D-Link hole-prober finds 'backdoor' in Chinese wireless routers

Security researchers say they have discovered a hidden backdoor in wireless routers from Chinese hardware manufacturer Tenda. Craig Heffner, the same researcher who uncovered a backdoor in routers from D-Link, found the latest problem. He uncovered the functionality, which ships with Tenda's products, after unpacking firmware …

COMMENTS

This topic is closed for new posts.

Shoddy work

Were it an American manufacturer the backdoor would be better concealed

7
0
Anonymous Coward

Re: Shoddy work

Except some politicians would announce it on television (Bush, Reagan) ..

0
1
Bronze badge
Megaphone

Re: Shoddy work

Other politicians would keep silent while exploiting it (Obama, Pelosi)

2
1

Re: Shoddy work

Still other politicians would exploit it but would leave evidence on a blue dress.

2
0
Anonymous Coward

Re: Shoddy work

While claiming that he used the exploit but didn't look.

0
0
Bronze badge
Boffin

Re: Shoddy work

What makes you think so? Anybody remember the good old "AWARD_SW" universal backdoor password for Award BIOSes back in the day...? That was an American manufacturer, FYI...

1
0
Bronze badge
Thumb Up

Re: Shoddy work

"still other politicians would exploit it but would leave evidence on a blue dress."

I can just hear him at his White House desk singing "Shake for me Monica, I wanna be your back door man".

0
0
Silver badge
Meh

Backdoor?

More like a relatively minor vuln, compared to the D-Link one. WPS is quite the pile of shit anyway, of course you're going to find vulns if you poke there.

0
2
Facepalm

Re: Backdoor?

@ElReg!comments!Pierre: "More like a relatively minor vuln"

How do you accidentally insert the string 'w302r_mfg' into the source code?

"Attackers could take over the router and execute commands by sending a UDP packet with a special string .. They all use the same 'w302r_mfg' magic packet string,"

0
1
Bronze badge

Re: Backdoor?

"More like a relatively minor vuln, compared to the D-Link one."

It merits noting that there was a Cisco vulnerability not long back ( http://www.pcworld.com/article/2053880/cisco-patches-vulnerabilities-in-some-security-appliances-switches-and-routers.html )

0
1
Silver badge

Re: Backdoor? @codeusirae

> How do you accidentally insert the string 'w302r_mfg' into the source code?

Oh, you don't.

Occam's shaving implement suggests "you" codes a workaround for internal dev work and "you" forgets to remove it from the dev branch before it's rolled out by "you" 's marketing dept.

The facts (only accessible from the local network, requires WPS with unmitigated access) make it a blunder rather than a backdoor.

Little known fact: "WPS" actually stands for "hassle-free connection for those who don't care too much about security". True story.

0
0
Silver badge

Re: Backdoor? @Scorchio!!

> It merits noting that there was a Cisco vulnerability not long back

Sure. To be honest I don't care much about specific vendors, and especially not about Cisco (one of their router models I had to deploy gave me no end of trouble a few years back). This particular story still strikes me as the typical firmware dev blunder, as happens all the time with closed-source, rushed projects. There is simply not enough peer validation in the closed-source system. See asdf's very apt comments in this very thread.

In this regard, this is a relatively minor vuln, certainly nothing worth getting paranoid "government-mandated backdoor"-style.

0
0

Re: Backdoor? @codeusirae

Nope, it was on purpose, to implement an attack on the west in the future.

Would a programmer use the string "w302r_mfg" or something that didn't involve using the Shift key to type, like his dog's name?

Also, "manufacturing" is an English word. They used that string for plausible deniability. I think that's why the backdoor only works from inside the LAN. Outside would be way suspicious and my guess is that they can already break into millions of home LANs through the user PCs. Another column said that the red chinee have stacked up dozens of vulnerabilities.

Faye Kane ♀ girl brain

Sexiest astrophysicist you'll ever see naked

0
0
Anonymous Coward

WPS is far better these days

Most router manufacturers (eventually), in the wake of Reaver WPS brute force attacks, have actually implemented rate limiting of some form (some implementations are better than others).

The best option in any router that has WPS is the option to turn it off.. assuming it does. If I remember correctly, D-Links at one point (since fixed) didn't actually turn it off.

Thankfully I've only ever had one Tenda router and it still sits in a box (as it was never used, thankfully).

Sadly most people install direct purchase routers and forget about it, and many routers don't auto-update firmware. In a way it's good that ISP-supplied routers do get pushed updates in most cases (that being normally the only good thing about having an ISP-supplied router).

