
Intentional Backdoor In Consumer Routers Found

Unknown Lamer posted about 6 months ago | from the insecurity-through-idiocy dept.


New submitter janoc (699997) writes about a backdoor that was fixed (only not). "Eloi Vanderbeken from Synacktiv has identified an intentional backdoor in a module by Sercomm used by major router manufacturers (Cisco, Linksys, Netgear, etc.). The backdoor was ostensibly fixed — by obfuscating it and making it harder to access. The original report (PDF). And yeah, there is an exploit available ..." Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet. Quoting Ars Technica: "The nature of the change, which leverages the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware ... Because of the format of the packets—raw Ethernet packets, not Internet Protocol packets—they would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. But they could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched."
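As an added example (not part of the original story or the Synacktiv report): the summary's point is that the knock travels as a raw Ethernet frame rather than an IP packet, so IP-layer firewall rules and port forwards on the router never see it, and a broadcast frame would reach every router on the segment at once. A defender holding a packet capture from the LAN side can still look for it by classifying each frame by EtherType and flagging anything that is neither IPv4, ARP, IPv6, LLDP nor ordinary 802.3/LLC framing. The EtherType the real knock uses is not stated on this page, so the constructed sample "knock" below uses the IEEE local experimental EtherType 0x88B5 purely as a stand-in; the MAC addresses and all three sample frames are made up.

```python
"""Classify Ethernet frames by EtherType and flag the ones that are neither IP
nor ARP, the traffic class a raw-Ethernet knock falls into.

Added example, not code from the Synacktiv report. The knock's real EtherType
is not given on this page; 0x88B5 (IEEE local experimental) is a placeholder.
"""
import struct
from dataclasses import dataclass

# EtherTypes a home LAN is expected to carry. Anything outside this set is
# worth a look: a raw Ethernet knock is never seen by IP-level firewall rules.
EXPECTED_ETHERTYPES = {
    0x0800: "IPv4",
    0x0806: "ARP",
    0x86DD: "IPv6",
    0x88CC: "LLDP",
}
VLAN_TAG = 0x8100
BROADCAST_MAC = b"\xff" * 6


@dataclass
class FrameVerdict:
    src: str
    dst: str
    ethertype: int
    label: str
    broadcast: bool
    suspicious: bool


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> FrameVerdict:
    """Parse one Ethernet II frame (optionally 802.1Q-tagged) and classify it."""
    if len(raw) < 14:
        raise ValueError("frame shorter than a 14-byte Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    if etype == VLAN_TAG:
        # Skip the 4-byte tag so the inner EtherType is the one classified.
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        etype = struct.unpack("!H", raw[16:18])[0]
    if etype <= 0x05DC:
        # 1500 or below is an IEEE 802.3 length field (LLC/STP-style framing),
        # not an EtherType; common and benign on switched LANs.
        label, suspicious = "802.3/LLC", False
    elif etype in EXPECTED_ETHERTYPES:
        label, suspicious = EXPECTED_ETHERTYPES[etype], False
    else:
        label, suspicious = f"unknown EtherType 0x{etype:04x}", True
    return FrameVerdict(
        src=_mac(src), dst=_mac(dst), ethertype=etype, label=label,
        broadcast=(dst == BROADCAST_MAC), suspicious=suspicious,
    )


def triage(frames) -> list:
    """Return verdicts for frames that deserve attention, broadcast ones first:
    a broadcast knock would re-open the service on every router on the segment."""
    hits = [v for v in (parse_frame(f) for f in frames) if v.suspicious]
    hits.sort(key=lambda v: not v.broadcast)
    return hits


# Constructed sample capture (not real traffic): an ARP request, a VLAN-tagged
# IPv4 frame, and a broadcast frame carrying the placeholder EtherType.
ROUTER_MAC = bytes.fromhex("021122334455")  # locally administered, made up
HOST_MAC = bytes.fromhex("02aabbccddee")    # made up
SAMPLE_ARP = BROADCAST_MAC + HOST_MAC + struct.pack("!H", 0x0806) + b"\x00" * 28
SAMPLE_VLAN_IPV4 = (ROUTER_MAC + HOST_MAC
                    + struct.pack("!HHH", VLAN_TAG, 0x0010, 0x0800)
                    + b"\x45" + b"\x00" * 19)
SAMPLE_KNOCK = BROADCAST_MAC + HOST_MAC + struct.pack("!H", 0x88B5) + b"\x00" * 16
SAMPLE_FRAMES = [SAMPLE_ARP, SAMPLE_VLAN_IPV4, SAMPLE_KNOCK]

if __name__ == "__main__":
    for v in triage(SAMPLE_FRAMES):
        print(f"{v.src} -> {v.dst}  {v.label}  broadcast={v.broadcast}")
```

In practice the frames would come from a capture taken on the LAN-side interface (a raw AF_PACKET socket or a pcap reader); the allowlist is the part to tune per network, since anything legitimately non-IP on your segment (PPPoE discovery, for instance) will otherwise show up as a hit.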


Lemme guess.... (0, Flamebait)

Anonymous Coward | about 6 months ago | (#46811117)

...NSA?

Re:Lemme guess.... (1, Flamebait)

Austrian Anarchy (3010653) | about 6 months ago | (#46811171)

...NSA?

Other guess, just someone at the manufacturer who wanted to do it that way. However, that does not stop NSA from discovering it in 2 seconds and exploiting it too.

Re:Lemme guess.... (-1, Troll)

NemoinSpace (1118137) | about 6 months ago | (#46811317)

What's with all the NSA stuff already? Your ISP is tired of sending out techs to swap your perfectly good leased router that the tech from india was unable to talk you into resetting, because you would have lost your pirate bay port forwarding setup. Just because the tech from india is following a script, doesn't mean your not stupid.
Or to paraphrase Obama, - "you didn't build that internet!" . We have come a long way since Al Gore, haven't we?

Re:Lemme guess.... (2, Insightful)

Anonymous Coward | about 6 months ago | (#46811353)

Yes, I cannot possibly fathom why anyone would dislike having a backdoor in their router unless they were pirating material from a well-known public tracker. Brilliant deduction.

Why the fuck would anybody mod this nonsense up? What is wrong with you people?

Re:Lemme guess.... (1)

x0ra (1249540) | about 6 months ago | (#46811587)

This is the good old, petty, "why are you so anal on privacy? Do you have something to hide?"

Re:Lemme guess.... (-1)

Anonymous Coward | about 6 months ago | (#46811605)

...doesn't mean your not stupid.

Thanks for demonstrating that you, in fact, are.

Re:Lemme guess.... (0, Offtopic)

Anonymous Coward | about 6 months ago | (#46812065)

your = 2nd person possessive.

you're = you are.

It'd be nice if they were interchangeable, but they aren't.

Re:Lemme guess.... (5, Insightful)

Anonymous Coward | about 6 months ago | (#46811703)

The Chinese want their access too, and look what they did with the US solar industry (by hacking and swiping masks, then making panels cheaper than rare earth cost to shutter companies via predatory trade practices.)

The NSA, I'm not worried about. They don't want me out of a job. China, definitely.

Re:Lemme guess.... (0)

Anonymous Coward | about 6 months ago | (#46811755)

Sercomm is Taiwanese.

Re:Lemme guess.... (-1)

Anonymous Coward | about 6 months ago | (#46811811)

Yes, China, like he said.

Re:Lemme guess.... (-1)

Anonymous Coward | about 6 months ago | (#46812103)

Chinks under a different flag.

NSA (-1)

Anonymous Coward | about 6 months ago | (#46811123)

How convenient... for the NSA.

Your first action after purchasing a router (2, Insightful)

Anonymous Coward | about 6 months ago | (#46811161)

Should be installing DD-WRT [dd-wrt.com]

Re:Your first action after purchasing a router (-1)

Anonymous Coward | about 6 months ago | (#46811247)

yep, then you can just be vulnerable to the NSA heartbleed instead.

Re:Your first action after purchasing a router (0)

Anonymous Coward | about 6 months ago | (#46811367)

The latest nightly builds have it fixed, smart guy.

Re:Your first action after purchasing a router (0)

Anonymous Coward | about 6 months ago | (#46811387)

When was this and the Heartbleed fixed? I installed DD-WRT a year ago, are those versions vulnerable?

Re:Your first action after purchasing a router (3, Informative)

ShaunC (203807) | about 6 months ago | (#46811487)

It depends on which version of dd-wrt you installed, not necessarily when you installed it. I have a WRT54G that I just flashed r14929 on a few weeks ago, but it's fine, because that build is from 2010 and predates the Heartbleed vulnerability. The vulnerable builds are 19163 to 23882, see here [dd-wrt.com] .

SSL isn't usually in the router (0)

Anonymous Coward | about 6 months ago | (#46811535)

A lot of people using SSL, including me, don't deploy it in the router so heartbleed is not such a big issue for DDWRT.

Re:SSL isn't usually in the router (1)

the_B0fh (208483) | about 6 months ago | (#46812289)

So, you login to your router via http instead of https?

Re:Your first action after purchasing a router (0)

Anonymous Coward | about 6 months ago | (#46811523)

Tomato fixed this awhile ago.

I prefer the Shibby [groov.pl] branch.

...er... (1)

Anonymous Coward | about 6 months ago | (#46811193)

How is this not illegal? Who has an advantage from this backdoor?

Re:...er... (2)

Yaur (1069446) | about 6 months ago | (#46811409)

You have to be on the LAN... DOCSIS tends to be pretty picky and I doubt raw Ethernet would be passed (been a while since I looked at the spec though). Sounds like it's part of some kind of firmware upgrade type feature to me.

Re:...er... (1)

Tokolosh (1256448) | about 6 months ago | (#46811619)

Unless the router firmware is open source, you have no way of knowing what it is doing, DOCSIS or not.

Re:...er... (-1, Troll)

Rockoon (1252108) | about 6 months ago | (#46811749)

Unless the router firmware is open source, you have no way of knowing what it is doing, DOCSIS or not.

..and when it is open source, we get our hearts bled anyways.

Instead of jabber-jawing about your religious crusade to promote open source, why don't you instead focus on reviewing some open source codebases. Maybe if you are really diligent for a long enough period of time, your religion will earn our trust.

Re:...er... (0)

Anonymous Coward | about 6 months ago | (#46811927)

at least it gets fixed when it gets "fixed".

Re:...er... (0)

Anonymous Coward | about 6 months ago | (#46811935)

Actually, moron, his statement was one of fact and yours was the obvious religious crusade. He merely stated that unless you can see the code that is running, you don't know what it is doing. Factual statement. Yours, however, reeks of religious thought and then you babble about earning your trust.

Re:...er... (0)

cusco (717999) | about 6 months ago | (#46811947)

Know what? I don't give a flying fuck, I'm not a coder so I still wouldn't know what it was doing. Even if I was, I wouldn't spend hours on end going over every line of every piece of software that I installed, so I still wouldn't know. And even if I did take that amount of time, there is no way that I could be so marvelously talented that I would recognize what every line of firmware did, especially when it's calling some subroutine from some other portion of some other piece of software, so I still wouldn't know.

Re:...er... (1)

Yaur (1069446) | about 6 months ago | (#46811981)

Sure, if you're technically competent enough to put OpenWRT on your router go for it, but there is some advantage for "grandma" to be able to upgrade her firmware. I have no inside knowledge here but the AC basically asked if there is a potential legitimate use here and in fact there is... whether they are using it for good or evil I doubt anyone here can say.

Re:...er... (1)

Streetlight (1102081) | about 6 months ago | (#46812191)

Open source code is only as good as its writer and those who check it. Apparently Heartbleed got through to its users from an error by the code writer, and the one person checking it didn't find it. Probably the same problem with closed source software. Why only one person checked the SSL/TLS code is a mystery to me.

It's just a coincidence (1)

WillAffleckUW (858324) | about 6 months ago | (#46811199)

Oh, and you should really trust all the encryption protocols since Reagan.

(under breath ... suckers ...)

Re:It's just a coincidence (1)

smitty_one_each (243267) | about 6 months ago | (#46811579)

Hey, if they can't break the password, they just break the admin, amiright?

Re:It's just a coincidence (1)

x0ra (1249540) | about 6 months ago | (#46811593)

Or you just have kids to feed and your boss told you to implement that feature.

Re:It's just a coincidence (1)

x0ra (1249540) | about 6 months ago | (#46811601)

wrong post replied, my bad.

Re:It's just a coincidence (1)

jebblue (1160883) | about 6 months ago | (#46812019)

Reagan? Really? Reagan?

JAIL JAIL JAIL (0)

Anonymous Coward | about 6 months ago | (#46811213)

if you were in the system that let this occur -> YOU BELONG IN JAIL

Re:JAIL JAIL JAIL (1)

x0ra (1249540) | about 6 months ago | (#46811609)

Or you just have kids to feed and your boss told you to implement that feature. [ps: /., I know I already posted the exact same comment, in the wrong thread above. I am merely trying to fix a mistake, but you obviously forgot to think about that case when you implemented the "duplicate post" feature...]

List of affected devices please.... (1)

zenlessyank (748553) | about 6 months ago | (#46811225)

Thank You.

Re:List of affected devices please.... (4, Informative)

Anaerin (905998) | about 6 months ago | (#46811481)

As linked in TFA: Have a link to a list of devices [wikidevi.com] (Not necessarily complete).

intentional back-door? (-1)

turkeydance (1266624) | about 6 months ago | (#46811237)

is this a pron site?

Re:intentional back-door? (5, Funny)

gweihir (88907) | about 6 months ago | (#46811569)

No, it just means that if you have one of these devices, then you are fucked.

Meanwhile, in the Media... (4, Interesting)

bengoerz (581218) | about 6 months ago | (#46811281)

...US tech firms blame Snowden for failing confidence in the safety of using US tech companies: The 'Snowden Effect' Is Crushing US Tech Firms In China [businessinsider.com]

Pot, meet Kettle.

Re:Meanwhile, in the Media... (5, Insightful)

zifnabxar (2976799) | about 6 months ago | (#46811475)

It's blaming Snowden in the sense that he was the one who let everyone know what was happening. I don't feel like that article is blaming him ethically for the billions lost. They're laying a fair amount of the blame on the companies' practices and close cooperation with the US government.

Re:Meanwhile, in the Media... (0)

Anonymous Coward | about 6 months ago | (#46811705)

...US tech firms blame Snowden for failing confidence in the safety of using US tech companies: The 'Snowden Effect' Is Crushing US Tech Firms In China [businessinsider.com]

Pot, meet Kettle.

Sercomm is a Taiwanese company.

Foot, meet mouth

This sure makes bugging easier . . . (4, Insightful)

PolygamousRanchKid (1290638) | about 6 months ago | (#46811285)

. . . the spooks used to have to break into your home to plant bugging devices.

Now, you bring the bugging devices home as consumer appliances, and install them yourself for the spooks.

This saves them a lot of effort. Cost effective.

Re:This sure makes bugging easier . . . (0)

Anonymous Coward | about 6 months ago | (#46811341)

yes, and everyone carries around a microphone/camera with wifi and bluetooth as well as gps! if someone did want to watch you, it would be pretty easy

Re:This sure makes bugging easier . . . (0)

Anonymous Coward | about 6 months ago | (#46811641)

Nope, I carry a laptop, and that stays in something that should muffle the whole thing, that is if they can reenable the mic remotely, without letting the process show up when taskmanager is in show all mode, and defeat the indicators for disk access, as I don't have enough RAM to record onto, then not get yelled at by the DOE for it.

Re:This sure makes bugging easier . . . (1)

Arker (91948) | about 6 months ago | (#46811661)

Task manager?

Task freaking manager?

You have got to be kidding me. I use process explorer (when in windows) and I STILL know for a fact it does not show me everything. Taskman is a toy.

Re:This sure makes bugging easier . . . (0)

Anonymous Coward | about 6 months ago | (#46812293)

Oh dear...

Re:This sure makes bugging easier . . . (3, Insightful)

viperidaenz (2515578) | about 6 months ago | (#46812307)

So all I have to do to fool you is install my malware as a service that gets hosted by svchost.exe?
Or if my purpose was to control the microphone, a driver that hooks in to the existing audio driver?

Re:This sure makes bugging easier . . . (0)

Anonymous Coward | about 6 months ago | (#46811851)

yes, and everyone carries around a microphone/camera with wifi and bluetooth as well as gps! if someone did want to watch you, it would be pretty easy

If this were actually true, then people would never really go missing, now would they?

Yes, there's an electronic leash shoved up most everyone's ass these days, and yet police budgets just keep getting bigger and bigger and bigger, don't they...

If it's so easy, it should be cheap to find someone, right? And if it's not, then I'm curious why it hasn't been outsourced yet.

Re:This sure makes bugging easier . . . (0)

Anonymous Coward | about 6 months ago | (#46811509)

No difference to breaking into my house.

Re:This sure makes bugging easier . . . (0)

Anonymous Coward | about 6 months ago | (#46812121)

Don't forget the gooks.

And the spooky gooks as well.

You say tomato? (4, Insightful)

bobbied (2522392) | about 6 months ago | (#46811293)

I say tomato..

Just load OpenWRT or some other open source firmware, problem solved.

What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.

NEVER buy hardware without an open source port at least in progress.. You have been warned!

Re:You say tomato? (0)

Anonymous Coward | about 6 months ago | (#46811369)

Says the person using an OpenWRT platform to firewall his high traffic site....

Re:You say tomato? (1)

Anonymous Coward | about 6 months ago | (#46811429)

You say tomato, I say m0n0wall.

Re:You say tomato? (0)

Anonymous Coward | about 6 months ago | (#46811519)

I say fuck running a full computer as a router when I can sip just a few watts with an actual router.

Re:You say tomato? (1)

Astronomerguy (1541977) | about 6 months ago | (#46811969)

Bah! I run a freaking HP ML360 with dual redundant power supplies connected to redundant UPS's running Sophos Home UTM! IT slurrrrrrrps electrons like a fratboy guzzles hop-based alcohol. Ooooohhhhh yeaaaahhhhh! My protection is extensive and expensive.

Re:You say tomato? (-1, Troll)

Anonymous Psychopath (18031) | about 6 months ago | (#46811443)

I say tomato..

Just load OpenWRT or some other open source firmware, problem solved.

What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.

NEVER buy hardware without an open source port at least in progress.. You have been warned!

Except, of course, open source code also contains horrific security vulnerabilities.

Re:You say tomato? (1)

Charliemopps (1157495) | about 6 months ago | (#46811623)

Except, of course, open source code also contains horrific security vulnerabilities.

But you know about those, and can fix them if you want. That's the difference between open and closed source.

Re:You say tomato? (1)

i.r.id10t (595143) | about 6 months ago | (#46811751)

Really? How many people knew about heartbleed 3 weeks ago?

Re:You say tomato? (0)

Anonymous Coward | about 6 months ago | (#46811955)

At least it was fixed when it was "fixed".

Re:You say tomato? (3, Insightful)

Anonymous Coward | about 6 months ago | (#46812081)

Right, because people magically know about _yet undiscovered_ vulnerabilities. Don't pretend to be obtuse.

Once we knew about Heartbleed (and it was found by two independent teams of researchers), we immediately had a fix, knew what goes into the fix and could administer it ourselves.

This one backdoor was accidentally stumbled on after being there for a decade - some vulnerable models from the list are from 2004 - and nobody could fix it but the maker, and nobody could even verify the fix but the maker. Look how nicely it worked out.

Don't go "But opensource too!..", when this "too" is like fucking heaven and earth when compared with opensource bugs.

Re:You say tomato? (1)

mysidia (191772) | about 6 months ago | (#46812203)

Really? How many people knew about heartbleed 3 weeks ago?

I didn't know about it 3 weeks ago. But none of my Linux SSL-enabled servers were affected, either.

It did help that most daemons were linked against libNSS. Many of the Apache installs were using mod_nss for SSL instead of mod_ssl, and.... most of the other servers were CentOS5 with openssl, but not a buggy version.

Re:You say tomato? (1)

DarwinSurvivor (1752106) | about 6 months ago | (#46812237)

And how long did it take to fix it once it was discovered? Not only was this bug NOT fixed the first time (only hidden better), but it probably won't get fixed very quickly (if at all) and we'll have no way to verify they actually DID fix it.

With open source, you can see the change logs and verify that the version you are running is no longer vulnerable to the attack. With proprietary software you just have to trust them that they fixed it this time...

Re:You say tomato? (1)

lister king of smeg (2481612) | about 6 months ago | (#46811645)

I say tomato..

Just load OpenWRT or some other open source firmware, problem solved.

What do you mean there isn't a port for your hardware? Why did you buy it in the first place? Throw it away (or donate it to someone who can do the port) and buy something that has been ported.

NEVER buy hardware without an open source port at least in progress.. You have been warned!

Except, of course, open source code also contains horrific security vulnerabilities.

As does the proprietary; we just got bored of yelling about them years ago.

Re:You say tomato? (1)

Mashiki (184564) | about 6 months ago | (#46811761)

Except, of course, open source code also contains horrific security vulnerabilities.

Everyone raise your hand if you know the difference between proprietary software that's closed source, and open source with viewable binaries! That's right kiddies, if you have open source with viewable binaries you can even compile your own, and fix any bugs you find. You can even fork it! You can't do that with closed source, you're at their mercy for patches, fixes, and security holes.

Re:You say tomato? (2, Interesting)

networkzombie (921324) | about 6 months ago | (#46811469)

That is all fine and I did purchase my Asus router (third one, among others) with Tomato or DD-WRT in mind, but free DDNS providers drop like flies and Asus' DDNS is free and reliable as long as I am using their firmware. My last DD-WRT lasted many years, but a worry-free DDNS is nice also.

Re:You say tomato? (3, Informative)

hobarrera (2008506) | about 6 months ago | (#46811979)

Freedns [afraid.org] has been around for ages, and doesn't seem to be going anywhere. They include DDNS for free as well.

Re:You say tomato? (-1)

Anonymous Coward | about 6 months ago | (#46812001)

DDNS? lol, run a proper system with actual DNS servers, moron

Re:You say tomato? (0)

Anonymous Coward | about 6 months ago | (#46811533)

Yeah like OpenSSL was so robust

Re:You say tomato? (0)

Anonymous Coward | about 6 months ago | (#46811977)

So... when they "fix" this backdoor, this time you'll be confident that it's actually fixed? I know my version of OpenSSL is well and truly fixed. How about your router?

Re:You say tomato? (1)

hobarrera (2008506) | about 6 months ago | (#46811973)

Came here to say exactly that. Unless it's done in hardware (which would be EXTREMELY complicated), OpenWRT can do away with that. Plus, you get all the extra free features, and, with luci, a DECENT http interface (contrary to what most routers include).

to be expected (2, Funny)

Anonymous Coward | about 6 months ago | (#46811311)

Rather than actually closing the backdoor, they just altered it so that the service was not enabled until you knocked the portal with a specially crafted Ethernet packet.

Well, somebody paid good money for that backdoor. If Sercomm closed it, they'd have to issue a refund.

What surprises me... (5, Insightful)

fuzzyfuzzyfungus (1223518) | about 6 months ago | (#46811321)

I'm not surprised that there is a backdoor ('Hey guys! Should we add a remote management feature that will automagically Just Work with ISPs 'setup disks' and/or remote troubleshooting systems even if the clueless user has forgotten their password, or would that be too scary?' is not a difficult question, especially given how many of these things are sold to ISPs in bulk and not to end users, especially the lousy combined router/modem devices), I am a trifle surprised that it's so slapped-together looking.

It's not exactly a secret that ISPs and providers of combination internet/TV/voice services tend to view customer-controlled equipment as something between a painful support headache and the blasphemous spawn of an unnatural coupling between internet piracy and absolute evil. Hence their enthusiasm for pushing their pet 'home gateway'/'set top box'/etc. with greater or lesser force, and the existence of standards like TR-069 ('CPE WAN Management Protocol') and organizations like the 'Home Gateway Initiative' [homegatewa...iative.org] that seek to standardize a nice, tame, appliance that can be used to sell services to consumers without confusing their little brains or letting them meddle.

That's what surprises me about seeing a comparatively dodgy-looking, but vendor/OEM provided, back door not only present but deliberately preserved even after being discovered, and sufficiently badly as to be rediscovered. There are remote management systems that, by design, are not under the control of the user, present for the convenience of the operator; but those are in the 'by design, wontfix' bucket. There are also malicious backdoors; but if this is one the party inserting it was far too arrogant for their own good. There are probably also legacy backdoors, used by some specific ISPs or the like; but those would presumably show up in their hardware, since Sercomm doesn't control enough of the market to assure that all customer-supplied devices will have the backdoor; but they do control enough that a single ISP's backdoor would be splashed all over the place.

Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?

Re:What surprises me... (1)

pipedwho (1174327) | about 6 months ago | (#46811493)

It doesn't look like they went out of their way to hide it as such. But, they did try to change its operating mode from remotely exploitable at any time by anyone, to only usable by someone on the local ethernet segment. Unfortunately, as most here are aware, that kind of 'fix' isn't a solid solution, and still remains exploitable.

Re:What surprises me... (1)

gweihir (88907) | about 6 months ago | (#46811585)

They probably were incompetent enough to not realize this was easy (for somebody very bright, experienced and capable) to find again.

If you think intelligence agencies cannot be terminally incompetent, then there is a recent story of one really large and important one that had its crown-jewels stolen by a contractor...

Re:What surprises me... (1)

rsmith-mac (639075) | about 6 months ago | (#46811589)

Who is the expected user here, and what did they gain by trying to hold on to an existing backdoor so shoddily as to have it detected again?

I think you hit the nail on the head. This is clearly meant to be a remote management backdoor for the ISPs, hence the need to secure it but not remove it. As dodgy as it is, the fact that it can now only be triggered by the local network and can't be passed over IP means that it's probably good enough by ISP and Sercomm standards, especially if it's treated as a little-used feature and not as a security concern.

Partial vulnerability list (5, Informative)

Zitchas (713512) | about 6 months ago | (#46811329)

In the pdf of his presentation he mentions that there are 24 router models confirmed vulnerable spanning Cisco, Linksys, NetGear, and Diamond. I have yet to spot the actual list of vulnerable routers, though.

He also elaborates on how a technically skilled person can figure out if any particular router is vulnerable.

The link to the list of vulnerabilities is found in the pdf. Here's a copy/pasted list of the ones known so far.

BEGIN COPIED TEXT:

Backdoor LISTENING ON THE INTERNET confirmed in :

        Linksys WAG120N (@p_w999)
        Netgear DG834B V5.01.14 (@domainzero)
        Netgear DGN2000 1.1.1, 1.1.11.0, 1.3.10.0, 1.3.11.0, 1.3.12.0 (issue 44)
        Netgear WPNT834 (issue 79)
        OpenWAG200 maybe a little bit TOO open ;) (issue 49)

Backdoor confirmed in:

        Cisco RVS4000 fwv 2.0.3.2 (issue 57)
        Cisco WAP4410N (issue 11)
        Cisco WRVS4400N
        Cisco WRVS4400N (issue 36)
        Diamond DSL642WLG / SerComm IP806Gx v2 TI (https://news.ycombinator.com/item?id=6998682)
        LevelOne WBR3460B (http://www.securityfocus.com/archive/101/507219/30/0/threaded)
        Linksys RVS4000 Firmware V1.3.3.5 (issue 55)
        Linksys WAG120N (issue 58)
        Linksys WAG160n v1 and v2 (@xxchinasaurxx @saltspork)
        Linksys WAG200G
        Linksys WAG320N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
        Linksys WAG54G2 (@_xistence)
        Linksys WAG54GS (@henkka7)
        Linksys WRT350N v2 fw 2.00.19 (issue 39)
        Linksys WRT300N fw 2.00.17 (issue 34)
        Netgear DG834[…, GB, N, PN, GT] version 5 (issue 19 & issue 25 & issue 62 & jd & Burn2 Dev)
        Netgear DGN1000 (don't know if there is a difference with the others N150 ones... issue 27)
        Netgear DGN1000[B] N150 (issue 3)
        Netgear DGN2000B (issue 26)
        Netgear DGN3500 (issue 13)
        Netgear DGND3300 (issue 56)
        Netgear DGND3300Bv2 fwv 2.1.00.53_1.00.53GR (issue 59)
        Netgear DM111Pv2 (@eguaj)
        Netgear JNR3210 (issue 37)

Backdoor may be present in:

        all SerComm manufactured devices (https://news.ycombinator.com/item?id=6998258)
        Linksys WAG160N (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)
        Netgear DG934 probability: 99.99% (http://codeinsecurity.wordpress.com/category/reverse-engineering/)
        Netgear WG602, WGR614 (v3 doesn't work, maybe others...) (http://zaufanatrzeciastrona.pl/post/smieszna-tylna-furtka-w-ruterach-linksysa-i-prawdopodobnie-netgeara/)

END COPIED TEXT

Re:Partial vulnerability list (1)

Tokolosh (1256448) | about 6 months ago | (#46811649)

Are there any government agencies that use these routers? Just curious...

Hardware backdoors in the actual CPUs ? (0)

Anonymous Coward | about 6 months ago | (#46811385)

What about the CPUs themselves ?

Backdoors in software, while scary, can be worked around by using software you trust or write yourself.

But what about backdoors in CPUs which only trigger, for example, as a result of a specific data sequence ?

Is there any evidence that anyone has been stupid enough to implement such hardware back doors in general purpose CPUs ?

Re:Hardware backdoors in the actual CPUs ? (0)

gweihir (88907) | about 6 months ago | (#46811639)

These are not generally doable. The CPU just does not have enough independence to run special code or the like to any meaningful extent. It may be able to jump to a specific place on specific triggers, but there would still need to be attack-code somewhere in FLASH or the OS and always at the same place.

But, for example, Google RDRAND for a back-doored (or rather: prepared to be backdoored) specific function in Intel CPUs. The thing done here is to make it exceedingly hard to identify a compromised hardware random number generator. (I.e. this is a compromised architecture and design, rather than a sabotaged implementation, because the design was done in a way that makes analysis very, very hard. Then they lied about the reasons and did it badly.) Intel then pushed to have RDRAND used as the only randomness source in the Linux kernel, which makes it even more clear what was going on: https://plus.google.com/+Theod... [google.com]
 

Re:Hardware backdoors in the actual CPUs ? (1)

pipedwho (1174327) | about 6 months ago | (#46811659)

What about the CPUs themselves ?

Backdoors in software, while scary, can be worked around by using software you trust or write yourself.

But what about backdoors in CPUs which only trigger, for example, as a result of a specific data sequence ?

The problem with the obvious kind of hardware backdoor in the CPU is that it needs to interact with an unknown and otherwise complex operating system. And that is extremely difficult to do without associated exploit software running on the same system.

The real problematic standalone hardware 'backdoors' would be things like predictable patterns from a hardware random number generator, secret ways to override memory protection, a way to expose the private/secret keys in crypto hardware, etc.

Those more subtle 'backdoors' could then be further exploited by user land code for nefarious purposes. User land code that would have otherwise posed no danger to the system or the user.

That being said, if a 'hole' like that is discovered, it may be able to be partially worked around by trying to detect the use of the trigger patterns required to activate it, or by modifying the driver/system code that rely on those features.

PLA? (0)

Anonymous Coward | about 6 months ago | (#46811431)

Sercomm is based in Taiwan. I think Chinese intelligence is a more likely culprit.

Re:PLA? (3, Funny)

jrumney (197329) | about 6 months ago | (#46811925)

Worrying about Chinese intelligence being involved because the product is from Taiwan is like worrying that North Korea is spying on you through Samsung products, or Mossad has added miniature tracking devices to gasoline imported from the Middle East.

Good reason to get off the internet. (0)

Anonymous Coward | about 6 months ago | (#46811489)

And stay off. All your banking is an open book to any and all.
Everything about you.

Simple fix (3, Interesting)

Anaerin (905998) | about 6 months ago | (#46811525)

Wouldn't it be a simple "Fix" to set up port forwarding to redirect traffic directed to port 32768 to a "dead" address? Then the port would already be allocated, and when the "Knock" arrives, the port is already in use, and data goes nowhere.

Re:Simple fix (2, Insightful)

Anonymous Coward | about 6 months ago | (#46811789)

and what device is doing the forwarding, and seeing the "knock" ?

Nice. Caught red-handed... (4, Interesting)

gweihir (88907) | about 6 months ago | (#46811559)

I predict we will see more of that. Congratulations to the finder! Maybe we should start to offer "public safety" bounties to people that find these acts of sabotage.

Re:Nice. Caught red-handed... (1)

Arker (91948) | about 6 months ago | (#46811611)

I have a slightly more ambitious suggestion. We should make a list of every device that uses this 'sercomm' module and make a point never to buy them again.

Re:Nice. Caught red-handed... (1)

hawguy (1600213) | about 6 months ago | (#46811869)

I have a slightly more ambitious suggestion. We should make a list of every device that uses this 'sercomm' module and make a point never to buy them again.

Who is 'we'? The .01% of consumers that are tech savvy enough to know what a backdoor is and why we don't want one? Meanwhile everyone else will continue to buy routers based on which picture on the box looks better.

Re:Nice. Caught red-handed... (0)

Anonymous Coward | about 6 months ago | (#46812283)

The people who are buying them by the millions (ISPs) are the ones who WANT this capability because it lets them access the device remotely without sending a guy in a truck. Really, if you want to apply market pressure, let your ISP know that the only way they should manage network devices for your service is using a secure protocol, like SNMPv3.

Sercomm is a Chinese Company. Stop blaming the Ame (0)

Anonymous Coward | about 6 months ago | (#46811629)

If you go to Sercomm's web page you'll see they are headquartered in China.

what surprises me... (0)

Anonymous Coward | about 6 months ago | (#46811725)

I've got all you guys beat; I'm too inexperienced as a user to understand what the heck you're talking about. I just merrily read articles of interest that appeal to me. Nothing weird happens and I don't have to subscribe to a newspaper to get edjumicated about what's going on in the world!

How paranoid can we get? (0)

Anonymous Coward | about 6 months ago | (#46811823)

You know, I don't sit around worrying about my laptop camera watching me, or the NSA sifting through my data or Google monitoring my keystrokes. I guess many people worry about those things either because they are simply paranoid, or they know they are doing something wrong. The router is an obvious point of gathering data from multiple sources that connect through it. I have no doubt that agencies like the NSA work very hard to tap into such a vast resource for data.
It's difficult though for me to worry about this when tomorrow it will be just old news and some other potential privacy avenue will be found. If you truly do not find the internet or the hardware that is used to access it safe and private, then you had better pull the plug now.

Maybe it is for manufacturing? (1)

invisi (531162) | about 6 months ago | (#46811835)

If I were to venture a guess, things like turning LEDs off and on remotely sound like something that one would want to do when manufacturing as part of a functional tester. That doesn't mean that the way they are doing it is good, but I bet it is so that they can just plug in a router and connect up to their functional tester to test the system to ensure things are working correctly, such as the LEDs. Seems like if they want a feature like this to support manufacturing, it should be something that is only accessible on one *internal* (non-ISP facing) Ethernet port and only within a certain amount of time since bootup.

Pace/2wire all listen on 3479/tcp (3, Insightful)

CrAlt (3208) | about 6 months ago | (#46811861)

The 2wire/pace (3600, 3800, etc.) all have TCP port 3479 open to the internet. This is what you are forced to use if you have AT&T U-verse. There is no way to block it and AT&T says it's for "updates and trouble shooting".
http://forums.att.com/t5/forum... [att.com]

I wonder what great backdoors are in these gateways?

Snowden effect (3, Informative)

OFnow (1098151) | about 6 months ago | (#46811897)

What Snowden did was turn a suspicion into knowledge. That is a big deal. (Hal Berghel pointed this out first).

Old News (-1)

Anonymous Coward | about 6 months ago | (#46812009)

fucking noobdot

sue? (0)

Anonymous Coward | about 6 months ago | (#46812013)

I wonder if it would be possible to sue a company that put a backdoor in an IT product. Like if a hacker used it on you, could you sue the company responsible for it being there, like for financial damages it caused you?

IANAL, but it seems to me product liability laws would apply.

at least d-link is safe... (0)

Anonymous Coward | about 6 months ago | (#46812217)

n/t
