Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Security

Netgear's Amusing "fix" for WG602v1 Backdoor 515

An anonymous reader writes "Recently Slashdot reported that the Netgear router has as WLAN backdoor. According to this report by the news service of the German publisher Heise Netgear "fixed" the problem with a firmware update. And what is the fix? According to Heise, they didn't remove the backdoor at all. Instead they just changed the login information! They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "
This discussion has been archived. No new comments can be posted.

Netgear's Amusing "fix" for WG602v1 Backdoor

Comments Filter:
  • Oops... (Score:5, Funny)

    by danielrm26 ( 567852 ) * on Tuesday June 08, 2004 @09:38AM (#9365838) Homepage
    Chalk up another loss for 'security by obscurity'.
    • Re:Oops... (Score:5, Informative)

      by einhverfr ( 238914 ) <[moc.liamg] [ta] [srevart.sirhc]> on Tuesday June 08, 2004 @09:42AM (#9365890) Homepage Journal
      Chalk up another loss for 'security by obscurity'.

      Well, that might be good enough, if they could choose the login information. But now that they published it....

      First rule of passwords is that you don't talk about your passwords....
    • by burgburgburg ( 574866 ) <splisken06&email,com> on Tuesday June 08, 2004 @09:44AM (#9365918)
      "security through stupidity".

      But that's just me.

    • Re:Oops... (Score:5, Insightful)

      by isthisthingon ( 785412 ) on Tuesday June 08, 2004 @09:45AM (#9365937) Homepage
      Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

      Any open source coder would be summarily flogged for such a transgression. Why on EARTH is this not literally considered a criminal offense for a company to do?

      And I for one used to hold Netgear in reasonably high regard, too.

      Never again.
      • Re:Oops... (Score:5, Insightful)

        by chris_mahan ( 256577 ) <chris.mahan@gmail.com> on Tuesday June 08, 2004 @09:53AM (#9366043) Homepage
        >Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

        The answer lies within the question: Because we pay them.

        If someone paid you to paint a building and didn't care whether you stripped off the old paint first, I guarantee you you would just slap a coat over the old paint.

        >And I for one used to hold Netgear in reasonably high regard, too.

        Your mistake, then.

        >Never again.

        You should not say never if you want to reach them. This just makes the company execs think that since they can never reach you as a customer again, they won't make the effort. What you should say instead is: "I will purchase products from other companies since theirs do not address my needs at this time."

        This is reasonable to them, and they won't discount you as a hot-head but rather may take your advice.

        Just my .016 euro
        • Re:Oops... (Score:5, Funny)

          by NickFortune ( 613926 ) on Tuesday June 08, 2004 @09:55AM (#9366078) Homepage Journal
          In future I will purchase products from other companies since theirs do not address my needs at this time.

          I feel better for that...

        • Re:Oops... (Score:5, Insightful)

          by timeOday ( 582209 ) on Tuesday June 08, 2004 @10:11AM (#9366281)
          Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?
          The answer lies within the question: Because we pay them.
          Don't blame this on consumers. We don't have real choice until we have the relevant information. Things might be quite different with a bit of truth in advertising, like a sticker on the box which reads "Router WG602 - Now With Even More Backdoors!"

          The question of "why are companies allowed to get away with this crap" is a good one. They should either be forced to tell people what they're buying, or be accountable for the consequences of deception.

          • Re:Oops... (Score:3, Insightful)

            by chris_mahan ( 256577 )
            Do you shop around for cars? Do you drive a few, ask your friends/coworkers before you decide what kind of Toyota to get?
            • Re:Oops... (Score:5, Interesting)

              by arivanov ( 12034 ) on Tuesday June 08, 2004 @11:04AM (#9366983) Homepage
              I do.

