Critical backdoor in Linksys and Netgear routers found
A backdoor in some Linksys and Netgear wireless routers has been discovered and publicly disclosed. It allows malicious users to reset a device’s configuration to factory settings and, therefore, to the default router administration username and password.
French security systems engineer Eloi Vanderbeken first discovered the backdoor in his own Linksys WAG200G wireless DSL gateway. He had decided to limit the bandwidth used by his holiday guests, then realised he had forgotten the complex username and password combination he had chosen for the router’s administration panel.
By probing and prodding the device’s firmware, he discovered an unknown service listening on TCP port 32764. The service accepts thirteen types of messages, among which are two that allowed him to peek into the configuration settings and one that restored the router to its default factory settings.
After he shared the colourful details of his “quest” on his GitHub account, other hackers around the world took it upon themselves to check which other routers have the same backdoor.
Unfortunately, there are quite a few. The resulting list allowed people to speculate that the affected devices have one thing in common: they were all manufactured by Sercomm, a firm that builds routers both under its own name and for several other companies, including Linksys and Netgear.
Other companies Sercomm works for include 3Com, Aruba and Belkin, so it’s likely that those companies’ devices also ship with the flawed firmware. Hopefully all of these companies will push out a patched version as soon as possible.
SANS ISC CTO Johannes Ullrich has noted that since the backdoor’s existence was revealed, they have been seeing an increase in probes for TCP port 32764.
“Our data shows almost no scans to the port prior to today, but a large number from 3 source IPs today. The by far largest number of scans come from 188.8.131.52. ShodanHQ has also been actively probing this port for the last couple of days,” he shared.
“At this point, I urge everybody to scan their networks for devices listening on port 32764/TCP. If you use a Linksys router, try to scan its public IP address from outside your network.”
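The kind of monitoring Ullrich describes, watching a perimeter log for probes aimed at 32764/TCP, can be done with a few lines of Python. The script below is an added example, not code from the article, from SANS ISC or from any of the vendors named; the log lines it parses are constructed in the style of the Linux iptables LOG target (using documentation-reserved IP ranges), and the field names, the regular expression and the helper functions are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample lines in the style of an iptables LOG target.
# The addresses are from documentation-reserved ranges, not real probe sources.
SAMPLE_LOG = """\
Jan  2 09:14:01 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.5 PROTO=TCP SPT=44321 DPT=32764 SYN
Jan  2 09:14:02 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.6 PROTO=TCP SPT=44322 DPT=32764 SYN
Jan  2 09:14:05 gw kernel: IN=eth0 OUT= SRC=198.51.100.77 DST=198.51.100.5 PROTO=TCP SPT=51000 DPT=443 SYN
Jan  2 09:15:10 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.5 PROTO=TCP SPT=40000 DPT=32764 SYN
Jan  2 09:15:11 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.7 PROTO=UDP SPT=53 DPT=32764
Jan  2 09:16:00 gw kernel: IN=eth0 OUT= SRC=192.0.2.200 DST=198.51.100.9 PROTO=TCP SPT=40001 DPT=32764 SYN
Jan  2 09:16:03 gw kernel: IN=eth0 OUT= SRC=203.0.113.10 DST=198.51.100.8 PROTO=TCP SPT=44323 DPT=32764 SYN
"""

# The port the article reports the undocumented service listening on.
BACKDOOR_PORT = 32764

# SRC/DST/PROTO/DPT are the iptables LOG field names; SPT is optional (ICMP lines lack it).
LINE_RE = re.compile(
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s+PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=(?P<spt>\d+))?\s+DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Extract source, destination, protocol and destination port from one log line.

    Returns None for lines that do not carry the expected fields.
    """
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src": m.group("src"),
        "dst": m.group("dst"),
        "proto": m.group("proto"),
        "dpt": int(m.group("dpt")),
    }


def backdoor_probes(log_text, port=BACKDOOR_PORT):
    """Map each source address to the set of hosts it probed on TCP `port`.

    Only TCP is counted: the service described in the article is a TCP listener,
    so UDP traffic to the same port number is noise for this purpose.
    """
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dpt"] == port:
            hits[rec["src"]].add(rec["dst"])
    return dict(hits)


def rank_sources(hits):
    """Order sources by how many distinct hosts they touched; sweeping scanners come first."""
    return sorted(hits.items(), key=lambda kv: (-len(kv[1]), kv[0]))


if __name__ == "__main__":
    probes = backdoor_probes(SAMPLE_LOG)
    for src, targets in rank_sources(probes):
        print(f"{src:16} probed {len(targets)} host(s) on {BACKDOOR_PORT}/tcp: {sorted(targets)}")
```

A source that touches many internal addresses on this one port in a short window is the pattern worth alerting on; a single hit from your own external scanner, as Ullrich suggests running against a router’s public IP, is expected and should be excluded by source address. Pointing the script at a real log is a matter of replacing `SAMPLE_LOG` with the file contents.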
Sophos’ Paul Ducklin also offered good advice on what to do and check.