BACKDOOR found in ROUTERS from various vendors.... Ars Technica article

blankslate

Diamond Member
Jun 16, 2008
8,797
572
126
Backdoor in wireless DSL routers lets attacker reset router, get admin

http://arstechnica.com/security/201...routers-lets-attacker-reset-router-get-admin/

The article contains a list of affected routers, and now I want to find out details to try and break into my own router to see if I am affected.


I have found an article that gives easy to follow instructions to see if this backdoor is present in one's own router if it is not on the list of confirmed affected routers.

http://blogs.computerworld.com/network-security/23443/how-and-why-check-port-32764-your-router


.......
 

PokerGuy

Lifer
Jul 2, 2005
13,650
201
101
That's interesting, I'm going to have to test my home routers. After the Snowden revelations, it shouldn't surprise anyone if some of these "mistakes" in design are actually back doors specifically crafted to allow certain agencies access to the routers.
 

WhoBeDaPlaya

Diamond Member
Sep 15, 2000
7,415
404
126
Don't care. Been running DD-WRT on all my routers now for the better part of a decade.
 

blankslate

define a back door....
these are ports that are open that allow access.....
https://www.grc.com/


From the Ars Technica link in the OP

Performing a scan, he found that the router responded to messages over an unusual TCP port number: 32764. A search of the web found other Linksys and Netgear router owners had found the same service, but there was no documentation for what it did.

So Vanderbeken downloaded a copy of the Linksys firmware and commenced reverse-engineering the binary MIPS code. What he found was a simple interface that allowed him to send commands to the router without being authenticated as the administrator. On his first attempt to brute-force the interface, the router flipped its configuration back to factory settings, causing his family members to all lose Internet access at the same time.

After some additional testing, Vanderbeken found that the interface allowed him to execute a number of commands directly against the router, including a command-line shell. Using the commands he discovered, he was able to write a script that allowed him to turn wireless access to administration on and reset the web password, and published the script (with his cartoon report on the backdoor) to GitHub.

In the router there was an active process listening for commands sent to it on the port. This allowed them to gain access even if they didn't know the admin password.
Bypassing authentication without having to know the password? Sounds like the main trait of a backdoor....

The most benign hypothesis I've seen in articles about this is that it was a debugging tool that wasn't turned off or removed before the hardware/firmware was sent off to be put in routers.

It's not inconceivable that there are commands in the "debugging tool" on affected routers to reveal the wireless settings and add MAC addresses to allowed devices on the router if MAC address filtering is used.




......
 

JEDIYoda

Lifer
Jul 13, 2005
33,986
3,321
126
Of course it is, as long as your router isn't one of the models affected.


If it is then you should be aware that it is just another weakness that is being looked for

http://threatpost.com/probes-against...surging/103410
Look it is still a non-issue.....
Here is why...you never rely on just your router for protection against hackers or other things.

It is best to have a hard and a soft firewall working together....

Then you use those sites such as GRC....etc....to make sure that ports are in stealth mode or closed.

I am sorry but I take protection on my PC very seriously and always have.

Thus this is much ado about nothing. In fact anything more than being informational to get people to wake up who might just be using their router as a firewall is fear mongering..

I am sorry that you appear to be so paranoid...
 

blankslate

JEDIYoda said:
Look it is still a non-issue..... Here is why...you never rely on just your router for protection against hackers or other things. It is best to have a hard and a soft firewall working together....

I don't rely just on a router but if you find out that there is a backdoor that was shipped with many router models then it's a reasonable step to find out if your router is affected.


JEDIYoda said:
I am sorry but I take protection on my PC very seriously and always have.

Good on you


JEDIYoda said:
I am sorry that you appear to be so paranoid...


The fact that soon after this weakness in some routers was discovered there was a noticeable increase in scans targeting port 32764.

It's not entirely paranoia if people have been or still are actively looking for this weakness.

So keep on taking your computer security seriously.

That's probably the one (only) thing in this thread that we will agree on.



....
 

Mushkins

Golden Member
Feb 11, 2013
1,631
0
0
The attack, confirmed to work on several Linksys and Netgear DSL modems, exploits an open port accessible over the wireless local network.

I'm going to have to agree that this is much ado about nothing. You need to already be on the local network for this exploit to even work, and it affects a specific subset of wireless DSL routers.

If an attacker already has local access to your network, you have a lot more to worry about than having them get into your router settings. Is he going to waste time resetting your router's admin password, or is he going to sit there sniffing all your sensitive traffic and dumping trojans on your network shares?

We can put our tinfoil hats on and bang pots about the NSA until we pass out from exhaustion, but considering these are budget oriented DSL routers, the real odds here are that this was simply a debug feature that the manufacturer neglected to disable and the limited QA process neglected to catch before they were shipped and sold. We're not talking $150+ SOHO broadband routers here, we're talking the cheapos that ISPs give out for free.
 

JEDIYoda

blankslate said:
The fact that soon after this weakness in some routers was discovered there was a noticeable increase in scans targeting port 32764.
people scanning for open ports is nothing unusual....shame on you though if somebody exploits an open port on your computer...peace!!
 

blankslate

Mushkins said:
You need to already be on the local network for this exploit to even work

From the article
Vanderbeken reports some routers have the backdoor open to the Internet side as well, leaving them vulnerable to remote attack.

Given the above, it never hurts to double check.

JEDIYoda said:
people scanning for open ports is nothing unusual....

Random scans are not unusual, but a specific port seeing an increase in scans soon after a reported previously unknown vulnerability even if only on specific models of routers... is interesting....

JEDIYoda said:
shame on you though if somebody exploits an open port on your computer...peace!!

which is why there's nothing wrong in double checking your router in less than a minute if even 30 seconds on a laggy day.

Tschüss



.....
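As an added example that is not part of the original thread: a minimal way to make the LAN-side versus Internet-side check discussed above against a router you own. The function names, the hypothetical script name `check32764.py` and the open/closed/stealth labels are assumptions of this sketch; it does not identify the service, it only reports whether anything answers on TCP 32764.

```python
import socket
import sys

BACKDOOR_PORT = 32764  # TCP port named in the article quoted in the thread


def probe_tcp(host, port=BACKDOOR_PORT, timeout=3.0):
    """Make one TCP connect attempt and classify the port.

    'open'    - handshake completed, something is listening
    'closed'  - connection refused (the host answered with a reset)
    'stealth' - no answer before the timeout (dropped or filtered)
    """
    try:
        conn = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "stealth"
    conn.close()
    return "open"


def assess(lan_state, wan_state=None):
    """Turn the two probe results into the exposure the thread argues about."""
    if wan_state == "open":
        return "reachable from the Internet side"
    if lan_state == "open":
        scope = "only" if wan_state else "(Internet side not tested)"
        return "reachable from the local network " + scope
    return "no listener found on this port"


if __name__ == "__main__":
    # Usage (hypothetical script name): python check32764.py <router LAN IP> [<public IP>]
    # Run the public-IP probe from outside your network; from a LAN host
    # the router may answer on its LAN side and give a misleading result.
    lan = probe_tcp(sys.argv[1])
    wan = probe_tcp(sys.argv[2]) if len(sys.argv) > 2 else None
    print("LAN side:", lan)
    if wan is not None:
        print("WAN side:", wan)
    # An open port only shows that something listens there; it does not
    # by itself identify the service described in the article.
    print(assess(lan, wan))
```
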
 

Dude111

Golden Member
Jan 19, 2010
1,497
7
81
blankslate said:
I have found an article that gives easy to follow instructions to see if this backdoor is present in one's own router if it is not on the list of confirmed affected routers.
Thanx for the test link!!
 

IndyColtsFan

Lifer
Sep 22, 2007
33,655
688
126
JEDIYoda said:
Look it is still a non-issue.....
Here is why...you never rely on just your router for protection against hackers or other things.

It is best to have a hard and a soft firewall working together....

Then you use those sites such as GRC....etc....to make sure that ports are in stealth mode or closed.

I am sorry but I take protection on my PC very seriously and always have.

Thus this is much ado about nothing. In fact anything more than being informational to get people to wake up who might just be using their router as a firewall is fear mongering..

I am sorry that you appear to be so paranoid...

Sorry, but bragging about having 2 layers of defense (a hardware and software firewall) and then playing down and dismissing a known vulnerability which could affect one of those two layers isn't "taking protection seriously."

To mitigate threats as much as possible, it is imperative to patch every layer of your perimeter security as quickly as possible.
 

JEDIYoda

IndyColtsFan said:
Sorry, but bragging about having 2 layers of defense (a hardware and software firewall) and then playing down and dismissing a known vulnerability which could affect one of those two layers isn't "taking protection seriously."

To mitigate threats as much as possible, it is imperative to patch every layer of your perimeter security as quickly as possible.
sorry that you fail to comprehend...that every aspect of what was posted above has already been taken care of even before he posted this article about a supposed backdoor!
YES!! I can brag that I am fully protected!! It's just common sense to be fully protected with several layers of protection!

Wouldn't you agree or are you too busy with the comprehension aspect of the post??
 

IndyColtsFan

JEDIYoda said:
sorry that you fail to comprehend...that every aspect of what was posted above has already been taken care of even before he posted this article about a supposed backdoor!
YES!! I can brag that I am fully protected!! It's just common sense to be fully protected with several layers of protection!

Wouldn't you agree or are you too busy with the comprehension aspect of the post??

You talking about comprehension is rich. You're the one calling it a "non-issue." Did you ever take three seconds to consider that Anandtech is a forum read by tens of thousands of people throughout the world and some relative newcomer may come in, see your first post:

JEDIYoda said:
It's basically a non-issue...

and think "Ah, this guy said it is a non-issue so I won't do anything about it."

You don't have two layers of security if one layer has been compromised. You have one. That's the point. Nowhere has "every aspect of what was posted above has already been taken care"; the vulnerability still exists if a user hasn't patched it. If by "every aspect of what was posted above has already been taken care " you mean that you have patched your own router, good for you; however, in the context of this thread, that is meaningless and is dangerous to portray it as a "non-issue" without several qualifications. Blankslate is 100% correct.
 

JEDIYoda

You don't have two layers of security if one layer has been compromised. You have one. <--- no I am sorry....you are correct that 2 - 1 = 1...but that still does not negate the fact that since I have 2 layers and if one is exploited then I still have another layer that they need to also exploit....unless your math is funny..

That's the point. Nowhere has "every aspect of what was posted above has already been taken care"; the vulnerability still exists if a user hasn't patched it. <-- I am sorry you have not read what has been posted! You have jumped into the fire and are getting burned badly!! Most users also use a soft firewall that blocks open ports, along with other means of blocking open ports. This really is a non-issue for those of us who are security savvy!

If by "every aspect of what was posted above has already been taken care " you mean that you have patched your own router, good for you; however, in the context of this thread, that is meaningless and is dangerous to portray it as a "non-issue" without several qualifications. Blankslate is 100% correct.<-- I disagree with you...this is truly a non issue...unless you are a total noob at internet security! It has been my experience in this forum that most people are already aware and are pro-active in their own security!
The reason you have more than one layer of protection is just in case one of the layers gets compromised......what do you not understand about that??

Where blankslate is correct is in pointing out there is an open port that could be exploited....
Most people with common sense already know that and take measures to block that open port or make it so that it cannot be exploited...as was stated earlier --

Mushkins said:
You need to already be on the local network for this exploit to even work, and it affects a specific subset of wireless DSL routers.

If an attacker already has local access to your network, you have a lot more to worry about than having them get into your router settings. Is he going to waste time resetting your router's admin password, or is he going to sit there sniffing all your sensitive traffic and dumping trojans on your network shares?

We can put our tinfoil hats on and bang pots about the NSA until we pass out from exhaustion, but considering these are budget oriented DSL routers, the real odds here are that this was simply a debug feature that the manufacturer neglected to disable and the limited QA process neglected to catch before they were shipped and sold. We're not talking $150+ SOHO broadband routers here, we're talking the cheapos that ISPs give out for free.
 

IndyColtsFan

JEDIYoda said:
The reason you have more than one layer of protection is just in case one of the layers gets compromised......what do you not understand about that??

As someone who has multiple levels of redundancy and security in his network, I likely understand that concept better than you. However, that's not what we're discussing. Everyone knows multiple layers are better. For example, do you have your wireless network segmented to a different network segment and the entire network connected to a third leg of a firewall, requiring clients to gain access to the internal network through VPN or other means? That's an additional layer that would be prudent to employ even in a home network.

Anyway, that tangent aside, what we are discussing is the need to patch a vulnerability rather than just saying "Oh well, I have a second layer so I'm fine. It is a non-issue." It is not a non-issue. What if a zero-day exploit occurred and because you didn't patch the first line of defense (your router), someone was able to get into your network and circumvent your second line of defense? That's what I'm saying.

JEDIYoda said:
Most people with common sense already know that and take measures to block that open port or make it so that it cannot be exploited...as was stated earlier --
Many people come to these forums. Some people may be reading about this exploit for the first time because of blankslate's post. You can't just assume that because you read about the exploit a couple of months ago that everyone else has. The purpose of this forum is to point out exploits and have a discussion about them. If I'm Joe Public coming to AT the first time and read that article, I'm probably going to be concerned and want some advice on how to fix it. Dismissing it because YOU might have blocked that port doesn't help Joe Public. That's all I'm saying. We need to be cautious about saying things are "non-issues" when the lurking reader base of AT may not know any better.
 

fabler

As a 'newbie' and Joe Public I'd like to thank blankslate for the info.