              In fact I drove all possible candidates for several days before I bought what I have now. It is quite easy. Every time you go on a holiday rent one of the candidates for "next thing to buy". You get to see it in all of its "glory" - lowest spec, run down by tourists and badly maintained. If it is still OK you go and buy it. You may suffer some minor discomfort compared to renting "the old familiar", but you save a lot of money :-)

              I also do the same stuff with computer equipment. Buy, test drive if it is shit - return. It is quite easy to do it in EU due to distance selling regulations. You are entitled to a free return no questions asked of anything you have bought over phone or Internet within 1 week after purchase. This limits you to internt purchases, but once you add this along with observations of company kit you are reasonably well positioned to get the right stuff...
              • Re:Oops... (Score:4, Interesting)

                by DaveJay ( 133437 ) on Tuesday June 08, 2004 @12:53PM (#9368288)
                I did the same thing. Was going to buy a specific car, and my wife and I loved it during the test drive -- so we rented one for a week's road trip. By the end of the first day, we HATED it, and couldn't wait to return it.

                We then rented the car we ultimately bought, and it's been so good to us, she's still got the first one, I bought a second one, and I have since traded it in for a high-performance version of the same. Whee!

                And no, I'm not going to tell you the cars, but I'll give you a hint: the one we hated rhymes with bored locus, and the one we love (sort of) rhymes with grease-on ben-tra. Hard to rhyme with car names that are invented words. Heh.
                • by cgenman ( 325138 ) on Tuesday June 08, 2004 @09:14PM (#9373311) Homepage
                  In my day, the grease-on ben-tra ran like grease on a pan - that had been burned in place and left there for weeks. Our grease-on ben-tra had a zero to sixty time of sixty seconds, and couldn't steer without rattling like the bones of Buddy Holly. Fuel efficiency? That thing drank like an ex army sergent. And it broke down more often than Tammy Fae. Often times we would be driving it to the shop, and it would break down again on the way. You'd hook it up to the tow truck because of a broken front wheel and the rear axle would crack. Load it on the back, and the bumper would fall off. That thing wasn't a deathtrap: deathtraps have moving parts.

                  Hope you like it. Have fun with your car!

                  (note: it was an '86. I've heard they have gotten better.)

          • Re:Oops... (Score:5, Insightful)

            by gfxguy ( 98788 ) on Tuesday June 08, 2004 @10:16AM (#9366354)
            Your last line says it all - they should be held accountable. If it's advertised as being secure, and a backdoor is found, they should have to buy back every single unit or replace every single unit with a working one.

            If anyone has been damaged by the availability of the back door they should be held liable even if they claim you waive that right in their license agreement (their license agreement does not state there may be the possibility of back doors, no?)

            If you claim something is secure, but that you can't prevent all future attacks so you can't be liable, that's one thing, but when the liability is clearly your fault, it's another.
          • Re:Oops... (Score:5, Funny)

            by chrispl ( 189217 ) on Tuesday June 08, 2004 @11:03AM (#9366975) Homepage
            Be realistic, if the box DID have a sticker saying "Router WG602 - Now With Even More Backdoors!" most Joe-BestBuy-Consumers would flip it over and look for little doors on the back of it.

            Face it, until there is a major disaster involving IT security most of this type of information will remain the exclusive domain of security geeks and haxors.
          • Re:Oops... (Score:3, Interesting)

            by TyrranzzX ( 617713 )
            Agreed. I like to use the pair of pants example. I can pick up a pair of pants and see what it's made of; the quality of the stiching, weither it's double or triple stiched, the quality of the fabric, dye, etc. Even with military camo, you've got different patterns, different fabrics and synthetics, etc.

            When I go down to the military surplus store, I can refuse to buy clothing wrapped in boxes and bags, because I don't get to see them. Instead, I go to the shelves and take a good look at what's on th
      • Re:Oops... (Score:5, Interesting)

        by div_2n ( 525075 ) on Tuesday June 08, 2004 @10:03AM (#9366180)
        My experience with Netgear products has led me to believe their quality has diminished dramatically.

        IANAL, but I seem to recall a lawyer I know telling me that with product liability, a company is liable if due diligence is not performed to fix an issue when a known problem exists. Of course, the trick becomes can you call changing a username and password due diligence? I feel certain every computer expert in the world would say no.
        • Re:Oops... (Score:3, Insightful)

          by gfxguy ( 98788 )
          The fact that the backdoor existed at all makes them liable, IMO, because it proactively defeats the supposed security they used to sell their product.

