D-Link hole-prober finds 'backdoor' in Chinese wireless routers

Security researchers say they have discovered a hidden backdoor in wireless routers from Chinese hardware manufacturer Tenda. Craig Heffner, the same researcher who uncovered a backdoor in routers from D-Link, found the latest problem. He uncovered the functionality, which ships with Tenda's products, after unpacking firmware …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    Shoddy work

    Were it an American manufacturer the backdoor would be better concealed

    1. Anonymous Coward

      Re: Shoddy work

      Except some politicians would announce it on television (Bush, Reagan) ..

      1. BillG
        Megaphone

        Re: Shoddy work

        Other politicians would keep silent while exploiting it (Obama, Pelosi)

        1. Heathroi

          Re: Shoddy work

          still other politicians would exploit it but would leave evidence on a blue dress.

          1. Anonymous Coward

            Re: Shoddy work

            While claiming that he used the exploit but didn't look.

          2. Scorchio!!
            Thumb Up

            Re: Shoddy work

            "still other politicians would exploit it but would leave evidence on a blue dress."

            I can just hear him at his White House desk singing "Shake for me Monica, I wanna be your back door man".

    2. DropBear
      Boffin

      Re: Shoddy work

      What makes you think so? Anybody remember the good old "AWARD_SW" universal backdoor password for Award BIOSes back in the day...? That was an American manufacturer, FYI...

  2. ElReg!comments!Pierre
    Meh

    Backdoor?

    More like a relatively minor vuln, compared to the D-link one. WPS is quite the pile of shit anyway, of course you're going to find vulns if you poke there.

    1. codeusirae
      Facepalm

      Re: Backdoor?

      @ElReg!comments!Pierre: "More like a relatively minor vuln"

      How do you accidentally insert the string 'w302r_mfg' into the source code?

      "Attackers could take over the router and execute commands by sending a UDP packet with a special string .. They all use the same 'w302r_mfg' magic packet string,"

      1. ElReg!comments!Pierre

        Re: Backdoor? @codeusirae

        > How do you accidentally insert the string 'w302r_mfg' into the source code?

        Oh, you don't.

        Occam's shaving implement suggests "you" codes a workaround for internal dev work and "you" forgets to remove it from the dev branch before it's rolled out by "you" 's marketing dept.

        The facts (only accessible from the local network, requires WPS with unmitigated access) make it a blunder rather than a backdoor.

        Little known fact: "WPS" actually stands for "hassle-free connection for those who don't care too much about security". True story.

        1. Faye Kane, homeless brain

          Re: Backdoor? @codeusirae

          Nope, it was on purpose, to implement an attack on the west in the future.

          Would a programmer use the string "w302r_mfg" or something that didn't involve using the Shift key to type, like his dog's name?

          Also, "manufacturing" is an English word. They used that string for plausible deniability. I think that's why the backdoor only works from inside the LAN. Outside would be way suspicious and my guess is that they can already break into millions of home LANs through the user PCs. Another column said that the red chinee have stacked up dozens of vulnerabilities.

          Faye Kane ♀ girl brain

          Sexiest astrophysicist you'll ever see naked

    2. Scorchio!!

      Re: Backdoor?

      "More like a relatively minor vuln, compared to the D-link one."

      It merits noting that there was a Cisco vulnerability not long back ( http://www.pcworld.com/article/2053880/cisco-patches-vulnerabilities-in-some-security-appliances-switches-and-routers.html )

      1. ElReg!comments!Pierre

        Re: Backdoor? @Scorchio!!

        > It merits noting that there was a Cisco vulnerability not long back

        Sure. To be honest I don't care much about specific vendors, and especially not about Cisco (one of their router models I had to deploy gave me no end of trouble a few years back). This particular story still strikes me as the typical firmware dev blunder, as happens all the time with closed-source, rushed projects. There is simply not enough peer validation in the closed-source system. See asdf's very apt comments in this very thread.

        In this regard, this is a relatively minor vuln, certainly nothing worth getting paranoid "government-mandated backdoor"-style.

  3. Anonymous Coward

    wps is far better these days

    Most router manufacturers (eventually) in the wake of Reaver WPS brute force attacks have actually implemented rate limiting of some form (some implementations are better than others).

    The best option in any router that has WPS is the option to turn it off.. assuming it does, if I remember correctly D-Links at one point (since fixed) didn't actually turn it off.

    Thankfully I've only ever had one Tenda router and it still sits in a box (as it was never used thankfully).

    Sadly most people install direct purchase routers and forget about it and many routers don't auto update firmware, in a way it's good that ISP supplied routers do get pushed updates in most cases (that being normally the only good thing about having an ISP supplied router).

