Netgear's Amusing "fix" for WG602v1 Backdoor 515
An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
Not funny at all (Score:5, Interesting)
I think it's time the government steped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.
Simon.
Bianry Edit (Score:5, Interesting)
I've done it with other types of binary files, but never tried with firmware.
Anyone try this?
Reputation damage (Score:4, Interesting)
full-disclosure hackers knew for a while (Score:5, Interesting)
http://lists.netsys.com/mailman/listinfo/full-d
knew about this on irc for a while.
EU via interpol desires, and us's NSA/NRO both desire various entrypoints.
cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.
Who reads slashdot? (Score:5, Interesting)
Re:Fixed in new firmware, available here: (Score:3, Informative)
by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.
(You can find it yourselve by just taking similiar steps as in the securityfoces article.)
Maybe reading slashdot sometimes would be a good idea.
Re:Bianry[sic] Edit (Score:3, Interesting)
Supermaning it.... (Score:5, Interesting)
Sound familiar? (Score:4, Interesting)
Re:Oops... (Score:5, Interesting)
IANAL, but I seem to recall a lawyer I know telling me that with product liability, a company is liable if due diligence is not performed to fix an issue when a known problem exists. Of course, the trick becomes can you call changing a username and password due diligence? I feel certain every computer expert in the world would say no.
Re:Oops... (Score:5, Interesting)
Just how many criminal laws do you think we need? Seriously. Do you think we need another one?
There's no doubt in my mind that the vendor would be held liable for damages if anybody were harmed--financially I mean--by this kind of thing. But should somebody really go to jail over it?
Geez. And I thought I was a fascist.
learned their security strategy from microsoft (Score:3, Interesting)
Secure Backdoors (Score:4, Interesting)
What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revokation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).
I call troll, hello, anyone listening ? (Score:1, Interesting)
Ok, everyone read the following carefully:
The parent of this comment is a troll. It contains the spurious phrase: 'Michael Sims reports a large opening in his backdoor for all to use', which is certainly not in the original article.
Got that? Read the parent, see the line (it is the second to last line in the parent). Did you mod that comment as Informative? Then you should be ashamed of yourself.
Why do people mod comments if they haven't read them? Seems like a very perversive kind of logic indeed.
Change the fix to something else! (Score:5, Interesting)
Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
Re:Are there others? (Score:3, Interesting)
Getting off topic here but the main advantage of full disclosure with bugs and similar issues like this is you have the ability to verify and test for yourself. Sure beats getting an email that a patch is available and you have no idea what it fixed or how it fixed it.
Firmware 1.5.67 doesn't take this password... (Score:2, Interesting)
Now maybe there are some firmware versions out there that have these vulnerabilities, but I haven't been able to confirm either report and am beginning to wonder whether any of these stories are true. Of course, my standard practice of getting the latest firmware when I buy some equipment may have shielded me from these problems, and there are probably plenty (fools?) out there that don't do this and may have opened themselves up. But to see two vulnerability reports I cannot confirm makes me wonder whether this is some sort of disinformation campaign.
I look at the comments on this thread and am amazed that the supposedly technically competent can rush to judgement so quickly and with so little evidence. Were this to hit the mainstream media, can you imagine how this could change the marketplace, even if the report isn't true?
Maybe I should be buying some Cisco stock...
Re:Netgear has awesome security awareness (Score:2, Interesting)
Re:Oops... (Score:2, Interesting)
As consumers we can, and do, put our money where our mouths are. Fine indeed. At what point though are companies really held accountable? Much later to their shareholders for dropped profits? No one will ever tie the two events together.
I agree it may be a bit over the top to say criminal offense, but at some point, at some point, this type of product negligence really is just that.
Re:Who reads slashdot? (Score:5, Interesting)
I did talk to a netgear support engineer yesterday and he didn't know what I was talking about, so now I'm still waiting to hear anything back from them.
Re:Bianry Edit (Score:5, Interesting)
However, it was possible to edit the firmware in a binary editor. There was a checksum in the firmware, but you could fix it. You needed to connect a serial cable to the management port. When you made a change and uploaded the new firmware to the router and rebooted, the router would helpfully tell you what the old checksum was and what it expected the new checksum to be. You could then just search for the old checksum string and replace it with the new one the router calculated for you.
Pretty easy to do. And allowed you to run some of the newer Zytel firmware on the Netgear boxes.
Has Linksys done ANYTHING regarding their backdoor (Score:2, Interesting)
Re:Oops... (Score:4, Interesting)
Silly programmer, backdoors are for script kiddies.
