Security

Backdoor Discovered In Netgear and Linkys Routers 189

Posted by samzenpus
from the protect-ya-neck dept.
An anonymous reader writes "A hacker has found a backdoor in the Linksys WAG200G router, that gives access to the admin panel without authentication. Further research shows that these devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin and various others may be affected as well. From the article: 'The backdoor requires that the attacker be on the local network, so this isn’t something that could be used to remotely attack DSL users. However, it could be used to commandeer a wireless access point and allow an attacker to get unfettered access to local network resources.'"
  • by Anonymous Coward on Thursday January 02, 2014 @07:38PM (#45851713)

    http://www.shodanhq.com/search?q=port%3A32764

    • by Anonymous Coward on Thursday January 02, 2014 @09:38PM (#45852775)
      Of course it's spying on you.

      Which part of "Made in the USA" did you not understand?

  • OpenBSD (Score:4, Informative)

    by grub (11606) <slashdot@grub.net> on Thursday January 02, 2014 @07:41PM (#45851747) Homepage Journal

    Thank goodness for OpenBSD [openbsd.org] and a bit of elbow grease.
    • by mikael (484)

      But if you want to use your mobile phone with your own wifi router, you still have to give the phone the user password, which then ends up being backed up on some server elsewhere, if it isn't snaffled by some Google wi-fi surveillance vehicle.

    • by LoRdTAW (99712)

      Though FreeBSD based, and easy to set up, m0n0wall ftw. Running on an Alix board it hasn't been rebooted since I bought the router hardware five years ago. Though it has been unplugged for wire "maintenance" a few times and the blackout from hurricane Sandy. Other than those few planned and unplanned power downs, it's simple, easy to use and rock solid.

      I have also run its protégé, pfSense, at work where it proved to be very reliable and had a boatload of features compared to m0n0wall.

  • malware = local (Score:5, Informative)

    by SethJohnson (112166) on Thursday January 02, 2014 @07:47PM (#45851831) Homepage Journal
    Attacking the router from inside the network is only a matter of infecting a computer inside the network.

    Then the compromised computer is used to modify the DNS settings.

    Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.
    • Re:malware = local (Score:5, Interesting)

      by Qzukk (229616) on Thursday January 02, 2014 @08:02PM (#45851993) Journal

      is only a matter of infecting a computer inside the network.

      Not even that. If dicking around with the port caused a hard reset of the router, who knows what would happen if you got someone to click on this link [192.168.1.1]. (or set it as an img tag for automatic fun)

      • by hawguy (1600213) on Thursday January 02, 2014 @08:05PM (#45852021)

        is only a matter of infecting a computer inside the network.

        Not even that. If dicking around with the port caused a hard reset of the router, who knows what would happen if you got someone to click on this link [192.168.1.1]. (or set it as an img tag for automatic fun)

        I think that's a bad link. Every time I click on it, I can't reach the internet for a few minutes.

      • ...only if you set your router to be 192.168.1.1 - which I carefully avoided.
        But I got your point nevertheless :)

    • Re:malware = local (Score:5, Insightful)

      by hawguy (1600213) on Thursday January 02, 2014 @08:18PM (#45852129)

      Attacking the router from inside the network is only a matter of infecting a computer inside the network.

      Then the compromised computer is used to modify the DNS settings.

      Then the whole network depending on the router to provide proper DNS is now visiting whatever hosts the attackers desire.

      If you can already infect inside computers, do you really need to hack the router?

      • Not usually much av software on a router.
      • If you can already infect inside computers, do you really need to hack the router?

        The first computer is compromised via email spam, spearphishing, drive-by browser vulnerability, etc. That computer is the beachhead for the attack on the router.

        The router is then used to compromise all the other computers on the network. DNS is the easiest way. When the other users attempt to access URLs for Microsoft Outlook webmail, bank accounts, etc. the router misdirects them to fake websites that capture their login

        • by fnj (64210)

          I don't use the DHCP and DNS proxy services on the router. Beats me why anybody would. I run them on a BeagleBone which has so far shown five nines reliability, much more power and flexibility, and no vulnerabilities. The cost is about $50 up front and under 3 watts of AC power.

          • by drinkypoo (153816)

            I don't use the DHCP and DNS proxy services on the router. Beats me why anybody would. I run them on a BeagleBone which has so far shown five nines reliability, much more power and flexibility, and no vulnerabilities. The cost is about $50 up front and under 3 watts of AC power.

            You know, for $30 (or less!) you could get a pogoplug series 4 and run debian on it. And it has USB3. That's the complete package with case and power supply. You could use an earlier pogo, but the newer ones have SD slots.

            Personally, I use the DNS on my router, which is a Linksys WRT54G of some sort. But it's running Tomato. Any nerd worth their salt is doing the same or similar, if not building an appliance from scratch. There's just no cheaper way, though, than to use a WAP you got at a yard sale. I've ye

      • Yes. Most of the time you may not get root on the infected device. Or the device will be some limited piece of crap. With an attack like this it is a stepping stone to get every device on the network under your control. Many computers will firewall themselves off from other devices on the network, yet allow some communications with the router. Also, most home routers provide DNS to the client computers.

      • Re:malware = local (Score:5, Interesting)

        by fuzzyfuzzyfungus (1223518) on Friday January 03, 2014 @05:32AM (#45854711) Journal

        If you can already infect inside computers, do you really need to hack the router?

        Two major upsides: hitting the router is a handy way to turn an exploit of a single machine into a position for eavesdropping and/or DNS attacking every device on the network. Odds are good that the one you exploited directly isn't the only one, and the others may be harder targets from the outside. Plus, the router is a handy 'bastion' for re-infection and persistence in case the luckless user finally ditches or wipes his worm farm of a system. Unless you screw it up, badly, most people are barely aware that routers contain software at all, so odds are excellent that they won't be getting rid of you in the near future...

    • Re:malware = local (Score:5, Interesting)

      by toygeek (473120) on Thursday January 02, 2014 @09:37PM (#45852763) Homepage Journal

      This is exactly what happened with Apple a couple of years ago. The DNS Changer virus

      http://www.f-secure.com/v-descs/trojan_osx_dnschanger.shtml [f-secure.com]

      It infected OSX machines and logged into the user's router using the biggest "back door": admin/password. Then it changed to some DNS servers in Russia, and any device on the network was getting redirected to death to all sorts of sites.

      Yes, this is a big back door, but no bigger than the admin/password admin/admin default credentials that 99% of people never changed. Thankfully, these days the routers come with better defaults.
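A defender-side check for the two paths this thread describes (a gateway listening on the TCP/32764 port from the Shodan search linked above, and router or DHCP-supplied DNS pointed at rogue resolvers as in the DNSChanger story). This is added example code, not part of any comment or of the vendors' tooling; the gateway address, the resolver allowlist and the resolv.conf text are constructed.

```python
"""Audit your own gateway: is the suspect port listening, and are the
resolvers this host was handed the ones you expect?  All sample input
is constructed for this example."""
import ipaddress
import socket

# Port from the Shodan search linked in the thread.
BACKDOOR_PORT = 32764

# RFC 1918 ranges, checked explicitly rather than via ipaddress.is_private
# (which also counts the documentation ranges used in the sample below).
LAN_RANGES = [ipaddress.ip_network(n)
              for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def backdoor_port_open(host, port=BACKDOOR_PORT, timeout=1.0):
    """True if a plain TCP connect to host:port succeeds.
    A listener is a reason to audit the device (or flash maintained
    firmware such as the Tomato/OpenWrt builds mentioned in the thread),
    not by itself proof of the flaw."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable or no network at all
        return False


def parse_nameservers(resolv_conf_text):
    """Collect 'nameserver X' entries from resolv.conf-style text."""
    servers = []
    for line in resolv_conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            servers.append(parts[1])
    return servers


def classify_resolvers(servers, gateway, allowlist):
    """Bucket resolvers: 'expected' (the gateway or an allowlisted
    upstream), 'lan' (another private address, e.g. a BeagleBone-style
    local resolver you did not list), 'foreign' (public address you never
    configured: the DNSChanger pattern) and 'invalid' (unparseable)."""
    result = {"expected": [], "lan": [], "foreign": [], "invalid": []}
    for server in servers:
        if server == gateway or server in allowlist:
            result["expected"].append(server)
            continue
        try:
            addr = ipaddress.ip_address(server)
        except ValueError:
            result["invalid"].append(server)
            continue
        if any(addr in net for net in LAN_RANGES):
            result["lan"].append(server)
        else:
            result["foreign"].append(server)
    return result


# Constructed sample: a host whose DHCP lease now hands out two
# resolvers outside the LAN in addition to the gateway.
SAMPLE_RESOLV_CONF = """# constructed sample
nameserver 192.168.1.1
nameserver 203.0.113.7
nameserver 198.51.100.9
"""

if __name__ == "__main__":
    gw = "192.168.1.1"           # constructed gateway address
    print("port open:", backdoor_port_open(gw, timeout=0.5))
    print(classify_resolvers(parse_nameservers(SAMPLE_RESOLV_CONF), gw, {"192.0.2.53"}))
```

Any entry in the `foreign` bucket is the signal this thread is about: the router (or whatever answers DHCP) is steering clients to resolvers nobody on the LAN configured.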

  • Oh wait, if anyone edited this shit instead of piling more images and whatever else Dice's marketing team deems "awesome and revolutionary to leverage for Slashdot," this might be a reputable god-damned tech news site anymore.

  • (insert expected comment about how Slashdot editors... don't).
    It is LinkSys, not Linkys.

    Although "Linky" seems almost appropriate, considering that's what routers do!

  • by richlv (778496) on Thursday January 02, 2014 @07:48PM (#45851851)

    "Linkys". because details are for samzenpussies.
    this is getting annoying enough.

  • by bob_super (3391281) on Thursday January 02, 2014 @07:57PM (#45851935)

    "Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"

    It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves.
    I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...

    • by Gothmolly (148874) on Thursday January 02, 2014 @08:04PM (#45852019)

      That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.

      • by jafac (1449)

        That fairy tale stopped existing once companies could buy the laws they need to create barriers to entry.

        . . . . like Corporate Charters, for instance.

        • . . . . like Corporate Charters, for instance.

          Most Americans don't realize that the country got by on its first hundred years with no permanent corporations. JD Rockefeller found the right price.

          • by drinkypoo (153816)

            Most Americans don't realize that the country got by on its first hundred years with no permanent corporations. JD Rockefeller found the right price.

            Jingoism is a terrible thing. If I tell people that corporations should not exist unless they serve the public good, they often call me a communist. But that's precisely what corporations originally had to do, at least in theory, in order to be granted incorporation.

    • Cisco Systems' dominance in the enterprise gear should also be discussed more often.
    • by besalope (1186101)

      "Linksys (...) devices are made by Sercomm, meaning that Cisco, Watchguard, Belkin (...)"

      It reminds me that scary graph where half a dozen companies control almost all the stuff you see on supermarket shelves. I remember reading nice fairy tales in school about open markets, and fair and diverse competition being paramount to the western economic model...

      Sorta like these conglomerates? Just to name a few :)

    • by n1c0 (999048)
      These devices are 'old', end of life, no longer supported and most non tech users won't ever know. And the non tech enduser will (once again) see personal or financial information compromised, or will participate in yet another botnet. It's public now, but nobody knows how much this has been exploited as zero day. Replace router/firmware with 'car' and we would see class action lawsuits as never before. I think that more strict regulation is needed or legislative work that hold companies accountable f
      • by DarkOx (621550)

        the non tech enduser will (once again) see personal or financial information compromised, or will participate in yet another botnet. It's public now, but nobody knows how much this has been exploited as zero day. Replace router/firmware with 'car' and we would see class action lawsuits as never before.

        If it were a car there would be a manufacturer recall. If the problem was discovered in the first decade, after that people would be expected to take care of it on their own.

        Device makers should be better behaved to do recalls for stuff like this, maybe they should be forced to, I don't know.

        These non tech endusers need to stop getting a free pass too though. "herp derp, gee I didn't know I needed to check for patches and updates, set a non-default password, and have some kind of port filtering" just can't

    • by jafac (1449)

      Oh. There's a problem with your market? Sounds like the job for The Invisible Hand! Invisible Hand will fix it!

  • by Anonymous Coward

    I did a web search for "linksys router backdoor" and this story was one of the top results:
    http://news.techworld.com/security/1682/critical-flaws-in-linksys-and-netgear-kit/

    "...a hard-wired user account with a known password. Any user with access to a LAN with an affected WG602 device connected to it would be able to gain full administrator access to the device..."

  • by vik (17857) on Thursday January 02, 2014 @08:14PM (#45852099) Homepage Journal

    You can telnet into most Huawei/Vodafone DSL modems with admin/{VF-}[Countrycode]hg[ModelId] through the ethernet port...

  • by CajunArson (465943) on Thursday January 02, 2014 @08:16PM (#45852115) Journal

    Their backdoors are implemented at much higher quality level.

    • by AHuxley (892839)
      It could depend on where the tech ended up. Ex staff, former staff, ex contractors, former contractors could have created their own 'lite' deniable offering for sale to state and federal law enforcement?
      Why just log from an isp/telco level when you can get much closer?
  • by DigitAl56K (805623) on Thursday January 02, 2014 @08:21PM (#45852145)

    There is a supported feature on Netgear routers where so long as you're on the internal network you can send a magic packet (using a utility called TelnetEnable) to open up the telnet port, then you can telnet in and issue commands as the super user. All TelnetEnable needs is the IP address of the router, its MAC address, and a widely known default username and password - all things anyone connected to the network can get easily.

    It seems like this guy stumbled upon a similar feature.

    Yes, this stuff should be better protected, but it's not necessarily a vulnerability. For example, you can log into your router this way and use iptables to add some custom firewall rules that the web admin interface doesn't support. The main hole here is A) Most people don't know it's even there, and B) The default username/password is the same for every router by default. You do need to be on the LAN side to send the magic packet in the first place.

    • by DigitAl56K (805623) on Thursday January 02, 2014 @08:25PM (#45852187)

      To add to the above, I see the WNDR3700 is specifically reported as not being vulnerable to the open port he found on some of the older models. I know for a fact (because I owned one), that the WNDR3700 is one of the models that requires the magic packet to open the telnet port, further leading me to believe he found a poorly documented (but not unknown) feature that should have been much more visible and better protected by default, rather than something more akin to a backdoor (after all, you have to be on the LAN side to use it).

    • by hawguy (1600213)

      There is a supported feature on Netgear routers where so long as you're on the internal network you can send a magic packet (using a utility called TelnetEnable) to open up the telnet port, then you can telnet in and issue commands as the super user. All TelnetEnable needs is the IP address of the router, its MAC address, and a widely known default username and password - all things anyone connected to the network can get easily.

      It seems like this guy stumbled upon a similar feature.

      Yes, this stuff should be better protected, but it's not necessarily a vulnerability. For example, you can log into your router this way and use iptables to add some custom firewall rules that the web admin interface doesn't support. The main hole here is A) Most people don't know it's even there, and B) The default username/password is the same for every router by default. You do need to be on the LAN side to send the magic packet in the first place.

      Why is a method to log into the router without any password not classified as a "vulnerability"? If I let my roommate's sketchy friend plug his laptop into the ethernet network because I don't trust him with the Wifi password, I wouldn't expect him to be able to telnet into my wifi router without a password.

    • by the_B0fh (208483) on Thursday January 02, 2014 @08:55PM (#45852437) Homepage

      Oh wow. Your inside network doesn't touch the outside network? You don't visit websites? You do not run javascript on your browsers? You personally scan each piece of javascript to make sure it cannot get your IP address (yes it can), your gateway (yes it can) and send packets to your gateway (yes it can)?

      Seriously, if you don't know what you're talking about, lurk and learn.

      And default username/passwords means that malicious javascript can be very very simple indeed.

      Your kind of thinking is why we have so much insecurity on the Internet. Please update and upgrade your skills.

      • Of course there is a risk there, that's probably why in newer models they require a magic packet in the first place. Can JavaScript in a browser construct such a magic packet? As far as I know it can only create TCP connections.

        I didn't say Netgear secured this thing well, did I? I was merely pointing out that this was likely not an NSA backdoor, and had already been "improved" in newer models.

        At least I felt like I contributed to the discussion. You, on the other hand, were just being a dick.

        • by the_B0fh (208483) on Thursday January 02, 2014 @10:58PM (#45853275) Homepage

          You understand that most of the botnets out there are the result of someone clicking on a link and visiting a site that had malicious code embedded in it (ActiveX/JavaScript)?

          While JavaScript might not natively be able to send a hand crafted magic packet, it can *take over your system* - which then allows it to download and install rootkits and other stuff - one of which can do the magic packet tickling.

          You said:

          Yes, this stuff should be better protected, but it's not necessarily a vulnerability.

          *AND YOU ARE VERY VERY WRONG* I want to say this in the nicest way I can - if you are propagating wrong information, you should be stopped. If you think you are correct, you need to be corrected. If you think this is being a dick, I apologize, but you are still wrong, and you are still spreading bad information. Learn and improve your knowledge. Think things through.

          Think about it - the programmers who should know better thought the same as you. And as a result, now millions of routers are vulnerable, and open to being exploited. Every week, we see tons of news about basic infrastructure being insecure. Because no one said "that's a fucking stupid idea, don't do it" because saying that means they're being a dick.

  • With or without Dell. My bet is on the former.
  • While it's not a very big issue, it's a start... and all good things start with simple steps
    given it's been going on for a while, now the ball is rolling and the public is learning ...

    it's up to someone smarter than me to figure out how to get these little back doors
    more into the public eye.

  • You mean like how any web page with javascript? It's not that difficult to get $ethX and get the gateway, which will probably be the router. Ooops, it's now fully available to the attacker on the outside world.

  • by koan (80826)

    There was an interesting video the other day http://boingboing.net/2013/12/31/jacob-appelbaums-must-watch.html [boingboing.net] I believe he mentions the NSA and hacking wireless routers, perhaps they created it.
    Additionally, several router models are susceptible to a hack so easy it's ridiculous, namely adding a certain user agent string to your browser lets you in.

    I personally don't use wireless at home any longer,

  • So much for "business class" routers/firewalls, and it wasn't on the list.

    I've got a couple of old computers around. Time, again, to build my own. Another plus is that local DHCP addresses will show up in DNS.

  • by dutchwhizzman (817898) on Friday January 03, 2014 @01:43AM (#45853985)

    These back doors may exist in new devices, but any older device is likely to have a back door. If the vendor updates the devices at all, they usually stop doing that shortly after they stop sales of the device. Your perfectly fine WiFi router or DSL box will most likely have vulnerabilities on it that make it just as insecure as these new devices.

    I actively check my DSL router and I know my ISP and several security minded customers do the same. Any WiFi router in my home runs a modified Linux distribution like Tomato, openWRT or DD-WRT that is actively maintained. While it's bad that A-brand companies evidently don't do this with the stuff they buy from other vendors, most devices in the field are just as vulnerable as these boxes are, simply because they don't get updates.

    Burning vendors for selling insecure devices is good practice to get this problem solved. Burning them for not being responsible for their sale and updating or liberating the devices they sold should be just as normal as burning them for new equipment. You can't expect people to buy a new device every year simply because the vendor refuses responsibility once it's left their factory.

  • Backdoors and more... I recently purchased a LinkSys and could not access the web interface unless a Windows machine was present on my network. I verified this by starting a Windows VM on the linux host where I was running my web browser. With the Windows VM running, my web browser (linux) could access the LinkSys. Without the Windows VM running, my web browser (linux) could NOT access the LinkSys. Once I got DD-WRT installed, problem fixed.
