
Backdoor found in Linksys, Netgear Routers - nilsjuenemann
https://github.com/elvanderb/TCP-32764
======
maxk42
About a year ago I left a cable modem and internet service (Time Warner) at an
apartment I was moving out of while my friend continued to stay there. I had
configured the thing in a manner I thought to be fairly secure -- strong
password, no broadcast, etc. One day the internet goes down and my friend
doesn't know what to do. She calls the ISP and asks them what's wrong. They
say they can't release any information about the service to her without my
permission, so I suddenly get a three-way call explaining that my friend and
the ISP representative are on the line and I need to give my authorization to
access the account information. Being the person I am, I attempt to
troubleshoot things over the phone before giving out any sort of account
credentials. Eventually, I ask her to log into the router configuration page.
She doesn't know the password and the first one I gave her doesn't work. The
representative chimes in "That's fine -- I can just change it from here."

"...What?"

I was furious. Time Warner had left a backdoor in all their modems that gives
them administrative access to my private connection. And yes -- she did alter
the password remotely. She didn't seem to think there was anything wrong with
this. I tried googling for relevant information, but wasn't able to find
anything more than speculation at the time.

~~~
superuser2
>Time Warner had left a backdoor in all their modems that gives them
administrative access to my private connection

Yes, _their_ modems. On the connection that they provide for you.

A cable modem is considered CPE (customer premise equipment), meaning it is
part of the infrastructure a telco uses to provide you with connectivity.
Usually they own it, but in any case they have full control over it, as they
should - it's part of their network. They may choose to delegate some
configuration via a web GUI, but that's at their discretion -it's theirs to
administer.

Business telecom has a formalized notion of a demarc (demarcation point), the
place where the telco network ends and yours begins. AT&T owns and is
responsible for the fiber/T1/POTS lines as they come through the wall, as well
as the CPE (often a large rackmount Cisco router) to which it connects. Their
contract is to provide connectivity on specific ethernet ports/fibre
GBICs/whatever of that CPE. Whatever happens downstream of those ports is your
problem, and whatever happens upstream is their problem.

Both sides will treat this connection as hostile - you'll have your own NATing
router up and the telco's router, if it even has a configuration interface
listening on your NIC, won't let you in. It would be inappropriate for AT&T to
have any sort of access to the router you own and inappropriate for you to
attempt any sort of access to AT&T's CPE.

Time Warner has been shifting recently towards placing WiFi on their side of
the (logical) demarc. Which makes sense, since most people would rather not be
responsible for administering _any_ infrastructure - they just want Time
Warner to deliver them WiFi. It sounds like you have this kind of setup, in
which case Time Warner's access is not "backdoor" but "building owner" -
you're renting a room.

If you'd prefer, you can (have them) turn off their WiFi, go buy a nice
wireless router, and connect it to the modem. In this case Time Warner is
providing you with a connection on an ethernet port; the device you've plugged
in is your own (your side of the demarc) and they have no right to touch its
configuration, nor are they responsible for it working correctly.

EDIT: The obvious analogy that would have simplified much of this is that a
cable modem is like an electrical meter.

~~~
keithnoizu
Yeah, this is why I just shell out for my own DOCSIS 3 cable modem whenever
possible.

~~~
superuser2
Even when you "bring your own modem" ISPs tend to demand exclusive control
while it's in service. It really is intended to be part of the ISP's network
rather than yours, so while (unlike a rental unit) you could walk away with it
and take it to another provider, sell it, run your own copper infrastructure,
etc. you usually still can't modify the settings of an existing connection.

One of my cable installers told me that rate limiting is done in the cable
modem, so people would run pirate firmware that eliminated the artificial
limits and run at the natural limit of the connection. People had fun with
this for a while until the network engineers figured it out, and now people
exceeding the speed limit get their connections shut down pretty quickly. But
anyway, it makes sense that the cable modem really isn't the customer's to
control.

I own and control my own wireless router because I want to play with things
like DD-WRT, use OpenDNS, etc., but I see the cable modem as no different from
the utility box down the street.

~~~
ryanhuff
Time Warner wants nothing to do with my (own purchased) cable modem beyond
allowing me to use it. The vendor will only provide firmware patches to cable
operators, and Time Warner won't touch my modem to help get the firmware
upgraded.

~~~
midas007
I've always had naked DSL because of not wanting to pay for cable TV or
another line. For DSL and similar services, BYOE tends to be hands-off.

With cable modems, does/can the provider push firmware?

~~~
alexwright
All the cable modems I've used (UK) have always downloaded an image over
TFTP on boot. As I understand it they can come up with a very minimal loader
and reach out for their config to the local "node" for configuration, and this
can include new firmware. On the support line they're adamant that you reboot
the things before proceeding past the IVR. Which makes sense.

The last I heard about it the different levels of service (bronze/silver/gold
they were at the time, 5/10/20Mbit/s) are just based on the MAC the modem
sends on this initial config/handshake. When I moved from 20 to 50 I was told
to reboot the modem and it came up with an all new shiny more craptastic than
ever web interface as well as setting its WAN port to 50Mbit/s

------
earlz
Interesting. Reminds me of the hack I did on a (mandatory) modem/router forced
on AT&T users. They had a bunch of problems with it, so one day I got fed up
after the millionth disconnect and cracked it open. Got a serial root shell by
using the "magic !" command (completely randomly discovered) and dumped the
source to the web UI (in Lua/haserl). From there found the equivalent of a SQL
injection vulnerability and used it to gain a remote root exploit.

Most annoyingly, AT&T put out a firmware update some months later that closed
the exploit, but didn't fix any other problems. So, I found another more
intrusive/permanent exploit. Still waiting on them to patch it next heh. But
now they are actually putting out some updates that actually fix problems too
at least. Hopefully user uproar will continue to drive them to fix more
problems

~~~
Istof
AT&T have not forced me to use a specific modem with their DSL service.

~~~
earlz
This is with their u-verse service. Basically it's like DSL but using some
different technologies and no easy way of bridging like PPPoE

------
X4
I hacked my Fritz!Box (yeah, a bad name for a german router) and I'm entirely
sure that it has a backdoor integrated too. That's why I wiped and flashed it
with an alternative image. That and the Telecom's Speedport router are the
most popular routers by far in Germany. And both have backdoors, I know that
other router manufacturers also integrate backdoors from a source who works at
such a company. A friend can also verify the fact, because a different
employee told him the same. Also it's public that the ISP can upgrade, modify,
flash and disable features remotely. My friend's router has wifi, but their
provider disabled it remotely within the firmware (it even has an antenna) and
his ISP wants him to pay 5€/m to re-enable wifi.

I really wonder why nobody complained about that earlier. Also the interesting
thing here is that for a very long time, you weren't allowed to use a
different router than the one provided by your ISP. Which enforced their
surveillance monopoly.

Here's an article about reverse engineering the backdoor in D-Link routers
using IDA:

[http://www.devttys0.com/2013/10/reverse-engineering-a-d-
link...](http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-
backdoor/)

PoC Available: [http://pastebin.com/vbiG42VD](http://pastebin.com/vbiG42VD)

~~~
blablablaat
This is probably _NOT_ a backdoor.

Most likely your ISP is using a technique like TR-069. This enables them to
push settings for voip/TV, and in your friends case wifi. A lot of DSL
providers are starting to use this for less intrusive (?) goals like measuring
noise and attenuation at the clients end once a day, so they can adjust the
speed accordingly.

AVM is a very nice company and you should not accuse them without proof. They
actually provide an option to disable TR-069 in the page "Provider Services"
("Allow automatic configuration by the service provider" and "Allow automatic
updates"). If you don't have this option you could try installing the original
firmware from avm.de. Maybe you are still able to flash the modem with the
original firmware, and configure it yourself?

~~~
bjornsing
> _AVM is a very nice company and you should not accuse them without proof._

You shouldn't accuse anybody without proof. But since this is _Hacker_ News
I'll disagree with the first part of that sentence. AVM is probably the least
hacker-friendly company I've ever come across. For example, they're so hell-
bent on violating the GPL that they've taken it to court (and lost) [1].

1\. [http://fsfe.org/activities/ftf/avm-gpl-
violation.en.html](http://fsfe.org/activities/ftf/avm-gpl-violation.en.html)

------
nlvd
"And the Chinese have probably known about this back door since 2008."
[http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=htt...](http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fhi.baidu.com%2Fcygnusnow%2Fitem%2F3fd853ade9f08f9e151073a1)

That's a pretty scary prospect. If its been 'known' and exploited since at
least 2008. Poor form Netgear/Linksys.

~~~
wahsd
Probably not Netgear or Linksys' choice. The Treasonous Act, aka, the Patriot
Act has a black version that forces such companies to do as they're told and
shut up about it.

~~~
Estragon
If you have any citations for that, they'd be interesting reading.

------
midas007
This is not surprising. It's a calculated risk to make a product just good
enough. Development resources invested in retail wireless gear is minimal.
I've worked on firmware for high-confidence industrial wireless gear used in
mines. Most of them fall over under load, run obsolete+unpatched code and/or
reboot randomly. Retail customers will tend to just put up with it and not
return the product before the merchant's return grace period.

It's a totally different attitude when the intended market is enterprise: it's
assumed that if a product causes a failure, the vendor is going to receive
escalating, unpleasant phone calls until it's resolved.

~~~
DanBC
Mining is a dangerous industry with its own specialist regulators and
standards bodies.

Equipment failure that can kill people should be taken more seriously than
equipment failure that leads to less serious consequences.

The thought of wireless gear in mines is pretty scary! I used to build / test
equipment for a sub-contractor of Joy Mining and communication between the
devices was carried by inch thick cables with nickel-plated machined steel
connector shells. Pit props at the cutting face can be active devices that
walk forward as the face is cut, and they coordinate that forward movement.
Designing user interfaces is tricky, and designing a UI that should prevent
death or huge financial costs if misused is probably hard.

~~~
midas007
There is. Mostly 460 and 900 MHz packet modems that only speak UDP. It's for
telemetry data and data between trucks. As of 2000, there were working
prototypes of both an anti-collision system and fully autonomous driving /
grading.

------
salient
Can this be fixed by changing the firmware to OpenWRT or DD-WRT?

~~~
joenathan
Yes, this isn't a hardware backdoor, it's all in the software.

~~~
RyanZAG
This backdoor is a software backdoor - there may be hardware backdoors too.
Hardware backdoors are much, much harder to find as there is no real way to
track one down without trying to reverse the actual hardware itself, and that
is close to impossible. So while we can confirm there is a software backdoor
in this router, we can't confirm if any other router does or doesn't have a
hardware one.

------
redx00
Has anyone ever tried submitting a GPL request to
[http://support.linksys.com/en-
us/gplcodecenter](http://support.linksys.com/en-us/gplcodecenter)

I wonder if there is anyone still working in the GPL compliance department.

~~~
ce4
They don't have to provide the sources forever... Seemingly the model in
question (WAG200G) is originally from 2007.

Excerpt from the GPL [1] (paragraph 6b):

"You may [...] Convey the object code in, or embodied in, a physical product
[...], accompanied by a written offer, valid for at least three years and
valid for as long as you offer spare parts or customer support for that
product model, to give anyone who possesses the object code either (1) a copy
of the Corresponding Source for all the software in the product that is
covered by this License [...]."

[1]:
[http://www.gnu.org/licenses/gpl.html](http://www.gnu.org/licenses/gpl.html)

------
elwell
TIL: Some people know a lot more than me about hacking. That PDF was
interesting, but I only understood a small fraction of it.

~~~
voltagex_
Can you tell me which parts you couldn't get? I want to test my understanding
- I'll see if I can explain it to you.

~~~
kybernetyk
My main problems were with the memes.

Seriously, nothing against a little humor in your slides. But making every
second slide a meme reference gets annoying pretty fast :)

~~~
oakwhiz
Agreed, the slides were unreadable. A simple text document would have
sufficed...

~~~
fuckpig
Not only that, but it's the original "open" format.

------
dbbolton
Has there been a technical write-up on this yet? I honestly tried to read the
presentation and had to quit after the third superfluous meme slide.

~~~
n00bhere
TLDR of the presentation: found a service that returns all the configurations
on the router (including admin username, admin password, wifi password, etc.).
Also, found a bunch of buffer overflows.

------
comic404
More information:
[https://github.com/elvanderb/TCP-32764/blob/master/backdoor_...](https://github.com/elvanderb/TCP-32764/blob/master/backdoor_description.pptx)

"Mr. Guessing 2010" doesn't know shit about backdoor (superuser.com).

~~~
sprobertson
Raw link to PDF version:
[https://github.com/elvanderb/TCP-32764/raw/master/backdoor_d...](https://github.com/elvanderb/TCP-32764/raw/master/backdoor_description_for_those_who_don-
t_like_pptx.pdf)

------
nwh
I have confirmed this (or something similar) is present in the Netgear DG834N
as well.

~~~
cs02rm0
Netgear DGND3300 too.

------
m86
ScMM = SerComm, perhaps?

Many of Linksys' old DSL modems were manufactured by them, AFAIK.. and it
seems many of the noted 'probably affected' models have a SerComm manuf'ed
device for at least one revision of that model line

More probable SerComm manuf'ed devices are visible at the WD query link
below..

[http://wikidevi.com/w/index.php?title=Special%3AAsk&q=[[Manu...](http://wikidevi.com/w/index.php?title=Special%3AAsk&q=\[\[Manuf%3A%3ASerComm\]\]+\[\[Global+type%3A%3A~embedded*\]\]&po=%3FFCC+ID%0D%0A%3FFCC+approval+date%3DFCC+date%0D%0A%3FEstimated+date+of+release%3DEst.+release+date%0D%0A%3FEmbedded+system+type%0D%0A%3FCPU1+brand%0D%0A%3FCPU1+model%3DCPU1+mdl.%0D%0A&eq=yes&p\[format\]=broadtable&sort_num=&order_num=ASC&p\[limit\]=500&p\[offset\]=&p\[link\]=all&p\[sort\]=&p\[headers\]=show&p\[mainlabel\]=&p\[intro\]=&p\[outro\]=&p\[searchlabel\]=%E2%80%A6+further+results&p\[default\]=&p\[class\]=sortable+wikitable+smwtable&eq=yes)

~~~
SKULI
No nothing about code ... I like research and the constitutional issues
interest me. ScMM is also the NASDAQ symbol for Identive Group - working in
secure ID for government and other institutions.

------
dobbsbob
Buy a $200 soekris box and install openbsd or m0n0wall on it, or on any old pc
you have lying around with 2 network cards.

~~~
yuvadam
Or, you know, any $30 OpenWRT-supported router.

~~~
gry
Tell me, either way a Soekris box or an OpenWRT compatible router, how this
brings a solution to the masses.

~~~
wtallis
There is no purely technological solution for the masses. Actually solving the
problem requires either a political revolution to make shipping backdoors like
this criminal rather than a favor to the government, or educating users enough
that they can protect themselves with the existing technological methods that
are easy to deploy given basic computer literacy. It's not really clear which
one is less impossible.

~~~
VMG
this kind of stuff is far beyond basic computer literacy

~~~
wtallis
No, it's not. Installing Tomato or DD-WRT is only very slightly more complicated
than configuring your router with non-default passwords, and you really
shouldn't be considered at all computer literate if you don't know how to take
even the first step to secure your network.

------
atmosx
I live in Czech Republic and my Zyxel from O2 has port 7547 open (Allegro
RomPager 4.07) and you can't do anything about it. There is no editor on the
installed linux version (cropped down linux, probably openWRT or something
similar), no package manager no nothing.

If I flash the firmware warranty is void and I have no user/pass to re-enable
the ADSL. So basically, my router is a _hostile_ AP.

Given the fact that, it's a common pattern among ISPs in order to offer quick
service - I firmly believe that ISPs do it for practical reasons - and end up
killing your security, the best thing is to put the router in bridged mode and
get a cheap custom-made router like carambola2[1] and install FreeBSD[2] on
it.

Disclosure: I donated one of these devices to Adrian Chadd[3] in order for him
to port FreeBSD on this device, which enabled me to use PF[4] - my favorite
firewall - but I have no affiliation otherwise with 8devices or FreeBSD.

[1] [http://8devices.com/carambola-2](http://8devices.com/carambola-2)

[2]
[https://wiki.freebsd.org/FreeBSD/mips/Carambola2](https://wiki.freebsd.org/FreeBSD/mips/Carambola2)

[3]
[https://wiki.freebsd.org/AdrianChadd](https://wiki.freebsd.org/AdrianChadd)

[4] [http://pf4freebsd.love2party.net](http://pf4freebsd.love2party.net)

------
chenster
Why backdoor?? That's what I want to know.

~~~
voltagex_
Why what?

It's a backdoor in the sense that it allows you to change settings on the
modem with no credentials.

It's plausible that on a badly configured network this port could be exposed
to the Internet. Anyone want to check Shodan?

~~~
AnthonyMouse
> It's plausible that on a badly configured network this port could be exposed
> to the Internet.

It's also plausible that an attacker could find one of these in the local
coffee house or any other place that offers public wifi and get at it from the
internal side that way, or war driving for access points using weak passwords
or WEP, or small office corporate networks with mischievous employees, or an
attacker compromising a single PC on the LAN and then using this to change the
DNS handed out by the router's DHCP and compromising the others, ...

------
DROP_TABLE
Am I the only one who gets really annoyed by the memes in the exploit
description?

~~~
krazydad
No, it's annoying as fuck.

------
jacob019
is this backdoor only served up on the wlan or is it also exposed to the
internet?

~~~
tagliala
fortunately, on my wag160n it doesn't seem exposed to the internet

~~~
Cakez0r
That's not to say somebody can't embed something on a web page (E.G. flash)
that connects to 192.168.1.1 and enables configuration from WAN :)

~~~
nadaviv
Flash won't let you open connections to other hosts (unless there's a
crossdomain.xml file that allows it).

With html/javascript you can send http requests to other hosts, but you can't
read the response. It seems like the backdoor isn't accessed over http, so
that wouldn't help you either.

------
billpg
I've used GRC's "Shields Up" and asked for a user-specified probe for port
32764 and it came back "Stealth".

Assuming GRC isn't out to deceive me, can I assume that my router is fine?

Bill, using a Netgear router.

~~~
brasky
It seems it is only open to the local network.

------
eggshell
If you want more fun with the saved nvram config files, check out
[http://www.nirsoft.net/utils/router_password_recovery.html](http://www.nirsoft.net/utils/router_password_recovery.html)

He's figured out many of their "encryption" methods. I've independently
"cracked" most of the major ones as well, (including checksums/headers
required to write back to the router).

They're all pretty broken. PRNG key streams, simple bit swaps, XOR, encryption
against a static key, etc.
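To show why "XOR against a static key" gives no protection at all, here is an added example (not code from the thread or from NirSoft's tool) with a constructed backup format: a cleartext `CFG1` header and length, then a body XORed with a repeating 8-byte key. The key, the header layout and the sample config are all made up for illustration. The attacker needs nothing but one known plaintext fragment, here the default `admin_name=admin` line every backup starts with, to recover the key and decrypt the whole file.

```python
"""
Added example, not from the thread or NirSoft's router_password_recovery.
Toy format (constructed): b"CFG1" + 4-byte LE body length + XOR(body, KEY).
"""
import itertools

TOY_KEY = b"\x5a\x3c\x91\x07\xe4\x2b\x6d\xf0"   # constructed "static vendor key"
KNOWN_PREFIX = b"admin_name=admin\n"           # attacker's known plaintext


def xor_repeat(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; encrypt and decrypt are the same operation."""
    return bytes(b ^ k for b, k in itertools.cycle(key).__class__ and zip(data, itertools.cycle(key)))


def make_backup(config_text: str, key: bytes = TOY_KEY) -> bytes:
    """What the (constructed) router would write to a backup file."""
    body = config_text.encode()
    return b"CFG1" + len(body).to_bytes(4, "little") + xor_repeat(body, key)


def recover_keystream(blob: bytes, known: bytes, offset: int = 8) -> bytes:
    """k[i] = c[i] ^ p[i] wherever the plaintext is known."""
    cipher = blob[offset:offset + len(known)]
    return bytes(c ^ p for c, p in zip(cipher, known))


def key_period(stream: bytes, max_len: int = 32) -> int:
    """Shortest period of the recovered keystream fragment = key length."""
    for n in range(1, max_len + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return n
    return len(stream)


def decrypt_backup(blob: bytes, known: bytes = KNOWN_PREFIX) -> str:
    """Full recovery from one known line: keystream -> key -> plaintext."""
    if blob[:4] != b"CFG1":
        raise ValueError("not a CFG1 backup")
    stream = recover_keystream(blob, known)
    key = stream[:key_period(stream)]
    length = int.from_bytes(blob[4:8], "little")
    return xor_repeat(blob[8:8 + length], key).decode()


SAMPLE_CONFIG = (
    "admin_name=admin\n"
    "admin_password=hunter2\n"
    "wl_ssid=HomeNet\n"
    "wl_wpa_psk=correct horse battery staple\n"
)
```

The known fragment only has to be at least as long as the key; anything longer just confirms the period. Swapping the XOR for a bit-swap or an LCG keystream changes nothing, since every such scheme leaks the keystream the moment one plaintext byte is known.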

Fun stuff.

------
thrillgore
Thankfully I have an older WNDR3700 and I remain unaffected.

However seeing mention of (and an implementation of) Dual_ECC_DRBG in the
slides immediately gives me a lot of pause regarding the security of my
router. I love memes more than the next guy but this guy really went out of
his way to make this confusing to understand.

~~~
oshepherd
Hah! A Dual_EC_DRBG implementation would be an infinite improvement over the
highlighted random number generator (which just calls libc functions srand(3)
and rand(3)).
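An added example (not from the thread or the slides) of why a clock-seeded srand(3)/rand(3) is not a key generator. It calls the real libc through ctypes, so the values are exactly what a C firmware doing `srand(time(NULL)); key[i] = rand() & 0xff;` would get. The 16-byte key size, the time-based seed and the one-hour search window are assumptions chosen for illustration; the point is that the whole keyspace is a few thousand candidates once the attacker knows roughly when the key was made.

```python
"""
Added example, not from the thread or the TCP-32764 slides.
Reproduces a clock-seeded rand(3) "key" by brute-forcing the seed.
Loads libc via ctypes (Linux/macOS).
"""
import ctypes
import ctypes.util
import time


def _load_libc():
    for name in (ctypes.util.find_library("c"), "libc.so.6", None):
        try:
            return ctypes.CDLL(name)
        except OSError:
            continue
    raise RuntimeError("no libc found")


_libc = _load_libc()
_libc.srand.argtypes = [ctypes.c_uint]
_libc.rand.restype = ctypes.c_int


def naive_key(seed: int, nbytes: int = 16) -> bytes:
    """The firmware's generator: srand(seed) then nbytes of rand() & 0xff."""
    _libc.srand(seed & 0xFFFFFFFF)
    return bytes(_libc.rand() & 0xFF for _ in range(nbytes))


def recover_seed(key: bytes, approx_time: int, window: int = 3600):
    """Attacker knows the key was made within +/- window seconds of
    approx_time: at most 2*window+1 seeds to try, not 2**128 keys."""
    for seed in range(approx_time - window, approx_time + window + 1):
        if naive_key(seed, len(key)) == key:
            return seed
    return None


def demo():
    """Generate a key 'now', then recover it with a guess 15 minutes off.
    Returns (true_seed, key, recovered_seed)."""
    made_at = int(time.time())
    key = naive_key(made_at)
    return made_at, key, recover_seed(key, made_at + 900)


if __name__ == "__main__":
    seed, key, found = demo()
    print(f"seed={seed} key={key.hex()} recovered={found}")
```

Seeding from a 32-bit clock bounds the entropy at 32 bits even for an attacker with no timing information, and the first rand() outputs after srand() are a deterministic function of that seed on every libc, which is why the slides' generator would be weaker than even a known-suspect DRBG.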

------
userbinator
I have a WGR614v6: it shows no response from port 32764 both from internet and
local.

At first I thought it was this, which has been known for a long time now:
[http://wiki.openwrt.org/toh/netgear/telnet.console](http://wiki.openwrt.org/toh/netgear/telnet.console)

------
spditner
Netgear routers come with a well published back door
([http://wiki.openwrt.org/toh/netgear/telnet.console](http://wiki.openwrt.org/toh/netgear/telnet.console))
that gives you telnet access from the LAN.

------
toxik
While interesting, I wouldn't say this is news. It has been known for quite a
while.

------
jason_slack
Does anyone have a recommendation for nice, configurable, reliable wireless
router now a days? My Linksys E2000 is on the fritz and didn't last near as
long as my old WRT54G.

~~~
maxmem
I bought a buffalo router pre-loaded with dd-wrt on it that I like and gives
you most of the options that the stock dd-wrt build does. Otherwise I just buy
anything that is dd-wrt compatible and flash it.

------
undoware
Don't worry, no one will ever find out.

------
sly010
Isn't this necessary to roll out IPV6 anyway?

------
rikacomet
From the sounds of it, these are purposely made backdoors? or something
ignored ?

My expression:
[http://i.imgur.com/pYJMKC6.jpg](http://i.imgur.com/pYJMKC6.jpg)

~~~
wahsd
NSA/Government/Military mindset.... secrecy by obscurity. It's now "We'll just
hide our backdoor, really, super well. No one will ever find it. And we'll
use our deep black VPN no one knows about....and hope no one notices."

------
ballard
Great discovery. Surprised no tinfoil had been mentioned about being a
possible NSA "diode."

------
hengheng
More information here:

[http://superuser.com/questions/166627/netgear-router-
listeni...](http://superuser.com/questions/166627/netgear-router-listening-on-
port-32764)

~~~
kalmi10
That's not more information. That answer is just making false assumptions (as
also pointed out by the OP).