-Adam
Re:Oops... (Score:5, Interesting)
In fact I drove all possible candidates for several days before I bought what I have now. It is quite easy. Every time you go on a holiday rent one of the candidates for "next thing to buy". You get to see it in all of its "glory" - lowest spec, run down by tourists and badly maintained. If it is still OK you go and buy it. You may suffer some minor discomfort compared to renting "the old familiar", but you save a lot of money
I also do the same stuff with computer equipment. Buy, test drive if it is shit - return. It is quite easy to do it in EU due to distance selling regulations. You are entitled to a free return no questions asked of anything you have bought over phone or Internet within 1 week after purchase. This limits you to internt purchases, but once you add this along with observations of company kit you are reasonably well positioned to get the right stuff...
Anyone seen this in the GPL listings of the code? (Score:3, Interesting)
Has anyone seen where the backdoor is coded into the system? (Hint: if it's NOT in the source anywhere, Netgear is violating GPL here).
FVS318 (Score:3, Interesting)
I like it. It's a very solid, reliable firewall/router. I've had it for a number of years now, and Netgear to this day continues to put out new firmware updates that not only fix bugs, but implement new features. It works well, and I always liked it better than my friend's Linksys.
But this whole crisis makes me really really leary... How do I know there isn't a backdoor in my firewall/router as well? The fact is, now I don't.
Getting a Linksys that can run a custom Linux distribution becomes more appealing every single day. This may be what finally pushes me over the edge.
Bryan
Re:No harm, no foul (Score:3, Interesting)
40136 RingBack (Score:1, Interesting)
Can anyone else confirm my rememberances?
Re:Why post this? (Score:3, Interesting)
Allied Telesyn is the same way (Score:3, Interesting)
It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.
This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too
Re:Oops... (Score:3, Interesting)
When I go down to the military surplus store, I can refuse to buy clothing wrapped in boxes and bags, because I don't get to see them. Instead, I go to the shelves and take a good look at what's on the shelf.
When I head down to the store to pick up a router, however, I'm only told which standards it's complaint with, not what it's capable of doing. I can't see the soldering, the capacitor branding, the capacitor capacitance tolerance and what range that tolerance is in. I can't take a look at the source to know weither or not someone can get in.
Inotherwords, all the pants in the military surplus store are in boxes I can't, by law, open up. I can use the pants, I just can't inspect them for flaws. I can see the box is labeled "surplus military pants 30/70, Chocolate chip camo pattern" but I can't open up the box to see.
CEO's just don't care; they want to maximise the profit to their investor, and to do that, they've got to crank out a whole lot of shitty product and sell it super expensive.
Re:Oops... (Score:1, Interesting)
Two words: "gross negligence" (Score:4, Interesting)
Why isn't this ilegal. (Score:5, Interesting)
Re:Oops... (Score:3, Interesting)
I would have swore the first two lines and the last line would have given it away tho.
Re:Oops... (Score:4, Interesting)
We then rented the car we ultimately bought, and it's been so good to us, she's still got the first one, I bought a second one, and I have since traded it in for a high-performance version of the same. Whee!
And no, I'm not going to tell you the cars, but I'll give you a hint: the one we hated rhymes with bored locus, and the one we love (sort of) rhymes with grease-on ben-tra. Hard to rhyme with car names that are invented words. Heh.
Hm (Score:4, Interesting)
Maybe somebody could make a program where:
Re:Not funny at all (Score:3, Interesting)
A license gives you the rigth to do something that would be, in the absence said license, illegal.
For example, you can get a concealed weapons license, which will make it legal for you to do something that would otherwise be illegae -- carry a concealed weapon in public.
Similarily, the GPL is a license -- it gives you the rigth to do certain things that would be illegal without a license, such as redistributing the software in original or altered form.
Most EULAs are not licenses. They do not let you do anything that would be illegal without one. Instead they typically attempt to do the reverse; they attempt to prevent you from stuff that are perfectly legal by default, such as for example reselling your property, publishing a test of a product you've purchased, or even using the product for producing a report critical of the producer.
That makes it different. If I want to give you permission for something that would otherwise be illegal, say I want to give you permission to enter my house, I can just do so. One-sided. There's no requirement for you to agree. If I demand something in return, like the GPL does, and say: "you may enter my house at will, provided you put a dollar in this box, and wear orange underpants." you're still not required to agree, though if you don't agree, then entering is unlawful.
EULAs are different. They typically don't offer you anything. And no, the "rigth to use software" doesn't fall in this category, because it's the *default* that you're allowed to use software that you legally bougth. (what a concept !)
The producers typically *claim* that they are not selling you one copy of the software, but rather they're selling you a license to the software. However this claim is pretty dubious. Anyone can go into a shop and say: "I would like to purchase a copy of Microsoft Office". They'll take your money, and hand over a copy of Microsoft Office. A reasonable person would then assume that he had, indeed, bougth one copy of Microsoft Office. It's not very likely that some text inside the box, or even worse, displayed as part of some installation-routine uniliterally can change this.