    These days I don't install anything that's not WRT based between the main network and the outside world, manufacturers orphan devices, are slow in releasing firmware fixes (if they do at all) and as this shows many hide a way back in.

    Just search for a manufacturer:

    https://exploits.shodan.io/welcome

    http://www.exploit-db.com/search/

  4. lglethal Silver badge

    Did I understand correctly?

    My understanding of the article was that the router is entirely safe from attack from the Web, but if something is installed on the local area network then it can be backdoored?

    So someone would have to hack into your computer through any firewalls etc, before they can turn around and attack your router. Am I missing the threat here? If they can already hack into your computer, getting access to the router seems trivial...

    1. Anonymous Coward

      Re: Did I understand correctly?

      Not quite, it's open to the WLAN as well, which means someone, in theory, can brute force your Wireless and redirect stuff, for example, changing your DNS settings.

      I'd rate it a low to medium risk as you need to actually be somewhere near the kit and have time to do it, without attracting attention to yourself.

    2. Alan Brown Silver badge

      Re: Did I understand correctly?

      "So someone would have to hack into your computer through any firewalls etc, before they can turn around and attack your router. Am I missing the threat here?"

      The Zombie army. Most of them are behind NAT routers after all.

  5. Justin Stringfellow
    FAIL

    you missed the opportunity

    for a headline along the lines of "tenda backdoor probed"

  6. Craig Foster

    We've asked Tenda for its reaction but have yet to hear back from the firm.

    Maybe they run their company off a D-Link?

  7. John Smith 19 Gold badge
    Thumb Up

    Mfg don't seem to get it. The search for vulnerabilities *will* take place.

    Whether they want it to or not.

    The word will get round if your kit is s**t.

    And while I'll note it's on the internal side rather than the external side it is wireless, so not quite as "internal" as I'd like for a start.

    I like my privacy so I disable wireless access to the router by default. But that's not always an option.

    Thumbs up for finding it. The mfg can have a thumbs down for putting it there in the first place.

    1. Steve Evans

      Re: Mfg don't seem to get it. The search for vulnerabilities *will* take place.

      "The word will get round if your kit is s**t."

      Unfortunately it'll only get round tech circles.

      The cheap kit will still be available, and bought by the most vulnerable (shoppers at PC world).

      The more tech savvy would have rendered themselves immediately immune by turning off WPS as a matter of course.

      1. Anonymous Coward

        Re: Mfg don't seem to get it. The search for vulnerabilities *will* take place.

        Unfortunately it'll only get round tech circles.

        It does provide a wonderful set of opportunities where a minimum of technical skill, a penchant for shady activities and a bit of legal nous all come together.

        Oh noes officer, my router has been backdoored. Literally anyone could have downloaded all this kiddy porn, unlicensed media, bomb making instructions, list of stolen credit card numbers or whatever else it was you were going to prosecute me for.

  8. GBE

    What's GoAhead got to do with it?

    > Source code for the GoAhead web server used in Tenda products has been made available on GitHub.

    I'm not claiming that statement isn't true (a lot of embedded products use GoAhead web server code). What I don't see is what it has to do with the rest of the story. Was the backdoor inserted in the GoAhead code? Was that back door present in the source code on GitHub?

  9. sorrygonesurfing

    Resistance is futile

    Is everyone really this naive? It's a software vulnerability, better known as a cock up. Are you so conditioned by the media? MS used to have more holes than Swiss cheese... Was that a conspiracy? NO! Not until the US are eventually caught red handed anyway. Try to stop watching the news and reading newspapers then you can form your own opinions and begin to leave the collective. GEEZ!

    1. Anonymous Coward

      Re: Resistance is futile

      "Try to stop watching the news and reading newspapers then you can form your own opinions and begin to leave the collective. GEEZ!"

      Get your info from the web instead, which is so full of shite that it should be called the sewer instead.

    2. Anonymous Coward

      Re: Resistance is futile

      While it's admirable that you seek out news from sources outside the mainstream, you may also find it valuable to include sources that include different points of view (the internet makes it far too easy to ignore opposition viewpoints since it's trivial to find a community that mirrors your own opinions).

  10. asdf
    Mushroom

    Stock firmware is for grandma

    Yet more reason to ditch the stock firmware at least for home routers (and if a router doesn't have open source alternative firmware support don't buy it). OpenWrt, Gargoyle, Tomato, DD-WRT are all better 95% of the time anyway. The only exception is due to some closed source drivers in some cases the stock firmware may have longer wireless range and better wireless throughput but then again the internet is usually your bottleneck.

    1. asdf

      Re: Stock firmware is for grandma

      Open source is not immune to backdoors of course but a lot more people look at the OpenWrt source code than any proprietary firmware code base. In addition if a back door is found it will be fixed in hours not weeks.
