About a year ago I left a cable modem and internet service (Time Warner) at an apartment I was moving out of while my friend continued to stay there. I had configured the thing in a manner I thought to be fairly secure -- strong password, no broadcast, etc. One day the internet goes down and my friend doesn't know what to do. She calls the ISP and asks them what's wrong. They say they can't release any information about the service to her without my permission, so I suddenly get a three-way call explaining that my friend and the ISP representative are on the line and I need to give my authorization to access the account information. Being the person I am, I attempt to troubleshoot things over the phone before giving out any sort of account credentials. Eventually, I ask her to log into the router configuration page. She doesn't know the password and the first one I gave her doesn't work. The representative chimes in, "That's fine -- I can just change it from here."

"...What?"

I was furious. Time Warner had left a backdoor in all their modems that gives them administrative access to my private connection. And yes -- she did alter the password remotely. She didn't seem to think there was anything wrong with this. I tried googling for relevant information, but wasn't able to find anything more than speculation at the time.
Interesting. Reminds me of the hack I did on a (mandatory) modem/router forced on AT&T users. They had a bunch of problems with it, so one day I got fed up after the millionth disconnect and cracked it open. Got a serial root shell by using the "magic !" command (completely randomly discovered) and dumped the source to the web UI (in Lua/haserl). From there found the equivalent of a SQL injection vulnerability and used it to gain a remote root exploit.

Most annoyingly, AT&T put out a firmware update some months later that closed the exploit, but didn't fix any other problems. So, I found another more intrusive/permanent exploit. Still waiting on them to patch it next heh. But now they are actually putting out some updates that actually fix problems too at least. Hopefully user uproar will continue to drive them to fix more problems.
I hacked my Fritz!Box (yeah, a bad name for a German router) and I'm entirely sure that it has a backdoor integrated too. That's why I wiped and flashed it with an alternative image. That and the Telecom's Speedport router are the most popular routers by far in Germany. And both have backdoors. I know that other router manufacturers also integrate backdoors from a source who works at such a company. A friend can also verify the fact, because a different employee told him the same. Also, it's public that the ISP can upgrade, modify, flash and disable features remotely. My friend's router has wifi, but their provider disabled it remotely within the firmware (it even has an antenna) and his ISP wants him to pay 5€/m to re-enable wifi.

I really wonder why nobody complained about that earlier. Also the interesting thing here is that for a very long time, you weren't allowed to use a different router than the one provided by your ISP. Which enforced their surveillance monopoly.

Here's an article about reverse engineering the backdoor in D-Link routers using IDA:

http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/

PoC available: http://pastebin.com/vbiG42VD
"And the Chinese have probably known about this back door since 2008." http://www.microsofttranslator.com/bv.aspx?from=&to=en&a=http%3A%2F%2Fhi.baidu.com%2Fcygnusnow%2Fitem%2F3fd853ade9f08f9e151073a1

That's a pretty scary prospect, if it's been 'known' and exploited since at least 2008. Poor form, Netgear/Linksys.
This is not surprising. It's a calculated risk to make a product just good enough. Development resources invested in retail wireless gear are minimal. I've worked on firmware for high-confidence industrial wireless gear used in mines. Most of them fall over under load, run obsolete+unpatched code and/or reboot randomly. Retail customers will tend to just put up with it and not return the product before the merchant's return grace period.

It's a totally different attitude when the intended market is enterprise: it's assumed that if a product causes a failure, the vendor is going to receive escalating, unpleasant phone calls until it's resolved.
Has anyone ever tried submitting a GPL request to http://support.linksys.com/en-us/gplcodecenter ?

I wonder if there is anyone still working in the GPL compliance department.
ScMM = SerComm, perhaps?

Many of Linksys' old DSL modems were manufactured by them, AFAIK, and it seems many of the noted 'probably affected' models have a SerComm manuf'ed device for at least one revision of that model line.

More probable SerComm manuf'ed devices are visible at the WD query link below:

http://wikidevi.com/w/index.php?title=Special%3AAsk&q=[[Manuf%3A%3ASerComm]]+[[Global+type%3A%3A~embedded*]]&po=%3FFCC+ID%0D%0A%3FFCC+approval+date%3DFCC+date%0D%0A%3FEstimated+date+of+release%3DEst.+release+date%0D%0A%3FEmbedded+system+type%0D%0A%3FCPU1+brand%0D%0A%3FCPU1+model%3DCPU1+mdl.%0D%0A&eq=yes&p[format]=broadtable&sort_num=&order_num=ASC&p[limit]=500&p[offset]=&p[link]=all&p[sort]=&p[headers]=show&p[mainlabel]=&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[class]=sortable+wikitable+smwtable&eq=yes
I live in the Czech Republic and my Zyxel from O2 has port 7547 open (Allegro RomPager 4.07) and you can't do anything about it. There is no editor on the installed Linux version (cropped-down Linux, probably OpenWrt or something similar), no package manager, no nothing.

If I flash the firmware the warranty is void and I have no user/pass to re-enable the ADSL. So basically, my router is a *hostile* AP.

Given the fact that it's a common pattern among ISPs in order to offer quick service - I firmly believe that ISPs do it for practical reasons - and it ends up killing your security, the best thing is to put the router in bridged mode and get a cheap custom-made router like the carambola2 [1] and install FreeBSD [2] on it.

Disclosure: I donated one of these devices to Adrian Chadd [3] in order for him to port FreeBSD to this device, which enabled me to use PF [4] - my favorite firewall - but I have no affiliation otherwise with 8devices or FreeBSD.

[1] http://8devices.com/carambola-2

[2] https://wiki.freebsd.org/FreeBSD/mips/Carambola2

[3] https://wiki.freebsd.org/AdrianChadd

[4] http://pf4freebsd.love2party.net
I've used GRC's "Shields Up" and asked for a user-specified probe for port 32764 and it came back "Stealth".

Assuming GRC isn't out to deceive me, can I assume that my router is fine?

Bill, using a Netgear router.
If you want more fun with the saved nvram config files, check out http://www.nirsoft.net/utils/router_password_recovery.html

He's figured out many of their "encryption" methods. I've independently "cracked" most of the major ones as well (including checksums/headers required to write back to the router).

They're all pretty broken. PRNG key streams, simple bit swaps, XOR, encryption against a static key, etc.

Fun stuff.
Thankfully I have an older WNDR3700 and I remain unaffected.

However, seeing mention of (and an implementation of) Dual_EC_DRBG in the slides immediately gives me a lot of pause regarding the security of my router. I love memes more than the next guy, but this guy really went out of his way to make this confusing to understand.
I have a WGR614v6: it shows no response from port 32764, both from the internet and locally.

At first I thought it was this, which has been known for a long time now:
http://wiki.openwrt.org/toh/netgear/telnet.console
Netgear routers come with a well-published back door (http://wiki.openwrt.org/toh/netgear/telnet.console) that gives you telnet access from the LAN.
Does anyone have a recommendation for a nice, configurable, reliable wireless router nowadays? My Linksys E2000 is on the fritz and didn't last nearly as long as my old WRT54G.
From the sounds of it, are these purposely made backdoors, or something ignored?

My expression:
http://i.imgur.com/pYJMKC6.jpg
More information here:

http://superuser.com/questions/166627/netgear-router-listening-on-port-32764