This completely ignores the reality of how the majority of people buy and use their computers. Sure, personally I (as: the HN user typing this comment) can portscan my router, solder in the serial port to get the system console... but that's not something that can reasonably be required from any average Joe.
Things on that level of negligence should be dealt with just like bare cables touchable from the outside: Have some entity go into stores, buy the box, check it for the worst vulnerabilities, declare it unsuitable for sale and place a ban on the vendor.
We do this for children's toys, electrical appliances, ... why not do it for IT equipment? Just to weed out the worst offenders in terms of security holes.
You might solve this problem in the short term, but end up with only being able to buy approved devices containing more obscure, government-sponsored backdoors instead.
Ignoring the history of non-government regulation, there's a reason why the FCC isn't the agency which recorded everyone's phone calls. There are huge civil liberties issues right now but they're orthogonal to consumer protection; we'll need to rein in the NSA no matter how or if we decide to do anything about companies shipping shoddy devices.
I must say you are taking quite a leap from "do not sell devices which are intended to harm consumers" to "sell only approved devices which have government-sponsored backdoors in them". Should consumers be scared that the government tries to do the same with food safety?
The food producer's freedom from inspection trumps the citizenry's ability to eat with minimal risk of food poisoning, so goes the thinking.
We currently have these backdoors-due-to-incompetence in addition to the government backdoors.
Taking either out of the equation is a win.
I don't mean they should be able to shut you off or anything, but I personally wouldn't mind a notification letting me know that I may have been hacked.
Nonetheless, having solid formalizations for network protocols is a good idea. But this just won't happen.
For example, if the vendor claims that the product is limited to a regular grammar (a “plus” for security), but the implementation contains extra stuff in the data section, then an audit can flag it since a finite state machine should (theoretically) only need code.
But, routers are not the only edge devices that worry me. Smart tvs|phones|toasters|… are also edge devices with respect to the topology of your “personal area network”.
That they were all using the same or a variation of the same firmware shows that the problem isn't maliciousness but carelessness. Someone writes a reference implementation that happens to have a hard-coded username as a debugging option. It may even have come with a note warning you that this needed to be changed before being put in the final product. But in the rush to get a product to market as fast and as cheap as possible, they forego any modification to the firmware beyond branding and push it out, bugs, backdoors, and all.
I think it's a stretch to say these are "major" vendors. I've only seen TrendNet in the wild and usually because someone is complaining about their internet not working well and I say, "Yeah, that's not a good router. You should buy another one." You get what you pay for.
Of course if a truly malicious actor wanted to place a backdoor into a router on purpose, I expect it'd be someplace other than the flash firmware that can be easily overwritten.
ALL of those devices are based on the same RTL8196C Realtek SoC. This is one stupid/corrupted/incompetent Realtek employee/contractor putting a backdoor in the SDK reference codebase (access under NDA; Realtek is famous for being hostile towards open source, just like Broadcom), and no one else bothering to even read the sources before shipping devices.
On the other hand, you can easily find datasheets for many of their SoCs. Whether or not this is due to their lax security policies is a question to consider too...
Realtek might not be agreeable to opensource, but I'd say they are still a far distance away from Broadcom. They are more of a "Gongkai" sort of company.
- Hanlon's Razor 
Hanlon's Razor, like Occam's Razor, is most useful in cases where there isn't any other evidence that points to a specific answer.
In the case of internet security, we do have a significant amount of evidence that several national spy agencies have been corrupting the security of networking hardware and software. With projects like BULLRUN and the RSA/Dual_EC_DRBG scandal, we even know they went as far as paying businesses to do exactly this kind of weakening of their products' security features. This is especially true for this kind of low-end, discount product; a business with low profit margins is probably easier to bribe.
All else is not equal, so it is reasonable to assign a high probability to spy agency involvement. This isn't proof, of course, but neither is Hanlon's Razor.
This requires determined effort to ignore the level of sophistication in evidence in the same reports of nation-state level attacks which you cite. Everyone who's read them noted a consistently high level of attention paid to making sure that attacks were both targeted and concealed.
Using “super” as both a username/password for a million devices is the kind of thing you'd expect from incompetence; with the NSA I'd expect something like what they actually did with Dual_EC_DRBG, where the device would show every sign of appearing to be secure but someone with knowledge of a particular constant could save significant effort when cracking the crypto. The last thing they want is for you to notice & patch the hole because some random spammer started exploiting it.
The one remotely plausible explanation would be something like this being a way for a mole to spin a backdoor as an innocent mistake. Even that's stretching it a bit because this is so easy to find that it'd have a pretty high risk of exposure – if you're going to invest that kind of time, a more subtle bug is only a minor increase in difficulty.
If you're going to be Bayesian about it, use Hanlon's Razor as your prior, then update that. In other words, you should default to that, unless you have very good reasons.
The first shall be last and the last shall be first.
I don't see any proof of access in TFA. Seems like this would be negligence at most.
Edit: Intentional backdoors left by vendors (that I've seen) set the password to be derived from the serial number or MAC address.
>"(2)A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." (UK Police Act 2006) //
Sections 1 and 3 refer to unauthorised access and the same but with intent to cause damage ("impair").
Arguably the inclusion of a backdoor without authorisation of a customer impairs the device and so it would already breach Section 3, but the new amendments mean that just making it where there's likelihood that it will be used nefariously is a crime. A backdoor is intended for unauthorised access and is certainly likely to be used that way IMO.
This amendment is a step too far IMO but it appears to apply here to router manufacturers (and anyone else including backdoors in consumer goods without notifying the user).
tl;dr actual commission of an actus reus isn't required in the UK; just supplying to someone who has a "likelihood" of committing an act is enough.
There's a lot written about attacks against default firmware but not much on ddwrt, openwrt or tomato.
And please correct me if I'm wrong. But if this is correct, I don't really see this as a vulnerability for most people, since most people don't even change the default logins on their routers.
For some other people it might be a problem, yup, but the attacker would have to enter the network first.
Other clever attacks are simple: most of the routers use default subnets of 192.168.0.0/24 with a gw at 192.168.0.1.
A malicious site can make a POST to 192.168.0.1 with username/password super/super and say, reconfigure your local DNS settings so that they can man-in-the-middle something like traffic that would normally go to an ad network. They can then serve up their own ads and make profit$.
edit: known since 2008, http://www.techrepublic.com/blog/data-center/csrf-attacks-ho...
Fortunately, open-source firmware is available:
Jokes aside, great to hear good work coming out of Kathmandu! We're behind the southern part of the subcontinent, but there's definitely a nice niche to be carved in the less glamorous side of the industry, such as security research and boring animation work. Pollution and craziness aside, if Kathmandu managed to leverage its moderate weather and infrastructure, I feel even things like 16-hour daily power cuts could be worked around.
On a somewhat related note: if someone in Kathmandu is interested in doing some relatively boring camera/filming work, I would love to talk. I have some funds that I would like to invest in the field.
@wpietri: You're not related to Joseph Pietri, are you? I am a BIG fan.
But to be clear, for this to be pulled off remotely, the router must first either disable its firewall or a DNS rebind attack or some other vulnerability must be possible. In the case of a rebind, a victim must also first visit an attacker's server. What would be even more concerning is if any of the routers hard coded with these login credentials are also vulnerable to a rebind or something else by default. Many manufacturers patched the rebind vulnerability back in 2010.
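The two remote paths raised in this thread, a cross-site POST to the router's default LAN address and a DNS rebinding trick that points an attacker's hostname at that address, are both closed by checks the router's admin UI can do on the request itself. The following is an added, constructed example (not code from any vendor firmware or from the commenters); the router address 192.168.0.1, the hostname `router.local` and the function names are assumptions.

```python
"""Request checks for a home-router admin page (constructed example).

Two defences are shown:
  * CSRF: a malicious page POSTing to http://192.168.0.1/ is refused
    unless the Origin (or Referer) is the router itself.
  * DNS rebinding: a browser that reached the router through the
    attacker's hostname sends that hostname in Host, not our address.
"""
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

ROUTER_ADDR = "192.168.0.1"                      # assumed LAN address
ALLOWED_HOSTS = {ROUTER_ADDR, "router.local"}    # names the UI answers to
STATE_CHANGING = {"POST", "PUT", "DELETE"}       # methods that alter config


def _host_of(url: str) -> Optional[str]:
    """Hostname (without port) from an Origin/Referer value, or None."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def check_admin_request(method: str, headers: Dict[str, str]) -> Tuple[bool, str]:
    """Return (allowed, reason) for one HTTP request to the admin UI.

    headers: HTTP request headers; key case is normalised here.
    """
    h = {k.lower(): v for k, v in headers.items()}

    # 1. DNS rebinding: the browser fills Host with the name it resolved,
    #    so a request that travelled via attacker.example cannot pass.
    host = h.get("host", "").split(":")[0]
    if host not in ALLOWED_HOSTS:
        return False, f"unexpected Host {host!r} (possible DNS rebinding)"

    # 2. CSRF: configuration changes must originate from a page the router
    #    served. Origin is preferred, Referer is the fallback, neither is
    #    a refusal (no silent allow for header-less requests).
    if method.upper() in STATE_CHANGING:
        src = h.get("origin") or h.get("referer")
        if not src:
            return False, "state-changing request without Origin/Referer"
        if _host_of(src) not in ALLOWED_HOSTS:
            return False, f"cross-site request from {src!r} (possible CSRF)"

    return True, "ok"
```

These checks complement, rather than replace, forcing a change from factory credentials on first login.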
I'm not advocating this practice at all, but consider that BIOS passwords could be easily bypassed with a hardcoded "default password". The one I still remember is "lkwpeter" and if you Google that one you'll find plenty more. That practice slowly faded away but many laptops' BIOS passwords are still overridable with a "manufacturer access" password that is derived from the serial number/asset tag.
The history of backdoors in hardware is a long one, so I'm not surprised to see them show up in routers. D-link had one a while back, and there have been several more discovered since then.
As you say, perhaps what keeps them from being exploited more is that they are not accessible from the Internet-facing side.
Also, a router being programmed like this exposes every device routed through it, whereas a BIOS backdoor only gives you access to the single device to which you have physical access. My surprise comes from the gall of the manufacturers as they should be fully aware of these implications.
Wouldn't it be easier to just say, "hold down the reset button on the back for 30 seconds"?
...And they said?