These days I don't install anything that's not WRT-based between the main network and the outside world. Manufacturers orphan devices, are slow in releasing firmware fixes (if they do at all) and, as this shows, many hide a way back in.

Just search for a manufacturer:

https://exploits.shodan.io/welcome

http://www.exploit-db.com/search/

2
1
Silver badge

Did I understand correctly?

My understanding of the article was that the router is entirely safe from attack from the Web, but if something is installed on the local area network then it can be backdoored?

So someone would have to hack into your computer through any firewalls etc, before they can turn around and attack your router. Am I missing the threat here? If they can already hack into your computer, getting access to the router seems trivial...

1
6
Silver badge

Re: Did I understand correctly?

Not quite, it's open to the WLAN as well, which means someone, in theory, can brute force your wireless and redirect stuff, for example, changing your DNS settings.

I'd rate it a low to medium risk as you need to actually be somewhere near the kit and have time to do it, without attracting attention to yourself.

4
0
Silver badge

Re: Did I understand correctly?

"So someone would have to hack into your computer through any firewalls etc, before they can turn around and attack your router. Am I missing the threat here?"

The Zombie army. Most of them are behind NAT routers after all.

1
0
FAIL

you missed the opportunity

for a headline along the lines of "tenda backdoor probed"

17
1

We've asked Tenda for its reaction but have yet to hear back from the firm.

Maybe they run their company off a D-Link?

2
0
Gold badge
Thumb Up

Mfg don't seem to get it. The search for vulnerabilities *will* take place.

Whether they want it to or not.

The word will get round if your kit is s**t.

And while I'll note it's on the internal side rather than the external side, it is wireless, so not quite as "internal" as I'd like for a start.

I like my privacy so I disable wireless access to the router by default. But that's not always an option.

Thumbs up for finding it. The mfg can have a thumbs down for putting it there in the first place.

0
0
Silver badge

Re: Mfg don't seem to get it. The search for vulnerabilities *will* take place.

"The word will get round if your kit is s**t."

Unfortunately it'll only get round tech circles.

The cheap kit will still be available, and bought by the most vulnerable (shoppers at PC world).

The more tech savvy would have rendered themselves immediately immune by turning off WPS as a matter of course.

1
0
Anonymous Coward

Re: Mfg don't seem to get it. The search for vulnerabilities *will* take place.

Unfortunately it'll only get round tech circles.

It does provide a wonderful set of opportunities where a minimum of technical skill, a penchant for shady activities and a bit of legal nous all come together.

Oh noes officer, my router has been backdoored. Literally anyone could have downloaded all this kiddy porn, unlicensed media, bomb making instructions, list of stolen credit card numbers or whatever else it was you were going to prosecute me for.

2
0
GBE

What's GoAhead got to do with it?

> Source code for the GoAhead web server used in Tenda products has been made available on GitHub.

I'm not claiming that statement isn't true (a lot of embedded products use GoAhead web server code). What I don't see is what it has to do with the rest of the story. Was the backdoor inserted in the GoAhead code? Was that back door present in the source code on GitHub?

2
0

Resistance is futile

Is everyone really this naive? It's a software vulnerability, better known as a cock up. Are you so conditioned by the media? MS used to have more holes than Swiss cheese... Was that a conspiracy? NO! Not until the US are eventually caught red handed anyway. Try to stop watching the news and reading newspapers then you can form your own opinions and begin to leave the collective. GEEZ!

0
2
Anonymous Coward

Re: Resistance is futile

"Try to stop watching the news and reading newspapers then you can form your own opinions and begin to leave the collective. GEEZ!"

Get your info from the web instead, which is so full of shite that it should be called the sewer instead.

0
0
Anonymous Coward

Re: Resistance is futile

While it's admirable that you seek out news from sources outside the mainstream, you may also find it valuable to include sources that include different points of view (the internet makes it far too easy to ignore opposition viewpoints since it's trivial to find a community that mirrors your own opinions).

0
0
Silver badge
Mushroom

Stock firmware is for grandma

Yet more reason to ditch the stock firmware, at least for home routers (and if a router doesn't have open source alternative firmware support, don't buy it). OpenWrt, Gargoyle, Tomato, DD-WRT are all better 95% of the time anyway. The only exception is that, due to some closed source drivers, in some cases the stock firmware may have longer wireless range and better wireless throughput, but then again the internet is usually your bottleneck.

2
0
Silver badge

Re: Stock firmware is for grandma

Open source is not immune to backdoors of course, but a lot more people look at the OpenWrt source code than any proprietary firmware code base. In addition, if a back door is found it will be fixed in hours, not weeks.

0
0