          Normally you'd find them liable if they showed negligence, but in this case they themselves proactively introduced the security risk. It's worse then merely being negligent.
        • Re:Oops... (Score:4, Interesting)

          by stienman ( 51024 ) <.adavis. .at. .ubasics.com.> on Tuesday June 08, 2004 @10:52AM (#9366804) Homepage Journal
          The interesting thing about liability is that if they have some control over your routers, then you can hold them more liable than if they had no control. Further, now that everyone knows they can 'dial in' then hopefully customers will pester them to fix their products remotely instead of spending hours on the phone. In the end a backdoor is *much* more work than a product without one.

          Silly programmer, backdoors are for script kiddies.

          -Adam
      • Re:Oops... (Score:5, Interesting)

        by Twirlip of the Mists ( 615030 ) <twirlipofthemists@yahoo.com> on Tuesday June 08, 2004 @10:06AM (#9366223)
        Why on EARTH is this not literally considered a criminal offense for a company to do?

        Just how many criminal laws do you think we need? Seriously. Do you think we need another one?

        There's no doubt in my mind that the vendor would be held liable for damages if anybody were harmed--financially I mean--by this kind of thing. But should somebody really go to jail over it?

        Geez. And I thought I was a fascist.
      • Re:Oops... (Score:5, Insightful)

        by R.Caley ( 126968 ) on Tuesday June 08, 2004 @10:39AM (#9366652)
        Why are companies allowed to get away with this crap just because we pay them for their shoddy wares?

        You answered your own question. If everyone who owns one of these took it back and demanded their money back because it is not suitable for the purpose for which it was sold, they'd soon get the message.

        Why on EARTH is this not literally considered a criminal offense for a company to do?

        Because the civil courts are there to cope with this kind of thing?

    • Re:Oops... (Score:5, Funny)

      by AndroidCat ( 229562 ) on Tuesday June 08, 2004 @09:51AM (#9366016) Homepage
      If someone war-chalks it up, it won't be obscure for long. What is the symbol for "lame gateway security"?
    • Re:Oops... (Score:5, Funny)

      by djansen ( 67143 ) on Tuesday June 08, 2004 @09:52AM (#9366028) Homepage
      Well, it IS an improvement. The increase from 5 characters for the login to 8 now makes it SO much harder to crack. What was the old password? Someone do the math and figure out the number of new permutations they've added. Ha. I bet this is how the guy who did it justified the whole thing.

      "What da ya mean? It's MUCH more secure than it was before."

      Doh.
    • Re:Oops... (Score:5, Funny)

      by D-Cypell ( 446534 ) on Tuesday June 08, 2004 @10:09AM (#9366261)
      Well... if there is one thing that can be said of slashdot... we certainly know how to fix that pesky 'obscurity' problem ;o)
  • Nice fix. (Score:5, Funny)

    by SpyPlane ( 733043 ) on Tuesday June 08, 2004 @09:39AM (#9365846)
    That would be like "fixing" Windows 95 with Windows ME.
  • I wonder... (Score:5, Funny)

    by barcodez ( 580516 ) on Tuesday June 08, 2004 @09:40AM (#9365866)
    I thought the last article said changing passwords was a good idea! Make your minds up.

    I jest of course.
  • Superman!! (Score:5, Funny)

    by Claire-plus-plus ( 786407 ) on Tuesday June 08, 2004 @09:40AM (#9365868) Journal
    Well at least sys-admins and network engineers can finally use the login name they think they deserve.
  • Not funny at all (Score:5, Interesting)

    by Ckwop ( 707653 ) * on Tuesday June 08, 2004 @09:42AM (#9365889) Homepage
    I don't think there's anything amusing about this at all. I think the owners of these units should file a class action lawsuit, though i'm not even sure that's possible due to the EULA. If the EULA does get in the way then
    I think it's time the government steped in to protect the consumer and started making companies liable for acts as stupid as this. This just isn't the way a responsible company behaves.

    Simon.
    • by Dutchmaan ( 442553 ) on Tuesday June 08, 2004 @09:53AM (#9366051) Homepage
      This just isn't the way a responsible company behaves.

      responsible company

      Trying to put these two words together is like trying to touch two magnet ends with the same polarity.
    • by kfg ( 145172 )
      . . .though i'm not even sure that's possible due to the EULA.

