Backdoor found in Linksys, Netgear Routers (github.com)
552 points by nilsjuenemann 1111 days ago | 137 comments

About a year ago I left a cable modem and internet service (Time Warner) at an apartment I was moving out of while my friend continued to stay there. I had configured the thing in a manner I thought to be fairly secure -- strong password, no broadcast, etc. One day the internet goes down and my friend doesn't know what to do. She calls the ISP and asks them what's wrong. They say they can't release any information about the service to her without my permission, so I suddenly get a three-way call explaining that my friend and the ISP representative are on the line and I need to give my authorization to access the account information. Being the person I am, I attempt to troubleshoot things over the phone before giving out any sort of account credentials. Eventually, I ask her to log into the router configuration page. She doesn't know the password and the first one I gave her doesn't work. The representative chimes in "That's fine -- I can just change it from here."


I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.

Of course they can. The way DOCSIS is designed, your cable company has full access to your modem; your modem receives configuration data via TFTP from them and in most cases the firmware can only be updated over the coax interface. In fact, it's very rare that there's any configuration you can change on the DOCSIS modem side of things at all, even on the most expensive modems.

Lately cable companies have been pushing these hybrid modem/router combinations with things like wifi support built in. From a consumer standpoint, this seems very convenient, but the cable companies do this because it makes it easier for them. If you call up with an issue with "your Internet," they can remotely diagnose it and reset your modem/router. Make no mistake; they have more control over these than you do.

If you want to stop your ISP from having administrative access to your "private connection" (I assume you mean your wifi), then don't put the modem and the router in the same box. There's no other way around this.

That wasn't my experience with Time Warner and my Motorola cable modem, at least as far as dealing with modem issues (firmware). They referred me to Motorola.

Were you able to get your firmware upgraded? My understanding is that firmware upgrades can only be done over coax (there's certainly nothing on the web interface), but Time Warner Cable will not upgrade your firmware; so if you need a firmware upgrade you're pretty much out of luck.

>Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection

Yes, their modems. On the connection that they provide for you.

A cable modem is considered CPE (customer premises equipment), meaning it is part of the infrastructure a telco uses to provide you with connectivity. Usually they own it, but in any case they have full control over it, as they should - it's part of their network. They may choose to delegate some configuration via a web GUI, but that's at their discretion - it's theirs to administer.

Business telecom has a formalized notion of a demarc (demarcation point), the place where the telco network ends and yours begins. AT&T owns and is responsible for the fiber/T1/POTS lines as they come through the wall, as well as the CPE (often a large rackmount Cisco router) to which it connects. Their contract is to provide connectivity on specific ethernet ports/fibre GBICs/whatever of that CPE. Whatever happens downstream of those ports is your problem, and whatever happens upstream is their problem.

Both sides will treat this connection as hostile - you'll have your own NATing router up and the telco's router, if it even has a configuration interface listening on your NIC, won't let you in. It would be inappropriate for AT&T to have any sort of access to the router you own and inappropriate for you to attempt any sort of access to AT&T's CPE.

Time Warner has been shifting recently towards placing WiFi on their side of the (logical) demarc. Which makes sense, since most people would rather not be responsible for administering any infrastructure - they just want Time Warner to deliver them WiFi. It sounds like you have this kind of setup, in which case Time Warner's access is not "backdoor" but "building owner" - you're renting a room.

If you'd prefer, you can (have them) turn off their WiFi, go buy a nice wireless router, and connect it to the modem. In this case Time Warner is providing you with a connection on an ethernet port; the device you've plugged in is your own (your side of the demarc) and they have no right to touch its configuration, nor are they responsible for it working correctly.

EDIT: The obvious analogy that would have simplified much of this is that a cable modem is like an electrical meter.

Yeah, this is why I just shell out for my own DOCSIS 3 cable modem whenever possible.

Even when you "bring your own modem" ISPs tend to demand exclusive control while it's in service. It really is intended to be part of the ISP's network rather than yours, so while (unlike a rental unit) you could walk away with it and take it to another provider, sell it, run your own copper infrastructure, etc. you usually still can't modify the settings of an existing connection.

One of my cable installers told me that rate limiting is done in the cable modem, so people would run pirate firmware that eliminated the artificial limits and run at the natural limit of the connection. People had fun with this for a while until the network engineers figured it out, and now people exceeding the speed limit get their connections shut down pretty quickly. But anyway, it makes sense that the cable modem really isn't the customer's to control.

I own and control my own wireless router because I want to play with things like DD-WRT, use OpenDNS, etc., but I see the cable modem as no different from the utility box down the street.

Time Warner wants nothing to do with my (own purchased) cable modem beyond allowing me to use it. The vendor will only provide firmware patches to cable operators, and Time Warner won't touch my modem to help get the firmware upgraded.

I've always had naked DSL because of not wanting to pay for cable TV or another line. For DSL and similar services, BYOE tends to be hands-off.

With cable modems, does/can the provider push firmware?

All the cable modems I've used (UK) have always downloaded an image over TFTP on boot. As I understand it they can come up with a very minimal loader and reach out for their config to the local "node" for configuration, and this can include new firmware. On the support line they're adamant that you reboot the things before proceeding past the IVR. Which makes sense.

The last I heard about it the different levels of service (bronze/silver/gold they were at the time, 5/10/20Mbit/s) are just based on the MAC the modem sends on this initial config/handshake. When I moved from 20 to 50 I was told to reboot the modem and it came up with an all new, shiny, more craptastic than ever web interface, as well as setting its WAN port to 50Mbit/s.

With DOCSIS cable modems only the provider can update the firmware. An end user doesn't have the ability to update the firmware, even if they own the modem. That is part of the DOCSIS standard.

This doesn't help you at all.

The provider is able to change the settings through two primary methods.

1. DOCSIS configuration file - this is the file your modem downloads when it comes online and includes settings like your speeds (Upstream/Downstream service flows) and it also includes the SNMP settings (used for #2).

2. SNMP - The MSO can also remotely monitor and change your modem via SNMP. There is a large number of DOCSIS MIBs that every cable modem must support in order to get certified and there are also vendor specific MIBs that a modem's manufacturer will add to support specific features of that modem.

Without SNMP it would be very difficult to maintain a cable network. Other types of access networks have similar features.
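To make the first of the two methods above concrete, here is an added example (my own code, not from any comment in this thread) of the Type-Length-Value layout a DOCSIS modem fetches over TFTP when it comes online. It walks the TLVs, decodes the upstream/downstream service-flow rate caps the comment mentions, and recomputes the two integrity digests at the end of the file. The TLV type codes and the digest definitions follow my reading of the DOCSIS RFI spec and should be treated as assumptions to check against the spec; the config file, the shared secret and the SNMP varbind bytes are all constructed placeholders.

```python
"""Parse and verify a constructed DOCSIS-style configuration file (added example)."""
import hashlib
import hmac
import struct

# TLV type codes as I recall them from the DOCSIS RFI spec (assumption, not from the thread).
TLV_NAMES = {
    1: "Downstream Frequency (Hz)", 3: "Network Access Control",
    6: "CM MIC", 7: "CMTS MIC", 9: "Software Upgrade Filename",
    11: "SNMP MIB Object (BER varbind)", 24: "Upstream Service Flow",
    25: "Downstream Service Flow", 255: "End of Data",
}


def tlv(t, value):
    """Encode one TLV (single-byte type and length, so values are at most 255 bytes)."""
    return bytes([t, len(value)]) + value


def parse_tlvs(buf):
    """Yield (offset, type, value). Type 0 is a one-byte pad, type 255 ends the file."""
    i = 0
    while i < len(buf):
        t = buf[i]
        if t == 0:
            i += 1
            continue
        if t == 255:
            yield i, t, b""
            return
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated TLV at offset %d" % i)
        n = buf[i + 1]
        yield i, t, buf[i + 2:i + 2 + n]
        i += 2 + n


def decode_service_flow(value):
    """Sub-TLVs of a type 24/25 service flow: 1 = reference, 6 = QoS set type, 8 = max rate."""
    out = {}
    for _, st, sv in parse_tlvs(value):
        if st == 8:
            out["max_rate_bps"] = struct.unpack(">I", sv)[0]
        elif st == 1:
            out["reference"] = struct.unpack(">H", sv)[0]
        elif st == 6:
            out["qos_set_type"] = sv[0]
        else:
            out["sub%d" % st] = sv   # keep unknown sub-TLVs raw
    return out


def summarize(cfg):
    """Human-readable view of the settings the operator pushes in this file."""
    s = {"service_flows": [], "snmp_objects": 0}
    for _, t, v in parse_tlvs(cfg):
        if t == 3:
            s["network_access"] = bool(v[0])
        elif t == 1:
            s["downstream_hz"] = struct.unpack(">I", v)[0]
        elif t in (24, 25):
            sf = decode_service_flow(v)
            sf["direction"] = "upstream" if t == 24 else "downstream"
            s["service_flows"].append(sf)
        elif t == 11:
            s["snmp_objects"] += 1
        elif t == 9:
            s["firmware_file"] = v.decode()
    return s


def cm_mic(cfg):
    """CM MIC (type 6): unkeyed MD5 over every byte that precedes it (my reading of the spec)."""
    for off, t, _ in parse_tlvs(cfg):
        if t == 6:
            return hashlib.md5(cfg[:off]).digest()
    raise ValueError("no CM MIC present")


def cmts_mic(cfg, shared_secret):
    """CMTS MIC (type 7): HMAC-MD5 keyed with the operator's secret over the bytes that
    precede it (the real spec fixes a TLV order; simplified here). Only the CMTS holds
    the key, which is what lets the operator reject a file a subscriber has edited."""
    for off, t, _ in parse_tlvs(cfg):
        if t == 7:
            return hmac.new(shared_secret, cfg[:off], hashlib.md5).digest()
    raise ValueError("no CMTS MIC present")


def verify(cfg, shared_secret):
    """True only if both digests match what the file body actually contains."""
    present = {t: v for _, t, v in parse_tlvs(cfg)}
    return (present.get(6) == cm_mic(cfg)
            and hmac.compare_digest(present.get(7, b""), cmts_mic(cfg, shared_secret)))


SECRET = b"constructed-shared-secret"   # placeholder; the real key lives on the CMTS


def build_sample_config(shared_secret=SECRET, up_bps=5_000_000, down_bps=20_000_000):
    """Constructed config file with bronze/silver/gold style rate caps (sample data)."""
    body = (
        tlv(3, b"\x01")                                   # network access enabled
        + tlv(1, struct.pack(">I", 591_000_000))          # downstream frequency
        + tlv(24, tlv(1, b"\x00\x01") + tlv(6, b"\x07") + tlv(8, struct.pack(">I", up_bps)))
        + tlv(25, tlv(1, b"\x00\x02") + tlv(6, b"\x07") + tlv(8, struct.pack(">I", down_bps)))
        + tlv(11, b"\x30\x00")                            # stand-in varbind: empty BER SEQUENCE
    )
    body += tlv(6, hashlib.md5(body).digest())
    body += tlv(7, hmac.new(shared_secret, body, hashlib.md5).digest())
    return body + b"\xff"                                 # End of Data
```

The interesting check is the last one: a subscriber who rewrites the rate cap and even recomputes the unkeyed CM MIC still produces a file whose CMTS MIC does not verify under the operator's secret, which is the mechanism the "pirate firmware" anecdote above runs into.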

Not sure I got that - why is cable different in this regard from DSL? I'm pretty sure there is no such thing built into adsl/vdsl routers or modems, at least not in Germany.

DSL is provided over a POTS ("plain old telephone service") line. The demarc for POTS, at least in my neighborhood, is a grey box on the side of your house, well upstream of your DSL modem.

I don't know why exactly it worked out that way, but the telephone system is designed to deal with consumer electronics and the coax cable system is not.

It didn't used to be - until the federal government busted AT&T's monopoly, it was illegal to connect non-AT&T equipment to the AT&T network, at least electrically. This is why in old movies you see people dialing ISPs by hand with a phone and then setting the handset down on a cradle - the cradle was the modem, and it interfaced with the telephone network acoustically. The demarc (at least as we know it today) was presumably introduced after the government told AT&T they had to let people have their own networks, rather than considering everything up through the phones to be part of the telco network.

These are called VRADs http://en.wikipedia.org/wiki/VRAD.

The demarc for your DSL is the modem. If you provide your own modem you still are subject to AT&T's rules. You cannot legally connect to sensitive national infrastructure (like the phone network) without the provider being responsible for your access.

As far as connecting equipment, that significantly predates divestiture. Most people point to Carterfone as the salient decision that changed this: http://en.wikipedia.org/wiki/Carterfone

In reality, there was actually a prior decision which I can't seem to find right now where AT&T refused to allow people to put plastic privacy guards over the mouth piece on the grounds that it would damage the phone network. Ludicrous, but sensible from an economic standpoint.

EDIT: Found it, 1956 Hush-a-phone: http://en.wikipedia.org/wiki/Hush-A-Phone_v._United_States

In short, Telecom is complicated, the demarc is important and you don't own any part of the network from the modem on up.

Source: I am a telecom junkie and I work at 2600hz, the open source telecom company.

Many (most?) large providers use TR-069 in the CPE that they provide. This is how they push out firmware & config updates and provide some managed services to SoHo customers.

You might be surprised at how much a provider support rep can see with this. Here are two screenshots from Cisco's product to give you an idea: http://images.newsfactor.com/images/super/larger-12-ClearAcc... http://cdn-static.zdnet.com/i/story/60/01/072589/clearaccess...

Moral of the story: Use the most basic cable/dsl modem that they'll give you, make it as close to bridge mode as you can, and use your own router.

This is one of many reasons why routers should be purchased separately from modems, and modems should be configured to be as dumb as possible.

I had a problem of DNS poisoning on my router + modem for a long time even though remote access was disabled and my computers were clean. The DNS entries kept changing to bad ones (even after a factory reset). I ended up switching the modem to bridge mode and using a router of my own to resolve the problem.

That is very common with provider issued equipment. Anything you get from your ISP should be considered their equipment rather than yours, and you should therefore assume that they maintain some sort of control over it. For serving very non-technical home users this is actually an advantage.

Over here when you are on BT's FTTC setup through any ISP the vDSL modem that hangs off your master socket (which can do more but is used in this arrangement to simply pick up the connection from the phone line and provide PPPoE on the ethernet port) is very definitely BT/OR's: they tell you not to mess with it, people who want to mess with it have to use hacks to get access to the UI (which is otherwise locked off), and if you plug something else in at that point you are officially not supported. If the router that you plug in to that came from your ISP then that is theirs (usually you have to return it when you leave).

If you buy your own router (or "make" your own, people who have a small Linux machine on 24/7 for various things just set that up to talk PPPoE directly and skip the router altogether, neatly avoiding the limits of many "consumer grade" units (shoddy IPv6 support for instance) without shelling out for a much better device) only then do you truly have control of security at that point in the topology. But some ISPs won't support you if you don't use the provided router (though if you know enough to purchase your own router you might not find such an ISP's tech support much help anyway).

I had to call Comcast in order to disable the Wifi radio on my modem.

Not really a backdoor, just remote administration.

Proprietary software, firmware and hardware ultimately means you don't own the stuff you use. Goes on at all levels and people interiorise it to the point that they will take it as a given and justify uses that are not truly justifiable. ISPs do not need this kind of policy to operate, regardless what you'll read in this thread.

You and others that are curious about what end user equipment management controls are possible might enjoy reading about specs like TR-069, etc.


I've heard from others that the passwords are stored in plaintext and viewable by support too, at least at some ISPs.

Now combine that with the typical user's tendency towards password reuse...

Interesting. Reminds me of the hack I did on a (mandatory) modem/router forced on AT&T users. They had a bunch of problems with it, so one day I got fed up after the millionth disconnect and cracked it open. Got a serial root shell by using the "magic !" command (completely randomly discovered) and dumped the source to the web UI(in Lua/haserl). From there found the equivalent of a SQL injection vulnerability and used it to gain a remote root exploit.

Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next heh. But now they are actually putting out some updates that actually fix problems too at least. Hopefully user uproar will continue to drive them to fix more problems

AT&T have not forced me to use a specific modem with their DSL service.

This is with their u-verse service. Basically it's like DSL but using some different technologies and no easy way of bridging like PPPoE

do you have a write up with more details about those exploits?

Yea I wrote it up on my blog here. Just didn't want to risk spamming heh. http://earlz.net/view/2012/06/07/0026/rooting-the-nvg510-fro...

U-Verse High Speed Internet service uses this type of modem (this is the "U-Verse" service that is a traditional ADSL type service, not their IPTV VDSL stuff -- it used to not carry the U-Verse name). I'm stuck with it at my extended family's summer home since there's no other service available. It's been incredibly flaky. Since the default configuration won't allow me to set the modem to respond to ICMP and we physically unplug electronics other than the modem when we're not there, I've run out of ways to monitor it remotely from my home two hours away (thereby eliminating the possibility of getting a monthly credit for every month this thing has been flaky).

I've had service techs out for the last two years trying to make it more reliable, but the biggest problem has been "proving" that the service has been down, and very frequently. Now I can get my local nagios instance graphing the terrible reliability. That should get ammunition to request monthly statement credits, hopefully increasing their motivation to fix the wiring in the area (everyone in this small town that has U-Verse complains about the reliability of the connection).

Very neat trick. What does "errrr" do?

Thanks man, that hack saved me so much pain when I had a 510 and needed a router with uPnP. I've got a 5801 now which has a "DMZ+" mode, but AT&T makes me pay 6 bucks a month for it :/

I hacked my Fritz!Box (yeah, a bad name for a German router) and I'm entirely sure that it has a backdoor integrated too. That's why I wiped and flashed it with an alternative image. That and the Telecom's Speedport router are the most popular routers by far in Germany. And both have backdoors, I know that other router manufacturers also integrate backdoors from a source who works at such a company. A friend can also verify the fact, because a different employee told him the same. Also it's public that the ISP can upgrade, modify, flash and disable features remotely. My friend's router has wifi, but their provider disabled it remotely within the firmware (it even has an antenna) and his ISP wants him to pay 5€/m to re-enable wifi.

I really wonder why nobody complained about that earlier. Also the interesting thing here is that for a very long time, you weren't allowed to use a different router than the one provided by your ISP. Which enforced their surveillance monopoly.

Here's an article about reverse engineering the backdoor in D-Link routers using IDA:


PoC Available: http://pastebin.com/vbiG42VD

This is probably NOT a backdoor.

Most likely your ISP is using a technique like TR-069. This enables them to push settings for voip/TV, and in your friend's case wifi. A lot of DSL providers are starting to use this for less intrusive (?) goals like measuring noise and attenuation at the clients end once a day, so they can adjust the speed accordingly.

AVM is a very nice company and you should not accuse them without proof. They actually provide an option to disable TR-069 in the page "Provider Services" ("Allow automatic configuration by the service provider" and "Allow automatic updates"). If you don't have this option you could try installing the original firmware from avm.de. Maybe you are still able to flash the modem with the original firmware from , and configure it yourself?

> AVM is a very nice company and you should not accuse them without proof.

You shouldn't accuse anybody without proof. But since this is Hacker News I'll disagree with the first part of that sentence. AVM is probably the least hacker-friendly company I've ever come across. For example, they're so hell-bent on violating the GPL that they've taken it to court (and lost) [1].

1. http://fsfe.org/activities/ftf/avm-gpl-violation.en.html

> A lot of DSL providers are starting to use this for less intrusive (?) goals like measuring noise and attenuation at the clients end once a day, so they can adjust the speed accordingly.

Why can't this be done on the DSLAM?

Please provide evidence for the alleged backdoor in AVM Fritz!Box routers. Being sure is not convincing … I don't see why you had to hack an AVM router either – you can easily install other firmware and Fritz!Box routers can be directly bought anyway.

>> "you can easily install other firmware"

That's what I did, I flashed it with a custom firmware (that was after I became aware of the backdoor). I've not "reverse-engineered" the base image of my own router like in the article above, because that's a lot of work. I've worked on an awful lot of routers, hubs, switches of all sorts, enterprise and consumer. Have been network administrator for a large global company and I think that I can trust my sources.

What the new user "blablablaat" mentioned is obvious, I'm not stupid to make something like this up. Of course I have no "Provider Services" or anything remotely similar enabled, but it's still possible to connect to the router and take control over it according to my source and I've seen it back then, when I asked for him/her to show it. Now why do you expect me to prove that? A security researcher is more qualified than me to create the convincing report you're asking for, sorry. You can feel free to do it yourself too, if you want. It's not my intention to spread rumors or FUD, but to make you at least aware that your router ain't secure.

I think it's kinda convenient for companies that they can now blame the NSA for everything. I really think a lot more companies put backdoors into their software without external pressure (sometimes not intentional, just because of laziness or stupidity).

I agree, there are also some laws that force ISPs to do things they don't feel comfortable with. I know it's not entirely their fault.

I've heard of some cases that ISPs tried to stop by going to court, like permanent-storage of all data, but lost the case. It's not just the NSA btw. in Germany there is the Bundesnachrichtendienst (BND), which translates to "Federal Intelligence Service"

"And the Chinese have probably known about this back door since 2008." http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=htt...

That's a pretty scary prospect. If it's been 'known' and exploited since at least 2008. Poor form Netgear/Linksys.

Probably not Netgear or Linksys' choice. The Treasonous Act, aka, the Patriot Act has a black version that forces such companies to do as they're told and shut up about it.

If you have any citations for that, they'd be interesting reading.

This is not surprising. It's a calculated risk to make a product just good enough. Development resources invested in retail wireless gear are minimal. I've worked on firmware for high-confidence industrial wireless gear used in mines. Most of them fall over under load, run obsolete+unpatched code and/or reboot randomly. Retail customers will tend to just put up with it and not return the product before the merchant's return grace period.

It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.

Mining is a dangerous industry with its own specialist regulators and standards bodies.

Equipment failure that can kill people should be taken more seriously than equipment failure that leads to less serious consequences.

The thought of wireless gear in mines is pretty scary! I used to build / test equipment for a sub-contractor of Joy Mining and communication between the devices was carried by inch thick cables with nickel-plated machined steel connector shells. Pit props at the cutting face can be active devices that walk forward as the face is cut, and they coordinate that forward movement. Designing user interfaces is tricky, and designing a UI that should prevent death or huge financial costs if misused is probably hard.

There is. Mostly 460 and 900 MHz packet modems that only speak UDP. It's for telemetry data and data between trucks. As of 2000, there were working prototypes of both an anti-collision system and fully autonomous driving / grading.

s/Most of them/Most of the retail ones/

Not the industrial ones. They're unit tested ad nauseam, subjected to crush and environmental testing. You can run over the units with a fully-loaded haul truck, the cases are cast steel. They also retail for $10k USD a piece.

Can this be fixed by changing the firmware to OpenWRT or DD-WRT?

Yes, this isn't a hardware backdoor, it's all in the software.

This backdoor is a software backdoor - there may be hardware backdoors too. Hardware backdoors are much, much harder to find as there is no real way to track one down without trying to reverse the actual hardware itself, and that is close to impossible. So while we can confirm there is a software backdoor in this router, we can't confirm if any other router does or doesn't have a hardware one.

If supported, Tomato (I prefer the shibby variant) is my fav; a large number of routers are supported... I've been using and recommending a couple of Asus models: RT-N12, RT-N16 and RT-N66 (U/R)... Been pretty good hardware (stock firmware sucks though).

Note: Tomato is imho a bit nicer than DD-WRT, but not as good for tweaking as OpenWRT (which I use on my office routerstation pro).

I don't know about the others, but I'm pretty sure that the WAG200G isn't supported by the free firmware projects because it's not powerful enough.

Has anyone ever tried submitting a GPL request to http://support.linksys.com/en-us/gplcodecenter

I wonder if there is anyone still working in the GPL compliance department.

They don't have to provide the sources forever... Seemingly the model in question (WAG200G) is originally from 2007.

Excerpt from the GPL [1] (paragraph 6b):

"You may [...] Convey the object code in, or embodied in, a physical product [...], accompanied by a written offer, valid for at least three years and valid for as long as you offer spare parts or customer support for that product model, to give anyone who possesses the object code either (1) a copy of the Corresponding Source for all the software in the product that is covered by this License [...]."

[1]: http://www.gnu.org/licenses/gpl.html

TIL: Some people know a lot more than me about hacking. That PDF was interesting, but I only understood a small fraction of it.

Can you tell me which parts you couldn't get? I want to test my understanding - I'll see if I can explain it to you.

My main problems were with the memes.

Seriously, nothing against a little humor in your slides. But making every second slide a meme reference gets annoying pretty fast :)

It almost felt like the memes were for obfuscation, because they certainly had that effect on me. I'd say if this was a presentation, it would be neither informative nor professional.

A well-placed meme for humour can be good, I agree.

Agreed, the slides were unreadable. A simple text document would have sufficed...

Not only that, but it's the original "open" format.

Slides, in general, aren't very useful without the accompanying talk.

And this didn't even have a talk.

Could you describe the whole reversing process in a bit more detail? Binary goes in, understanding comes out, you can't explain that (well I hope someone can).

I'm going to rush this, sorry.

* Guy sees service running on 32764 and thinks that's quite odd

* Gets very frustrated at useless forum posts from people with no clue

* Downloads a copy of the firmware from the (horrible) modem-help.co.uk

This is where it gets interesting:

Binwalk ------

First off, a program called Binwalk is used. This is a combo of a really cool python script, the libmagic database (if you've used the file utility in 'nix you've used it) and some C to deal with some compression types.

When binwalk works, it's pure brilliance. As you can see in the screenshot on slide 12, binwalk is able to detect strings and filesystems inside the firmware.

References to Texas Instruments and Telogy Networks would be a good starting point if you wanted to google for datasheets or some more background information

I haven't ever seen a reference to Igor Pavlov in a firmware binary before but his name popping up is a good indication that you might be hitting 7zip or LZMA compressed data - http://en.wikipedia.org/wiki/Igor_Pavlov_%28programmer%29

The filesystem -----

Squashfs is commonly used (and horribly broken) by manufacturers of modems and routers.

Luckily the author is able to extract the filesystem out by looking at the offsets printed out by binwalk - this doesn't always work!

Slide 13 is pretty typical when reversing modem firmware - someone thought they were being smart and broke the squashfs format. It looks like no one else will be able to replicate this as the source code for the modified format has been taken down (?) It's possible the author is using the name of the folder in the last screenshot of slide 13 as a hint of what to do next, slide 14 and 15 are magic to me.

I think the author has changed the LZMA sourcecode to look for LZMA compressed data with a gzip header but this seems really strange to me

Slide 15 just shows the unsquashfs tool with what seems like sensible output (if you'd done something wrong at this point you might see huge numbers of inodes or a silly number of files and you'd have to go back to the compression and keep looking)

Now the author has a filesystem to look through - I would have used strings and grep instead of just grep at this point. He's grepping for the name of the service he found in the forum posts, I think.

From here he's used a very expensive program called IDA Pro (https://www.hex-rays.com/products/ida/support/orderforms/nam...) to help. You may also be able to use the objdump command or The Online Disassembler.

I have no knowledge of MIPS assembly so I'm unable to help you there - IDA provides some flow diagrams like you can see in slide 19. I'm not sure if the author annotated the function names or if IDA was able to find them.

He identifies a buffer overflow and writes a small script to exploit it in slide 20 (I'd love some extra explanation of this if anyone can give it)

When the script is run it seems to dump the current configuration of the modem, but then it crashes or resets (slide 21)

The comments on slide 23 suggest that the code has jumped to the "restore_default" function - sorry, I don't understand this part. References to nvram would suggest it's doing something to the config though, which would explain slide 21.

Slide 26 shows a (hopefully LAN-side-only) exploit that's able to enable the HTTP management interface of the modem and reset the password at the same time.

Final edit: I'm sorry for the formatting of this post. I'd love to collaborate with someone on a blog post about this exploit. I'm really just getting started with firmware reversing (and most of the time I don't get past the binwalk stage). My contact details are in my profile.
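The binwalk and filesystem stages of the walkthrough above, as an added example that is not code from the slides, from the binwalk project or from any commenter: a minimal signature scanner that walks a firmware blob the way binwalk does, reports the offsets of known container magics (gzip, xz, SquashFS, and the LZMA-alone heuristic that is why Igor Pavlov's name shows up), carves the gzip and LZMA streams, and applies the sanity checks on the SquashFS superblock that the comment about "huge numbers of inodes" describes. The firmware image is constructed inline; the second, deliberately broken SquashFS header is a made-up stand-in for a vendor-modified filesystem, and the SquashFS 4.x superblock layout is from memory of the on-disk format.

```python
"""Binwalk-style signature scan and carve over a constructed firmware blob (added example)."""
import gzip
import lzma
import struct
import zlib

# Container magics. The 5d 00 00 prefix for LZMA-alone is a heuristic (the properties
# byte for lc=3,lp=0,pb=2 followed by a dictionary size that is a multiple of 64 KiB),
# not a formal magic, hence the question mark in its name.
SIGNATURES = [
    ("gzip", b"\x1f\x8b\x08"),
    ("xz", b"\xfd7zXZ\x00"),
    ("squashfs-le", b"hsqs"),
    ("squashfs-be", b"sqsh"),
    ("lzma-alone?", b"\x5d\x00\x00"),
]

# SquashFS 4.x superblock: magic, inodes, mkfs_time, block_size, fragments, compression,
# block_log, flags, no_ids, major, minor, root_inode, bytes_used (little-endian, 48 bytes).
SQUASHFS_SUPER = "<5I6H2Q"
COMPRESSORS = {1: "gzip", 2: "lzma", 3: "lzo", 4: "xz", 5: "lz4", 6: "zstd"}


def scan(blob):
    """Return every (offset, signature name) hit, sorted by offset, like binwalk's table."""
    hits = []
    for name, magic in SIGNATURES:
        start = 0
        while (off := blob.find(magic, start)) >= 0:
            hits.append((off, name))
            start = off + 1
    return sorted(hits)


def carve_gzip(blob, off):
    """Inflate one gzip member starting at off; return (payload, bytes consumed)."""
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)   # 16+ tells zlib to expect a gzip header
    payload = d.decompress(blob[off:])
    return payload, len(blob) - off - len(d.unused_data)


def carve_lzma(blob, off):
    """Decode one LZMA-alone stream starting at off; return (payload, bytes consumed)."""
    d = lzma.LZMADecompressor(format=lzma.FORMAT_ALONE)
    payload = d.decompress(blob[off:])
    return payload, len(blob) - off - len(d.unused_data)


def squashfs_superblock(blob, off):
    """Decode the fields an analyst looks at before running unsquashfs."""
    f = struct.unpack_from(SQUASHFS_SUPER, blob, off)
    return {"inodes": f[1], "block_size": f[3],
            "compression": COMPRESSORS.get(f[5], "unknown(%d)" % f[5]),
            "version": "%d.%d" % (f[9], f[10]), "bytes_used": f[12]}


def plausible_squashfs(sb, bytes_available):
    """Sanity checks: a nonsense version, block size or inode count means the offset or
    the compression guess is wrong, or the vendor has altered the format."""
    bs = sb["block_size"]
    return (sb["version"] == "4.0"
            and 4096 <= bs <= 1048576 and bs & (bs - 1) == 0
            and not sb["compression"].startswith("unknown")
            and 0 < sb["bytes_used"] <= bytes_available
            and sb["inodes"] < 1_000_000)


def build_sample_image():
    """Constructed firmware-like blob; returns (image, offsets of the embedded pieces)."""
    kernel_payload = b"not really a kernel\n" * 50
    kernel = gzip.compress(kernel_payload)
    good_sb = struct.pack(SQUASHFS_SUPER, 0x73717368, 120, 0, 131072, 3, 4, 17, 0, 1, 4, 0, 0, 200)
    bad_sb = struct.pack(SQUASHFS_SUPER, 0x73717368, 0xFFFFFFF0, 0, 12345, 0, 9, 0, 0, 1, 3, 1, 0, 10**9)
    config = lzma.compress(b"config block " * 40, format=lzma.FORMAT_ALONE)
    parts = [b"VENDORHDR\x00" * 2, kernel, b"\xff" * 16, good_sb, b"\x00" * 256, config, bad_sb]
    image, layout, pos = b"", {}, 0
    for name, chunk in zip(["hdr", "gzip", "pad", "squashfs_good", "pad2", "lzma", "squashfs_bad"], parts):
        layout[name] = pos
        image += chunk
        pos += len(chunk)
    layout["gzip_len"] = len(kernel)
    return image, layout


if __name__ == "__main__":
    img, _ = build_sample_image()
    for off, name in scan(img):
        print("0x%06x  %s" % (off, name))
```

Run stand-alone it prints the offset table; the useful habit it demonstrates is to decode and sanity-check the superblock before trusting whatever unsquashfs produces at that offset.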

He doesn't actually exploit the heap overflow. He just sends messages as a normal backdoor user would, there's no authentication.

(He also greps for the string the server sent upon connection, but it's nowhere to be found. He then just greps for bind and filters for binary files only, to find all binaries that call bind (remember dynamic linking in the end comes down to strings..))


I walk through a similar process here [1], using binwalk to extract the source-code from a firmware image, then running the insecure router software in a QEMU VM. Although the purpose in the linked instructions is to repair a different Netgear exploit from October 2013 by modifying the insecure binary executable (see [2] for information on the technique).

[1] http://eschulte.github.io/netgear-repair/INSTRUCTIONS.html

[2] http://eschulte.github.io/netgear-repair/

It sounds like binwalk is a member of a family of programs referred to as file rippers. These used to be easy to find, but the "rip" keyword has been taken over by CD and DVD ripping software. They were commonly used to extract embedded files from demo scene demos, including .mod/.s3m/.xm/.it music and .flc videos.

I'd forgotten about these rippers!

Another good one to look at is QuickBMS - allows you to define a "script" and then feed it to the ripper. I guess it saves you time writing boilerplate code when trying to get at new/unknown file formats. The Xentax Game Research forum loves it - http://aluigi.altervista.org/quickbms.htm (blocked as Hacking/Internet by the corporate proxy here, so it's good)

Thank you for explaining my slides ;) They were designed to be read by people who understand reverse engineering.

There are some errors in your comments: I didn't exploit anything, I just highlighted a vulnerability in the backdoor :D

People, if you are confused by memes, don't do RE :D And for those who say I could have just written a simple text, well, text is not that simple to write, especially when you're not a native English speaker :) and I had a lot of fun doing my drawings.

Hey, I hope I did okay explaining this - thanks for putting up a proof of concept!

This is one of the most useful comments I've seen on HN. Thanks!

I don't think I get the whole thing either, but my impression is:

- Download image for modem firmware.

- Extract the filesystem from the image by hacking up an open source tool. This represents all the files on-disk on the modem.

- Search the file system for references to the suspicious port. Locate binary that listens on said port.

- Disassemble binary, figure out the protocol/format of messages it's expecting to hear on suspicious port.

- Brute force the effect of sending messages by sending messages to said port with the header it's expecting, and different permutations of payloads? (I'm not sure about this part, I might be making shit up)

- Using this brute forcing figure out what payloads do what and map out what this backdoor listener can do.

Reversing is fairly well explained here, if you're looking for that: http://en.wikipedia.org/wiki/Decompiler
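The procedure sketched in the list above, together with the bind-grep step described earlier in the thread, as an added example: this is not code from the slides, the TCP-32764 repository or the netgear-repair write-up. It assumes the firmware filesystem has already been unpacked (for instance with `binwalk -e firmware.bin`) and automates the triage that follows: list the ELF binaries that import bind() (with dynamic linking the symbol name survives as a NUL-terminated string in .dynstr) and narrow to those that also embed the suspicious port as a 16-bit immediate, in either byte order since the target is MIPS. The sample tree it builds for itself is constructed; the file names in it are placeholders, not the real binary's name.

```python
"""Triage an unpacked firmware root for the binary that owns a listening port.

Added example; not code from the slides, the TCP-32764 repository or the
netgear-repair write-up. Assumes the filesystem was already extracted
(e.g. `binwalk -e firmware.bin`).
"""
import os
import struct
import tempfile

ELF_MAGIC = b"\x7fELF"


def is_elf(data):
    return data[:4] == ELF_MAGIC


def imports_symbol(data, name):
    # In .dynstr every name is NUL-terminated, so "\0bind\0" is a cheap test
    # that needs no section-header parsing. It also matches a static string
    # "bind", which is acceptable noise for a first pass.
    return b"\x00" + name.encode() + b"\x00" in data


def port_patterns(port):
    # A port loaded as an immediate (e.g. MIPS `li $a0, 0x7ffc`) sits in a
    # 16-bit field; scan for both byte orders. Two-byte patterns are a weak
    # filter on their own, which is why they are combined with the symbol test.
    return [struct.pack(">H", port), struct.pack("<H", port)]


def mentions_port(data, port):
    return any(p in data for p in port_patterns(port))


def triage(root, port, symbol="bind"):
    """Return candidate binaries, strongest first, as dicts with path/symbol/port."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            if os.path.islink(path):
                continue
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError:
                continue
            if not is_elf(data):
                continue
            has_sym = imports_symbol(data, symbol)
            has_port = mentions_port(data, port)
            if has_sym or has_port:
                hits.append({"path": os.path.relpath(path, root),
                             "symbol": has_sym, "port": has_port})
    # Both indicators first, then symbol only, then port only.
    hits.sort(key=lambda h: (not (h["symbol"] and h["port"]), not h["symbol"], h["path"]))
    return hits


def make_sample_root():
    """Constructed stand-in for a binwalk output tree (no real firmware involved).

    Three fake ELF files and one text file: a daemon that imports bind and
    carries 0x7ffc as a big-endian immediate, a binary that only imports bind,
    a library that merely contains the little-endian byte pair, and a config
    file whose decimal "32764" must not count because it is not ELF.
    """
    root = tempfile.mkdtemp(prefix="fwroot-")
    files = {
        "usr/sbin/cfgd": ELF_MAGIC + b"\x00" * 12
                         + b"\x00socket\x00bind\x00listen\x00" + b"\x24\x04\x7f\xfc",
        "bin/busybox": ELF_MAGIC + b"\x00" * 12 + b"\x00bind\x00accept\x00",
        "usr/lib/libfoo.so": ELF_MAGIC + b"\x00" * 12 + b"\x00\xfc\x7f\x00",
        "etc/defaults.txt": b"port=32764\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for hit in triage(make_sample_root(), 32764):
        print(hit)
```

Point it at the real `squashfs-root` instead of `make_sample_root()` once binwalk has run; the top hit is the binary to open in the disassembler, and the symbol-only and port-only hits are the ones to check by hand when the first guess is wrong.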

What is the tool being shown on slide 18? It looks like it breaks the assembly into basic blocks and shows a control flow graph based on that. Very cool tool, is it open-source?

No, it's IDA Pro, and it's very, very expensive.

The evaluation version is rather usable and there's a free version of an older release.

Hopper Disassembler is my go-to alternative until my income lets me justify IDA Pro (or Hopper catches up)

$800/$1600 isn't it?

I am also curious if anybody knows?

*update: I didn't see y'all's responses until I refreshed the page.

Can you just do an "Explain like I'm five" please.

Well, it is like a game that you can play with your eyes closed. Imagine that you close your eyes and then somebody gives you a large toy made out of LEGOs. And you figure out what this toy is, with your eyes closed! That's what he did.

HEY LOOK! We have an ass over here!!!

That may be because it was smothered in dumb memes and jokes.

I actually appreciate the humor, but I'm in the same boat where there's a good portion I'm just not wrapping my head around clearly. I'd love if someone made an annotated version with technical descriptions.

A little too few memes for my taste.

Has there been a technical write-up on this yet? I honestly tried to read the presentation and had to quit after the third superfluous meme slide.

TLDR of the presentation: found a service that returns all the configurations on the router (including admin username, admin password, wifi password, etc.). Also, found a bunch of buffer overflows.

Agreed, I don't mind a little humor with my technical presentations but this was unbearable.

The presentation is almost completely illegible.

The code is commented well enough to give a good idea of what is going on.

More information: https://github.com/elvanderb/TCP-32764/blob/master/backdoor_...

"Mr. Guessing 2010" doesn't know shit about backdoor (superuser.com).

I have confirmed this (or something similar) is present in the Netgear DG834N as well.

Netgear DGND3300 too.

ScMM = SerComm, perhaps?

Many of Linksys' old DSL modems were manufactured by them, AFAIK, and it seems many of the noted 'probably affected' models have a SerComm-manufactured device for at least one revision of that model line.

More probable SerComm-manufactured devices are visible at the WD query link below.


Know nothing about code... I like research, and the constitutional issues interest me. ScMM is also the NASDAQ symbol for Identive Group, working in secure ID for government and other institutions.

Confirmed as working on an old (2005/2006) Diamond DSL642WLG / SerComm IP806Gx v2 TI-based modem router, btw.

Buy a $200 soekris box and install openbsd or m0n0wall on it, or on any old pc you have lying around with 2 network cards.

Because that totally solves this problem for my mom...

(No, not my mom specifically; I gave her a router with Tomato installed for, among other things, exactly this reason. But not everyone has a technologist for a son, let alone one who knows what he's doing well enough to install m0n0wall on a Soekris box, or even Tomato on an old WRT54G*.)

Or, you know, any $30 OpenWRT-supported router.

Tell me, either way a Soekris box or an OpenWRT compatible router, how this brings a solution to the masses.

There is no purely technological solution for the masses. Actually solving the problem requires either a political revolution to make shipping backdoors like this criminal rather than a favor to the government, or educating users enough that they can protect themselves with the existing technological methods that are easy to deploy given basic computer literacy. It's not really clear which one is less impossible.

Even making it criminal won't work - don't you know the NSA and the government are above the law. They have government endorsed hackers who are known to be actively exploiting these systems... but if you, Joe Public, are caught doing this, you're thrown in jail under the Computer Fraud and Abuse Act. So even if it is made criminal, it'll only be criminal for you... if it's government mandated, however, it's fine.

This kind of stuff is far beyond basic computer literacy.

No, it's not. Installing Tomato or DD-WRT is only very slightly more complicated than configuring your router with non-default passwords, and you really shouldn't be considered at all computer literate if you don't know how to take even the first step to secure your network.

Take orders on Kickstarter for "open source router".

You order the Soekris boxes on behalf of the crowdfunders. You image your chosen open source OS on blank CF cards, bundle the CF cards together with the Soekris boxes and ship these to the crowdfunders as the "open source router".

If you want to bring a solution to the masses out of the goodness of your heart and you are motivated, then nothing is stopping you.

I live in the Czech Republic and my Zyxel from O2 has port 7547 open (Allegro RomPager 4.07) and you can't do anything about it. There is no editor on the installed Linux version (a cropped-down Linux, probably OpenWRT or something similar), no package manager, nothing.

If I flash the firmware, the warranty is void, and I have no user/pass to re-enable the ADSL. So basically, my router is a hostile AP.

Given that it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and they end up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like the carambola2 [1] and install FreeBSD [2] on it.

Disclosure: I donated one of these devices to Adrian Chadd[3] in order for him to port FreeBSD on this device, which enabled me to use PF[4] - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.

[1] http://8devices.com/carambola-2

[2] https://wiki.freebsd.org/FreeBSD/mips/Carambola2

[3] https://wiki.freebsd.org/AdrianChadd

[4] http://pf4freebsd.love2party.net

Why backdoor?? That's what I want to know.

Why what?

It's a backdoor in the sense that it allows you to change settings on the modem with no credentials.

It's plausible that on a badly configured network this port could be exposed to the Internet. Anyone want to check Shodan?

> It's plausible that on a badly configured network this port could be exposed to the Internet.

It's also plausible that an attacker could find one of these in the local coffee house or any other place that offers public wifi and get at it from the internal side that way, or war driving for access points using weak passwords or WEP, or small office corporate networks with mischievous employees, or an attacker compromising a single PC on the LAN and then using this to change the DNS handed out by the router's DHCP and compromising the others, ...

Me too. Up this!

Am I the only one who gets really annoyed by the memes in the exploit description?

No, it's annoying as fuck.

Is this backdoor only served up on the WLAN, or is it also exposed to the internet?

Fortunately, on my WAG160N it doesn't seem exposed to the internet.

That's not to say somebody can't embed something on a web page (e.g. Flash) that connects to it and enables configuration from the WAN :)

Flash won't let you open connections to other hosts (unless there's a crossdomain.xml file that allows it).

With html/javascript you can send http requests to other hosts, but you can't read the response. It seems like the backdoor isn't accessed over http, so that wouldn't help you either.

I've used GRC's "Shields Up" and asked for a user-specified probe for port 32764 and it came back "Stealth".

Assuming GRC isn't out to deceive me, can I assume that my router is fine?

Bill, using a Netgear router.

It seems it is only open to the local network.
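The check the question above is really asking for has to be run from inside the LAN, not from a site on the internet. The following is an added example, not code from the slides or the TCP-32764 repository. It assumes only what the comments report: the daemon answers a fresh connection with a short reply that starts with the magic "ScMM" (the same 32-bit value reads "MMcS" when a little-endian build writes it), and every message is a fixed header followed by a payload. The header layout used here, three 32-bit fields (magic, message type or return code, payload length), is my assumption about that format. The probe reads whatever the device volunteers and sends at most a bare newline; it never sends a command, so it is a detection check rather than an exploit. The fake device at the bottom exists only so the code can be exercised offline.

```python
"""LAN-side check for the TCP/32764 service discussed in the thread.

Added example; not code from the slides or the TCP-32764 repository.
The 12-byte header layout (magic, type/return code, length) is assumed.
"""
import socket
import struct
import threading

PORT = 32764
MAGIC = 0x53634D4D          # "ScMM" big-endian, "MMcS" little-endian
HEADER_LEN = 12


def parse_header(data):
    """Return (byte_order, code, payload_len) for a message header, or None."""
    if len(data) < HEADER_LEN:
        return None
    for order in (">", "<"):
        magic, code, length = struct.unpack(order + "III", data[:HEADER_LEN])
        if magic == MAGIC:
            return order, code, length
    return None


def classify(banner):
    """Map the first bytes a service returned to a human-readable verdict."""
    if not banner:
        return "silent"
    hdr = parse_header(banner)
    if hdr is None:
        return "other service"
    return "backdoor-like (%s-endian)" % ("big" if hdr[0] == ">" else "little")


def _recv_quiet(sock, n=64):
    try:
        return sock.recv(n)
    except socket.timeout:
        return b""


def probe(host, port=PORT, timeout=2.0):
    """Connect from the LAN side and classify the response."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            banner = _recv_quiet(s)
            if not banner:
                # A build that only answers after reading something gets a lone
                # newline: not a valid header, so at worst it returns an error reply.
                s.sendall(b"\n")
                banner = _recv_quiet(s)
    except OSError:
        return "closed/filtered"
    return classify(banner)


def start_fake_device(reply, host="127.0.0.1"):
    """Constructed stand-in for testing: serves one connection, sends `reply`, exits.

    Returns the ephemeral port it listens on. Not a router emulator, just
    enough to exercise probe() without a device on the network.
    """
    srv = socket.socket()
    srv.bind((host, 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(reply)
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    print(target, probe(target))
```

Run it once against the router's LAN address and once against its WAN address from outside; "closed/filtered" from the outside and "backdoor-like" from the inside is exactly the situation the Shields Up result cannot distinguish from a clean device.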

If you want more fun with the saved nvram config files, check out http://www.nirsoft.net/utils/router_password_recovery.html

He's figured out many of their "encryption" methods. I've independently "cracked" most of the major ones as well, (including checksums/headers required to write back to the router).

They're all pretty broken. PRNG key streams, simple bit swaps, XOR, encryption against a static key, etc.

Fun stuff.
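One of the schemes the comment above calls broken, XOR against a static key, worked through as an added example (this is not code from the nirsoft tool or from anything posted in the thread). The point it makes: every saved config opens with text an attacker can predict, so the key falls out of a known-plaintext comparison and the rest of the backup, passwords included, decrypts with it. The sample config, its variable names and the 8-byte key are constructed for the demo and are not a specific vendor's format.

```python
"""Recover a static XOR key from a "protected" router configuration backup.

Added example; not code from the nirsoft tool or the thread. The sample
config and key below are constructed.
"""

# Constructed sample of what a plaintext nvram dump might look like.
SAMPLE_CONFIG = (
    b"http_username=admin\n"
    b"http_passwd=hunter2\n"
    b"wl0_ssid=HomeNet\n"
    b"wl0_wpa_psk=correct-horse\n"
    b"lan_ipaddr=192.168.1.1\n"
)
SAMPLE_KEY = b"\x5a\xa5\x3c\xc3\x0f\xf0\x96\x69"   # constructed, 8 bytes


def xor_bytes(data, key):
    """XOR `data` against `key`, repeating the key as needed."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def recover_key(ciphertext, known_prefix, max_key_len=64):
    """Return the shortest repeating key consistent with the known plaintext.

    A candidate is only accepted when it is verified over at least two full
    periods; otherwise any key of length len(known_prefix) would "fit".
    Returns None when the known plaintext is too short to pin the key down.
    """
    n = min(len(ciphertext), len(known_prefix))
    stream = xor_bytes(ciphertext[:n], known_prefix[:n])   # raw keystream bytes
    for k in range(1, max_key_len + 1):
        if 2 * k > n:
            break
        candidate = stream[:k]
        if all(stream[i] == candidate[i % k] for i in range(n)):
            return candidate
    return None


def parse_config(plaintext):
    """Turn `name=value` lines into a dict; lines without '=' are ignored."""
    out = {}
    for line in plaintext.decode("latin-1").splitlines():
        if "=" in line:
            name, value = line.split("=", 1)
            out[name.strip()] = value
    return out


def decrypt_backup(ciphertext, known_prefix=b"http_username=admin\n"):
    """Recover the key from the predictable first line and return (key, config).

    The default known prefix is what a device still on factory credentials
    writes first in this constructed format.
    """
    key = recover_key(ciphertext, known_prefix)
    if key is None:
        raise ValueError("known plaintext too short to verify a key")
    return key, parse_config(xor_bytes(ciphertext, key))


if __name__ == "__main__":
    backup = xor_bytes(SAMPLE_CONFIG, SAMPLE_KEY)
    key, cfg = decrypt_backup(backup)
    print("key:", key.hex())
    print("admin password:", cfg["http_passwd"])
```

The "PRNG keystream" variant mentioned above is no stronger when the seed is fixed: the keystream is then just a longer static key, and the same known-plaintext recovery works once enough of the start of the file is predictable.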

Thankfully I have an older WNDR3700 and I remain unaffected.

However, seeing mention of (and an implementation of) Dual_EC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy, but this guy really went out of his way to make this confusing to understand.

Hah! A Dual_EC_DRBG implementation would be an infinite improvement over the highlighted random number generator (which just calls libc functions srand(3) and rand(3)).

I have a WGR614v6: it shows no response from port 32764 both from internet and local.

At first I thought it was this, which has been known for a long time now: http://wiki.openwrt.org/toh/netgear/telnet.console

Netgear routers come with a well published back door (http://wiki.openwrt.org/toh/netgear/telnet.console) that gives you telnet access from the LAN.

While interesting, I wouldn't say this is news. It has been known for quite a while.

Does anyone have a recommendation for a nice, configurable, reliable wireless router nowadays? My Linksys E2000 is on the fritz and didn't last nearly as long as my old WRT54G.

I bought a Buffalo router pre-loaded with DD-WRT that I like; it gives you most of the options that the stock DD-WRT build does. Otherwise I just buy anything that is DD-WRT compatible and flash it.



IDA Pro is awesomesauce, Wireshark for binaries. So much better than Turbo Debugger and ICEs in the olden days.

Just FYI it's no surprise that the IDA Pro wine torrent for OSX (magnet ...116a37) floating around out there has malware in it. Best to get it directly from a friend at a large shop. If you're a pentester or researcher, buy it obviously.

Don't worry, no one will ever find out.

Wow, that's scary. Good thing I have an Asus router.

There's probably an exploit in there somewhere too

Isn't this necessary to roll out IPV6 anyway?

From the sounds of it, these are purposely made backdoors? or something ignored ?

My expression: http://i.imgur.com/pYJMKC6.jpg

NSA/Government/Military mindset... secrecy by obscurity. It's now "We'll just hide our backdoor, really, super well. No one will ever find it. And we'll use our deep black VPN no one knows about... and hope no one notices."

Great discovery. Surprised no tinfoil had been mentioned about being a possible NSA "diode."

That's not more information. That answer is just making false assumptions (as also pointed out by the OP).
