There is certainly no understanding comeing through their pipe.

Re:Oops...

[timeOday]

Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

The answer lies within the question: Because we pay them.

Don't blame this on consumers. We don't have real choice until we have the relevant information. Things might be quite different with a bit of truth in advertising, like a sticker on the box which reads "Router WG602 - Now With Even More Backdoors!"

The question of "why are companies allowed to get away with this crap" is a good one. They should either be forced to tell people what they're buying, or be accountable for the consequences of deception.

Security fix?

[Anonymous Coward]

This is preaching to the choir anyway. Who actually updates the firmware on anything? People who are at least knowlegeable to know what firmware is. Those are the same people who probably change the default username and password. Anyone not thinking of firmware updates, is also probably to lazy (or not knowlegeable enough) to change the firmware OR the default username/password.

Here's why they didn't remove it

[Anonymous Coward]

Yes, you're asking yourself "why didn't they just remove it, instead of changing it? Why was it there in the first place?"

Well, it seems pretty obvious to me... it's supposed to be there.

This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.

Re:Not funny at all

[kfg]

. . .though i'm not even sure that's possible due to the EULA.

EULAs cannot prevent lawsuits. The EULA becomes part of the evidence of the suit and the suit itself determines to what degree, if any, its terms effect a possible ruling.

In fact, this is precisely how the legality of a EULA is tested. A EULA is a just a contract. Contracts don't prevent lawsuits, they become the object of them.

KFG

blimey

[doofusclam]

That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.

Re:Oops...

[chris_mahan]

Do you shop around for cars? Do you drive a few, ask your friends/coworkers before you decide what kind of Toyota to get?

Re:Oops...

[gfxguy]

Your last line says it all - they should be held accountable. If it's advertised as being secure, and a backdoor is found, they should have to buy back every single unit or replace every single unit with a working one.

If anyone has been damaged by the availability of the back door they should be held liable even if they claim you waive that right in their license agreement (their license agreement does not state there may be the possibility of back doors, no?)

If you claim something is secure, but that you can't prevent all future attacks so you can't be liable, that's one thing, but when the liability is clearly your fault, it's another.

Re:A joke surely?

[pongo000]

Then again: Thanks to such blunders I know what equipment not to buy.

The fundamental problem here is that we're running out of vendors! Linksys [slashdot.org] and Belkin [slashdot.org] are on the shitlist; now NetGear. Who, exactly, does that leave for consumer-grade networking equipment? I don't know about where you live, but where I live, these are about the only three vendors that show up on the computer store shelves (well, there are some cheapo brands, but they suffer even worse quality control problems).

Re:Oops...

[gfxguy]

The fact that the backdoor existed at all makes them liable, IMO, because it proactively defeats the supposed security they used to sell their product.

Normally you'd find them liable if they showed negligence, but in this case they themselves proactively introduced the security risk. It's worse then merely being negligent.

Re:Oops...

[Enigma_Man]

But the masses don't know better. The free market isn't "geeks who know better" unfortunately. Best Buy and Circuit City will continue to sell these to people who just need something that "works".

-Jesse

Re:Oops...

[R.Caley]

Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

You answered your own question. If everyone who owns one of these took it back and demanded their money back because it is not suitable for the purpose for which it was sold, they'd soon get the message.

Why on EARTH is this not literally considered a criminal offense for a company to do?

Because the civil courts are there to cope with this kind of thing?

Re:Mickey Mouse

[antime]

The original coders are probably emplyed by the same Korean company that made the hardware. I guess Netgear only get a limited "customisation kit" so they can put in their own name and change the backdoor password - but not completely disable it.

Outsourcing security from a net security product?

[Sleepy]

Ah, yes, the lovely irony of a security company outsourcing their own product's security.

Nothing like trusting your future to some shady fly-by-night low-bidder who's not an employee. Whoever at Netgear argued this process saves money, I almost pity you. Almost.

Although in this case, you can't argue that specs called FOR a backdoor... but maybe there were no specs at all.

I don't blame them for this "quick fix".. as a longtime Software QA engineer I can tell you it takes more than 1 day to test something, unless you're willing to accept the risk that the fix could be worse. I'm willing to bet the OEM developer is probably just a one or two man shop, has no QA and might not even have source code control.

off-topic:
I run m0n0wall [m0n0.ch], a BSD distribution just for firewalls & routers. It doesn't need a hard drive so it's quiet.

I even yanked the CPU fan off the AMD K6/450 it is running on. CAUTION: passive cooling a CPU risks burning out the processor. To prevent this I fitted a stock AMD CPU sink from an Athlon 1800, and made a small duct for the power supply to draw air over the CPU (this was an OLD old ATX case with the PS directly above the CPU so it was easy).

Works great!

Too bad you can't upload monowall into consumer routers. I think this is the next step. Some vendor will start making it very easy to do such a thing (discoveries like the Linksys WRT54G hacking do not count).

Re:Oops...

