At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)
Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)
I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
> the admin password to be 'admin'. They'd often even print it on the device itself.
Yes but aren't you supposed to change that one? The problem with the rzadmin is that it will continue to work even after you change the regular admin one...
It is probably just a brand, like many others, and based on a reference design from the OEM.
I have a small Tenda 5-port gigabit dumb switch. It uses the same switch chip as this TP-Link, just with different branding; even the "SG105" model number is the same:
The consistency with which networking hardware companies produce such garbage is crazy.
And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“
A quick search reveals several other serious vulnerabilities in Tenda routers that could grant administrator privileges. Therefore, I tend to believe this is due to the company's incompetence and lack of technical skill rather than malicious intent—but it's still a reason to avoid using Tenda products. There's a reason why Tenda's market share is far lower than TP-Link's.
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".
Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.
My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.
As long as I can bind more than one device in my room, and as long as I can "see" the devices amongst themselves, I'd love this. I can imagine people who want inter-room access but they can live through proxies offsite. If I want to do in room sharing, I need in room wifi.
Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...
I stayed at a clinic once, and all the smart TVs were on the same network.. I wonder what would've happened if I streamed a video from my phone to another room's TV.
There was a meme going round of a network diagram that layers a Chinese firewall behind a US firewall behind a Russian firewall so they can all block each other countries backdoors.
Not sure if you're joking, but both have already done so. And any US company is subject to secret orders forcing them to implement a backdoor if demanded.
Man, I remember doing this in the late 90s with ipchains as the only way to get a router that didn't cost an arm and a leg. Eventually consumer/prosumer routers came out.
Ryzen 5 with a dual 10Gbps NIC, running Debian. Overkill for a router/firewall, but I run other services on the same hardware including an email stack, Podman containers, and small AI model for use within Home Assistant.
I wouldn't buy new hardware. Any modest machine built in the last decade would do. If possible, get a machine with an internal ATX power supply rather than an external brick, they tend to be more reliable.
If all you need is 1Gpbs and WiFi, OpenWrt on consumer hardware is probably enough though.
I have a Lenovo thin client running Debian as internet gateway/firewall. With some minor modifications and a small low power blower fan you can add a dual sfp pcie card in it (not all versions can, though there are more manufacturers of thin clients with 4x pcie slots). The blower fan is because the main fan stops often and it needs some cooling.
Use openWrt (https://openwrt.org), and use their hardware list to pick a consumer router with the feature set you need that can be flashed to use openWrt.
So will this finally be treated as sabotage/criminal hacking, or is it just yet another example of letting manufacturers do whatever they want to their customers without any punishment? Meanwhile if I find and publish the emails of Tenda customers that they accidentally left unprotected, I get raided by the FBI.
I was deeply alarmed when I figured out ISPs had effortless remote access to the routers and consequently to my LAN. Now they just provide me an ONT which terminates their fiber and connects into my own hardened GL.iNet router running OpenWRT.
The fact that the password is "rzadmin" makes it a lot more likely that this is just run of the mill stupidity, and not something more nefarious: you'd want a backdoor that isn't blindingly obvious and usable by the CIA.
Almost all consumer electronics come with backdoors—especially given the prevalence of computational advertising. Before criticizing Tenda, we ought to clarify whether this is a consumer-facing (2C) or business-facing (2B) product.
https://boschko.ca/tenda_ac1200_router/
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
reply