      EULAs cannot prevent lawsuits. The EULA becomes part of the evidence of the suit and the suit itself determines to what degree, if any, its terms effect a possible ruling.

      In fact, this is precisely how the legality of a EULA is tested. A EULA is a just a contract. Contracts don't prevent lawsuits, they become the object of them.

      KFG
      • Re:Not funny at all (Score:3, Informative)

        by 91degrees ( 207121 )
        In fact, this is precisely how the legality of a EULA is tested. A EULA is a just a contract. Contracts don't prevent lawsuits, they become the object of them.

        Strictly speaking, it's a licence. It's different. It gives you permission to do certain things with it assuming certain limitiations. e.g. You may use this product for reasons X and Y but not Z. As a licence, it cannot require the licencee to give up anything in return.
    • Heck, where is the story? I've only seen this at slashdot and the few media articles it links to.

      I mean, I can turn on my nightly news and hear about "getting ripped off at the dry cleaners? Let our investigative unit show you how!" but when your personal home network with all your work, personal stuff, family photos, etc are now open to the world because of some backdoor its like its no big deal.

      It seems like until someone writes a worm to really screw these people over, no one is going to care. And I'm
  • by saddino ( 183491 ) on Tuesday June 08, 2004 @09:44AM (#9365911)
    They replaced the old user name 'super' with 'superman', and changed the old password to '21241036'. "

    And thanks to Slashdot, thus begins an endless stream of firmware updates; every time Netgear "fixes" their problem, I'm sure an article here will put the cycle in motion again. Let's see, who wants to guess what they change the password to next?

    "superduperman", anyone?
  • Bianry Edit (Score:5, Interesting)

    by HogGeek ( 456673 ) on Tuesday June 08, 2004 @09:44AM (#9365914)
    I'm wondering if one could use something like bvi [sourceforge.net] to change the username and password to something private.

    I've done it with other types of binary files, but never tried with firmware.

    Anyone try this?

    • Re:Bianry Edit (Score:4, Informative)

      by catmaker ( 209612 ) on Tuesday June 08, 2004 @09:54AM (#9366057) Homepage Journal

      I'd imagine it wouldn't work. They've probably checksummed the file, and if you change any of the content you'd have to rechecksum it, if you even knew what kind of checksum (if any) they'd used.

      Nice idea though.
      • Re:Bianry Edit (Score:5, Interesting)

        by MrBlue VT ( 245806 ) on Tuesday June 08, 2004 @10:44AM (#9366697) Homepage
        I have an earlier Netgear product (RT314). It's actually a rebranded Zytel product, so this trick may not work on other models.

        However, it was possible to edit the firmware in a binary editor. There was a checksum in the firmware, but you could fix it. You needed to connect a serial cable to the management port. When you made a change and uploaded the new firmware to the router and rebooted, the router would helpfully tell you what the old checksum was and what it expected the new checksum to be. You could then just search for the old checksum string and replace it with the new one the router calculated for you.

        Pretty easy to do. And allowed you to run some of the newer Zytel firmware on the Netgear boxes.
    • Re:Bianry[sic] Edit (Score:3, Interesting)

      by phaze3000 ( 204500 )
      The firmware is gzip compressed, so you'd need to do a bit more than just use bvi. But I suspect if you extracted the gzip'd portion, edited the firmware, re-gzipped it, put it back in the firmware and updated any crc/md5 checks in there it might work.
  • Reputation damage (Score:4, Interesting)

