Backdoors in Wi-Fi routers, said to be closed, can be reopened

Eloi Vanderbeken discovered that backdoors existing in certain wireless routers can be reactivated.

The holidays are a good time to dig up backdoors – at least for Eloi Vanderbeken.

At the end of December 2013, the France-based researcher discovered that networking equipment manufacturer Sercomm is the link tying together wireless routers that contain backdoors, some of which are vulnerable to remote attacks.

Around Easter time, he learned that the backdoors, said to be patched, were actually only covered up – and likely deliberately, too.

In another illustrated slideshow, posted on Friday, Vanderbeken chronicles his discoveries and explains how he arrived at the conclusion that the backdoors can be reactivated, so long as the attacker is on the local area network (LAN) or is the internet provider.

Vanderbeken's slideshow is highly technical, so in a Tuesday email correspondence, Craig Young, a Tripwire researcher with detailed knowledge of routers and router security, helped explain the new findings.

“[Vanderbeken] reviewed firmware updates from some affected devices and found that the vendor had addressed the issue by invoking the vulnerable 'scfgmgr' program with a different flag,” Young said. “Analysis of this binary revealed that the new flag instructs the system to only listen for internal connections – Unix domain sockets – while another flag still exists for loading the backdoor.”

Additionally, Vanderbeken found that the router is programmed to listen for a “magic” frame, which, when received, triggers the backdoor to open again, Young said.
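The fix Young describes above amounts to moving the service from a network socket to a Unix domain socket. As an added example (not from Vanderbeken's slideshow or from any vendor firmware), here is the check a defender can run on a Linux-based device to confirm a daemon is no longer reachable over the network: it parses the kernel's /proc/net/tcp table for LISTEN entries and reports ports bound to anything other than loopback. The table below is constructed, and the port numbers in it are made up for illustration.

```python
# Added example: audit /proc/net/tcp for listeners reachable from other hosts.
# A service that was really moved to a Unix domain socket never shows up here;
# one that still binds 0.0.0.0 (all interfaces) does. Sample table constructed.
import socket
import struct

LISTEN = 0x0A  # TCP state code used by the kernel for LISTEN


def _decode_addr(hex_addr):
    """Turn '0100007F:0050' into ('127.0.0.1', 80).

    /proc/net/tcp stores the IPv4 address as a little-endian 32-bit hex value
    and the port as big-endian hex, separated by a colon."""
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(proc_net_tcp_text):
    """Return (ip, port) for every socket that is in the LISTEN state."""
    listeners = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4:
            continue
        if int(fields[3], 16) != LISTEN:  # skip ESTABLISHED, TIME_WAIT, ...
            continue
        listeners.append(_decode_addr(fields[1]))  # fields[1] = local_address
    return listeners


def network_exposed(listeners):
    """Ports other hosts can reach: anything not bound to the loopback range."""
    return sorted(port for ip, port in listeners if not ip.startswith("127."))


# Constructed sample: one listener on all interfaces (port 8080), one confined
# to loopback (port 631), and one established SSH session that is not a listener.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 11111 1 0000000000000000 100 0 0 10 0
   1: 0100007F:0277 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 22222 1 0000000000000000 100 0 0 10 0
   2: 0101A8C0:0016 6401A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 33333 1 0000000000000000 100 0 0 10 0
"""

if __name__ == "__main__":
    # On a real host replace SAMPLE with open("/proc/net/tcp").read()
    for port in network_exposed(parse_listeners(SAMPLE)):
        print("network-reachable listener on port", port)
```

On a real device, repeat the check against /proc/net/tcp6 for IPv6 listeners, which use a 128-bit address field and need a separate decoder.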

In his initial research, Vanderbeken tinkered around with his Linksys WAG200G wireless router and, in the end, learned that he could execute commands against the device, including resetting the router's password and accessing its administration panel.

Vanderbeken later learned that other routers are vulnerable – including several from Cisco, Linksys, Netgear, Diamond and LevelOne – and was able to draw the conclusion that all those devices were connected to Sercomm.

So why was the backdoor left in there deliberately?

The vendor may have intentionally done it as a mechanism for accessing and testing devices in the factory, Young said, explaining that a factory producing routers for several different companies would be able to configure the devices without having to take into account any differences.

Stephen Bono, founder of Independent Security Evaluators, a security company that has previously published studies on routers, said in a Tuesday email correspondence that the backdoor is certainly not a coding error, and that this only underscores other bad security designs in routers.

“The steps [Vanderbeken] points out that are possible to reactivate the backdoor are not unlike other very bad security designs for other routers we've looked at,” Bono said. “For instance, requiring knowledge of a router's MAC address is a prerequisite for several attacks against routers, which have been pointed out before. Yet this prerequisite is trivial to achieve. A router's MAC address is not a secret value and is even broadcast by the device.”

Sercomm did not respond to a request for comment.
