Backdoors in Wi-Fi routers, said to be closed, can be reopened

The holidays are a good time to dig up backdoors – at least for Eloi Vanderbeken.
At the end of December 2013, the France-based researcher discovered that networking equipment manufacturer Sercomm is the link tying together wireless routers that contain backdoors, some of which are vulnerable to remote attacks.
Around Easter time, he learned that the backdoors, said to be patched, were actually only covered up – and likely deliberately, too.
In another illustrated slideshow, posted on Friday, Vanderbeken chronicles his discoveries and explains how he arrived at the conclusion that the backdoors can be reactivated again, so long as users are on the local area network (LAN), or if they are an internet provider.
Vanderbeken's slideshow is highly technical, so in a Tuesday email correspondence, Craig Young, a researcher with Tripwire that has a detailed knowledge of routers and router security, helped SCMagazine.com more easily understand these new discoveries.
“[Vanderbeken] reviewed firmware updates from some affected devices and found that the vendor had addressed the issue by invoking the vulnerable ‘scfgmgr' program with a different flag,” Young said. “Analysis of this binary revealed that the new flag instructs the system to only listen for internal connections – Unix domain sockets – while another flag still exists for loading the backdoor.”
Additionally, Vanderbeken found that the router is programmed to listen for a “magic” frame, which, when received, triggers the backdoor to open again, Young said.
In his initial research, Vanderbeken tinkered around with his Linksys WAG200G wireless router and, in the end, learned that he could execute commands against the device, including resetting the router's password and accessing its administration panel.
Vanderbeken later learned that other routers are vulnerable – including several from Cisco, Linksys, Netgear, Diamond and LevelOne – and was able to draw the conclusion that all those devices were connected to Sercomm.
So why was the backdoor left in there deliberately?
The vendor may have intentionally done it as a mechanism for accessing and testing devices in the factory, Young said, explaining that a factory producing routers for several different companies would be able to configure the devices without having to take into account any differences.
Stephen Bono, founder of Independent Security Evaluators, a security company that has previously published studies on routers, told SCMagazine.com in a Tuesday email correspondence that the backdoor is certainly not a coding error, and that this only underscores other bad security designs in routers.
“The steps [Vanderbeken] points out that are possible to reactivate the backdoor are not unlike other very bad security designs for other routers we've looked at,” Bono said. “For instance, requiring knowledge of a router's MAC address is a prerequisite for several attacks against routers, which have been pointed out before. Yet this prerequisite is trivial to achieve. A router's MAC address is not a secret value and is even broadcast by the device.”