    by SamiousHaze ( 212418 ) on Tuesday June 08, 2004 @09:44AM (#9365919)
    I am so irritated I don't know what to say. Seriously, How can netgear expect people to trust them again, is there any way to repair their reputation?
    • by Marcus Erroneous ( 11660 ) on Tuesday June 08, 2004 @11:15AM (#9367115) Homepage
      I concur, their reputation is badly damaged now. Fortunately, I don't have this WAP in my house, nor am I now likely to use their gear in the future. I can't trust them and that lack of trust will be multiplied as I tell the people that come to me for advice not to use NetGear equipment.
      From other postings, it appears that until this, technically they appear to produce good equipment. However, undocumented "features" ;) like this are inexcusable, all the more so when the end user cannot fix it themselves, even if they want to! I'll agree that most people don't read slashdot and so might not know (nor care in many cases), but for those of us that do, it would be nice if we could fix it. If the firmware made it something that the end user could correct, and end users then did not, that would be one thing. But, to use the car scenario again, to unweld the hood, make a change and then weld it shut again is a poor decision.
      Those of us that regularly read Slashdot are probably the alpha geeks of our groups. The person that many people come to for informal IT support at home and at work. I am frequently asked my opinion about gear and for recommendations on what gear to buy. These people then tell their friends what they use, why they use it and how satisfied they are. This "viral" type of advertising is the kind that you can't buy when it's good and can't kill when it's not. I will not recommend products by a company that, when caught with it's hand in the cookie jar, merely switches hands. It was bad enough to get caught doing this but to change the password rather than remove the exploit reveals a mindset that I will keep in mind during future work in this field.
      Can they recover from this? I would imagine that there are ways to do so aside from the usual corporate tactic of relying on consumer apathy and time. I'll be curious to see if they bother and what they do if they do bother to try.
  • Very sad (Score:5, Insightful)

    by Sandman1971 ( 516283 ) on Tuesday June 08, 2004 @09:45AM (#9365945) Homepage Journal
    Now this is very sad. How can any semi-reputable company call changing the admin username and password for a major security hole a fix? Especially since they should have realized this new username/password would hit the net faster than Homer at an all you can eat buffet.

    Since these things have built in firewalls, wouldnt the fix just include a user-invisible firewall rule preventing access to the router on whatever the admin port is (80, 8080, etc..)? Seems like a fairly simple fix to me.

    Thanks Netgear! You've just assured that I'll never buy one of your products!
  • by Gyorg_Lavode ( 520114 ) on Tuesday June 08, 2004 @09:45AM (#9365950)
    I couldn't find the exact link at first glance, but this one is a reply to it: http://www.securityfocus.com/archive/1/365292/2004 -06-05/2004-06-11/0 [securityfocus.com]
  • by Anonymous Coward on Tuesday June 08, 2004 @09:45AM (#9365951)
    The blackhats that subscribe to

    http://lists.netsys.com/mailman/listinfo/full-di sc losure

    knew about this on irc for a while.

    EU via interpol desires, and us's NSA/NRO both desire various entrypoints.

    cisco's fiascos may be a trend. This netgear is only the tip of the iceberg I bet.

  • Who reads slashdot? (Score:5, Interesting)

    by tony_gardner ( 533494 ) on Tuesday June 08, 2004 @09:52AM (#9366035) Homepage
    I realise that this is a bit redundant, but I read the slashdot artile linked to, and what to I see but:

    Re:Fixed in new firmware, available here: (Score:3, Informative)
    by Chucky B. Bear (785810) on Saturday June 05, @03:10PM (#9345433)
    I've just upgraded to the latest firmware. It is NOT FIXED!!!! They have simply gone and changed the username and password to something else. There is STILL a default superuser account with password.

    (You can find it yourselve by just taking similiar steps as in the securityfoces article.)


    Maybe reading slashdot sometimes would be a good idea.
    • by Chucky B. Bear ( 785810 ) on Tuesday June 08, 2004 @10:25AM (#9366495)
      Yeah I hate to say it but told you so!!! ;-) I posted that just before the securityfocus mail. Its funny how this all ended up as a Heise article now. They could've at least given me some credit for finding it.

      I did talk to a netgear support engineer yesterday and he didn't know what I was talking about, so now I'm still waiting to hear anything back from them.

