NetGear Also Has Remote Access Wide Open 215
Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
huh? (Score:4, Insightful)
Undocumented = bad though,
One wonders what the internal policies are ... (Score:5, Insightful)
Just another reason (Score:2, Insightful)
They never thought to check this before distributing it, and now they suffer because of poor quality control. Is the outsourcer going to suffer? Maybe, or maybe they will just move on to the next contract. We shall see.
Re:One wonders what the internal policies are ... (Score:2, Insightful)
Stupid user messes up the router.
They phone tech support "i can't get onto my routers access page, i changed and lost the password"...
"two seconds sir, prove this is your ip"
they run some tests to check its whos on the phone..
"there you go sir, your new password is ******, you may now change the settings again"....
You ever tried to talk to a noob thru flashing the firmware on their router over the phone?
The problem of convinience (Score:5, Insightful)
For example firewalls:
Question 1: how do you know the box firewall you bought is secure and no backdoors?
Answer: normally you do not.
Question 2: Why do majority ofpeople buy those instead of making their own?
Answer: Because it is a lot more convinient
So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.
Re:One wonders what the internal policies are ... (Score:5, Insightful)
Makes those old 486 machines running Linux.. (Score:3, Insightful)
Which ones of the consumer products are safe? I'm running a D-Link wireless right now.Yes the encryption is on.
"Do the Right Thing. It will gratify some people and astound the rest." - Mark Twain
Well, at least it's only an access point (Score:5, Insightful)
Re:Just another reason (Score:4, Insightful)
It isn't even really outsourcing in the sense that Dell oursources its video cards to ATI, its cpus to Intel and its CD drives to LG, which is all perfectly legitimate. Would you really expect Dell to make its cpus and capacitors?
You buy stuff and market it.
z-com is the actual manufacturer and they sell their products to marketers. Netgear just buys the stuff and resells it.
Just like you could go to z-com and have them slap some stickers on stuff for you to resell. Or Giant. Or whoever makes Levis and Calvin Klien jeans in China. Or. .
This isn't about "outsourcing." This about a marketing firm getting stuck with some bad product.
KFG
Re:Good grief... (Score:2, Insightful)
Re:The problem of convinience (Score:5, Insightful)
Answer: Normally you do not.
Question 2: Why do the majority of people buy those instead of manufacturing their own?
Answer: Because it is a lot more convenient.
Any piece of hardware can have a backdoor in it, really. If anything, you're probably safer buying the system all in one piece, because:
1) A packaged system built by a respected company is likely to be far better reviewed and tested than something you assemble/install yourself.
2) If it has a hole, you know exactly whom to blame (and perhaps sue for damages, if exploited).
Re:Just another reason (Score:2, Insightful)
Re:The problem of convinience (Score:3, Insightful)
I have a better answer... Because 99.9% don't realize there could be a security problem with it. I don't worry about security when I buy a washing machine or a TV, and that's about how most people view "box" devices.
Also, I would add that it's more than convience, since most people wouldn't be able to configure a computer to be a firewall if their life depended upon it. Maybe a custom OpenBSD distro is in order... One that will configure a firewall on it's own, and use good defaults for everything, so it needs no configuration for most people. But then again, you don't really know that software isn't back-doored either... You've got to trust somebody...
Re:The problem of convinience (Score:2, Insightful)
Answer: normally you do not.
Question 2: Why do majority ofpeople buy those instead of making their own?
Answer: Because it is a lot more convinient
So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.
No one has the time to examine every line of every piece of software (or hardware/firmware) they use that could potentially contain a vulnerability. It is impossible. That is why you only use software that has been in the community (open-source or closed) long enough to where it is generally trusted by experts and laymen alike. That is no guarantee, but that is the best one possible. Shit happens.
Re:remove space in URL (Score:1, Insightful)
With all of the dumb motherfuckers that can't type a proper href--that alone weeds about half of the links that go to tub girl, goatse, penis bird, or worse.
I, for one, am glad that this feature exists.
We're all supposed to be geeks here. 10 extra fucking keystrokes. Big Fucking Deal
Good grief... INDEED! (Score:3, Insightful)
It's cheap consumer electronics. Return it and get one that does not have this issue, then resume your life. No story here, move along.
Re:One wonders what the internal policies are ... (Score:5, Insightful)
I'm not convinced. This is only a concern in cases where you're having technical problems, AND you somehow forgot your password. The danger of having a backdoor easily outweighs the potential benefits. Even with a special password generator from NetGear -- you're still talking security through obscurity. I want to set up my router, make sure it's secure, and forget about it! I don't want to keep checking online to see if you can download N3tg34r_PwG3n.exe yet... and you know it's going to show up eventually.
