NetGear Also Has Remote Access Wide Open 215
Glenn Fleishman writes "On the heels of Linksys's WRT54G problem of not allowing remote access to be disabled in certain cases and firmware, BugTraq published this report that NetGear's WG602 access point has a hidden password that provides remote and local administrative control. Unlike Linksys's, where turning the firewall on (which is on by default, but a researcher found new units in which it was off when taken out of the box), the NetGear hole cannot be disabled. The backdoor seems to have been created by the vendor that packaged the device for NetGear."
Possibilities. (Score:5, Interesting)
Re:Fixed in new firmware, available here: (Score:3, Interesting)
That's all nice and well, but the average user isn't going to upgrade at all. A good deal of them never even set the admin password in the first place.
Take the guy in my apartment, for instance. I'm using his wireless. His AP is totally open--default SSID and all. I know he doesn't care, but what if he were a business? There's no way he's going to upgrade firmware if he can't even set a simple password.
Packaged network boxes (Score:3, Interesting)
My FVS318 does NTP to a hard-coded destination, and there's no way to turn this off or change the NTP sync server that I've found. I've always kind of wondered what else it does or was capable of doing.
Good grief... (Score:5, Interesting)
That was the last straw. No more firmware based routers unless I make them myself, or use exsisting ones as wireless switch and really try to lock it down or use third party firmware.
learning how to make a linux router / NFS will be handy anyhow
Re:One wonders what the internal policies are ... (Score:5, Interesting)
There is no reason to create an administrative backdoor for this purpose when there's a readily-accessible password reset feature built into the device.
Sure there is. The reset button will nuke the configuration, the logs, and whatever else state is there, thus confounding debugging by the tech support. A single password is stupid, though. What's needed is something that requires the router s/n, the router's idea of the date, and a passcode generator from cisco. Give the aforementioned info to cisco TS and they can generate a 1 or 2 hour passcode for your router. You could also add a switch to enable this feature on the router itself, but that may not be practical.
they published the password? (Score:4, Interesting)
I don't believe in security through obscurity, but I also don't believe in publishing backdoor passwords. It's not like it has any educational value (unlike looking at some exploits, which helps programmers learn how to write code that's not vulnerable).
Re:remove space in URL (Score:3, Interesting)
Its surprising that slashdot hasnt already added this basic feature.
Man... (Score:4, Interesting)
i've even seen this happen on a thinkpad, and i would have thought ibm of all people to know better. i've seen this on a few venders before but i cant remember exactly which ones, has anyone else seem this happen before?
Re:Possibilities. (Score:3, Interesting)
Re:One wonders what the internal policies are ... (Score:3, Interesting)
No, you cannot justify this. Even if there was some kind of two-hour password, it would be a huge security problem. For example, if I'm using one of these to protect my network, and you have a couple thousand bucks lying around, I'm sure you could convince someone at Netgear to give you a two-hour password without a problem. A single password is even more heinous.
Yes, I will no longer be buying Netgear products.
Re:Vendor will soon have legal problems. (Score:2, Interesting)
If I were a cynical bastard I might add that Netgear benefits twice from outsourcing its production...
Re:Just another reason (Score:2, Interesting)
Who said anything about taking them off the hook? As the marketer it is Netgear that is directly responsible to their customers.
As the manufacturer it is z-com that is responsible to its customers, in this case, Netgear. There is a hierarchy of customers here in which Netgear in in the middle. The man in the middle is often the one to get squashed.
This seems to indicate that NetGear should require a "no backdoors inside" guarantee on such contracts.
Yes, it would, wouldn't it? And I'm sure in future it will, at least in essence, but is it not always the case that you find out what your contract should have said after it goes bad on you somehow?
But look at it this way. What if you were going into the white box business about the time of release for the Pentium II chip, would your "contract" with Intel have a "no floating point calculation errors" clause, or would it more likely be a simple receipt for the deliver of and payment for 1000 cpus?
And when the bug hit the public and people demanded a fix from you wouldn't you have considered it Intel's error and Intel's problem?
And what would you put into your "contract" with Intel on your next cpu purchase to protect you from the next, and currently unknown, issue?
When you buy your next car will you demand a "won't blow up on me" clause to your contract, or do you simply consider that issue part of the already extant express and implied guaruntee that attaches to the car? The latter is certainly the way the courts view it.
You buy stuff. You get a receipt.That stuff has certain express and implied guaruntees attached to it just like anything else. You resell it with express and implied guaruntees. If the stuff turns out to be bad in some way your customers bitch to you and you have to make good. You are also a customer, of your supplier, so you bitch to them and they have to make good.
That's just the way the buying and selling business works.
KFG
Re:Good grief... (Score:3, Interesting)
The installation is a snap and the default installation is good enough for 99% of "normal" internet users.
Re:It's a feature, not a bug. (Score:3, Interesting)
Instead of " " why don't they put in a "<wbr>"???
This way, it would still wrap long text but wouldn't put those ugly spaces in when it doesn't need to wrap!
(Grabs patent application...)