Wireless Networking Security Hardware

NetGear Also Has Remote Access Wide Open

Posted by CowboyNeal
from the hotspot-back-doors dept.
Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on closes the hole (it is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
  • huh? (Score:4, Insightful)

    by schroet (244506) on Saturday June 05, 2004 @10:30AM (#9344024)
    you can turn off the external web interface on those things right? I guess that doesn't help if you're worried about crackers on your LAN but still, it may not be as bad as it sounds.

    Undocumented = bad, though.
    • Re:huh? (Score:4, Informative)

      by RidiculousPie (774439) on Saturday June 05, 2004 @10:36AM (#9344055)
      This vulnerability can be exploited by any person which is able to reach the webinterface of the device with a webbrowser.
      It would appear that if the webinterface is disabled, the device cannot be compromised.
    • >you can turn off the external web interface on those things right?

      Besides which, the network diagram on NETGEAR's support page tells you to put a firewall box between the WG602 and the Internet. (On the other hand the user manual shows a direct connection).
  • by Sadiq (103621) on Saturday June 05, 2004 @10:31AM (#9344027) Homepage
    "The backdoor seems to have been created by the vendor that used to package devices for NetGear"
  • by Anonymous Coward on Saturday June 05, 2004 @10:32AM (#9344034)
    http://kbserver.netgear.com/support_details.asp?dnldID=735
  • by xmas2003 (739875) on Saturday June 05, 2004 @10:33AM (#9344035) Homepage
    I think everyone can agree that backdoor passwords are a BAD idea - makes one wonder what the internal policies are at these companies - and what happens when they do a source code audit after these are found and track down the programmers who put 'em in.
    • Not to mention this one appears to be hard-coded.
    • They are normally there for the company to protect themselves.

      Stupid user messes up the router.

      They phone tech support: "I can't get onto my router's access page, I changed and lost the password"...

      "Two seconds sir, prove this is your IP."

      They run some tests to check it's who's on the phone...

      "There you go sir, your new password is ******, you may now change the settings again"....

      You ever tried to talk a noob through flashing the firmware on their router over the phone?
      • by AntiOrganic (650691) on Saturday June 05, 2004 @10:39AM (#9344072) Homepage
        This is absolutely idiotic. All routers have a default username/password combination that is restored when using the firmware reset button typically hidden on the back of the router. There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.
        • by Fulcrum of Evil (560260) on Saturday June 05, 2004 @11:04AM (#9344204)

          There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.

          Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.
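As an added illustration of the recovery scheme proposed in this comment (a code tied to the unit's serial number and its own clock, generated by the vendor's support desk and valid for an hour or two), and of the physical-button variant suggested further down the thread, here is a constructed Python sketch. It is not code from any vendor or from this thread; the master secret, serial numbers, timestamps, constants and function names are all assumptions made for the example.

```python
import base64
import hashlib
import hmac

# Constructed example of the recovery scheme sketched in the comment above.
# The support desk and the device share nothing but a per-device key; a
# recovery code is an HMAC over (serial, time window), so it expires on its
# own and is worthless for any other unit. All names and values are assumed.

WINDOW_SECONDS = 3600        # a code is tied to one one-hour window
CLOCK_SKEW_WINDOWS = 1       # the device also accepts the previous window
CODE_BYTES = 5               # 40 bits -> 8 base32 characters, readable over the phone

# Hypothetical vendor master secret. Only the support desk holds this; each
# device holds only its own derived key, never the master.
VENDOR_MASTER_SECRET = b"example-only-vendor-master-secret"


def device_key(master: bytes, serial: str) -> bytes:
    """Per-unit key provisioned at manufacture. Deriving it from the serial
    means the desk need not store a key per unit, while compromise of one
    device's key does not expose any other device's key."""
    return hmac.new(master, b"recovery-key|" + serial.encode(), hashlib.sha256).digest()


def recovery_code(dev_key: bytes, serial: str, window: int) -> str:
    """Code for one time window: a truncated HMAC over serial and window."""
    mac = hmac.new(dev_key, f"{serial}|{window}".encode(), hashlib.sha256).digest()
    return base64.b32encode(mac[:CODE_BYTES]).decode()  # 5 bytes -> 8 chars, no padding


def support_generate(master: bytes, serial: str, now: int) -> str:
    """Support-desk side: the caller reads out the serial and the clock the
    unit displays; the desk answers with a code for that window."""
    return recovery_code(device_key(master, serial), serial, now // WINDOW_SECONDS)


def device_accepts(dev_key: bytes, serial: str, code: str, device_now: int,
                   recovery_enabled: bool = True) -> bool:
    """Device side. `recovery_enabled` models the physical-button variant from
    later in the thread: recovery is refused unless someone with physical
    access armed it. The current window and the previous one are accepted to
    tolerate a slow phone call; anything else is rejected."""
    if not recovery_enabled:
        return False
    current = device_now // WINDOW_SECONDS
    for window in range(current - CLOCK_SKEW_WINDOWS, current + 1):
        expected = recovery_code(dev_key, serial, window)
        if hmac.compare_digest(expected, code):  # constant-time comparison
            return True
    return False


if __name__ == "__main__":
    serial = "WG602-EXAMPLE-0001"            # constructed serial number
    key = device_key(VENDOR_MASTER_SECRET, serial)
    t = 1_086_430_000                        # constructed timestamp (seconds)
    code = support_generate(VENDOR_MASTER_SECRET, serial, t)
    print("code read to caller:", code)
    print("accepted 10 min later:", device_accepts(key, serial, code, t + 600))
    print("accepted 3 h later:   ", device_accepts(key, serial, code, t + 3 * 3600))
    other = "WG602-EXAMPLE-0002"
    other_key = device_key(VENDOR_MASTER_SECRET, other)
    print("accepted by other unit:", device_accepts(other_key, other, code, t + 600))
    print("accepted while not armed:", device_accepts(key, serial, code, t + 600, recovery_enabled=False))
```

Deriving the code from a per-device key and a time window is what separates this from the hard-coded password the story is about: a code overheard for one unit buys nothing on another unit, or on the same unit a few hours later, and an arming step that needs physical access keeps the feature off the network entirely unless someone at the box turns it on.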

          • Confounding debugging by tech support? First of all, we're talking about a consumer product here. Tech support is not going to be logging in to see why RADIUS authentication is not working or to troubleshoot some advanced routing issues. In fact, when users call in having forgotten their password, I suspect tech support will just tell them to use the reset feature; it's far easier than trying to find out a consumer's IP address.

            No, you cannot justify this. Even if there was some kind of two-hour password,
          • IF you can lift it off the desk, you should have access to it. The router's password should be its S/N, period. No fancy measures or bells and whistles.
          • by jtheory (626492) on Saturday June 05, 2004 @12:10PM (#9344488) Homepage Journal
            Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.

            I'm not convinced. This is only a concern in cases where you're having technical problems, AND you somehow forgot your password. The danger of having a backdoor easily outweighs the potential benefits. Even with a special password generator from NetGear -- you're still talking security through obscurity. I want to set up my router, make sure it's secure, and forget about it! I don't want to keep checking online to see if you can download N3tg34r_PwG3n.exe yet... and you know it's going to show up eventually.

            Half the time you have any technical issues, the tech support is just going to tell you to do a hard reset anyway....

            Even if they gave you one of those paperclip-hole style buttons that would reset all your passwords to your device's serial number (or to enable some other backdoor), this would still be dangerous in a lot of situations. Suppose you're running an internet cafe -- you can't always trust the people sitting around your router!

            Either way, I don't think this backdoor was installed for tech support reasons -- it doesn't even seem to have been installed by NetGear themselves. Hopefully some more details will come out soon... and hopefully some heads will roll.

            It's funny; I just read that new story by the AdTI guy explaining how Linux wasn't safe to use because it depended on "trust". Hah! How nice for the corporate world to step forward and show that *they* can be trusted.
            • If your router is out in the open, you're still fucked.

              Personally, all of this makes it MORE COMPLEX than it has to be. Assume physical "control" of the device and ensure that only people with physical access can trigger the pinhole reset or whatever. Why? Because if someone has physical control of your router/box, you've got more serious problems at hand. The problem with the grandparent is that there's TOO MUCH FUCKING COMPLEXITY. You think tech support is hell now? Wait until you have to call supp
          • Why not just a physical (non-toggle) button that enables a unit-specific password for two hours? You might have a big sticker next to the button with that machine's login info. Gain physical access to the device, and you gain access to the router. Have the machine send an e-mail out to the administrators whenever this happens. You would have to trust your employees, but if you can't trust them you are doing something very wrong.

            Physical access generally means security access. Why not build this into
            • Why not just a physical (non-toggle) button that enables a unit-specific password for two hours? You might have a big sticker next to the button with that machine's login info. Gain physical access to the device, and you gain access to the router. Have the machine send an e-mail out to the administrators whenever this happens. You would have to trust your employees, but if you can't trust them you are doing something very wrong.

              You're making some big assumptions here, for one that "employees" are the onl
              • Do you want to require librarians to keep a constant watch over their routers, protecting them from teenagers with paperclips?

                Do they lock their fusebox?? Routers should be locked away too, if they're in a public area. As newer buildings are built that account for networking, this should be less of a problem. For now, just sticking it in the ceiling is often an effective solution.

                But I do agree that a button that only resets the password is asking for trouble. Hell, any time I change ANY setting on my router
    • There's a backdoor in the software auditing software. The programmer is safe.
    • by BigHungryJoe (737554) on Saturday June 05, 2004 @10:37AM (#9344063) Homepage
      Everyone but the vendors knows it's a bad idea. Cisco recently made the same mistake [cisco.com].
    • They are actually not that bad an idea IF implemented properly. It is a fact of tech support that some hapless user will lock themselves out of their own box.

      I think the best solution [intel.com] I've seen is from Intel for their 530T/535T series switches, where you can download a software utility that will generate a default password for your switch when you enter in the MAC address of the switch's management module. This password ONLY works from the console (requiring physical access to the switch, or root acces

  • by Anonymous Coward
    Why outsourcing (esp. when security should be a key component of your product) can be a bad idea. The article states that the password is the phone # of the place in Taiwan that develops and manufactures the device.
    They never thought to check this before distributing it, and now they suffer because of poor quality control. Is the outsourcer going to suffer? Maybe, or maybe they will just move on to the next contract. We shall see.
    • by kfg (145172) on Saturday June 05, 2004 @10:56AM (#9344165)
      This isn't outsourcing in the sense that IBM outsources its programming and support staff. It's outsourcing in the sense that your Raleigh bicycle is actually a Giant with a Raleigh sticker on.

      It isn't even really outsourcing in the sense that Dell outsources its video cards to ATI, its CPUs to Intel and its CD drives to LG, which is all perfectly legitimate. Would you really expect Dell to make its CPUs and capacitors?

      You buy stuff and market it.

      z-com is the actual manufacturer and they sell their products to marketers. Netgear just buys the stuff and resells it.

      Just like you could go to z-com and have them slap some stickers on stuff for you to resell. Or Giant. Or whoever makes Levis and Calvin Klein jeans in China. Or. . .

      This isn't about "outsourcing." This is about a marketing firm getting stuck with some bad product.

      KFG

      • You have a point. But I still wouldn't take them off the hook so fast. This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.
        • by kfg (145172)
          I still wouldn't take them off the hook so fast.

          Who said anything about taking them off the hook? As the marketer it is Netgear that is directly responsible to their customers.

          As the manufacturer it is z-com that is responsible to its customers, in this case, Netgear. There is a hierarchy of customers here in which Netgear is in the middle. The man in the middle is often the one to get squashed.

          This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.

          Yes,
  • by luvirini (753157) on Saturday June 05, 2004 @10:36AM (#9344056)
    This is a general problem when you buy ready-made solutions in the form of "boxes": you cannot be fully sure of anything inside, so it is basically a question of trust.

    For example firewalls:

    Question 1: how do you know the box firewall you bought is secure and no backdoors?

    Answer: normally you do not.

    Question 2: Why do the majority of people buy those instead of making their own?

    Answer: Because it is a lot more convenient.

    So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclination/will etc. to do it themselves.

    • by Temporal (96070) on Saturday June 05, 2004 @10:59AM (#9344177) Journal
      Question 1: How do you know the CPU you bought is secure and has no code-modifying backdoors?

      Answer: Normally you do not.

      Question 2: Why do the majority of people buy those instead of manufacturing their own?

      Answer: Because it is a lot more convenient.

      Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece, because:

      1) A packaged system built by a respected company is likely to be far better reviewed and tested than something you assemble/install yourself.

      2) If it has a hole, you know exactly whom to blame (and perhaps sue for damages, if exploited).
    • Question 2: Why do the majority of people buy those instead of making their own?

      Answer: Because it is a lot more convenient.

      I have a better answer... Because 99.9% don't realize there could be a security problem with it. I don't worry about security when I buy a washing machine or a TV, and that's about how most people view "box" devices.

      Also, I would add that it's more than convenience, since most people wouldn't be able to configure a computer to be a firewall if their life depended upon it. Maybe a custom

    • Question 1: how do you know the box firewall you bought is secure and no backdoors?

      Answer: normally you do not.

      Question 2: Why do the majority of people buy those instead of making their own?

      Answer: Because it is a lot more convenient.

      So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclination/will etc. to do it themselves.

      No one has the time to examine every line of every piece

  • taiwan, eh? (Score:5, Funny)

    by abscondment (672321) on Saturday June 05, 2004 @10:36AM (#9344057) Homepage

    A search on Google revealed that "5777364" is actually the phone number of z-com Taiwan which develops and offers WLAN equipment for its OEM customers.

    This number, surprisingly enough, is also the total amount of wooden furniture shipped from Malaysia [mtc.com.my] to Bahrain in 1998. Conspiracy! Conspiracy!

  • Possibilities. (Score:5, Interesting)

    by alexatrit (689331) on Saturday June 05, 2004 @10:37AM (#9344058) Homepage
    It's possible that this goes on a whole lot more than we'd like to admit. Just yesterday I was talking to a friend who called Dell technical support about her BIOS password on an Inspiron 5000. She had forgotten it, and couldn't access her settings. Unlike the old days where you'd crack open the box and go to the BIOS jumper switch, Dell provided her with a 6 character BIOS password that magically unlocked her system.
    • Re:Possibilities. (Score:2, Informative)

      by Hangtime (19526)
      With the automation Dell has in terms of its manufacturing process, I would not be surprised if that password is unique to the Dell Tag number itself instead of just a wide open tag for anyone to use.
      • Re:Possibilities. (Score:5, Informative)

        by alexatrit (689331) on Saturday June 05, 2004 @10:47AM (#9344125) Homepage
        I stand corrected, here.

        "The only way to clear the BIOS password is with a Master Reset Password provided by Dell for that Model No. and they will not give you the master unless you can give them the name, address and telephone of the registered owner. However the password is universal for all laps with the same model no., so if you know someone who is a registered owner, you can call Dell and get the master."

        Reference [experts-exchange.com] here. That being said, the master for an Inspiron 5000 is BLVJCH. Booyah!
        • Re:Possibilities. (Score:3, Interesting)

          by evilviper (135110)
          That's not good, but it's far better than the other extreme. IBM claims there is no way to clear a BIOS password on their laptops, so lots of people on eBay or other sites are buying expensive IBM paperweights. Now, I know for a fact that the password can be recovered and/or reset easily with some basic equipment, but IBM continues to insist that only a motherboard replacement will do, and they charge you the full price of a mobo just because of a stupid BIOS password. One has to wonder if they are ch
        • So what happens when you buy a used unit from the local 'Two Guys and a Roomful of Computers' place and it has a locked BIOS? Neither guy has a clue of the original owner. They bought a lot from some lease return outfit.

          (asking because I have a Latitude CPi in exactly that situation)

        • Ugh, the lame thing about experts-exchange.com is that Google has a lot of their pages highly ranked, and yet when you land on their page you have to "Sign up to see the solution!"

          So, in the spirit of making that site almost as useful as the open Google groups, here's some no-hassle username/passwords [bugmenot.com] to bypass it.


  • by swb (14022) on Saturday June 05, 2004 @10:42AM (#9344094)
    I've used a couple of the Netgear FVS318 firewall/vpn boxes; they're cheap, sturdily constructed, easy to configure and pretty reliable, but I'm always a little hinky about the unconfigurable software options as much as I am about the backdoors.

    My FVS318 does NTP to a hard-coded destination, and there's no way to turn this off or change the NTP sync server that I've found. I've always kind of wondered what else it does or was capable of doing.
  • by the_rajah (749499) * on Saturday June 05, 2004 @10:42AM (#9344096) Homepage
    routers look better all the time. At least you have some control over it....if you're a geek anyway.

    Which ones of the consumer products are safe? I'm running a D-Link wireless right now. Yes, the encryption is on.

    "Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
    • Well, except for the fact that configuring your own Linux router is a pain in the ass if you don't know exactly what you're doing. Plus, it'll probably come out being more expensive than your average consumer router since you have to buy multi port NICs and a wireless card.

      Personally, I think the Linksys WRT54G is the best value. It's cheap ($100) and it runs Linux on it AND you can get a shell on the box and install whatever software you want.
      • Well, except for the fact that configuring your own Linux router is a pain in the ass if you don't know exactly what you're doing. Plus, it'll probably come out being more expensive than your average consumer router since you have to buy multi port NICs and a wireless card.

        It's also a waste of electricity. For the geek, you're better off buying either a mini-ITX system or a hackable router (i.e., WRT54G).

  • Netgear WG302 (Score:4, Informative)

    by the eric conspiracy (20178) on Saturday June 05, 2004 @10:42AM (#9344102)
    Well, at least this username/password doesn't work with a WG302 with firmware 1.5.

  • WGR614 (Score:4, Informative)

    by Rinisari (521266) on Saturday June 05, 2004 @10:44AM (#9344114) Homepage Journal
    NetGear WGR614 is not affected by this bug. I'm going to try to get its firmware and follow the same procedure listed in that Bugtraq report to see what I can find.
  • Too easy (Score:3, Funny)

    by SuperBanana (662181) on Saturday June 05, 2004 @10:45AM (#9344118)

    All your basestation are belong to us?

    Man, takes all the fun out of these jokes when it's so easy.

  • Take my advice (Score:4, Informative)

    by Q2Serpent (216415) on Saturday June 05, 2004 @10:52AM (#9344152)
    I know this is a huge problem for the general public, but for those of us with a linux machine, do what I do and save yourself some trouble: put two network cards in the linux machine. Connect one to the internet and the other to your wireless router's normal ethernet ports (don't use the port that is supposed to be for the internet). Then, just set up your linux firewall/NAT, and you get all the benefits of wireless and a wired hub on the inside, with a linux machine doing the routing/firewalling for security from the outside. Since the router isn't on the net, no one can even touch it.
  • Good grief... (Score:5, Interesting)

    by zoloto (586738) on Saturday June 05, 2004 @10:53AM (#9344155)
    I tried this recently on my own unit. Works like a charm. Now that I'm really pissed, it looks like I might have to really complain through the courts by filing a motion with the intent to sue. Not only that, but get that old 500MHz P3 out of the closet and turn it into a router/NFS/Samba server and sell the POS Netgear router on eBay.

    That was the last straw. No more firmware-based routers unless I make them myself, or use existing ones as a wireless switch and really try to lock it down or use third-party firmware. /end_rant

    learning how to make a linux router / NFS will be handy anyhow
    • Re:Good grief... (Score:2, Insightful)

      by Peyna (14792)
      What are you going to sue about? The maybe $50 you spent on the router? You haven't incurred any loss or harm yet, just the potential for it.
      • negligence, possibly willful.
        a motion with intent to file claim is just to let the defendant know, or for lack of a better term, Get their attention on the matter.

        I didn't realize there was an update at the time of my original post. Either way, a /rant is a /rant.
      • Well, I'm sure he could sue on some sort of false advertising, or some other of the billions of vague premises that corporations often like to use to get their way against individuals.

    • Re:Good grief... (Score:4, Informative)

      by Gojira Shipi-Taro (465802) on Saturday June 05, 2004 @11:34AM (#9344315) Homepage
      Look into Smoothwall. I'm using it on an old PPro 200 as a firewall/router. It supports 3 networks at the moment (red/external, green/internal, orange/restricted (WLAN, for instance)). I have an older Netgear router that I keep as a spare (the old PPro 200 has to die sometime...), but even with that, the Smoothwall config can be dumped to floppy and moved to a completely different machine easily.
      • Re:Good grief... (Score:3, Interesting)

        by AbbyNormal (216235)
        I second that! I've been using Smoothwall for about a year; what's nice about it is that you can EASILY add add-ons/plugins developed by others to your system. Also, if you feel so inclined, it's mostly a Perl-based system, so you can write your own custom scripts.

        The installation is a snap and the default installation is good enough for 99% of "normal" internet users.
    • 99.99999% of the "deadenders" who sputter and spew "I... I'm gonna SUE!!!!" will not, and really have no clue about what it would take or even if they have any real legal basis to "SUE!!!!"

      It's cheap consumer electronics. Return it and get one that does not have this issue, then resume your life. No story here, move along.

  • by the eric conspiracy (20178) on Saturday June 05, 2004 @10:55AM (#9344162)
    These things usually sit behind a firewall, so you aren't in quite as bad shape as if it were offering its private parts to the general internet like the Linksys.

  • by pedantic bore (740196) on Saturday June 05, 2004 @11:09AM (#9344227)
    Gadzooks, could they have made it any easier for script kiddies to exploit this? Might as well just power down your netgear box until a new firmware patch comes out (assuming the firmware can be patched).

    I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords. It's not like it has any educational value (unlike looking at some exploits, which helps programmers learn how to write code that's not vulnerable).

  • I am amazed.... I just wonder how many DOS or DDOS attacks were made based on this wonderful backdoor... and btw: shall all the NetGear Users now dump their devices ?!? no way... if this thing is really un-patchable, then I suspect this leak to be open for many years from now, as the device is one of the most current ones... wow - just before I bought it :-)
  • by thewiz (24994) * on Saturday June 05, 2004 @11:10AM (#9344234)
    Just checked my WG602v2 and the factory firmware upgrade 2.0rc5 and they do not have the backdoor.

    Whew!
  • Man... (Score:4, Interesting)

    by 222 (551054) on Saturday June 05, 2004 @11:15AM (#9344250) Homepage
    OK, this is bad... but what I see as a far worse problem is that most OEMs don't bother setting passwords on Windows XP installs.
    I've even seen this happen on a ThinkPad, and I would have thought IBM of all people would know better. I've seen this on a few vendors before but I can't remember exactly which ones; has anyone else seen this happen before?
  • by noidentity (188756) on Saturday June 05, 2004 @11:32AM (#9344309)
    Come on! These backdoors provide a convenient excuse when you're charged with breaking the law by accessing illegal content over your connection. If the vendor told you of their presence, you wouldn't be able to use them as a defense. Er wait, if you didn't know of them... hmmm...
  • On a similar note, many developers leave easter eggs in software they write for fun or for whatever reason...Imagine Windows Server 2003 easter eggs allowing admin level login!
    I was shocked when I heard of easter eggs in my Handspring/PalmOne Treo 600 phone! Characters suddenly start appearing on the phone display by pressing a combination of keys...
    • No, it wasn't... (Score:3, Informative)

      by Otto (17870)
      The problem still exists. If you disable the firewall and disable remote admin, you can still get the remote admin page over the WAN. That, to me, is a bug. Okay, it may be a weird config as they stated, but it's a bug nevertheless.

      They also have beta firmware up on that link you posted to fix the problem.
  • Let's think for a minute here people, this Linksys firewall turned off by default stuff is more than likely a customer return or someone's idea of a joke. I haven't seen anyone but this "researcher" report this issue.
  • I was able to change NVRAM parameters using snmpset regardless of the community strings as long as SNMP was enabled on the WAP54G.

    dma@laureate:~$ snmpwalk 192.168.1.254 -O n -v 1 -c froqegftoeqgteqg
    enterprise
    .1.3.6.1.4.1.3955.1.1.0 = STRING: "v1.08, Aug 05, 2003"
    ...
    .1.3.6.1.4.1.3955.2.1.8.0 = IpAddress: 192.168.1.254
    .1.3.6.1.4.1.3955.2.1.9.0 = IpAddress: 255.255.255.0
    ...

    dma@laureate:~$ snmpset -c wghwgqgqerc -v 2c 192.168.1.254
    .1.3.6.1.4.1.3955.2.1.8.0 a "10.0.0.1"
    SNMPv2-SMI::enterprises.3955.2.1.8.0 =

  • at least the linksys one can be patched with a non-official firmware to improve functionality as well as fill in some of those "holes"
  • I know the password, and I'd tell you what it is, but I can't describe it [slashdot.org]. Ooooooooh well.
  • NOT A PROBLEM (Score:3, Informative)

    by $ASANY (705279) on Saturday June 05, 2004 @11:21PM (#9348154) Homepage
    I just ran this against my WG602 running firmware 1.5.7, and the account doesn't exist. So if you perform the absolute minimal step of checking for software upgrades before you put this into service, you won't run into any problem.

    If you don't immediately check for upgrades when you open a box and haven't with this hardware, though, perhaps you deserve to get 0wn3d?
