Backdoor Account Discovered in More Than 100,000 Zyxel Firewalls, VPN Gateways (zdnet.com)
More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel. From a report: The backdoor account, discovered by a team of Dutch security researchers from Eye Control, is considered as bad as it gets in terms of vulnerabilities. Device owners are advised to update systems as soon as time permits. Security experts warn that anyone ranging from DDoS botnet operators to state-sponsored hacking groups and ransomware gangs could abuse this backdoor account to access vulnerable devices and pivot to internal networks for additional attacks.
Wrong advice (Score:5, Insightful)
How about throw it in the trash can and buy a new one from a more trustworthy manufacturer? This is totally unacceptable!
Re:Wrong advice (Score:5, Interesting)
If it can't run openwrt or similar, it's poop.
Not only can't you trust it, but you can't keep it updated for the lifetime of the device; the manufacturer never keeps up with that stuff for long enough.
Re: (Score:2)
It's free advice. If you don't like it, don't take it. No skin off any of my parts.
I've had routers which ran Linux and had enough room to reasonably be upgraded and I've had routers which didn't, and only the former turned out to be maintainable over the long term.
If your experience differs, feel free to share with the class.
Re: (Score:2)
My "router" is a Linux PC with several network interfaces.
Re: (Score:2)
And my "router" is a Linux ARM SBC with several network interfaces.
The big difference is that mine is much lower-power, and designed for purpose, so it's compact.
I've done the PC-as-router thing before. It's sensible when the router you would need for your network is the size of a PC anyway. I'm not in that position.
Re: Wrong advice (Score:2)
Do you mind sharing which SBC you're using? I don't remember seeing one with multiple interfaces.
Unless you're saying you're using a RPI with its wired and wireless interfaces?
Re: (Score:2)
No, I'm saying I'm using a consumer router which runs Linux.
In my case it's ye olde Linksys WRT1200AC, running openwrt.
When I first installed it, tracking down the right image was a bit of a bother, but I upgraded recently and it was easy.
It's really about what you can run on it. If it's running Linux and it has decent RAM/flash then you can almost certainly run a current openwrt on it, though it depends somewhat on who made the wifi chips.
Re: (Score:2)
Not everyone even knows what openwrt is, let alone how to use it.
And those are exactly the people that should be seeking the advice of someone more knowledgeable. GP offered that good advice free of charge.
Re: (Score:2)
You can't trust any of them.
Either build your network so it doesn't have to trust these devices, or roll your own with a mini PC and PFSense.
Re: (Score:2)
Open-source does no one any good against problems embedded into the design of the hardware the software is dependent upon.
Re: (Score:2)
True, but those flaws are more likely to come to light if the software running on top is open.
Re: Wrong advice (Score:2)
Open Source is not just software.
Re: (Score:2)
from a more trustworthy manufacturer
Like who? Cisco?
Re: (Score:2)
That's who I got mine from (Linksys WRT1200AC).
But I bought it because I could load openwrt on it.
Vendor is less important than whose distribution you're running...except when the vendor makes that impossible or improbable.
Why would you put an SSH module on this (Score:2)
Why does it need to run SSH anyhow?
Re: (Score:2)
Why does it need to run SSH anyhow?
I think mostly so you can script for automated deployments
Re: Why would you put an SSH module on this (Score:2)
So you can ssh onto it from somewhere else and access the machine on the LAN behind it without having to configure port forwarding or reverse ssh tunnels.
The real question is: is the ssh server enabled by default, and if yes, just why?
Database with vulnerable devices/firmware versions (Score:5, Interesting)
I don't have a Zyxel device, so this vulnerability doesn't affect me. It did make me think though.
Is there any service or software that can make it somewhat easy to check if your devices (or your relatives' devices) have known vulnerabilities?
I don't think I'd want to share a list of all my devices and firmware versions with a 3rd party service though.
So I'd probably prefer to keep the device data local, but I would like something that allows me to (anonymously) check for vulnerabilities.
Hmm, is there an online database of devices and firmware versions with vulnerabilities? Might be a little too helpful for hackers though :-(
Re: (Score:2)
It wouldn't help with the devices in the networks of my parents/aunt/brother etc.
Further, I'd be hesitant to run 3rd party SW that scans my network and then possibly phones home...
It would however be useful with a tool (open source?) that helps me compile a list of devices. Then again, the number of devices isn't that large - I could likely write down the information quicker than it'd take me to find/install/run such a tool.
Re: (Score:2)
Link for Nessus: https://en.wikipedia.org/wiki/... [wikipedia.org] where it says:
Nessus is a proprietary vulnerability scanner developed by Tenable, Inc. (NASDAQ: TENB) ...
The Nessus 2 engine and a minority of the plugins are still GPL, leading to forked open source projects based on Nessus like OpenVAS and Porz-Wahn
Re: (Score:3)
Nessus is all fine and dandy, but does not protect from these blatant backdoors until they are reported, and reported they are when they are found. There were hard coded backdoors in Cisco's line of products, in Juniper's line of products, in some of Netgear's products, so you basically have two options:
Re: (Score:2)
I may be an idiot, but a simple port scan is going to show an open SSH port. That's pretty trivial to do from Linux or BSD. That won't catch "phone home" style vulnerabilities, but if there's an undocumented listener on a device, a deep port scan is going to find it in most cases.
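One way to make the port-scan idea in this comment operational on your own network, as an added example that is not from the thread or from any scanner project: instead of eyeballing scan output, keep a per-device baseline of the listeners you expect and diff each scan against it, so an undocumented listener (or a vanished expected one) stands out. The scan lines and the baseline below are constructed sample data, and the regex assumes a simple "port/state/proto/service" form that would need adapting to whatever scanner you actually use. As the replies further down point out, this only catches undocumented listeners; it cannot see a hidden account on a service that is supposed to be open.

```python
import re

# Constructed baseline: the listeners each device is documented to have, written
# down when it was deployed. Keyed by address, values are (protocol, port) pairs.
BASELINE = {
    "192.0.2.1": {("tcp", 22), ("tcp", 443), ("udp", 53)},
    "192.0.2.2": {("tcp", 443)},
}

# Constructed scan output in a simple "port/state/proto/service" form (not a real
# capture). 192.0.2.3 is deliberately absent from the baseline.
SCAN_OUTPUT = """\
Host: 192.0.2.1  Ports: 22/open/tcp/ssh, 443/open/tcp/https, 53/open/udp/domain, 4444/open/tcp/unknown
Host: 192.0.2.2  Ports: 443/open/tcp/https, 22/closed/tcp/ssh
Host: 192.0.2.3  Ports: 23/open/tcp/telnet
"""

HOST_RE = re.compile(r"Host:\s+(\S+)\s+Ports:\s+(.*)")
PORT_RE = re.compile(r"(\d+)/(\w+)/(tcp|udp)/([\w-]+)")


def parse_scan(text):
    """Return {host: {(proto, port): service}} containing only ports reported open."""
    hosts = {}
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if not m:
            continue  # skip comments, blank lines, anything that is not a host record
        host, ports = m.groups()
        hosts[host] = {
            (proto, int(port)): svc
            for port, state, proto, svc in PORT_RE.findall(ports)
            if state == "open"
        }
    return hosts


def compare_to_baseline(scan, baseline):
    """Per host: open ports absent from the baseline (undocumented listeners), baseline
    ports not seen open (service down or filtered), and hosts with no baseline at all."""
    report = {}
    for host, open_ports in scan.items():
        seen = set(open_ports)
        if host not in baseline:
            # An undocumented device is itself a finding: everything it listens on is unexpected.
            report[host] = {"unknown_host": True, "unexpected": sorted(seen), "missing": []}
            continue
        expected = baseline[host]
        report[host] = {
            "unknown_host": False,
            "unexpected": sorted(seen - expected),
            "missing": sorted(expected - seen),
        }
    return report


if __name__ == "__main__":
    for host, entry in compare_to_baseline(parse_scan(SCAN_OUTPUT), BASELINE).items():
        print(host, entry)
```

Run periodically and keep the previous report, so a listener that appears after a firmware update shows up as a change rather than as background noise.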
Re: Database with vulnerable devices/firmware vers (Score:2)
I imagine that a port knocking scheme of some kind is used with these backdoors. It would never be as obvious as an open SSH port, would it?
For devices that are expected to provide ssh access, the backdoor would take the form of a hidden/undocumented account, so again there would be no way to scan for something like this.
Re: Database with vulnerable devices/firmware ver (Score:2)
Not really. I would expect SSH to be open on a router, firewall, VPN device etc., else how do you expect me to admin the device? What we have here is hardcoded username/password combinations that give admin level access. No amount of network scanning is going to help in this scenario till they have been uncovered. I would expect a Nessus scan to start flagging the devices soon now.
Re: (Score:2)
Another use case:
I have an old device, e.g. an Apple TV 3, and _before_ connecting it to my network I would like to know:
a) Does it have known vulnerabilities and what are they?
b) Has updated firmware been released, or is the device abandoned?
c) How to determine e.g. model number, hardware revision and firmware version in the device
With a database of vulnerable devices I could look up a) and b). Something that scans my network can't help me with this, because it requires first connecting the devi
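The offline lookup that both the original post in this thread and the checklist above ask for, as an added example (not from any commenter, Zyxel, or a vulnerability-database vendor): the advisory list is fetched once and kept locally, the device inventory is a file you write by hand, and the comparison runs on your own machine, so no list of your devices ever leaves the network. The advisory ids, model names and version strings below are constructed placeholders, not real advisories, and the version parser assumes dotted numeric strings (it ignores any letters).

```python
import re

# Constructed sample advisory list with placeholder ids (not real CVEs). In use this
# would be downloaded once and kept locally next to the inventory.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "vendor": "examplevendor", "model": "fw-100",
     "affected_from": "4.0.0", "fixed_in": "4.60.2",
     "summary": "hardcoded admin account reachable over SSH and the web UI"},
    {"id": "ADV-PLACEHOLDER-2", "vendor": "examplevendor", "model": "ap-20",
     "affected_from": "1.0.0", "fixed_in": None,
     "summary": "privilege escalation; no fix released, device end-of-life"},
]

# Constructed local inventory: what a home or small-office admin would write down
# (name, vendor, model, firmware string as shown in the device's own UI).
INVENTORY = [
    {"name": "office-fw", "vendor": "ExampleVendor", "model": "FW-100", "firmware": "4.55.1"},
    {"name": "lab-fw", "vendor": "ExampleVendor", "model": "FW-100", "firmware": "4.60.2"},
    {"name": "attic-ap", "vendor": "ExampleVendor", "model": "AP-20", "firmware": "1.3.0"},
    {"name": "old-streamer", "vendor": "OtherVendor", "model": "TV-3", "firmware": "7.4"},
]


def parse_version(text):
    """Turn '4.60.2' (or '4.60(ABC.2)') into a tuple of ints so ranges compare numerically."""
    return tuple(int(n) for n in re.findall(r"\d+", text))


def version_lt(a, b):
    """True when version a is older than b; pads to equal length so '4.60' == '4.60.0'."""
    ta, tb = parse_version(a), parse_version(b)
    width = max(len(ta), len(tb))
    return ta + (0,) * (width - len(ta)) < tb + (0,) * (width - len(tb))


def is_affected(firmware, advisory):
    """Firmware is affected when it lies in [affected_from, fixed_in);
    an advisory with no fix affects everything from affected_from onward."""
    if version_lt(firmware, advisory["affected_from"]):
        return False
    fixed = advisory["fixed_in"]
    return fixed is None or version_lt(firmware, fixed)


def check_inventory(inventory, advisories):
    """One result per device: ('affected', [ids]) when an advisory matches, ('clean', [])
    when advisories exist for the model but none match, or ('no-data', []) when the
    model is not listed at all (which is itself worth knowing before plugging it in)."""
    results = {}
    for dev in inventory:
        vendor, model = dev["vendor"].lower(), dev["model"].lower()
        relevant = [a for a in advisories if a["vendor"] == vendor and a["model"] == model]
        hits = [a["id"] for a in relevant if is_affected(dev["firmware"], a)]
        status = "affected" if hits else ("clean" if relevant else "no-data")
        results[dev["name"]] = (status, hits)
    return results


if __name__ == "__main__":
    for name, (status, hits) in check_inventory(INVENTORY, ADVISORIES).items():
        print(f"{name:14} {status:9} {', '.join(hits)}")
```

The "no fix released" case (fixed_in set to None) is what answers the "is the device abandoned?" question: every firmware from the affected version on stays flagged, and the only remediation is replacement or isolation.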
Re:Database with vulnerable devices/firmware versi (Score:5, Interesting)
Check out OpenVAS
https://openvas.org/ [openvas.org]
Why do they do this? (Score:5, Insightful)
The devs who create the firmware are not stupid, so why do they leave these obvious backdoors in? If it was only 1 manufacturer who'd done it I'd say it was incompetence and/or an internal hack of the firmware to plant it, but it happens too often so is obviously deliberate. Yes, they probably need easy root access during development and testing, but don't tell me they "forgot" to remove it. To me these seem deliberate acts and they don't care how it might affect their customers.
Re: (Score:3)
It's because it keeps support costs down. When a customer calls Cisco because they can't get their device to work, the Cisco staff can get in using the backdoor and sort it out. Doesn't matter if the customer changed all the passwords and then forgot them, or if something got corrupted; the backdoor is hard coded.
Re: Why do they do this? (Score:4, Interesting)
Or because they are paid to put backdoors in so the same people who wanted clipper and key escrow can access the equipment.
Re: (Score:2)
Unlikely. Far too easy to find.
Re: Why do they do this? (Score:2)
Great, so hash the MAC address written on the bottom and base the back door password on that. There's no reason to have the same password for every device.
Re: (Score:2)
It's because it keeps support costs down. When a customer calls Cisco because they can't get their device to work, the Cisco staff can get in using the backdoor and sort it out. Doesn't matter if the customer changed all the passwords and then forgot them, or if something got corrupted; the backdoor is hard coded.
Probably. Anything else makes very little sense. Once again, the customer gets what they pay for. But if you look, for example, at the lock industry, where gifted amateurs get into any lock, regardless of security levels within days of having gotten their hands on it, I guess a real security mind-set is just a very rare thing.
Re: (Score:2)
But if you look, for example, at the lock industry, where gifted amateurs get into any lock, regardless of security levels within days of having gotten their hands on it, I guess a real security mind-set is just a very rare thing.
It's a very hard thing. When you build a commercial product you have considerations beyond "is this thing secure" and that is ultimately where the failures begin. You could make a more secure lock if you required the user to move the key more and differently, but the lock would be bigger and more expensive and harder to use. And we have locks like that, and we put them on bank vaults. And even those can be defeated, but it takes a lot more time and equipment.*
Most people know dick about security and don't w
Re: (Score:1)
I don't know one way or another if this is malevolent. But it is certainly possible for thousands of programmers to fuck up on security. Look up the CVE security vulnerability database; historically there have been thousands of bugs in Windows & Linux systems.
Think of the loads of github trees that were discovered to have plaintext API keys.
People fuck up security a lot because being quick & dirty gets you out the door faster, security is an afterthought. There are countless non-deliberate ways to f
Re: (Score:2)
Don't let coders get away with what's OBVIOUSLY and UNAMBIGUOUSLY bad practice. ALL SIMPLE AUTH BACK DOORS ARE BAD PRACTICE. Don't let weasel words distract from that. These flaws, by the sloth of the coders and all those that did QA work on the code, are MALEVOLENT. Don't BS around about it, don't let them escape the crap on their faces for doing such a thing. I don't care if their name is Cisco or Zyxel or SonicWall. There is no excuse; they should resign for having made their customers vulnerable. They fa
Re: (Score:2)
Inaction is approval. Sloth when diligence was necessary is malevolent; should you have any questions --> look at the results. Sleazy back doors into your code are both slothful and malevolent. Don't mince words. Words DO mean things. Trust means something, too, especially in security appliances.
Trust and honor are more valuable than gold or BTC. Some coders at Zyxel have tarnished their company's reputation into the gutter. There are people deploying security components who really DO care about the integ
Re: (Score:2)
99% of the time things like this are a management decision. Unless you truly think that every dev and QA at Cisco is incompetent and lazy?
Re: (Score:2)
Your binary logic fails here. What in this thread indicates that I truly think that every dev and QA at Cisco is incompetent and lazy??
When your product is about to do harm, you STOP and PREVENT it from being released because of that harm. Did management do this? We don't know, but it was done. Trust was broken, and because of the nature of that breach, an entire company's efforts were slimed, and customers started doubting Cisco integrity as the backdoor they installed was so entirely stupid and profane. Q
Re: (Score:2)
Um, no. From Dictionary.com:
Sloth: habitual disinclination to exertion; laziness; indolence: "Indifference, negligence, and sloth have no place in the classroom."
Backdoors are the product of all these synonyms. You keep believing I'm using the word incorrectly when it's you that aren't understanding the problem and pointing it towards my own faulty logic.
Re: (Score:2)
Yes, but you did not say that. You said, essentially, sloth is malevolence.
That does not mean you don't have a valid point. However, when you specifically mention that words have meaning, then use an incorrect meaning, it lessens the strength of your argument.
Re: (Score:2)
Aha-- you've seen my point. Where you leave backdoors in consumer or any software, sloth==malevolence. The gap is responsibility; being irresponsible, like the act of manslaughter, is malevolent.
I didn't "essentially" say it, I fully meant it. No, it's not necessary to put zenith, unbelievably astute effort into all you do. But even at the bar of "good enough", this effort does not intersect with the set of "irresponsible". It is evil, harmful, and injurious in principle and practice because it is tacitly a
Re: (Score:2)
99% of the time things like this are a management decision. Unless you truly think that every dev and QA at Cisco is incompetent and lazy?
The two possibilities are not mutually exclusive. It is perfectly possible that every dev and QA person at Cisco is incompetent and lazy, and also that this was a management decision intended to reduce support costs without regard for the customer's security. I am assuming, of course, that there is a QA person at Cisco, a fact not in evidence.
Re: (Score:2)
Sufficiently crappy coding practices are indistinguishable from malice.
Re: (Score:2)
To be fair these aren't really backdoors, they're hardcoded admin accounts. ...
A hardcoded admin account is a very common type of backdoor.
Re: (Score:2)
How difficult is it to have a slightly different build for production that removes the backdoors?
At my small software company, we have automated builds that differ slightly between production releases and internal test releases. We build and test the production release weekly also, so that the production releases are also tested and a production build can be released at any time.
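One way to implement the production-versus-internal build split described in this comment, as an added example that is not the commenter's company's build system or anything from Zyxel: the account table lives in the source tree with a scope field, the build selects the accounts for its target, and a policy check fails a production build that still carries an internal-only account or any static password. The account table, names and passwords below are constructed sample data. The sample is set up so that the scope filter alone is not enough: the "support" account is scoped to all builds and still has a baked-in password, which is exactly the kind of entry the thread is about, and only the second rule catches it.

```python
import json


# Constructed account table as it might sit in a firmware source tree. "scope" says
# which builds an account belongs in; a non-null "password" is a static credential
# that would be baked into the image. None means "set at first boot / by the owner".
ACCOUNT_TABLE = json.loads("""
[
  {"name": "admin",       "scope": "all",      "password": null,         "role": "admin"},
  {"name": "factory-dbg", "scope": "internal", "password": "dbg-static", "role": "root"},
  {"name": "support",     "scope": "all",      "password": "s3cr3t",     "role": "root"}
]
""")


class BuildPolicyError(Exception):
    """Raised to fail the build; the message lists every violation, not just the first."""


def select_accounts(accounts, target):
    """Keep accounts whose scope matches the build target ('internal' or 'production')."""
    return [a for a in accounts if a["scope"] in ("all", target)]


def policy_violations(accounts, target):
    """Rules a production image must satisfy after selection: no internal-only account
    survived, and no account of any scope ships with a static password."""
    findings = []
    for a in accounts:
        if target != "production":
            continue  # internal test images may keep debug accounts; they never ship
        if a["scope"] == "internal":
            findings.append(f"{a['name']}: internal-only account present in production build")
        if a["password"] is not None:
            findings.append(f"{a['name']}: static password baked into the image")
    return findings


def build_account_table(accounts, target):
    """Produce the account table for one build, failing loudly when policy is violated.
    Run it for the production target on every internal build too, as the comment
    above describes, so a violation is found weekly rather than at release time."""
    selected = select_accounts(accounts, target)
    problems = policy_violations(selected, target)
    if problems:
        raise BuildPolicyError("; ".join(problems))
    return selected


if __name__ == "__main__":
    print("internal :", [a["name"] for a in build_account_table(ACCOUNT_TABLE, "internal")])
    try:
        build_account_table(ACCOUNT_TABLE, "production")
    except BuildPolicyError as err:
        print("production build FAILED:", err)
```

Wiring this into CI as a required step for the production target is what turns "we have a separate build" into a guarantee; a variant that merely omits the debug account by convention can be undone by one edit nobody reviews.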
Re: (Score:3)
but it happens too often so is obviously deliberate.
I'd be hesitant to suggest that. I think you are making a very incorrect assumption that some genius wonderboy is responsible for bringing a product to market and nurturing it from concept design all the way to the customer's premises. In reality it's not one perfect superman, but rather 100 mediocre overworked drones whose goal in the workplace is to make it through to 5pm and clock out for the day, each giving just enough shits to make their paycheck, and each very much more than able to make a virtually
Re: (Score:2)
but it happens too often so is obviously deliberate.
I'd be hesitant to suggest that. I think you are making a very incorrect assumption that some genius wonderboy is responsible for bringing a product to market and nurturing it from concept design all the way to the customer's premises. In reality it's not one perfect superman, but rather 100 mediocre overworked drones
...only one of whom has to be bribed to insert a back door, which should be easy because they are both overworked and underpaid (even for their level of talent.)
Re: (Score:3)
What's worse is that Zyxel had a 2016 CVE for having a hardcoded plain text password in the firmware to elevate privileges of any user. This one's worse as it doesn't even need a non-privileged user, and in fact even works on the built-in HTTPS server's admin interface. And these are mostly corporate devices too. This level of not giving a fuck when you're in that business should end said business.
Trust, once lost, is hard to regain. (Score:1)
Mine has been lost for years. Maybe it's time for responsible people to put ZyXEL on their personal and corporate blacklist too.
A Taiwanese Manufacturer (Score:2)
This Taiwanese company is doing what Huawei has been accused of but without any proof at all. With Huawei devices being junked by executive order, this is one of the companies picking up the slack and it's not even the first time they (Zyxel) have pulled a stunt like this.
I'm assuming someone like the NSA has been looking at Huawei devices, trying to find holes like these. They have not found any so far, time to rescind that executive order.
Oh, and maybe - just maybe - Zyxel are the victims here, think of
Re:A Taiwanese Manufacturer (Score:5, Informative)
Huawei backdoors were found more than a decade ago [bloomberg.com], and Huawei lied about fixing them.
Re: Typical Huawei/Chinese company behaviour. (Score:2)
I don't know why you're being down modded, you're right. Maybe because of your tone.
It seems people are in denial. China is clearly hostile and has a clear agenda of global domination, and contrary to Western governments who worry more about being reelected than about their country, and thus focus on short term agendas, China doesn't have that worry and can play the game on a much longer term.
They already hold the world by their balls of the supply chain, they have stolen enough IP to become competitive if not domi
Re: (Score:2)
Having looked up Jinping with a search engine, nope. My point was that all these claims against Huawei are hot air by politicians with an axe to grind, I have not seen one single CVE number.
As to Entrope's comment, I followed your link and it did say that the issue had later been resolved to their satisfaction.
There was an article here around a year ago going into Samsung's TV OS, it might possibly be called Baidu. It was apparently written by people who had absolutely no idea about security best (or any
Somebody needs to go to prison for this (Score:1)
And more than 100000 people need to be reimbursed for the extra work they have to do. Let's make it a good round $100 per device, paid to the actual customers, not lawyers or the government. If you show up with one of these devices at a store that sells Cisco gear, they record the serial number and pay you $100 cash.
FFS, this shit needs to stop, especially at Cisco.
Re: (Score:1)
Oops, Cisco bought Linksys, not Zyxel, so maybe let's not make Cisco pay for Zyxel's backdoor. It would be a good warning shot though. Cisco definitely needs one.
Re: Somebody needs to go to prison for this (Score:2)
They put the backdoors in so they wouldn't go to prison. That is to say, governments pay them to have them. The same people who advocated the clipper chip and key escrow.
Got a Zyxel device some years back. (Score:2)
The first thing I did was install Debian.