Backdoor Discovered In Netgear and Linkys Routers 189
An anonymous reader writes "A hacker has found a backdoor in the Linksys WAG200G router, that gives access to the admin panel without authentication. Further research shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others maybe affected as well. From the article: 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'"
So much for competition (Score:5, Insightful)
"Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"
It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves.
I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...
Re:So much for competition (Score:5, Insightful)
That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.
Re:DSL? (Score:5, Insightful)
Who has that anymore?
People that don't want to give any money to a cable company and want to give as little money as possible to the AT&T monopoly, and would rather have their money go to a friendly CLEC [sonic.net]. I gave up my 50mbit Comcast cable internet connection for a 14mbit DSL connection because several times a week, packet loss would go through the roof and throughput would slow to a crawl on the Comcast connection, while the DSL provider has been rock solid.
Re:Return to vendor (Score:5, Insightful)
On what grounds? They'll just say "It's a bug, we're working on a patch". Has anyone ever been able to get a refund because of a software bug?
Excuse me, but accepting commands and executing scripts received on an unusual port is not a bug. That is code that is there 100% intentional. In the UK, I'd call it defective; it would be pretty obvious that it was defective as sold, so you can return it to the shop where you bought it for a reasonable time (maybe 2 years).
Re:malware = local (Score:5, Insightful)
Attacking the router from inside the network is only a matter of infecting a computer inside the network.
Then the compromised computer is used to modify the DNS settings.
Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.
If you can already infect inside computers, do you really need to hack the router?
Re:Is this really a vulnerability or a feature? (Score:5, Insightful)
To add to the above, I see the WNDR3700 is specifically reported as not being vulnerable to the open port he found on some of the older models. I know for a fact (because I owned one), that the WNDR3700 is one of the models that requires the magic packet to open the telnet port, further leading me to believe he found a poorly documented (but not unknown) feature that should have been much more visible and better protected by default, rather than something more akin to a backdoor (after all, you have to be on the LAN side to use it).
Re:Is this really a vulnerability or a feature? (Score:5, Insightful)
Oh wow. Your inside network doesn't touch the outside network? You don't visit websites? You do not run javascript on your browsers? You personally scan each piece of javascript to make sure it cannot get your IP address (yes it can), your gateway (yes it can) and send packets to your gateway (yes it can)?
Seriously, if you don't know what you're talking about, lurk and learn.
And default username/passwords means that malicious javascript can be very very simple indeed.
Your kind of thinking is why we have so much insecurity on the Internet. Please update and upgrade your skills.
Re:So much for competition (Score:4, Insightful)
Oh. There's a problem with your market? Sounds like the job for The Invisible Hand! Invisible Hand will fix it!
Sorry, the Invisible Hand is unavailable for comment. It's been bound, gagged (handcuffed?), indefinitely detained and sent to Gitmo for questioning by the State.
Re:Return to vendor (Score:5, Insightful)
The free dictionary:
http://www.thefreedictionary.com/back+door [thefreedictionary.com]
Noun 2. back door - an undocumented way to get access to a computer system or the data it containsback door - an undocumented way to get access to a computer system or the data it contains
backdoor
access code, access - a code (a series of characters or digits) that must be entered in some way (typed or dialed or spoken) to get the use of something (a telephone line or a computer or a local area network etc.)
Oxford:
http://www.oxforddictionaries.com/us/definition/american_english/back-door [oxforddictionaries.com]
noun
the door or entrance at the back of a building.
a feature or defect of a computer system that allows surreptitious unauthorized access to data.
So obviously it does not matter if it was a "published interface" or even if it was on purpose. It still qualifies as a backdoor. Frankly it does not sound like an accident either so I wouldn't even classify it as a bug. I certainly dont think it is unintended, a mistake, or an error. That means it does not fit your definition.
Note: Bold was added by me, and I did search other online dictionaries, most did not have definition that was technical in nature. Most referred to Back-door deals. Ones I checked were Miriam-Websters, Cambridge, and Oxford. If anyone does find a better definition I welcome being corrected.
