Router makers including Netgear, Cisco and Diamond have decided that rather than fixing a backdoor to their products it is better that they just plant a tree over the entrance and hope no one sees it.
Over Christmas Eloi Vanderbecken of Synacktiv Digital Security discovered a backdoor in 24 models of wireless DSL routers. The problem was patched, but now Vanderbecken has found that the patch doesn’t actually get rid of the backdoor—it just conceals it.
He told Ars Technica that the fix suggests that the backdoor, which is part of the firmware for wireless DSL routers based on technology from the Taiwanese manufacturer Sercomm, was intentional.
The backdoor exists in other systems based on the same Sercomm modem, including home routers from Netgear, Cisco and Diamond.
Vanderbecken said that the “fixed” code concealed the same communications port he had originally found (port 32764) until a remote user sent a specially crafted network packet that reactivates the backdoor interface.
He said that the knock packet was the same used by “an old Sercomm update tool. The packet’s payload, in the version of the backdoor discovered by Vanderbecken in the firmware posted by Netgear, is an MD5 hash of the router’s model number (DGN1000).
His theory is that the nature of the change which uses the same code as was used in the old firmware to provide administrative access over the concealed port, suggests that the backdoor is an intentional feature of the firmware and not just a mistake made in coding.
Vanderbecken said that the hack would need to be sent from within the local wireless LAN, or from the Internet service provider’s equipment. They could be sent out from an ISP as a broadcast, essentially re-opening the backdoor on any customer’s router that had been patched.
Once the backdoor is switched back on, it listens for TCP/IP traffic just as the original firmware did, giving “root shell” access—allowing anyone to send commands to the router, including getting a “dump” of its entire configuration.