
Router Firmware Backdoor - vangogh
http://blog.ensolnepal.com/router_backdoor/
======
cnvogel
> Every user need to know their devices and vendor before purchasing.

This completely ignores the reality of how the majority of people buy and use
their computers. Sure, personally I (as: the HN user typing this comment) can
portscan my router, solder in the serial port to get the system console... but
that's not something that can reasonably be required from any average Joe.

Things on that level of negligence should be dealt with just like bare cables
touchable from the outside: Have some entity go into stores, buy the box,
check it for the worst vulnerabilities, declare it unsuitable for sale and
place a ban on the vendor.

We do this for children's toys, electrical appliances, ... why not do it for
IT equipment? Just to weed out the worst offenders in terms of security holes.

~~~
userbinator
Be careful what you wish for... giving more control to the authorities is
something that may have quite oppressive long-term effects.

You might solve this problem in the short term, but end up with only being
able to buy approved devices containing more obscure, government-sponsored
backdoors instead.

~~~
belorn
Like all those Lemon laws. Used car dealers' reputation might someday not be
synonymous with fraudsters that try to peddle broken machines to gullible
people.

I must say you are taking quite a leap from "do not sell devices which are
intended to harm consumers" to "sell only approved devices which have
government-sponsored backdoors in them". Should consumers be scared that the
government tries to do the same with food safety?

~~~
Frondo
I have often, especially in the comment sections for regional newspapers, seen
the claim that yes, the government should step away from food safety.

The food producer's freedom from inspection trumps the citizenry's ability to
eat with minimal risk of food poisoning, so goes the thinking.

------
whoopdedo
Looks to me that these are all discount vendors. I didn't even know Realtek
made their own consumer devices.

That they were all using the same or a variation of the same firmware shows
that the problem isn't maliciousness but carelessness. Someone writes a
reference implementation that happens to have a hard-coded username as a
debugging option. It may even have come with a note warning you that this
needed to be changed before being put in the final product. But in the rush to
get a product to market as fast and as cheaply as possible, they forego any
modification to the firmware beyond branding and push it out, bugs, backdoors,
and all.

I think it's a stretch to say these are "major" vendors. I've only seen
TrendNet in the wild and usually because someone is complaining about their
internet not working well and I say, "Yeah, that's not a good router. You
should buy another one." You get what you pay for.

Of course if a truly malicious actor wanted to place a backdoor into a router
on purpose, I expect it'd be someplace other than the flash firmware that can
be easily overwritten.

~~~
rasz_pl
>Realtek made their own consumer devices

They don't.

ALL of those devices are based on the same RTL8196C Realtek SoC. This is one
stupid/corrupted/incompetent Realtek employee/contractor putting a backdoor in
SDK reference codebase (access under NDA, Realtek is famous for being hostile
towards opensource just like Broadcom), and no one else bothering to even read
sources before shipping devices.

~~~
userbinator
_Realtek is famous for being hostile towards opensource just like Broadcom_

On the other hand, you can easily find datasheets for many of their SoCs.
Whether or not this is due to their lax security policies is a question to
consider too...

Realtek might not be agreeable to opensource, but I'd say they are still a far
distance away from Broadcom. They are more of a "Gongkai"[1] sort of company.

[1]
[http://www.bunniestudios.com/blog/?p=4297](http://www.bunniestudios.com/blog/?p=4297)

~~~
TeMPOraL
Doesn't gongkai imply that someone simply "stole" their datasheets and
circulated them? I.e. they are available, but not because the company itself
wanted it that way.

------
SixSigma
> And the last option is to use Open Source firmware if your device
> supports it (e.g. OpenWrt)

The first shall be last and the last shall be first.

------
Animats
Why aren't these vendors being prosecuted under the "exceeds authorized
access" provisions of the Computer Fraud and Abuse Act? There's no EULA to
protect the vendor.

~~~
jauer
AFAIK that would require the vendor to actually access/use these "backdoors"
(though they look like debug access mistakenly left enabled).

I don't see any proof of access in TFA. Seems like this would be negligence at
most.

Edit: Intentional backdoors left by vendors (that I've seen) set the password
to be derived from the serial number or mac address.

~~~
pbhjpbhj
FWIW the UK equivalent, the Computer Misuse Act 1990, has been amended
(by the Police and Justice Act 2006, [1]) to include a Section 3A that in part
says:

>"(2) A person is guilty of an offence if he supplies or offers to supply any
article believing that it is likely to be used to commit, or to assist in the
commission of, an offence under section 1 or 3." (UK Police Act 2006)

Sections 1 and 3 [2] refer to unauthorised access and the same but with intent
to cause damage ("impair").

Arguably the inclusion of a backdoor without authorisation of a customer
impairs the device and so it would already breach Section 3, but the new
amendments mean that just making it where there's likelihood that it will be
used nefariously is a crime. A backdoor is intended for unauthorised access
and is certainly likely to be used that way IMO.

This amendment is a step too far IMO but it appears to apply here to router
manufacturers (and anyone else including backdoors in consumer goods without
notifying the user).

tl;dr actual commission of an _actus reus_ isn't required in the UK; just
supplying to someone who has a "likelihood" of committing an act is enough.

---

[1]
[http://www.legislation.gov.uk/ukpga/2006/48/section/37](http://www.legislation.gov.uk/ukpga/2006/48/section/37)

[2]
[http://www.legislation.gov.uk/ukpga/1990/18/section/1](http://www.legislation.gov.uk/ukpga/1990/18/section/1)

------
pskittle
It's off topic, but what's the best way to know whether your router has a
backdoor if you're not very tech advanced?

~~~
harshreality
You can't know for sure, but the best way to avoid vendor software backdoors
is to get hardware that supports OpenWRT and run that.

~~~
bluedino
Unless you're sure the NSA hasn't installed a backdoor in the firmware like
with hard drives...

~~~
wtallis
Wireless routers typically have just one NOR flash chip as the only
nonvolatile storage device, and any firmware needed by the WiFi devices is
uploaded when the devices are initialized by the OS. There just aren't many
places to hide something like a rootkit, and that's part of why these
backdoors are so easy to find by inspection.

------
newman314
I wonder how many of these attacks have been/can be run against ddwrt.

There's a lot written about attacks against default firmware but not much on
ddwrt, openwrt or tomato.

------
baby
If I understand correctly those credentials are only usable if you get access
to the router, by cracking a WEP key for example.

And please correct me if I'm wrong. But if this is correct, I don't really see
this as a vulnerability for most people, since most people don't even change
the default logins on their routers.

For some other people it might be a problem, yup, but the attacker would have to
enter the network first.

~~~
blobbers
A lot of these routers might have their web console visible on the WAN side.

Other clever attacks are simple: most of the routers use default subnets of
192.168.0.0/24 with a gw at 192.168.0.1.

A malicious site can make a post to 192.168.0.1 with user name/pw super super
and say reconfigure your local dns settings so that they can man in the middle
something like traffic that would normally go to an ad network. They can then
serve up their own ads and make profit$.
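Detection logic for the LAN-side CSRF and WAN-exposure scenarios described in the thread, as an added example that is not part of the original discussion: it scans constructed router access-log lines (the log format, paths and addresses are assumptions; only the hard-coded "super" account comes from the thread) and flags logins from non-RFC 1918 sources, use of the hard-coded account, and state-changing POSTs whose Referer is not the router itself.

```python
import ipaddress
import re
from collections import namedtuple
from urllib.parse import urlsplit

# Constructed sample lines in a simple httpd-style format (not a real router's log):
# <source ip> <user> "<method> <path>" <status> "<referer>"
SAMPLE_LOG = """\
192.168.0.23 admin "GET /index.htm" 200 "http://192.168.0.1/login.htm"
203.0.113.7 super "POST /goform/formDns" 200 "-"
192.168.0.42 super "POST /goform/formDns" 200 "http://evil.example/ads.html"
192.168.0.42 admin "POST /goform/formReboot" 200 "http://192.168.0.1/tools.htm"
"""

LINE_RE = re.compile(r'^(\S+) (\S+) "(\S+) (\S+)" (\d{3}) "([^"]*)"$')
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ROUTER_HOSTS = {"192.168.0.1"}   # the router's own management address (assumed default)
HARDCODED_USERS = {"super"}      # the hard-coded account discussed in the thread

Finding = namedtuple("Finding", "src user path reasons")

def on_lan(ip):
    """True if the address is in an RFC 1918 range, i.e. it came from the LAN side."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)

def analyse(log_text):
    """Return one Finding per suspicious management request, with the reasons it was flagged."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, user, method, path, _status, referer = m.groups()
        reasons = []
        if not on_lan(src):
            reasons.append("management request from a non-LAN (WAN-side) address")
        if user in HARDCODED_USERS:
            reasons.append("login with hard-coded account %r" % user)
        if method == "POST" and referer != "-":
            # A state-changing request whose Referer is some other site is the CSRF pattern.
            if urlsplit(referer).hostname not in ROUTER_HOSTS:
                reasons.append("state-changing request with a foreign Referer (CSRF indicator)")
        if reasons:
            findings.append(Finding(src, user, path, reasons))
    return findings

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.src, f.user, f.path, "; ".join(f.reasons))
```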

------
userbinator
I have a feeling this could potentially be any router based on the Realtek
RTL8181/8186 and using some default firmware.

Fortunately, open-source firmware is available:

[http://sourceforge.net/projects/rtl8186/](http://sourceforge.net/projects/rtl8186/)

~~~
gemexe
Interesting. I would think that the authors of the open-source firmware have
come across the backdoor at some point, assuming they did go through the
reference firmware.

------
gemexe
I wonder how many of the affected routers have their remote management
interfaces turned on by default - if they are off (as they should be) then it
probably isn't that big a deal... I mean, loads of routers have admin:admin
set and left unchanged.

~~~
duskwuff
That doesn't actually mitigate the problem much, if at all. Many of these
devices are likely to be vulnerable to CSRF; a malicious web page may be able
to trigger requests which log into a local router and perform management
tasks.

~~~
d4n3
I think modern browsers prevent cross-requests to local subnets, so this may
mitigate CSRF.

------
kkmickos
In my experience this is not restricted to manufacturers. Routers supplied by
ISPs and carriers often have custom firmwares which have backdoors as well, of
course labelled as a "Maintenance & Remote Service" feature. After figuring
out the password on mine, I had no issue going into my neighbour's router with
full access...

------
wpietri
That this research was presented at "Hotel Yak and Yeti, Kathmandu Nepal"
really takes this over the top for me.

~~~
benten10
Ahhh, you mean you prefer other 5-Star hotels in Kathmandu such as Soaltee
Crowne Plaza, Hyatt Regency, or Everest? ; )

Jokes aside, great to hear good work coming out of Kathmandu! We're behind the
Southern part of the subcontinent, but there's definitely a nice niche to be
carved in less glamorous side of the industry, such as security research and
boring animation work. Pollution and craziness aside, if Kathmandu managed to
leverage its moderate weather and infrastructure, I feel even things like
16-hour daily power cuts could be worked around.

On a somewhat related note: if someone in Kathmandu is interested in doing
some relatively boring camera/filming work, I would love to talk. I have some
funds that I would like to invest in the field.

@wpietri: You're not related to Joseph Pietri[1], are you? I am a BIG fan.

[1] [http://www.amazon.com/The-King-Nepal-Life-Before/dp/0979988667](http://www.amazon.com/The-King-Nepal-Life-Before/dp/0979988667)

------
ausjke
Turning off the remote-web-management interface by default at the factory, at
least? This would mitigate the issue, but still nobody should ever pre-program a
fixed root password, or at least should ask the customer in BOLD FONTS to change
it right away, or better, force people to set up a password during installation.

------
blackm
A hot talk going on: [https://www.meneame.net/m/tecnolog%C3%ADa/200-mil-routers-infectados-backdoor-serie](https://www.meneame.net/m/tecnolog%C3%ADa/200-mil-routers-infectados-backdoor-serie)

------
nly
Just assume _everything_ you buy is backdoored by the manufacturer. Software,
firmware, hardware... doesn't matter. How much you let this reality affect
your life is up to you; just do what you can.

------
vangogh
[https://www.youtube.com/watch?v=QBPh8oVuNdg&feature=youtu.be](https://www.youtube.com/watch?v=QBPh8oVuNdg&feature=youtu.be)
A POC has been published.

~~~
blackm
Is this POC for the backdoor?

~~~
vangogh
Yes, it is.

------
decisiveness
It baffles me that any router manufacturer would have the nerve to hard-code
login credentials into their routers.

But to be clear, for this to be pulled off remotely, the router must first
either disable its firewall or a DNS rebind attack or some other vulnerability
must be possible. In the case of a rebind, a victim must also first visit an
attacker's server. What would be even more concerning is if any of the routers
hard coded with these login credentials are also vulnerable to a rebind or
something else by default. Many manufacturers patched the rebind vulnerability
back in 2010.

~~~
userbinator
_It baffles me that any router manufacturer would have the nerve to hard-code
login credentials into their routers._

I'm not advocating this practice at all, but consider that BIOS passwords
could be easily bypassed with a hardcoded "default password". The one I still
remember is "lkwpeter" and if you Google that one you'll find plenty more.
That practice slowly faded away but many laptops' BIOS passwords are still
overridable with a "manufacturer access" password that is derived from the
serial number/asset tag.

The history of backdoors in hardware is a long one, so I'm not surprised to
see them show up in routers. D-link had one a while back, and there have been
several more discovered since then.

As you say, perhaps what keeps them from being exploited more is that they are
not accessible from the Internet-facing side.

~~~
whoopdedo
It's often done to make support calls easier. You could spend a long time
trying to explain to a frustrated customer how to use telnet (Type a slash...
no, that's backslash. No don't type the word "slash"...) Or you could just say
"let me log onto the router and fix it for you."

~~~
decisiveness
Telnet wouldn't help if they forgot the password and it wasn't hard-coded as a
back door. Also, the support tech wouldn't be able to access it remotely
unless some of the things I mentioned in the original comment were true.

Wouldn't it be easier to just say, "hold down the reset button on the back for
30 seconds"?

------
jwcrux
> Only TREDNET (sp) has replied till now.

...And they said?

~~~
miahi
That all their routers in that list are discontinued and out of active
maintenance, probably.

------
neoo
Here someone already posted the POC too; I was surprised how he found it this
soon, too smart.
[https://www.youtube.com/watch?v=QBPh8oVuNdg&feature=youtu.be](https://www.youtube.com/watch?v=QBPh8oVuNdg&feature=youtu.be)

------
throwawayaway
They should list the ones that they tried that are safe too. I tried my Cisco
EPC 3925 and super/super does not work.

~~~
weaksauce
That list would be way too long really.

~~~
throwawayaway
Nah, they can't have tried a really long list.

------
pcunite
one word ... MikroTik

~~~
mt88fo8
Really dude, you will buy that for home use?

------
bhutabe
This is crazy... we are no more secure.