Half the time you have any technical issues, the tech support is just going to tell you to do a hard reset anyway....
Even if they gave you one of those paperclip-hole style buttons that would reset all your passwords to your device's serial number (or to enable some other backdoor), this would still be dangerous in a lot of situations. Suppose you're running an internet cafe -- you can't always trust the people sitting around your router!
Either way, I don't think this backdoor was installed for tech support reasons -- it doesn't even seem to have been installed by NetGear themselves. Hopefully some more details will come out soon... and hopefully some heads will roll.
It's funny; I just read that new story by the AdTI guy explaining how Linux wasn't safe to use because it depended on "trust". Hah! How nice for the corporate world to step forward and show that *they* can be trusted.
Re:One wonders what the internal policies are ... (Score:4, Insightful)
I believe that's "give them a bonus and a company car."
These back doors are not trojans installed by disgruntled employees, but there by company policy.
I'm always astounded when others are astounded by the existence of back doors in things. Pretty much anything that takes a password has a backdoor in it. Phone systems, voicemail systems, even those telephone entry systems on apartment buildings; all got back doors. Tech support is hard enough already without having to deal with unknown passwords. Some are better than others, though. Sentex telephone entry systems have back door passwords that are a hash of the unit's serial number, and only Sentex tech support has access to the program that generates them. Not that one usually needs the backdoor; most Sentex units I see still use the factory password "000000"...
Re:The problem of convinience (Score:1, Insightful)
Answer: normally you do not.
That is true. You have no absolute assurances of anything. But, with the well known, reputable firewall products, there is a lot of independant review done. These include customer's test labs, where some people go to surprising lengths to test security and performance. There are researchers that specialize in finding flaws and holes in security systems. They beat on them with all kinds of odd scenarios. And, even the government performs analyses for security approvals.
This is all on top of the hundreds of developers, QA testers, support staff, and SE's banging on it day to day. While this doesn't mean it's flawless, it does mean that bugs get found, and backdoors and gaping holes like in the original story would be found immediately.
As we've seen from previous stories here about the various open source VPN options, people often assume to much about the security and review of these products.
Question 2: Why do majority ofpeople buy those instead of making their own?
Answer: Because it is a lot more convinient
So instead of spending time to build something, most people want to just get something that works and thus have to just trust the vendors, as they do not have the skill/time/inclanation/will etc to do it themselves.
Convenvience is a big factor. Not just for setting up, but also administration and ongoing security analyses. Commercial firewalls have management, logging, and analysis features that blow away the free options. They are also way ahead in terms of features, the depth of the security analysis is much greater, and integration among firewall/VPN/IDS/URL filtering/Anti Virus is tighter.
I used to work for a commercial firewall vendor. At home, I use a Linux firewall for my realtively simple needs. For consulting gigs, I always recommend commercial firewalls - you can't assume that they have someone capable of managing and understanding a unix firewall. If they do have someone, you can't assume that he/she will be there for long. With a commercial firewall, they have training classes widely available to bring new people up to speed.
Re:One wonders what the internal policies are ... (Score:2, Insightful)
They are actually not that bad an idea IF implemented properly. It is a fact of tech support that some hapless user will lock themselves out of their own box.
I think the best solution [intel.com] I've seen is from Intel for their 530T/535T series switches, where you can download a software utility that will generate a default password for your switch when you enter in the MAC address of the switch's management module. This password ONLY works from the console (requiring physical access to the switch, or root access to a console sharing device attatched to it).
I was thinking that if they upped this to also be time dependant, it would increase the security even more, but this is wrong for two reasons - a) if the switch is hosed, there's no telling what time it thinks it is, and b) anyone capable of generating a password the first time would be able to generate it again a second time for another x minute "safety window".
Of course, this begs the question - what is the difference between using a tool like this and just not requiring a password when logging in from the console?
Re:One wonders what the internal policies are ... (Score:3, Insightful)
Personally, all of this makes it MORE COMPLEX than it has to be. Assume physical "control" of the device and ensure that only people with physical access can trigger the pinhole reset or whatever. Why? Because if someone has physical control of your router/box, you've got more serious problems at hand. The problem with the grandparent is that there's TOO MUCH FUCKING COMPLEXITY. You think tech support is hell now? Wait until you have to call support to get your temporary passcode, after being on hold for a couple hours and then explaining your problem to some outsourced tech whose accent is so strong you can't even understand them, having to call back when you fuck something else up unintentionally in the process, etc etc.
Again, if you're a coffee house, keep your damn routers in the back, out of customer's (and your) way. Maybe someone could do brisk business selling router "safes" that only have a couple holes for cabling in the back, but require a key to open up to access.
confirmation, I (was) affected by this (Score:2, Insightful)