The holidays are a good time to dig up backdoors – at least for Eloi Vanderbeken.
At the end of December 2013, the France-based researcher discovered that networking equipment manufacturer Sercomm is the common link among a range of wireless routers that contain a backdoor, some of which are exposed to remote attacks.
Around Easter time, he learned that the backdoors, said to be
patched, were actually only covered up – and likely deliberately, too.
In another illustrated slideshow, posted on Friday, Vanderbeken chronicles his discoveries and explains how he arrived at the conclusion that the backdoor can be reactivated, provided the attacker is on the router's local area network (LAN) or is the internet provider.
Vanderbeken's slideshow is highly technical, so in a Tuesday email correspondence Craig Young, a researcher with Tripwire who has detailed knowledge of routers and router security, helped SCMagazine.com make sense of the new discoveries.
“[Vanderbeken] reviewed firmware updates from some affected devices
and found that the vendor had addressed the issue by invoking the
vulnerable ‘scfgmgr’ program with a different flag,” Young said.
“Analysis of this binary revealed that the new flag instructs the system
to only listen for internal connections – Unix domain sockets – while
another flag still exists for loading the backdoor.”
Additionally, Vanderbeken found that the router is programmed to listen for a “magic” frame on the network which, when received, triggers the backdoor to open again, Young said. A frame, unlike an IP packet, is not routed across the internet, which is why the reactivation only works from the LAN or from the provider's side of the link.
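The pattern Young describes, one binary with a flag that binds a Unix domain socket and another flag that still binds a network port, is easy to model. The Python below is an added illustration written for this page; it is not Sercomm's scfgmgr, nor code from Vanderbeken's slides. The mode names, the socket path, the loopback port and the "REACTIVATE" trigger message are placeholders chosen for the example, and the real link-layer magic frame is not modelled.

```python
"""Model of the "patched by changing a flag" pattern described above.

Added illustration only: not Sercomm's scfgmgr and not code from
Vanderbeken's research. The mode names, the socket path, the loopback
TCP port and the b"REACTIVATE" trigger are placeholders for the example;
the real trigger is a link-layer frame that is not modelled here.
"""
import os
import socket
import tempfile
import threading


class ConfigManager:
    """Daemon that can listen on TCP or on a Unix domain socket, selected
    by a start-up mode. Both code paths live in the same program."""

    def __init__(self, mode: str, port: int = 0):
        self.mode = mode
        if mode == "network":            # original behaviour: reachable from the LAN
            self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
            self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
            self.sock.bind(("127.0.0.1", port))   # port 0 = any free port (placeholder)
        elif mode == "local":            # the "fix": only processes on the box can connect
            self.dir = tempfile.mkdtemp()
            self.path = os.path.join(self.dir, "cfgmgr.sock")   # placeholder path
            self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
            self.sock.bind(self.path)
        else:
            raise ValueError(f"unknown mode {mode!r}")
        self.sock.listen(1)
        self.sock.settimeout(0.2)        # lets the serve loop notice stop()
        self._stop = threading.Event()
        self._thread = threading.Thread(target=self._serve, daemon=True)
        self._thread.start()

    def _serve(self):
        while not self._stop.is_set():
            try:
                conn, _ = self.sock.accept()
            except socket.timeout:
                continue
            with conn:
                conn.sendall(b"config shell ready\n")   # stands in for the real service

    def tcp_port(self):
        """Port the service listens on when exposed, None in local mode."""
        return self.sock.getsockname()[1] if self.mode == "network" else None

    def stop(self):
        self._stop.set()
        self._thread.join()
        self.sock.close()
        if self.mode == "local":
            os.unlink(self.path)
            os.rmdir(self.dir)


class Device:
    """Simulated router. The firmware chooses the start-up mode, but the
    network code path, and a trigger that selects it, remain present."""

    def __init__(self, firmware_mode: str = "network"):
        self.daemon = ConfigManager(firmware_mode)
        self.port = self.daemon.tcp_port()   # port used whenever the service is exposed

    def apply_vendor_update(self):
        """What the update did: same binary, different flag."""
        self.daemon.stop()
        self.daemon = ConfigManager("local")

    def on_trigger(self, message: bytes):
        """Placeholder for the undocumented reactivation path."""
        if message == b"REACTIVATE":
            self.daemon.stop()
            self.daemon = ConfigManager("network", port=self.port)


def port_accepts_connections(host: str, port: int, timeout: float = 0.5) -> bool:
    """LAN-side check a user can run: does anything answer on this TCP port?"""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            return bool(s.recv(64))
    except OSError:
        return False


def run_scenario():
    """Returns (exposed_before, exposed_after_update, exposed_after_trigger)."""
    dev = Device("network")
    before = port_accepts_connections("127.0.0.1", dev.port)
    dev.apply_vendor_update()
    after_update = port_accepts_connections("127.0.0.1", dev.port)
    dev.on_trigger(b"REACTIVATE")
    after_trigger = port_accepts_connections("127.0.0.1", dev.port)
    dev.daemon.stop()
    return before, after_update, after_trigger


if __name__ == "__main__":
    print(run_scenario())   # (True, False, True)
```

The three probes come back as exposed, not exposed, exposed again: the update changed the default, but the network code path and the trigger that selects it are still in the program. The port probe is the kind of check a user on the LAN can run against a real device before and after an update, with the caveat that it only shows whether the service is currently listening, not whether the code path has been removed.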
In his initial research, Vanderbeken tinkered around with his Linksys
WAG200G wireless router and, in the end, learned that he could execute
commands against the device, including resetting the router's password
and accessing its administration panel.
Vanderbeken later learned that other routers are affected – including several from Cisco, Linksys, Netgear, Diamond and LevelOne – and concluded that all of those devices trace back to Sercomm.
So why would the backdoor have been left in deliberately?
The vendor may have put it there intentionally as a mechanism for accessing and testing devices in the factory, Young said, explaining that a factory producing routers for several different companies could then configure every unit the same way, without having to account for differences between the brands.
Stephen Bono, founder of Independent Security Evaluators, a security company that has previously published studies on routers, told SCMagazine.com in a Tuesday email correspondence that the backdoor is certainly not a coding error, and that the way it can be reactivated only underscores other poor security designs seen in routers.
“The steps [Vanderbeken] points out that are possible to reactivate
the backdoor are not unlike other very bad security designs for other
routers we've looked at,” Bono said. “For instance, requiring knowledge
of a router's MAC address is a prerequisite for several attacks against
routers, which have been pointed out before. Yet this prerequisite is
trivial to achieve. A router's MAC address is not a secret value and is
even broadcast by the device.”