Re:not exclusively local (Score:4, Insightful)
Which part of "Made in the USA" did you not understand?
Re:Is this really a vulnerability or a feature? (Score:4, Insightful)
You understand that most of the botnets out there are the result of someone clicking on a link and visiting a site that had malicious code embedded in it (ActiveX/JavaScript)?
While JavaScript might not natively be able to send a hand crafted magic packet, it can *take over your system* - which then allows it to download and install rootkits and other stuff - one of which can doing the magic packet tickling.
You said:
Yes, this stuff should be better protected, but it's not necessarily a vulnerability.
*AND YOU ARE VERY VERY WRONG* I want to say this in the nicest way I can - if you are propagating wrong information, you should be stopped. If you think you are correct, you need to be corrected. If you think this is being a dick, I apologize, but you are still wrong, and you are still spreading bad information. Learn and improve your knowledge. Think things through.
Think about it - the programmers who should know better thought the same as you. And as a result, now millions of routers are vulnerable, and open to being exploited. Every week, we see tons of news about basic infrastructure being insecure. Because no one said "that's a fucking stupid idea, don't do it" because saying that means they're being a dick.
The most expensive "cheap" you can get! (Score:5, Insightful)
Dear lord, I hate it when neckbeards such as yourself talk about how a full PC running OpenBSD or Linux is somehow the "cheap" option compared to a goddamn $40 home router. You make the entire IT profession seem like a bunch of blithering idiots.
Most civilized people don't have Alphas, SPARCs or even old PCs lying around. They'll end up paying more than $40 to acquire such a system, too.
Since most people have several devices on their home network these days, including wireless devices, they'll again need to buy several cabled network cards and at least one wireless network card. You're looking at $100 or more, depending on the type and number of network cards you need to buy.
Then they'll have to waste time setting up this system. If they don't already have experience with installing and configuring OpenBSD and Linux, they'll waste even more time. Good luck getting the wireless network card working! That can be a real battle under Linux, and absolute hell under OpenBSD, even for experienced sysadmins. Anyone with a real job paying a real salary or billing rate will be out hundreds of dollars.
If they manage to get this far, probably spending several hundred dollars getting the equipment in the first place, and then potentially spending at least a day (but likely far more) setting it up, then they'll have to actually start using it. This involves leaving a full computer running 24/7, likely consuming a large amount of power (especially if it's the outdated workstation or PCs that you're advocating). Electricity is quite expensive in many areas.
Way to go, neckbeard. Your "cheap" option only costs $600 or more, just to do the same job that a $40 home router can do. And that's ignoring the ongoing cost of running the system, which depending on local electricity rates can cost a few hundred dollars more per year. The $40 home router will consume a comparatively insignificant amount of electricity, likely costing less than $10 a year even in areas with extremely high electricity prices.
It's so hard to take you seriously when you advocate spending 10 or 20 times as much on some custom Linux or OpenBSD router than it'd cost to buy a cheap home router.
power makes that expensive (Score:5, Insightful)
Any device that's not updated (Score:4, Insightful)
These back doors may exist in new devices, but any older device is likely to have a back door. If the vendor updates the devices at all, they usually stop doing that shortly after they stop sales of the device. Your perfectly fine WiFi router or DSL box will most likely have vulnerabilities on it that make it just as insecure as these new devices.
I actively check my DSL router and I know my ISP and several security minded customers do the same. Any WiFi router in my home runs a modified Linux distribution like Tomato, openWRT or DD-WRT that is actively maintained. While it's bad that A-brand companies evidently don't do this this the stuff they buy from other vendors, most devices in the field are just as vulnerable as these boxes are, simply because they don't get updates.
Burning vendors for selling insecure devices is good practice to get this problem solved. Burning them for not being responsible for their sale and updating or liberating the devices they sold should be just as normal as burning them for new equipment. You can't expect people to buy a new device every year simply because the vendor refuses responsibility once it's left their factory.
Comment removed (Score:5, Insightful)