Router Firmware Backdoor (ensolnepal.com)
173 points by vangogh on Feb 28, 2015 | 81 comments

> Every user need to know their devices and vendor before purchasing.

This completely ignores the reality of how the majority of people buy and use their computers. Sure, personally I (as: the HN user typing this comment) can portscan my router, solder in the serial port to get the system console... but that's not something that can reasonably be required from any average Joe.

Things on that level of negligence should be dealt with just like bare cables touchable from the outside: Have some entity go into stores, buy the box, check it for the worst vulnerabilities, declare it unsuitable for sale and place a ban on the vendor.

We do this for childrens' toys, electrical appliances, ... why not do it for IT equipment? Just to weed out the worst offenders in terms of security holes.

Be careful what you wish for... giving more control to the authorities is something that may have quite oppressive long-term effects.

You might solve this problem in the short term, but end up with only being able to buy approved devices containing more obscure, government-sponsored backdoors instead.

Yeah, I mean, who hasn't heard about the time the UL people snuck a backdoor into someone's lighting so the DEA could kill pot-farms. Or that time when Consumer Reports forced car manufacturers to give the highway patrol a backdoor to prevent speeding.

Ignoring the history of non-government regulation, there's a reason why the FCC isn't the agency which recorded everyone's phone calls. There are huge civil liberties issues right now but they're orthogonal to consumer protection; we'll need to rein in the NSA no matter how or if we decide to do anything about companies shipping shoddy devices.

I know you fear losing control and utility of your computing devices (I do too!) "because security", but I'm with GP on this one. This level of negligence is something public needs to be protected from. It's akin to a company manufacturing toys from toxic materials. Whether by accident or cost-cutting, the product is dangerous and should be taken off the shelves, and producer should be open for liability for any damages it caused. It's a matter of consumer protection.

Like all those Lemon laws. Used car dealers' reputation might someday not be synonymous with fraudsters that try to peddle broken machines to gullible people.

I must say you are taking quite a leap from "do not sell devices which are intended to harm consumers" to "sell only approved devices which have government-sponsored backdoors in them". Should consumers be scared that the government tries to do the same with food safety?

I have often, especially in the comment sections for regional newspapers, seen the claim that yes, the government should step away from food safety.

The food producer's freedom from inspection trumps the citizenry's ability to eat with minimal risk of food poisoning, so goes the thinking.

but end up with only being able to buy approved devices containing more obscure, government-sponsored backdoors instead.

We currently have these backdoors-due-to-incompetence in addition to the government backdoors.

Taking either out of the equation is a win.

That's a great idea, and would be a natural fit for both Consumer Reports and Underwriters Laboratories in the US.

I'm sure somebody will probably point out to me why this is a terrible idea, but I have thought that ISPs probably can detect traffic known to be coming to/from bot networks and then send a letter of warning to the customer. They can do it for supposedly illegal file sharing, so why not do something helpful and let customers know that fishy traffic is coming from their system?

I don't mean they should be able to shut you off or anything, but I personally wouldn't mind a notification letting me know that I may have been hacked.

They are allowed to look into the traffic only as much as they need to in order to maintain quality service. They notice stuff like botnets and piracy because both of these activities have the potential to generate abnormal amounts of traffic. Another reason they are likely to notice these things is because a third party will often notify them about the activity. They would have to monitor your connection/activity in a way that's highly unethical and possibly illegal in order to detect anything that isn't overly noisy.

That makes sense. I'd imagine though that it shows up on the ISP's radar when major DoS attacks happen. It seems like they could set up alarms for such things. Maybe it could be an opt-in thing.

DoS attacks also generate huge amounts of traffic, and so they are also detected through the normal, high-level monitoring activity that ISPs conduct.

It wouldn't even be that hard: Just require the vendors to publish the state machine diagram, and if an examiner discovers a hidden “weird machine”[1], they recommend a sanction that depends on how powerful the weird machine is. If it’s Turing equivalent, then it gets banned outright. If the weird machine was knowingly created and hidden, then we start talking about fines and other penalties.

[1] http://en.m.wikipedia.org/wiki/Weird_machine

Most IT equipment is not built in such a way that its behavior is formally-verifiable or even formally-describable as a state machine - for the most part, we're talking about a full Linux installation that comes with the vendor's preferred web server (for administration) and default routing configuration.

Sorry, I should have made it more explicit that I'm just talking about the stuff at the edges. For instance, we can do this with something like a TCP library just by evaluating it against the state machine published in the RFC. Similarly, custom protocols are ultimately just state machines, and it's easier to effect secureness when you limit the protocol to a regular or context-free grammar[1]. But, if the vendor insists that their protocol needs a more powerful grammar, then at least we can start talking about security/feature trade-offs in formal terms (i.e. vendors would have to justify their decisions with math and computer science instead of feature checkboxes and pricing psychology).

[1] http://www.cs.dartmouth.edu/~sergey/langsec/

Having documentation or source code is nice, but not going to help, because you have to verify the system in question actually conforms to the documentation. With the software - to a certain extent - this is possible with static analysis, but with hardware this is nearly damn impossible.

Nonetheless, having solid formalizations for network protocols is a good idea. But this just won't happen.

Sure, that works for a restricted set of vulnerabilities. But generally security vulnerabilities don't stem from bad protocol implementations, but from misconfigurations of generally-functioning software, and bad choice of policy. (For example, this vulnerability was just an extra hardcoded admin account in the router's web console.)

If I know what the state machine/protocol looks like, I can have a better idea about how much stuff should be present.

For example, if the vendor claims that the product is limited to a regular grammar (a “plus” for security), but the implementation contains extra stuff in the data section, then an audit can flag it since a finite state machine should (theoretically) only need code.

How do you "limit the protocol to a regular or context-free grammar" in a consumer internet router?

Since IP4 and TCP each have a “length field”, they're stuck being context-sensitive I suppose. But, on the other hand, since the length fields are bounded, you could treat each value as a separate token (though it would create a huge state machine).

But, routers are not the only edge devices that worry me. Smart tvs|phones|toasters|… are also edge devices with respect to the topology of your “personal area network”.

Yes, exactly. In the US, this is the thing NSA should be going after ("pentesting for the people"), unleashing their wrath on vendors who sell this product (How many a politician uses a vulnerable router like that? How many a public service? It could endanger lives.) This is the thing EFF should be making easy money on.

Looks to me that these are all discount vendors. I didn't even know Realtek made their own consumer devices.

That they were all using the same or a variation of the same firmware shows that the problem isn't maliciousness but carelessness. Someone writes a reference implementation that happens to have a hard-coded username as a debugging option. It may even have come with a note warning you that this needed to be changed before being put in the final product. But in the rush to get a product to market as fast and as cheap as possible, they forego any modification to the firmware beyond branding and push it out, bugs, backdoors, and all.

I think it's a stretch to say these are "major" vendors. I've only seen TrendNet in the wild and usually because someone is complaining about their internet not working well and I say, "Yeah, that's not a good router. You should buy another one." You get what you pay for.

Of course if a truly malicious actor wanted to place a backdoor into a router on purpose, I expect it'd be someplace other than the flash firmware that can be easily overwritten.
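The hard-coded debug account described above is exactly the kind of thing a pre-ship review of the reference firmware should catch. The following is an added example (not code from the article, from Realtek, or from any vendor SDK) that audits the passwd/shadow files of an already-extracted firmware root for passwordless logins, extra UID 0 accounts and password hashes baked into the image. The file contents, the account name `super` and the hash string are constructed sample input; the directory layout (`etc/passwd`, `etc/shadow` under the extracted root) is an assumption about a typical embedded Linux image.

```python
"""Audit an extracted firmware root for hard-coded or root-equivalent accounts.

Added example: assumes the root filesystem has already been extracted
(e.g. from a squashfs image) to a directory. All sample data is constructed.
"""
import os
import tempfile

# Password-field values that mean the account cannot log in with a password.
LOCKED = {"*", "!", "!!"}

# Constructed sample files: 'super' is a root-equivalent debug account with a
# baked-in hash, 'guest' has an empty password field, 'nobody' is locked and
# 'root' defers to a locked shadow entry.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
super:$1$SALT$fakehashfakehashfakeha:0:0:debug:/:/bin/sh
nobody:*:99:99:nobody:/:/bin/false
guest::1000:1000:guest:/tmp:/bin/sh
"""
SAMPLE_SHADOW = "root:!:10933:0:99999:7:::\n"


def parse_account_lines(text):
    """Split passwd- or shadow-format text into field lists.

    Blank lines and comments are skipped; malformed lines are kept so the
    caller can report them instead of silently dropping them.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rows.append(line.split(":"))
    return rows


def audit_accounts(passwd_text, shadow_text=""):
    """Return a list of (severity, account, reason) findings.

    Flags empty password fields (login without a password), accounts whose
    hash ships inside the image, and UID 0 accounts other than root.
    """
    shadow = {r[0]: r[1] for r in parse_account_lines(shadow_text) if len(r) >= 2}
    findings = []
    for row in parse_account_lines(passwd_text):
        if len(row) != 7:
            findings.append(("warn", row[0], "malformed passwd entry"))
            continue
        name, pw, uid, _gid, _gecos, _home, _shell = row
        # 'x' means the real field lives in /etc/shadow; a missing shadow
        # entry is treated as locked.
        if pw == "x":
            pw = shadow.get(name, "!")
        if pw == "":
            findings.append(("high", name, "empty password field: login without a password"))
        elif pw not in LOCKED:
            findings.append(("high", name, "password hash is hard-coded in the image"))
        if uid == "0" and name != "root":
            findings.append(("high", name, "additional UID 0 (root-equivalent) account"))
    return findings


def audit_extracted_root(root_dir):
    """Run audit_accounts over etc/passwd and etc/shadow beneath root_dir."""
    def read(rel):
        path = os.path.join(root_dir, rel)
        if not os.path.isfile(path):
            return ""
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    return audit_accounts(read("etc/passwd"), read("etc/shadow"))


def demo_audit():
    """Write the constructed sample files to a temp dir and audit them."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as fh:
            fh.write(SAMPLE_PASSWD)
        with open(os.path.join(root, "etc", "shadow"), "w") as fh:
            fh.write(SAMPLE_SHADOW)
        return audit_extracted_root(root)


if __name__ == "__main__":
    for severity, account, reason in demo_audit():
        print(f"[{severity}] {account}: {reason}")
```

On the constructed sample this reports three high findings: the `super` account both for its baked-in hash and for being a second UID 0 user, and `guest` for an empty password field; `root` and `nobody` are correctly locked and produce nothing.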

>Realtek made their own consumer devices

they don't

ALL of those devices are based on the same RTL8196C Realtek SoC. This is one stupid/corrupted/incompetent Realtek employee/contractor putting a backdoor in SDK reference codebase (access under NDA, Realtek is famous for being hostile towards opensource just like Broadcom), and no one else bothering to even read sources before shipping devices.

Realtek is famous for being hostile towards opensource just like Broadcom

On the other hand, you can easily find datasheets for many of their SoCs. Whether or not this is due to their lax security policies is a question to consider too...

Realtek might not be agreeable to opensource, but I'd say they are still a far distance away from Broadcom. They are more of a "Gongkai"[1] sort of company.

[1] http://www.bunniestudios.com/blog/?p=4297

Doesn't gongkai imply that someone simply "stole" their datasheets and circulated them? I.e. they are available, but not because the company itself wanted it that way.


"Never attribute to malice that which is adequately explained by stupidity"

- Hanlon's Razor [1]

[1] https://en.wikipedia.org/wiki/Hanlon%27s_razor

As a corollary to Occam's Razor, this is always a good heuristic to remember. It is also important to keep in mind that heuristics can sometimes be misleading and should not be followed blindly.

Hanlon's Razor, like Occam's Razor, is most useful in cases where there isn't any other evidence that points to a specific answer.

In the case of internet security, we do have a significant amount of evidence that several national spy agencies have been corrupting the security of networking hardware and software. With projects like BULLRUN and the RSA/Dual_EC_DRBG scandal, we even know they went as far as paying businesses to do exactly this kind of weakening of their products' security features. This is especially true for this kind of low-end, discount product; a business with low profit margins is probably easier to bribe.

All else is not equal, so it is reasonable to assign a high probability to spy agency involvement. This isn't proof, of course, but neither is Hanlon's Razor.

> All else is not equal, so it is reasonable to assign a high probability to spy agency involvement.

This requires determined effort to ignore the level of sophistication on evidence in the same reports of nation-state level attacks which you cite. Everyone who's read them noted a consistently high level of attention paid to making sure that attacks were both targeted and concealed.

Using “super” as both a username/password for a million devices is the kind of thing you'd expect from incompetence; with the NSA I'd expect something like what they actually did with Dual_EC_DRBG, where the device would show every sign of appearing to be secure but someone with knowledge of a particular constant could save significant effort when cracking the crypto. The last thing they want is for you to notice & patch the hole because some random spammer started exploiting it.

The NSA is not the only spy agency in the world.

You might have missed that the examples cited in the post which I assigned were all NSA programs. That said, any serious program is unlikely to make a rookie mistake like this.

The one remotely plausible explanation would be something like this being a way for a mole to spin a backdoor as an innocent mistake. Even that's stretching it a bit because this is so easy to find that it'd have a pretty high risk of exposure – if you're going to invest that kind of time, a more subtle bug is only a minor increase in difficulty.

You can also try that.

But what that really says, is that between malice and stupidity, the odds are most often for stupidity. Garden variety stupidity is much more common than clever malice. There is no reason to rule out clever malice entirely, however.

If you're going to be Bayesian about it, use Hanlon's Razor as your prior, then update that. In other words, you should default to that, unless you have very good reasons.

Fair enough - this is too obvious, a lot more effort would be applied to obfuscate a deliberate backdoor

Like I said, if a truly malicious actor wanted to get a backdoor in I expect they'd be able to be a lot more subtle than a default password in a web administration app. The cost of doing what you describe is too great for something that can easily be blocked by flashing Tomato... or just turning off remote web management.

> And the last option is to use Open Source firmware if your device supports it (e.g. OpenWrt)

The first shall be last and the last shall be first.

Why aren't these vendors being prosecuted under the "exceeds authorized access" provisions of the Computer Fraud and Abuse Act? There's no EULA to protect the vendor.

AFAIK that would require the vendor to actually access/use these "backdoors" (though they look like debug access mistakenly left enabled).

I don't see any proof of access in TFA. Seems like this would be negligence at most.

Edit: Intentional backdoors left by vendors (that I've seen) set the password to be derived from the serial number or mac address.

FWIW the UK equivalent, the Computer Misuse Act 1990, has been amended (by the Police and Justice Act 2006, [1]) to include a Section 3A that in part says:

> "(2) A person is guilty of an offence if he supplies or offers to supply any article believing that it is likely to be used to commit, or to assist in the commission of, an offence under section 1 or 3." (UK Police Act 2006)

Sections 1 and 3 [2] refer to unauthorised access and the same but with intent to cause damage ("impair").

Arguably the inclusion of a backdoor without authorisation of a customer impairs the device and so it would already breach Section 3, but the new amendments mean that just making it where there's likelihood that it will be used nefariously is a crime. A backdoor is intended for unauthorised access and is certainly likely to be used that way IMO.

This amendment is a step too far IMO but it appears to apply here to router manufacturers (and anyone else including backdoors in consumer goods without notifying the user).

tl;dr actual commission of an actus reus isn't required in the UK; just supplying to someone who has a "likelihood" of committing an act is enough.


[1] http://www.legislation.gov.uk/ukpga/2006/48/section/37

[2] http://www.legislation.gov.uk/ukpga/1990/18/section/1

Agreed. If we're going to have laws like the CFAA they should be applied equally, rather than assuming that "mere consumers" don't have any data to protect.

It's off topic, but what's the best way to know whether your router has a backdoor if you're not very technically advanced?

You can't know for sure, but the best way to avoid vendor software backdoors is to get hardware that supports OpenWRT and run that.

Not to mention that in addition to probably not having a backdoor, it is also way more stable than the junk firmware that a lot of routers have. I had a Linksys that would need to be restarted every few days to clear out the cache of the router because it stopped working. Installing the open source firmware made it rock solid and added a bunch of features that you'd only get in expensive routers.

Unless you're sure the NSA hasn't installed a backdoor in the firmware like with hard drives...

Wireless routers typically have just one NOR flash chip as the only nonvolatile storage device, and any firmware needed by the WiFi devices is uploaded when the devices are initialized by the OS. There just aren't many places to hide something like a rootkit, and that's part of why these backdoors are so easy to find by inspection.

What you would have to do is find out which routers have more "long term" support. Those are the ones that tend to have the better developed software and fewer security holes. Those also tend to be the more expensive ones for that exact reason. Once you've bought that router, they are getting no more money from you, so if they want to keep it supported, they have to charge more to make up for the cost of software support.

I wonder how many of these attacks have been/can be run against ddwrt.

There's a lot written about attacks against default firmware but not much on ddwrt, openwrt or tomato.

If I understand correctly those credentials are only usable if you get access to the router, by cracking a WEP key for example.

And please correct me if I'm wrong. But if this is correct, I don't really see this as a vulnerability for most people, since most people don't even change the default logins on their routers.

For some other people it might be a problem, yup, but the attacker would have to enter the network first.

A lot of these routers might have their web console visible on the WAN side.

Other clever attacks are simple: most of the routers use default subnets of with a gw at

A malicious site can make a post to with user name/pw super super and say reconfigure your local dns settings so that they can man in the middle something like traffic that would normally go to an ad network. They can then serve up their own ads and make profit$.

Recently, attacks against home routers were mounted via malicious iframes pushed to a PC in the LAN. That vector neither requires physical presence nor wifi password cracking, merely CSRF.

edit: known since 2008, http://www.techrepublic.com/blog/data-center/csrf-attacks-ho...

Most of the routers do have the WAN management service on by default and can be accessed easily from the internet. If it is not on the internet then a rebind attack is there as a backup: https://code.google.com/p/rebind/

I have a feeling this could potentially be any router based on the Realtek RTL8181/8186 and using some default firmware.

Fortunately, open-source firmware is available:


Interesting. I would think that the authors of the open-source firmware have come across the backdoor at some point, assuming they did go through the reference firmware.

I wonder how many of the affected routers have their remote management interfaces turned on by default - if they are off (as they should be) then it probably isn't that big a deal... I mean, loads of routers have admin:admin set and left unchanged

That doesn't actually mitigate the problem much, if at all. Many of these devices are likely to be vulnerable to CSRF; a malicious web page may be able to trigger requests which log into a local router and perform management tasks.

I think modern browsers prevent cross-site requests to local subnets, so this may mitigate CSRF.
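The defences that actually close the gap described in the two comments above live in the router's own admin interface, not in the browser. The following is an added example (not code from the article or from any router firmware) of the three server-side checks a LAN-facing admin UI should apply before acting on a request: a Host header check so the device does not answer when a DNS-rebound name is used to reach it, an Origin/Referer check on state-changing requests, and a per-session CSRF token bound to the session with an HMAC. The addresses in `ROUTER_HOSTS`, the request dictionaries and the secret are constructed sample values; the request shape is an assumption standing in for whatever HTTP framework the device uses.

```python
"""Server-side CSRF and DNS-rebinding checks for a LAN router admin interface.

Added example with constructed sample data; the request dict shape is an
assumption standing in for the device's real HTTP handler.
"""
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed: the only names/addresses this admin interface should answer for.
ROUTER_HOSTS = {"192.168.1.1", "router.lan"}
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def host_is_router(headers):
    """DNS-rebinding defence: a rebound request carries the attacker's domain in
    Host, because the browser believes that name resolved to the LAN address."""
    host = headers.get("Host", "").rsplit(":", 1)[0].lower()
    return host in ROUTER_HOSTS


def origin_is_router(headers):
    """CSRF defence 1: a cross-site form post or XHR carries the attacking page's
    Origin (or Referer); only the router's own pages may change state."""
    src = headers.get("Origin") or headers.get("Referer")
    if not src:
        return False
    return (urlsplit(src).hostname or "").lower() in ROUTER_HOSTS


def issue_csrf_token(secret, session_id):
    """CSRF defence 2: a token bound to the login session, so a page that cannot
    read the router's responses cannot learn or forge it."""
    return hmac.new(secret, session_id.encode(), hashlib.sha256).hexdigest()


def verify_csrf_token(secret, session_id, token):
    # compare_digest avoids leaking the token through timing differences.
    return hmac.compare_digest(issue_csrf_token(secret, session_id), token or "")


def authorize_admin_request(req, secret):
    """Return (allowed, reason) for a request dict with keys
    method, headers, session_id and form."""
    headers = req["headers"]
    if not host_is_router(headers):
        return False, "Host header does not name the router (possible DNS rebinding)"
    if req["method"].upper() in SAFE_METHODS:
        return True, "read-only request"
    if not origin_is_router(headers):
        return False, "cross-site origin on state-changing request (possible CSRF)"
    if not req.get("session_id"):
        return False, "no authenticated session"
    if not verify_csrf_token(secret, req["session_id"], req.get("form", {}).get("csrf_token")):
        return False, "missing or invalid CSRF token"
    return True, "authorized"


def run_samples(secret):
    """Evaluate three constructed requests: a legitimate admin form post, a
    CSRF attempt from another site, and a request via a rebound hostname."""
    token = issue_csrf_token(secret, "sess-1")
    base_headers = {"Host": "192.168.1.1", "Origin": "http://192.168.1.1"}
    samples = {
        "legit_post": {"method": "POST", "headers": dict(base_headers),
                       "session_id": "sess-1", "form": {"csrf_token": token}},
        "csrf_post": {"method": "POST",
                      "headers": {"Host": "192.168.1.1", "Origin": "https://evil.example"},
                      "session_id": "sess-1", "form": {"dns": "203.0.113.5"}},
        "rebound_get": {"method": "GET",
                        "headers": {"Host": "attacker.example"}, "session_id": ""},
    }
    return {name: authorize_admin_request(req, secret) for name, req in samples.items()}


if __name__ == "__main__":
    for name, result in run_samples(secrets.token_bytes(32)).items():
        print(f"{name}: {result}")
```

Note the ordering: the Host check runs even for GET, because a rebinding attack reads responses as well as sending them, while the Origin and token checks only gate requests that change configuration. A token alone is not enough if the router also answers for arbitrary Host names, since a rebound page can then read the token out of the admin page.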

In my experience this is not restricted to manufacturers. Routers supplied by ISPs and carriers often have custom firmwares which have backdoors as well, of course labelled as a "Maintenance & Remote Service" feature. After figuring out the password on mine, I had no issue going into my neighbour's router with full access...

That this research was presented at "Hotel Yak and Yeti, Kathmandu Nepal" really takes this over the top for me.

Ahhh, you mean you prefer other 5-Star hotels in Kathmandu such as Soaltee Crowne Plaza, Hyatt Regency, or Everest? ; )

Jokes aside, great to hear good work coming out of Kathmandu! We're behind the Southern part of the subcontinent, but there's definitely a nice niche to be carved in the less glamorous side of the industry, such as security research and boring animation work. Pollution and craziness aside, if Kathmandu managed to leverage its moderate weather and infrastructure, I feel even things like 16-hour daily power cuts could be worked around.

In a somewhat related note: if someone in Kathmandu is interested in doing some relatively boring camera/filming work, I would love to talk. I have some funds that I would like to invest in the field.

@wpietri: You're not related to Joseph Pietri[1], are you? I am a BIG fan.

[1] http://www.amazon.com/The-King-Nepal-Life-Before/dp/09799886...

Turning off the remote-web-management interface by default at the factory at least? This will mitigate the issue; still, nobody should ever pre-program a fixed root password, or at least they should ask the customer in BOLD FONTS to change it right away, or better, force people to set up a password during installation.

Just assume everything you buy is backdoored by the manufacturer. Software, firmware, hardware... doesn't matter. How much you let this reality affect your life is up to you, just do what you can.

Never thought this POC would be made this soon.

Is this the POC for the backdoor?

Yes, it is

It baffles me that any router manufacturer would have the nerve to hard-code login credentials into their routers.

But to be clear, for this to be pulled off remotely, the router must first either disable its firewall or a DNS rebind attack or some other vulnerability must be possible. In the case of a rebind, a victim must also first visit an attacker's server. What would be even more concerning is if any of the routers hard coded with these login credentials are also vulnerable to a rebind or something else by default. Many manufacturers patched the rebind vulnerability back in 2010.
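The rebind precondition mentioned above can also be cut off one step earlier, in the LAN's own resolver: an upstream answer that maps a public name to a private, loopback or link-local address is the signature of a rebinding attack and can be dropped before the browser ever sees it (dnsmasq's `--stop-dns-rebind` option implements the same idea). The following is an added example (not code from the article or from dnsmasq) that parses a DNS response in wire format, including compressed names, and separates A records that rebind a public name onto the LAN from those that are legitimate. The query names, addresses and the `.lan` suffix are constructed sample values, and the response packets are built by a small helper so the example runs offline.

```python
"""Detect DNS-rebinding answers in a DNS response (wire format).

Added example with constructed packets; the trusted '.lan' suffix stands in
for whatever local domain the LAN actually uses.
"""
import ipaddress
import struct

TYPE_A = 1


def encode_name(name):
    """Encode a dotted name as DNS labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(qname, addrs, ttl=60):
    """Constructed test input: a response with one question and A records
    whose owner names use a compression pointer (0xC00C) to the question."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, len(addrs), 0, 0)
    question = encode_name(qname) + struct.pack("!HH", TYPE_A, 1)
    answers = b""
    for addr in addrs:
        answers += b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, 1, ttl, 4)
        answers += ipaddress.IPv4Address(addr).packed
    return header + question + answers


def read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:
            # Compression pointer: remember where this name ends in the
            # original position, then continue at the pointed-to labels.
            if end is None:
                end = offset + 2
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 128:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def inspect_response(msg, trusted_suffixes=(".lan",)):
    """Return (kept, dropped): lists of (name, ip) for A records.

    An A record is dropped when a name outside the trusted local suffixes
    resolves to a private, loopback or link-local address, which is the
    pattern a rebinding attack needs to point a browser at the router.
    """
    _id, _flags, qdcount, ancount, _ns, _ar = struct.unpack_from("!HHHHHH", msg, 0)
    offset = 12
    for _ in range(qdcount):
        _, offset = read_name(msg, offset)
        offset += 4  # qtype + qclass
    kept, dropped = [], []
    for _ in range(ancount):
        name, offset = read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack_from("!HHIH", msg, offset)
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype != TYPE_A or rdlen != 4:
            continue  # only A records are judged here
        ip = ipaddress.IPv4Address(rdata)
        internal = ip.is_private or ip.is_loopback or ip.is_link_local
        local_name = name.lower().endswith(trusted_suffixes)
        (dropped if internal and not local_name else kept).append((name, str(ip)))
    return kept, dropped


if __name__ == "__main__":
    # Constructed: a public CDN name that also answers with the router's address.
    pkt = build_a_response("cdn.example", ["93.184.216.34", "192.168.1.1"])
    print(inspect_response(pkt))
```

A resolver applying this rule must still allow genuinely local names (the `printer.lan` case in the test) to resolve to LAN addresses, which is why the check is keyed on the name as well as the address; a filter that only looked at the address would break every local hostname.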

It baffles me that any router manufacturer would have the nerve to hard-code login credentials into their routers.

I'm not advocating this practice at all, but consider that BIOS passwords could be easily bypassed with a hardcoded "default password". The one I still remember is "lkwpeter" and if you Google that one you'll find plenty more. That practice slowly faded away but many laptops' BIOS passwords are still overridable with a "manufacturer access" password that is derived from the serial number/asset tag.

The history of backdoors in hardware is a long one, so I'm not surprised to see them show up in routers. D-link had one a while back, and there have been several more discovered since then.

As you say, perhaps what keeps them from being exploited more is that they are not accessible from the Internet-facing side.

True, hardware backdoors have been around forever. The difference here is a BIOS backdoor password has a somewhat legitimate reason. You can't just hit a reset button on your PC if you forget the BIOS credentials the way you can on your router.

Also, a router being programmed like this exposes every device routed through it, whereas a BIOS backdoor only gives you access to the single device to which you have physical access. My surprise comes from the gall of the manufacturers as they should be fully aware of these implications.

It's often done to make support calls easier. You could spend a long time trying to explain to a frustrated customer how to use telnet (Type a slash... no, that's backslash. No don't type the word "slash"...) Or you could just say "let me log onto the router and fix it for you."

Telnet wouldn't help if they forgot the password and it wasn't hard-coded as a back door. Also, the support tech wouldn't be able to access it remotely unless some of the things I mentioned in the original comment were true.

Wouldn't it be easier to just say, "hold down the reset button on the back for 30 seconds"?

> Only TREDNET (sp) has replied till now.

...And they said?

That all their routers in that list are discontinued and out of active maintenance, probably.

Almost certainly nothing, in a very reassuring and adult-in-the-room manner.

Here someone already has posted the POC too; I was surprised how he found it this soon, too smart. https://www.youtube.com/watch?v=QBPh8oVuNdg&feature=youtu.be

They should list the ones that they tried that are safe too. I tried my Cisco EPC 3925 and super/super does not work.

That list would be way too long really.

nah, they can't have tried a really long list.

Depending upon the router they do have some bugs, but the thing is the vendors don't give much of a damn about it.

one word ... MikroTik

Really dude, you will buy that for home use?

This is crazy...we are no more secure