  • Supermaning it.... (Score:5, Interesting)

    by utlemming ( 654269 ) on Tuesday June 08, 2004 @09:58AM (#9366119) Homepage
    I am amused. When I say the headline I just about died laughing. The sad part is that most people that have a Netgear router aren't going to update the firmware, and they probably don't even care or understand the issues involved. Further, what about all those units that are on the shelf somewhere? The problem is that Netgear has admitted now that they are not interested in security and they are not offering a secured unit. I was amused when I installed one for a friend -- she had bought the unit. No user name, just a password. I am thinking that IEEE or ANSI or whoever should adopt a standard for baseline security for routers. That way even an idiot that wants to have an open WIFI device won't have to worry about some Wardriver taking over his device. Well, all I can say is that I am happy that I was not the executive that made the Superman call.
  • by Compulawyer ( 318018 ) on Tuesday June 08, 2004 @09:59AM (#9366126)
    The new password is apparently someone's PHONE NUMBER in Germany! No idea whose, but I gleaned this tidbit by getting a Babelfish translation of the page (orig, in German). For those in the US - Is this the networking equivalent of calling Jenny? (867-5309)
  • Sound familiar? (Score:4, Interesting)

    by merlin_jim ( 302773 ) <James@McCracken.stratapult@com> on Tuesday June 08, 2004 @10:02AM (#9366161)
    Was anyone else reminded of some of Mitnick's work where he'd call the manufacturer of the equipment to get the backdoor password? That most of the people using it didn't even know it had? And they gave it to him over the phone...
  • by daveschroeder ( 516195 ) * on Tuesday June 08, 2004 @10:09AM (#9366247)
    Flawed Routers Flood University of Wisconsin Internet Time Server

    http://www.cs.wisc.edu/~plonka/netgear-sntp/ [wisc.edu]

    Abstract:

    "In May 2003, the University of Wisconsin - Madison found that it was the recipient of a continuous large scale flood of inbound Internet traffic destined for one of the campus' public Network Time Protocol (NTP) servers. The flood traffic rate was hundreds-of-thousands of packets-per-second, and hundreds of megabits-per-second.

    Subsequently, we have determined the sources of this flooding to be literally hundreds of thousands of real Internet hosts throughout the world. However, rather than having originated as a malicious distributed denial-of-service (DDoS) attack, the root cause is actually a serious flaw in the design of hundreds of thousands of one vendor's low-cost Internet products targeted for residential use. The unexpected behavior of these products presents a significant operational problem for UW-Madison for years to come.

    This document includes the initial public disclosure of details of these products' serious design flaw. Furthermore, it discusses our ongoing, multifaceted approach toward the solution which involves the University, the products' manufacturer, the relevant Internet standards (RFCs), and the public Internet service and user communities."
  • by straponego ( 521991 ) on Tuesday June 08, 2004 @10:09AM (#9366256)
    By issuing this form of a fix, Netgear is stating that they are not just incompetent, they are deliberately so, and they think everybody else is as stupid as they are. I've rarely seen such negligence and contempt for customers. Well, not that rarely: The Winnuke Patch [unixgeeks.org]
  • by flux ( 5274 ) on Tuesday June 08, 2004 @10:10AM (#9366276) Homepage
    ..is that they lost the source, and all they could do was to binary patch the firmware image.

    Sad, but true ;-(.

    (or not)
  • by Anonymous Coward on Tuesday June 08, 2004 @10:12AM (#9366296)
    Yes, you're asking yourself "why didn't they just remove it, instead of changing it? Why was it there in the first place?"

    Well, it seems pretty obvious to me... it's supposed to be there.

    This shows that it was Netgear's intention to purposely put back doors into the product. The reason "why" is not really evident. I can leave that up to the tinfoil hat crowd.

  • Secure Backdoors (Score:4, Interesting)

    by DreadSpoon ( 653424 ) on Tuesday June 08, 2004 @10:13AM (#9366315) Journal
    Now, I'm not going to even start discussing whether the product *should* have a backdoor. There are many reasons for including them, and many obvious reasons to not.

    What I want to know is, why bother with user names and passwords in the backdoor? An SSH tunnel using only public key authentication would pretty much solve the problem of someone examining the firmware for the login information. You could also include multiple keys and provide a public key revokation server that the units automatically update from, as well as a general key update server that the units will grab new keys from using a callback mechanism (to guarantee that the key update servers have a valid private key for connecting to the unit).
  • blimey (Score:5, Insightful)

    by doofusclam ( 528746 ) <slash@seanyseansean.com> on Tuesday June 08, 2004 @10:14AM (#9366328) Homepage
    That's crap. There may be a multitude of reasons why they couldn't remove the backdoor (no access to source code, the guy who wrote it was on holiday, whatever...) but they could have at least changed the password with a hex editor to something that was difficult to type from a keyboard, low-ascii values for example.

