Hacker backdoors Linksys, Netgear, Cisco and other routers

The new year begins as the old year ended: with yet more vulnerabilities turning up in consumer-grade DSL modems. A broad hint for any broadband user would be, it seems, to never, ever enable any kind of remote access to the device that connects you to the Internet. However, the hack published by Eloi Vanderbeken at github, here …

COMMENTS

This topic is closed for new posts.


Anonymous Coward

"alert the victim that something had happened"

"the crash and resulting reset to default passwords would at least alert the victim that something had happened"

From a naive point of view, an interruption in service due to a factory reset is indistinguishable from any other brief interruption in service.

How many SoHo routers ever have anything (passwords or anything else) changed from factory default anyway?

Is it Sercomm's fault that the vendors selling this stuff don't check for problems like this?


Re: "alert the victim that something had happened"

But surely a factory reset would also nuke the account name, password, VCI and other settings needed to reconnect? That alone is different since it will need actively fixing. It also makes it useless as an attack vector for anyone coming in from the outside.


Re: "alert the victim that something had happened"

I've seen several SOHO routers 'spontaneously reset' over the years. When asked about it by the user my explanations included crappy electronics and/or crappy electric supply. In the end it was just crappy electronics, he he. One out of two...


Re: "alert the victim that something had happened"

There's a few ISPs out there whose authentication procedure is "ah, you're coming from that wire. You must be genuine."

In that case, a router would not have a username or password (or copied MAC address) to reset.


Re: "alert the victim that something had happened"

". . . makes it useless as an attack vector for anyone coming in from the outside."

That's what I was thinking!

It's not even useful for breaking into a WLAN because you'd have to be on the network to access the device, in which case, why reset it?

Still, it's entirely possible this vulnerability might lead to other, more useful attacks.

Anonymous Coward

Re: "alert the victim that something had happened"

"It also makes it useless as an attack vector for anyone coming in from the outside."

Unless you flash it with modified firmware, such as one that captures the credentials of the IT guy that tries to fix it. When he sees that it's set to factory, he'll log in with the default password, upload the settings, set the admin password, log out and back in to make sure it's working. At which point your firmware sends the captured credentials to you.


Re: "alert the victim that something had happened"

Unless you flash it with modified firmware, such as one that captures the credentials of the IT guy that tries to fix it. When he sees that it's set to factory, he'll log in with the default password, upload the settings, set the admin password, log out and back in to make sure it's working. At which point your firmware sends the captured credentials to you.

Yes, but to do that you've got to factory reset it first. After the reset it is unable to reconnect to the Internet. How do you install the new firmware from that very network it is no longer connected to?

Even on the LAN I'm struggling to see the point in 99% of networks this grade of device applies to: you already have free roam of the LAN, so what is the point of disconnecting yourself from other networks? The only rationale there that I could see would be to temporarily alter inter-VLAN routing. Provided, of course, you could hit on correct settings to make the network operate at all after the reset. In any case, how many home networks operate multiple VLANs? Bear in mind most home routers don't even offer the option.


Re: "alert the victim that something had happened"

There's a few ISPs out there whose authentication procedure is "ah, you're coming from that wire. You must be genuine."

Perhaps on cable, but nowhere for DSL modems. That's the wonder of local loop unbundling, DSLAMs and MPLS. Without the correct virtual circuit indicator (not set by default, except possibly for ISP own-brand - as opposed to ISP supplied - stuff) it has no idea where to go. VCI 0 is generally a BT Openworld default "Your router is misconfigured" thing.


Re: "alert the victim that something had happened"

> But surely a factory reset ... also makes it useless as an attack vector for anyone coming in from the outside.

Factory reset is only what the researcher managed to work out from reverse engineering code. Presumably there could be other more flexible functions associated with traffic on the listened-for port.


Re: "alert the victim that something had happened"

"I've seen several SOHO routers 'spontaneously reset' over the years. When asked about it by the user my explanations included crappy electronics and/or crappy electric supply. In the end it was just crappy electronics the NSA exploiting this hole..."

FIFY!


Re: "alert the victim that something had happened"

If you look at the linked slides, it seems the researcher inadvertently reset the factory defaults when brute forcing port 32764. However, it seems that prodding the port gently can dump router passwords, set wlan_mgr_enable=1 and other nasties that do not necessarily alert the victim to potential LULz.

Anonymous Coward

Re: "alert the victim that something had happened"

"There's a few ISPs out there whose authentication procedure is "ah, you're coming from that wire. You must be genuine."

Perhaps on cable, but nowhere for DSL modems."

Er, sorry, but BT Retail (probably UK's biggest ISP, regrettably) used to use nothing but the circuit ID for authentication, courtesy of BTWholesale's CentralPlus service. This was prior to the days of BT's 21CN, which may have changed matters somewhat.

Quite a few modem/routers claim to have a "smart" connect process which allegedly autodetects the appropriate VCI/VPI for common providers; whether it's invoked automagically after a reset is a different question.

" VCI 0 is generally a BT Openworld default "Your router is misconfigured" thing."

When did OpenWorld cease to exist?


Re: factory reset would also nuke

For the listed exploit yes, but there might be other exploits that aren't so In Your Face. Which is why neither chip vendors nor device manufacturers should ignore a thorough security review of their products.

Anonymous Coward

Re: "alert the victim that something had happened"

> Yes, but to do that you've got to factory reset it first. After the reset it is unable to reconnect to the Internet. How do you install the new firmware from that very network it is no longer connected to?

I could be wrong but I seem to remember that I merely had to connect my router to the modem and Ethernet connected devices were able to get an IP via DHCP. I would only notice this because the wifi settings would be gone. And then I'd probably also assume it's just an ordinary fault.


Re: "alert the victim that something had happened"

The factory reset is one of the options a user has. On most devices the port is not internet accessible thankfully, so an attacker would have to be on your local network.

However on *some* of those affected devices they don't need to be.

Test yours to be sure. It's easy to see if you can telnet (if you don't feel up to running the Python script that he's provided) to your public IP on that port from another Internet connection.


Re: "alert the victim that something had happened"

"Yes, but to do that you've got to factory reset it first"... not accurate. Most routers/access points I have updated do not factory reset after a firmware upgrade. The config is often stored in a different location to the firmware.


Re: "alert the victim that something had happened"

As commented, the factory reset is one of the many options.

On some of the devices it is accessible from the outside.

I see many issues/options even from the inside:

#1 I may grant you access to my Wireless network but that doesn't mean I want you to recover the password to my devices?

#2 Same as above but you could on some routers obtain the username and password I use with my Internet provider / dynamic DNS.

#3 I may grant you access to my "guest" WiFi, you could use that as a launch pad to then get my main WiFi password and/or communicate with my other devices.

#4 You could just plug something into my router and obtain my WiFi password despite me not actually having given it to you.

#5 Say I am a business providing you with free WiFi, I don't exactly want you to login to my access point and screw around with any of the settings...


Re: "alert the victim that something had happened"

The article is slightly wrong, the backdoor allows several options of which factory resetting is one of them.

They're listed in the presentation and source code for the proof of concept but, for the non-technical or those who struggled to read it:

#1. Output all of the settings, all of the usernames, all of the passwords for the device.

#2. Read just one specified setting/username/password.

#3. Set one specified setting/username/password just while it's running ("apply").

#4. Save all the settings that are currently set so they persist a reboot.

#5. Join the network as if you are not connected to the Internet but another router.

#6. Output how fast we currently think our Internet or network connection is.

#7. Allow me to run any Linux (busybox) command I want on this device.

#8. Store a file on the device.

#9. Write what version of the software we are running.

#10. Write out our IP address.

#11. Factory reset. Lose all settings.

#12. Read the memory contents of the device.

#13. Save the memory contents to disk.

The researcher tried all the options and accidentally hit on #11.

I wished this had been responsibly disclosed to the manufacturers before it was given to Github, Hacker News and Reddit, but now it's out there I hope it helps people who have the same devices know that an update to their device is probably coming that they will need to apply.

Anonymous Coward

Re: "alert the victim that something had happened"

Indeed,

More interestingly, how about pulling out our critical VCI and configuration information through the same port and then re-instating the original desired settings over a re-initialized default configuration? The user would only know about it when their admin password stops working.

I guess it all depends on what other router features are accessible through this backdoor. More research please, or links....

Or imagine it, if you will.....

1) Remotely penetrate router through the backdoor.

2) Remotely pipe out the router configuration, perhaps using the default config backup utility.

3) Install the dump on the same model and / or crack the current admin password offline. If I recall correctly, the admin password stays inside the config dump on most models and can be restored but not easily read.

4) But I also suspect a good brute force dictionary attack would make mince meat out of most SOHO wifi passwords.

5) And don't forget to enable the remote maintenance feature before you leave.

6) Whoo hooo!, now we don't even need no stinking backdoor. And all a whole lot stealthier.

Why we might even be able to get some government funding for this project, if we can talk to the right people at Fort Meade.

Anon, because I really do worry about these things more than I used to.

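The posts above turn on one question: is anyone actually talking to port 32764 on your router, and from which side? An added example, not from the thread, of the log triage a defender would run. It assumes the router (or a box in front of it) logs new inbound TCP connections with an iptables LOG rule; the interface names in WAN_IFACES and the sample log lines are constructed for illustration.

```python
"""Triage iptables LOG lines for connection attempts to the port named in the thread.

Added example, not from the original thread. Assumes the standard iptables LOG
format (key=value pairs after a prefix); WAN interface names are an assumption.
"""
import re
import sys
from collections import defaultdict

BACKDOOR_PORT = 32764
WAN_IFACES = {"ppp0", "eth0.2"}   # assumed WAN-side interface names; adjust for your box

# Only the fields we need; the LOG target writes them as KEY=value tokens.
_KV = re.compile(r"\b(IN|SRC|DST|PROTO|SPT|DPT)=(\S*)")

# Constructed sample log, not captured from a real device.
SAMPLE_LOG = """\
Jan  2 03:14:07 gw kernel: FW-IN: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=51234 DPT=32764 SYN
Jan  2 03:14:09 gw kernel: FW-IN: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=60 TTL=52 PROTO=TCP SPT=51235 DPT=32764 SYN
Jan  2 03:15:41 gw kernel: FW-IN: IN=ppp0 OUT= SRC=192.0.2.77 DST=203.0.113.5 LEN=60 TTL=48 PROTO=TCP SPT=40001 DPT=22 SYN
Jan  2 03:16:02 gw kernel: FW-IN: IN=br0 OUT= SRC=192.168.1.42 DST=192.168.1.1 LEN=60 TTL=64 PROTO=TCP SPT=55012 DPT=32764 SYN
Jan  2 03:16:30 gw kernel: FW-IN: IN=ppp0 OUT= SRC=198.51.100.23 DST=203.0.113.5 LEN=52 TTL=52 PROTO=UDP SPT=5353 DPT=53
"""


def parse_line(line: str):
    """Extract interface, addresses, protocol and destination port from one LOG line."""
    fields = dict(_KV.findall(line))
    if "DPT" not in fields or "SRC" not in fields:
        return None                      # not an iptables LOG line (or a truncated one)
    return {
        "iface": fields.get("IN", ""),
        "src": fields["SRC"],
        "dst": fields.get("DST", ""),
        "proto": fields.get("PROTO", ""),
        "dpt": int(fields["DPT"]),
    }


def triage(log_text: str, port: int = BACKDOOR_PORT):
    """Group TCP attempts to `port` by (side, source); WAN-side hits sort first.

    A WAN-side hit means the port is reachable from the Internet *and* someone
    is looking; a LAN-side hit points at a host on your own network doing it.
    """
    hits = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["proto"] != "TCP" or rec["dpt"] != port:
            continue
        side = "wan" if rec["iface"] in WAN_IFACES else "lan"
        hits[(side, rec["src"])] += 1
    findings = [{"side": side, "src": src, "attempts": n}
                for (side, src), n in hits.items()]
    findings.sort(key=lambda f: (f["side"] != "wan", -f["attempts"]))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    for f in triage(text):
        print(f"{f['side'].upper():3} {f['src']:>15}  {f['attempts']} attempt(s) on tcp/{BACKDOOR_PORT}")
```

Feed it /var/log/kern.log (or whatever your LOG rule writes to); anything on the WAN side is worth a firewall rule and a firmware check, and a LAN-side source is a host to look at.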
Anonymous Coward

Re: "alert the victim that something had happened"

FTA

"In particular, the backdoor allowed him to brute-force a factory reset without providing a password – meaning that on his next login, he had access to everything."

"Yes, but to do that you've got to factory reset it first. After the reset it is unable to reconnect to the Internet. How do you install the new firmware from that very network it is no longer connected to?"

If you only mean "outside" to be the wired side coming in from the internet through the DSL modem, then no, the wireless device might not be connected to the internet.

However, since we're talking wireless devices, "outside" can be the public facing wireless. Once you do a factory reset, you can then connect, via wireless, to configure the access point. You might still not be able to connect to the wired LAN on the "inside", though it might be easy to guess the IP/gateway info and connect.

So yes, you could upload firmware, and target admin credentials.


Re: "alert the victim that something had happened"

"Is it Sercomm's fault that the vendors selling this stuff don't check for problems like this?"

You seem to forget that the reason they outsourced this in the first place was so they wouldn't have to hire programmers for the project...

Anonymous Coward

Hmmmmm

I wonder if Sercomm is funded by the NSA?


Re: Hmmmmm

"I wonder if Sercomm is funded by the NSA?"

And if so, did they supply parts for UAE intelligence satellites as well? :)


Re: Hmmmmm

At least you spotted the common denominator, the vendor making the hardware, rather than the various companies who contracted that hardware from that vendor.

As it's a company rooted in Taiwan and Taiwan is still sore with the US over the "one China policy", I strongly suspect not.

I actually wonder if there may be a PRC root in there.

Still, Hanlon's razor must apply.

A dumb fuck engineer leaving the back door in on production units is the most likely.

Besides, what benefit would the NSA have in trashing your router configuration? Especially since between them, the PRC, RBN, various other state run organizations all own the network routing points, your traffic is already theirs to begin with.

Or do you honestly think that it's *only* the UK and US doing that?

I know as a fact it most certainly is not.

Re: Hmmmmm

Doubt it. It's more than likely just a diagnostic mode left in shipped products. A lot of the modes offered are useful for diagnostic purposes when you are developing a device and don't really serve any other purpose.


My router hack is cheaper and foolproof

Beat the owner of the router within an inch of his life with a lead pipe, and force the password out of him.

Only about $3 dollars for a new piece of pipe (free if used). Or a $5 wrench will do (http://xkcd.com/538/).

100% effective (unless he has a bigger pipe, handgun, guard dog, etc).

Anonymous Coward

Re: My router hack is cheaper and foolproof

Doubt it would be 100%. Might kill the guy, or the guy fights you back, forcing you to KO or kill him. Either way, you leave empty-handed and at risk of elevated charges.


Re: My router hack is cheaper and foolproof

Lead pipes tend to have lethal effects.

Now, a fine old fashioned telephone ring generator can make even the dumb sing like a canary.

Or a dissected photo strobe unit.

Or, the old US standby, waterboarding, which is not a torture per those who never experienced it.

Re: My router hack is cheaper and foolproof

This is known as a 'rubber hose' attack..

http://en.wikipedia.org/wiki/Rubber-hose_cryptanalysis


Re: risk of elevated charges.

YMMV, but in these parts so long as you didn't cop to wanting his password it would probably be lesser charges, at least in terms of actual time served.

Not likely

Most users of this gear will not have any idea why their system has gone snafu, and a knowledgeable hacker will restore the system to a functional state pdq, so the user will likely be oblivious as to why their internet was down for a while - likely that it was an ISP issue! Still, if the attack was done at an appropriate time (really late at night / early in the morning), then the target may NEVER realize that they were hacked, and only know there was a problem when they try to access the management web interface of the device at some future time. FWIW, I am a senior systems engineer at a major corporation, and have been working with many such devices over many years. I probably access my personal router's management interface once every 3-6 months...


Re: Not likely

"... a knowledgeable hacker will restore the system to a functional state pdq..."

That would be fine for the average wired user but it is unlikely that the hacker would be able to replicate the wireless key assuming it was changed from the default and the user doesn't rely on the 'magic button' to join the network in the event of problems. Still, any wired devices such as a NAS box will be copied off rather swiftly, even more swiftly if the target is known and mimo is employed to its fullest.


Re: Not likely

Annoying:

My router incessantly reboots, up to five times per day.

Second unit, which rebooted twice as often.

Compromised hardware? Not likely.

More likely, it's a POS design, whose engineering team should be horsewhipped over, but more likely got bonuses for saving money in their shitty design.

I say, shoot the lot of them! Right out of the biggest circus cannon one can find and straight into the composting pond of the nearest sewage treatment plant.

OK, not really. I'd suggest sacking them, but even money, they were long ago downsized and outsourced.

Re: Not likely

"Most users of this gear will not have any idea why their system has gone snafu, and a knowledgeable hacker will restore the system to a functional state pdq..."

Most users would probably notice that their router had lost the settings required to login to their ISP and the hacker would not be able to replace them because they would have been disconnected as soon as the router rebooted with default settings and because the hacker would not have the necessary ISP account details in the first place.


Re: Not likely

I'd notice as soon as neither my laptop nor tablet would connect. Not sure about the roomie's iPad and Mac which are also on the wireless. They might auto-find an open network. But I very much doubt that after you've done a factory reset you'll be able to reset the original WPA2 key I set.

Re: Not likely

There's one well known manufacturer which had "802.11 pre-n" devices that when they got a little too warm (which was caused by themselves) they'd reboot. Having had to play with one I vowed to never buy one of their products again and haven't.

You get a feel after a while for which manufacturers are trustworthy or not. Vote with your wallet and make sensible recommendations to your friends/colleagues.

I was quite surprised that SerComm actually were outsourced by some of the big names to make some of their products.. would have thought the big names had their own expertise.

Weird not one word of how the company ....

... that left a back door in their firmware is to be held responsible. These were not low end kit by the sounds of it, so it would be reasonable to expect a payout of some kind from the hardware manufacturer. The onus was on them to do minimal validation checks; clearly they didn't, so what's to stop them leaving holes next time?

Re: Weird not one word of how the company ....

The vendors have been told AFTER this was posted online. They're having to play catchup. Feel rather sorry for them. They just outsourced the manufacture of some devices, now they're getting told there was a backdoor in them...

Also a lot of Linksys products. Linksys was bought out ages ago. Belkin have now inherited this backdoor mess through no fault of their own.


easy peasy

At least for the consumer (yes I understand Enterprise is a different beast) the easy way to avoid all this is before you buy a router or dsl modem always verify OpenWRT (or Gargoyle, or dd-wrt, etc) runs on it without issue and then the first thing you do after buying said electronics is get the factory firmware the fuck off the device. Not only will you greatly improve security but usually performance as well. Yes the NSA might have hacked that code base as well but at least being open to the public it can be audited.


Re: easy peasy

I know ignorance is not really an excuse, but a great many consumers don't know the difference between wireless networking and a wireless Internet connection - let alone understand the concept of firmware.

Given that the concept, procedure and indeed the benefit of flashing the firmware is foreign to many people, your suggestion, while sound, amounts to Joe Consumer going from trusting a big name company to secure a device he doesn't understand to trusting some chaps on the Internet to secure a device he doesn't understand. While voiding his warranty in the process.

I held onto my old WRT54G with DD-WRT for ages but it's not a solution for everyone - especially when you're not IT-savvy and your ISP refuses to help you (beyond suggesting you turn it off and back on) because you're using a non-standard device.

It's quite easy to overestimate the IT abilities of the average person.


Re: easy peasy

Also:- It's quite easy to overestimate the IT interest of the average person.

Gav

Not easy peasy at all

You have a bizarre idea of what "easy peasy" is.

99% of consumers don't know or care what OpenWRT is. Or why they should trust the people who wrote it. Nor do they know/care what the advantages of OpenWRT are. Or how to put it on their router.

And why should they?

Anonymous Coward

Re: Not easy peasy at all

Indeed, and even the 'easy peasy' router firmware install can't happen until you're sure that your particular revision of your particular router/modem supports it. There's no chance of the average consumer even getting that far.


Re: Not easy peasy at all

Sorry, poor choice of words. Consumer was not the word I meant to use, as has been pointed out clearly. Please substitute with IT nerd or a consumer with an IT nerd friend. I do agree that this is not something your average Joe Schmuck should be dealing with. More proof why it's beyond retarded to have the same agency both tasked with securing and weakening IT infrastructure. Especially when it's often military folks who tend to glorify the offensive a lot more.

Gav

Re: Not easy peasy at all

I'm an IT nerd.

I'm also a person who doesn't want to waste a day determining how to flash unsupported firmware onto my router, without bricking it, and then spend another frustrating day combing through online forums (supposing I can still connect to the internet) trying to fix the inevitable compatibility issues. Life is too short for that kind of nonsense.

I really want my router to come equipped with minimal setup requirements and security built in.


Re: Not easy peasy at all

>I'm also a person who doesn't want to waste a day

If you can't figure out which router to buy and flash it in 15 minutes then you are no IT nerd. You may be too lazy to care, but the technical aspect of it is trivial for any decent developer or even hack MCSE. With most commercial consumer firmware you can simply use the built-in GUI to do the flash itself. Rarely do you need to do a 30-30-30 tftp flash anymore, and even if you do, that is trivial on most routers as well. Now I can agree with you once you get into J-TAG land, but that is more in firmware developer land itself than flashing common routers.

> trying to fix the inevitable compatibility issues.

The only compatibility issues I have ever seen have been with factory firmware itself like on my DSL modem. I have yet to see any wireless problems or instability but then again I did some research and made sure I bought a common good well supported by the community router.

>I really want my router to come equipped with minimal setup requirements and security built in

Which as this article shows largely requires you to do yourself if you want that. I don't think you know just how atrocious virtually all factory firmware is on these low end routers. But I can understand wanting it to just work without pissing about with it. I am like that with my car.

Anonymous Coward

Re: Not easy peasy at all

"But I can understand wanting it to just work without pissing about with it."

And therein is the industry's security/functionality argument summed up in one sentence.


Well...

...where I'm from I can certainly see this attack working extremely well.

The vast majority of ISPs here simply authenticate users by checking against the MAC address of their router/modem. To the ISP it's one less thing for the user to screw up and hence one less issue for the user to create and subsequently call the ISP to complain about.

It also makes it easier for everyone when a given user chooses to change their router/modem. Simply call the ISP up, give them the new MAC address (which more often than not is printed somewhere very obvious on the appliance), and let DHCP take care of the rest.

And as already mentioned, just about everyone isn't interested beyond getting their router up and running, and as such most users will not notice much of a difference pre/post factory reset. Sure, WiFi might stop working... but they'll probably just try to log into their router with the default credentials, which they never bothered to change in the first place, to set WiFi up again and all's well in this world again. In their view at least.


Re: Well...

This won't work for any recent D-LINK wireless router. The firmware requires that a new admin password be set on first use, and the default is the one on the card that came with it.

Anonymous Coward

Re: Well...

This assumes the password is unique for each individual router sold. Otherwise, a hacker could just build a table of known factory passwords and run through them if the list isn't too long.