[timeOday]

The whole notion of making buying decisions carefully is irrelevant if companies are dishonest about what their products do. Sure, if you're lucky somebody like heise will eventually shed some light so you can make informed decisions. Until the truth is known, you can't act on it no matter how vigilant you are. The geek world at large was just as surprised as anybody else when it turned out that Cisco had been selling products with backdoors.

Re:Reputation damage

[Marcus Erroneous]

I concur, their reputation is badly damaged now. Fortunately, I don't have this WAP in my house, nor am I now likely to use their gear in the future. I can't trust them and that lack of trust will be multiplied as I tell the people that come to me for advice not to use NetGear equipment.
From other postings, it appears that until this, technically they appear to produce good equipment. However, undocumented "features" ;) like this are inexcusable, all the more so when the end user cannot fix it themselves, even if they want to! I'll agree that most people don't read slashdot and so might not know (nor care in many cases), but for those of us that do, it would be nice if we could fix it. If the firmware made it something that the end user could correct, and end users then did not, that would be one thing. But, to use the car scenario again, to unweld the hood, make a change and then weld it shut again is a poor decision.
Those of us that regularly read Slashdot are probably the alpha geeks of our groups. The person that many people come to for informal IT support at home and at work. I am frequently asked my opinion about gear and for recommendations on what gear to buy. These people then tell their friends what they use, why they use it and how satisfied they are. This "viral" type of advertising is the kind that you can't buy when it's good and can't kill when it's not. I will not recommend products by a company that, when caught with it's hand in the cookie jar, merely switches hands. It was bad enough to get caught doing this but to change the password rather than remove the exploit reveals a mindset that I will keep in mind during future work in this field.
Can they recover from this? I would imagine that there are ways to do so aside from the usual corporate tactic of relying on consumer apathy and time. I'll be curious to see if they bother and what they do if they do bother to try.

Re:Not funny at all

[Grishnakh]

This is BS. There are many responsible companies. Unfortunately they usually don't become big because being responsible usually means that they have to have higher prices.

No, there aren't many responsible companies at all, and your post illustrates why. They have higher prices, less effective marketing (because they don't lie like their irresponsible competition), don't get ahead because they don't do unethical backroom deals, etc., so in the end they just go belly-up, and all the irresponsible companies get bigger.

Re:Oops...

[jrvz]

US law includes the concept of "reasonable expectation of privacy". We badly need a "reasonable expectation of security".

Re:BULLSHIT

[homer_ca]

It's more than just the mere fact of the backdoor. It's the amateur way they coded the backdoor. They found the strings in plaintext after gunzipping the image file. And to further insult our intelligence, they changed the password and left it coded the same way thinking we're too dumb to find the new one. There's no obfuscation at all except for the gzipping. Linux and open source make no difference here. You can at least give some credit to a well hidden backdoor. What's disturbing is their naive, amateur approach to security.

Re:Bad Idea

[gfxguy]

But the point isn't that it had security flaws (a lot of things do), it's that they proactively put it there.

It's not some logic flaw someone found, like a buffer overflow (which no one would blame them for), it's something extra they put into their product specifically making it insecure.

If a car company finds a flaw in it's airbag system, they replace the airbags and no one blames them - they fixed the problem they saw. If they specifically used flawed airbags, it's entirely different matter. I know we are not talking life and death, but it's a similar principle - only it could result in financial loss instead of physical. People take the risk with airbags, but they should be secure in the knowledge that, while they may still die or be seriously injured in an accident, that the airbag should help. People who buy even a cheap router should be secure in the knowledge that, while they may still be broken into, there are adequate protections.

In this case, it's not merely negligence on netgear's part, they proactively eliminated any security their products may have offered.

Where is the outrage?

[gad_zuki!]

Heck, where is the story? I've only seen this at slashdot and the few media articles it links to.

I mean, I can turn on my nightly news and hear about "getting ripped off at the dry cleaners? Let our investigative unit show you how!" but when your personal home network with all your work, personal stuff, family photos, etc are now open to the world because of some backdoor its like its no big deal.

It seems like until someone writes a worm to really screw these people over, no one is going to care. And I'm sure lots of people are testing worms as we speak.

The larger issue here is the complete disregard for security. A backdoor should never be installed. The firmware reset is more than enough to get back to the default settings. So what if you lose your "settings." That's the price of losing your password info or buying a shoddy product.

I can't believe my ears when i hear about backdoors, especially from companies like Cisco. What are we telling the industry, that we'll roll over for whatever they do? Are we telling the government that their next USA PATRIOT act might as well have mandatory Ashcroftian backdoors because corporate america is apathetic to security?

Its mind-boggling. I hope a Netgear gets equated with untrustworthiness and falls from their market position.

Re:Not funny at all

[johnnyb]

"so in the end they just go belly-up"

Not really. They are usually just smaller and local. That's the real reason behind the "buy local" idea. It's not necessarily that paying money to someone to your home town is better than paying someone in Oregon or wherever, it's that if they live in your town, then your own community holds them to higher standards.