  • by netringer ( 319831 ) <maaddr-slashdot@@@yahoo...com> on Tuesday June 08, 2004 @10:20AM (#9366417) Journal
    Doesn't having the username and password in the clear mean that anybody who knows how to use a Hex editor can make their own patch? Just find those two strings and change them to something else, or better some sequence of bits that don't map to text.

    Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?
    • by TwistedSpring ( 594284 ) * on Tuesday June 08, 2004 @11:03AM (#9366976) Homepage
      Is there a checksum or CRC check in the firmware loader on the router that keeps you from being able to do that?

      Almost certainly. Vendors normally checksum firmware to avoid the possibility of flashing the hardware with corrupt firmware data. However, given Netgear's track record, you could probably flash it with a JPEG file and it'd accept it OK.

      This sort of thing makes me wonder what backdoors are in other firmware and software that have not yet been discovered. I'm glad that there are people like SecurityFocus looking out for these exploits. Endless numbers of ADSL modems, routers and other equipment seem to have backdoors in them. I'm glad I route my ADSL through a switch and Slackware :)
  • by rice_burners_suck ( 243660 ) on Tuesday June 08, 2004 @10:42AM (#9366680)
    For immediate release. June 8, 2004. Netgear (NASDAQ: BLAH) today announced immediate release of new technology designed to eliminate enterprise security threats by thwarting hackers. By leveraging innovative technologies, content providers streamline compelling enterprise solutions.

    The technology, which allows anyone to access enterprise networks when they enter 'superman' for the username and and '21241036' for the password, frees enterprises from worrying about security issues and allows IT managers to focus on implementing talking paperclips on enterprise desktops. "We are excited about the new technology," commented Steve Hjarkblonka in an interview. "For the first time since the invention of computers, the threat of security intrusions has been completely eliminated. Enterprises can now enjoy 100% unbreakable security."

    Geoff Nikreny, chief security officer with Endostar Inc, calls the secure-by-default approach, in which once-vulnerable features are patched, a "mistake" that will lead to deployment confusion. But he doesn't know what he's talking about anyway. So for 100% unbreakable security, buy Netgear.

    Offer good while supplies last.

  • by Sleepy ( 4551 ) on Tuesday June 08, 2004 @11:04AM (#9366979) Homepage
    Ah, yes, the lovely irony of a security company outsourcing their own product's security.

    Nothing like trusting your future to some shady fly-by-night low-bidder who's not an employee. Whoever at Netgear argued this process saves money, I almost pity you. Almost.

    Although in this case, you can't argue that specs called FOR a backdoor... but maybe there were no specs at all.

    I don't blame them for this "quick fix".. as a longtime Software QA engineer I can tell you it takes more than 1 day to test something, unless you're willing to accept the risk that the fix could be worse. I'm willing to bet the OEM developer is probably just a one or two man shop, has no QA and might not even have source code control.

    off-topic:
    I run m0n0wall [m0n0.ch], a BSD distribution just for firewalls & routers. It doesn't need a hard drive so it's quiet.

    I even yanked the CPU fan off the AMD K6/450 it is running on. CAUTION: passive cooling a CPU risks burning out the processor. To prevent this I fitted a stock AMD CPU sink from an Athlon 1800, and made a small duct for the power supply to draw air over the CPU (this was an OLD old ATX case with the PS directly above the CPU so it was easy).

    Works great!

    Too bad you can't upload monowall into consumer routers. I think this is the next step. Some vendor will start making it very easy to do such a thing (discoveries like the Linksys WRT54G hacking do not count).
  • by OmniGeek ( 72743 ) on Tuesday June 08, 2004 @11:09AM (#9367037)
    The firmware for this box (or at least some of it) is offered for download on Netgear's site. I'm looking through the source, but I haven't seen anything relevant yet.

    Has anyone seen where the backdoor is coded into the system? (Hint: if it's NOT in the source anywhere, Netgear is violating GPL here).
  • by Xugumad ( 39311 ) on Tuesday June 08, 2004 @11:11AM (#9367071)
    It's just that, according to the site, there's no fix yet:

    http://kbserver.netgear.com/kb_web_files/n101383.a sp [netgear.com]

    Now, there is a firmware from the 4th:

    http://kbserver.netgear.com/support_details.asp?dn ldID=735 [netgear.com]

    that claims to fix the problem, but I'm tempted to suggest what's happened is they've changed the username and password while they test a full fix. After all, changing data is generally less likely to break stuff than changing code...
  • FVS318 (Score:3, Interesting)

    by Dalroth ( 85450 ) * on Tuesday June 08, 2004 @11:17AM (#9367145) Homepage Journal
    Man this sucks. I've got an FVS318. While, thankfully it's not the router that is the cause of this particular ruckus, it's a Netgear product.

    I like it. It's a very solid, reliable firewall/router. I've had it for a number of years now, and Netgear to this day continues to put out new firmware updates that not only fix bugs, but implement new features. It works well, and I always liked it better than my friend's Linksys.

    But this whole crisis makes me really really leary... How do I know there isn't a backdoor in my firewall/router as well? The fact is, now I don't.

    Getting a Linksys that can run a custom Linux distribution becomes more appealing every single day. This may be what finally pushes me over the edge.

    Bryan
  • by spoonyfork ( 23307 ) <spoonyfork@@@gmail...com> on Tuesday June 08, 2004 @11:24AM (#9367215) Journal
    > Do you have the password?
    > no
    Welcome to Abulafia!
  • by jdew ( 644405 ) on Tuesday June 08, 2004 @11:40AM (#9367408)
    I recently bought several 24 port switches off of ebay. There was no way to reset the password, but calling up tech support, and providing a small amount of proof that I did in fact buy these switches, they provided me with the backdoor username/password.

    It's documented on their website that they do have a backdoor password, and what you need to do to get it. For me, it took a single email (ebay end of auction), and a 5 minute phone call to get the backdoor.

    This would be fine, if the backdoor only worked on the serial console, but nope.. Works fine with the web interface too :(
  • by Genevish ( 93570 ) on Tuesday June 08, 2004 @11:53AM (#9367579) Homepage
    In a related story, Netgear has announced the formation of a new security division, formed with ex-Microsoft employees...
  • by Animats ( 122034 ) on Tuesday June 08, 2004 @12:13PM (#9367821) Homepage
    Someday, somebody from Netgear is going to have to explain that to a judge and jury. And it's not going to go over well. Once might be considered ordinary negligence. But the second time moves it into the "gross negligence" category: "an act or omission in reckless disregard of the consequences affecting the life or property of another."
  • by Dave21212 ( 256924 ) <dav@spamcop.net> on Tuesday June 08, 2004 @12:30PM (#9368008) Homepage Journal

    I wonder what DC Comics (and the other owners? [superman.ws]) have to say [dccomics.com] about NetGear using their copyrighted character in a commercial product ?
  • by Holi ( 250190 ) on Tuesday June 08, 2004 @12:33PM (#9368046)
    I would think under current laws that installing an undisclosed backdoor onto someone elses property would be akin to using a trojan to allow access to anothers system. Just becaujse they sell the system does not give them the right to access to it after it is sold. I can see no beneficial reason for this as most consumer routers have a hardware reset that reloads the factory defaults.
  • Hm (Score:4, Interesting)

    by David_Bloom ( 578245 ) <slashdot@3lesson.org> on Tuesday June 08, 2004 @05:21PM (#9371316) Homepage
    If you owned one of these routers, could you figure out where those strings are then just type in random letters of gobbleygook that are the same lengths, and use it on your own router (not distribute it, because then you'd be giving the pass away :))?

    Maybe somebody could make a program where:

    1. User opens program
    2. User points program to firmware file
    3. Program opens firmware file and replaces the hardcoded passwords with gobbleygook that is different each time the program is run
    4. Program writes new firmware to disk
    5. User reflashes router with firmware patched by program
    This seems like a good potential short-term solution to me...

"I'm a mean green mother from outer space" -- Audrey II, The Little Shop of Horrors

Working...