Backdoor Found In Arcadyan-based Wi-Fi Routers

timothy posted more than 2 years ago | from the no-auth-cat dept.

Security 59

Mojo66 writes "A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore. According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. (Google translation, original here.) What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected."

Duff link (3, Insightful)

ledow (319597) | more than 2 years ago | (#39806561)

Duff link to the translation.

Editors? Firehose? What, precisely, is the point of having them?

Re:Duff link (4, Informative)

Mojo66 (1131579) | more than 2 years ago | (#39806613)

Dunno what happened to the link, this is the link I've submitted [google.com].

Re:Duff link (1)

Blue Stone (582566) | more than 2 years ago | (#39807641)

>Editors?[...] What, precisely, is the point of having them?

Eye candy?

Re:Duff link (2)

arth1 (260657) | more than 2 years ago | (#39809773)

>Editors?[...] What, precisely, is the point of having them?

> Eye candy?

You must not have seen any of the slashdot editors...

12345670? Really? (1)

Anonymous Coward | more than 2 years ago | (#39806615)

Sounds like the combination to some idiot's lunch box.

"Someone change the combination on my luggage!" (1)

nweaver (113078) | more than 2 years ago | (#39806671)

"Someone change the combination on my luggage!" -President Skroob

Re:12345670? Really? (2)

Black Parrot (19622) | more than 2 years ago | (#39806679)

> Sounds like the combination to some idiot's lunch box.

Using base 8 is actually pretty sophisticated.

Re:12345670? Really? (1)

dmmiller2k (414630) | more than 2 years ago | (#39807983)

Gee, and I thought I was being clever omitting 8 and 9

President Skroob (1)

Anonymous Coward | more than 2 years ago | (#39806667)

Secures his wifi...

Obama ate a dog. (-1)

Anonymous Coward | more than 2 years ago | (#39806789)

Obama ate a dog.

Re:Obama ate a dog. (0)

Black Parrot (19622) | more than 2 years ago | (#39807023)

> Obama ate a dog.

Funny, but while "Man Bites Dog" is news and "Dog Bites Man" isn't, the reverse is true when you switch 'Bites' to 'Eats'.

Re:Obama ate a dog. (0)

mr1911 (1942298) | more than 2 years ago | (#39807307)

It was in college and he was drunk.
She had a good personality.
He and Michelle were "on a break".

Re:Obama ate a dog. (-1)

Anonymous Coward | more than 2 years ago | (#39807415)

i found a backdoor in your mom.

Re:Obama ate a dog. (0)

Anonymous Coward | more than 2 years ago | (#39811877)

> i found a backdoor in your mom.

Bet it smelled better than the frontdoor on yours.

Legal Liability? (5, Insightful)

Anonymous Coward | more than 2 years ago | (#39806809)

Are hardware and software companies going to be taken down by lawsuits over failed security?

Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.

But when the companies leave the door completely unlocked, that is akin to negligence which should not be covered by a EULA. I have never read a EULA (nearly impossible to read by the way) that said "We are not responsible for making it trivial to hack our devices, you are."

I tried to read a Microsoft EULA one time and before I was 25% through, they disconnected me because I "timed out", having failed to read what was easily over 50 pages in about 10 minutes or so.

Sick.

Re:Legal Liability? (1)

nurb432 (527695) | more than 2 years ago | (#39806873)

They can still be sued, and lose their shirt fighting then settling to avoid being ground into bankruptcy.

It's the business model for some companies these days. ( ri*cough*aa )

Re:Legal Liability? (1)

CanHasDIY (1672858) | more than 2 years ago | (#39806917)

> Are hardware and software companies going to be taken down by lawsuits over failed security?
>
> Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.

Depends on where you live; Some nations/states have laws that all products of category X must be warrantied for Y number of years.

Didn't Apple get burned on this very thing over in France not too long ago?

Re:Legal Liability? (1)

clemdoc (624639) | more than 2 years ago | (#39807839)

In the EU (not only in France), warranty is two years, AFAIK. That's what's bitten Apple. I'm not sure, however, that the warranty would cover this. The devices are still working, only 'a little bit too well'.
You'd probably say, and I would agree, that such a blatant security flatulence should cause the producer to take back and repair his device. The producer will probably disagree and then? A court of law... because of a WiFi router? Probably not going to happen, if not done by some consumer advocacy group.

Re:Legal Liability? (1)

CanHasDIY (1672858) | more than 2 years ago | (#39808017)

> You'd probably say, and I would agree, that such a blatant security flatulence should cause the producer to take back and repair his device. The producer will probably disagree and then? A court of law... because of a WiFi router? Probably not going to happen, if not done by some consumer advocacy group.

I think it will most likely be handled in a similar manner to automotive recalls: The manufacturer will weigh the cost of litigation against the cost of recall, and go with the cheaper option.

Fortunately, unlike with automotive recalls, no one is likely to die if the manufacturer decided litigation is cheaper.

Re:Legal Liability? (1)

Anne_Nonymous (313852) | more than 2 years ago | (#39807479)

>> Are hardware and software companies going to be taken down by lawsuits over failed security?

If you produce a worthless product, people won't buy it. That's what's going to take them down.

Flaws not necessary? (3, Funny)

macraig (621737) | more than 2 years ago | (#39806817)

> A recently reported flaw... isn't necessary... anymore.

Hmmm... I would have thought all flaws are unnecessary by definition.

God, it would be nice if editors did their damned jobs instead of rubber-stamping every gush of malformed junk that makes its way into the hose.

Re:Flaws not necessary? (1)

Mojo66 (1131579) | more than 2 years ago | (#39806931)

> malformed junk that makes its way into the hose.

As you might have guessed from the link to the original article in German, English is not my native language. Whereas submitters of pieces that are already written in English can just copy/paste the relevant parts into their /. submission, non-English sources have to be translated by the submitter. It's anyone's choice to wait until an English-speaking site picks up the story written in perfect English, or read the "malformed junk" version while it is still fresh...

Re:Flaws not necessary? (2)

Black Parrot (19622) | more than 2 years ago | (#39807081)

No need to justify it. The geeky amateurism is half of what makes Slashdot fun.

Most of us read comic books instead of Proust.

Re:Flaws not necessary? (0)

Anonymous Coward | more than 2 years ago | (#39807131)

Grand's rant was not about you, who submitted the story. His rant was about the editor who merely approved your submission.
You are entitled to send whatever you want or can, but the editor's JOB is to right the wrongs and make a better summary than the original submitter did.

Nothing wrong with your submission, only wrong with the editor's non editing.

Re:Flaws not necessary? (1)

macraig (621737) | more than 2 years ago | (#39807201)

I recognize with regret that not everyone who posts to the Interwebs will have a fluent grasp of English. That is why editors/moderators exist. It's the job of the editor to either clean up your non-native English or reject the submission if it's irredeemable. This particular editor did neither.

Re:Flaws not necessary? (1)

Jeng (926980) | more than 2 years ago | (#39807289)

Slashdot's "editors" pretty much just choose which stories to post. I think that might be the extent of their duties.

Re:Flaws not necessary? (1)

macraig (621737) | more than 2 years ago | (#39807403)

Monkeys can do that job, and they don't demand a 401k or benefits. Slashdot should employ a few, which would really help since the monkey unemployment rate is about 100%, unless you count laboratory servitude. Maybe Caesar will even be among the hires? I for one welcome my new banana-eating editorial overlords.

Re:Flaws not necessary? (1)

X0563511 (793323) | more than 2 years ago | (#39807299)

See, this is where you are wrong. The editors' jobs are to approve flamebait stories, intentionally break links, and sneak in (or not so sneak) advertising.

Re:Flaws not necessary? (2)

macraig (621737) | more than 2 years ago | (#39807443)

I stand correc... errr, edited.

Re:Flaws not necessary? (1)

X0563511 (793323) | more than 2 years ago | (#39807283)

You made perfect sense to me; macraig is just being an asshole.

Re:Flaws not necessary? (1)

interval1066 (668936) | more than 2 years ago | (#39807323)

> English is not my native language

Yeah, calm down guy.

Re:Flaws not necessary? (1)

KlomDark (6370) | more than 2 years ago | (#39811475)

Don't worry about it. I had zero trouble reading it and English is my first and only language other than programming languages.

What confused/confuses me was what the guy meant by "duff link", WTF is a duff link?

Re:Flaws not necessary? (1)

gl4ss (559668) | more than 2 years ago | (#39806999)

the point is that abusing the flaw isn't necessary for pwning some wireless boxes.

Re:Flaws not necessary? (1)

macraig (621737) | more than 2 years ago | (#39807087)

I know what his point was. My point is that he communicated his point rather poorly. I didn't appreciate having to waste extra calories trying to figure out what he actually meant to say. Reducing calorie consumption is after all the point of effective language use.

Re:Flaws not necessary? (1)

MagicM (85041) | more than 2 years ago | (#39807241)

> Reducing calorie consumption is after all the point of effective language use.

I had to read that twice to understand what you're talking about. Now I have to eat an extra twinkie to make up for that. THANKS A LOT!

Re:Flaws not necessary? (1)

macraig (621737) | more than 2 years ago | (#39807303)

You're not fooling anybody... you would've eaten that extra Twinkie anyway!

Re:Flaws not necessary? (0)

Anonymous Coward | more than 2 years ago | (#39826277)

My God, you actually burned a couple of calories while you sat on your ass reading Slashdot. HOW DARE HE.

Re:Flaws not necessary? (1)

worf_mo (193770) | more than 2 years ago | (#39808343)

The German article links to some previously discovered flaws. I read the TFS as in "the previously discovered flaw isn't necessary to calculate the PIN anymore, because a new backdoor has been discovered that makes things so much easier".

Your comment gave me a good chuckle, though.

Re:Flaws not necessary? (1)

gstrickler (920733) | more than 2 years ago | (#39809367)

While the way it's written does leave room for misinterpretation, your edit of it excludes the obvious predicate for "isn't necessary ... anymore", thus, your rant is actually based upon you reading the statement incorrectly. Had "...that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router..." been separated with commas, clearly identifying it as a prepositional clause, then your interpretation and rant would be valid. However, it wasn't, and it's clear from context that "isn't necessary... anymore" refers to the clause about exploiting the flaw.

I understand your complaint about lack of editing. But your rant is about your misinterpretation.

CPE is a nightmare... (4, Interesting)

nweaver (113078) | more than 2 years ago | (#39807035)

Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.

With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004! So almost decade-old code that just never ever ever got upgraded.
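A way to run this kind of check against your own router, as an added example that is not Netalyzr's code and not part of the comment above. It assumes the resolver answers a `version.bind` TXT query in the CHAOS class with a banner of the form `dnsmasq-<version>`, as dnsmasq does by default; `query_resolver`, `audit`, the sample reply and the `(2, 60)` threshold are constructed for illustration.

```python
import os
import re
import socket
import struct

TXT, CHAOS = 16, 3  # DNS QTYPE TXT, QCLASS CH

def build_version_query(txid):
    """Build a DNS query for the TXT record `version.bind` in class CHAOS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
    qname = b"\x07version\x04bind\x00"
    return header + qname + struct.pack("!HH", TXT, CHAOS)

def _skip_name(msg, off):
    """Return the offset just past a (possibly compressed) DNS name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a compression pointer ends the name
            return off + 2
        off += length + 1

def parse_version_reply(msg, txid):
    """Return the first TXT string of the first answer, or None if unusable."""
    try:
        rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
        if rid != txid or not flags & 0x8000 or flags & 0x000F or an == 0:
            return None  # wrong ID, not a response, error rcode, or no answer
        off = 12
        for _ in range(qd):  # skip the echoed question section
            off = _skip_name(msg, off) + 4
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        rdata = msg[off + 10:off + 10 + rdlen]
        if rtype != TXT or len(rdata) != rdlen or rdlen < 1:
            return None
        return rdata[1:1 + rdata[0]].decode("ascii", "replace")
    except (IndexError, struct.error):  # truncated or malformed packet
        return None

def query_resolver(ip, timeout=2.0):
    """Ask the resolver at `ip` (your own router) for its version banner."""
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_version_query(txid), (ip, 53))
            data, _ = sock.recvfrom(512)
        except OSError:  # timeout, unreachable, refused
            return None
    return parse_version_reply(data, txid)

def audit(banner, minimum):
    """Classify a banner as 'ok', 'outdated' or 'unknown' against `minimum`."""
    m = re.fullmatch(r"dnsmasq-(\d+)\.(\d+)\S*", (banner or "").strip())
    if not m:
        return "unknown"
    return "outdated" if (int(m.group(1)), int(m.group(2))) < minimum else "ok"

def constructed_reply(txid, banner):
    """Constructed sample response, so the parser can be exercised offline."""
    header = struct.pack("!HHHHHH", txid, 0x8580, 1, 1, 0, 0)
    rdata = bytes([len(banner)]) + banner.encode("ascii")
    answer = b"\xc0\x0c" + struct.pack("!HHIH", TXT, CHAOS, 0, len(rdata)) + rdata
    return header + build_version_query(txid)[12:] + answer

if __name__ == "__main__":
    MINIMUM = (2, 60)  # assumed policy threshold, not a vendor recommendation
    banner = parse_version_reply(constructed_reply(0x1234, "dnsmasq-2.15"), 0x1234)
    print(banner, audit(banner, MINIMUM))
```

The banner is self-reported and can be disabled or rewritten by the firmware, so an "unknown" result means the version could not be determined, not that the device is current.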

Re:CPE is a nightmare... (0)

Anonymous Coward | more than 2 years ago | (#39807601)

Worse than that. Some of the equipment was bought say 1-2 years ago. Now try getting any sort of updates for it. Forget it... They have already come out with a new plastic shell it costs them 2 dollars less to make and you are getting 0 support for your old model. Then they have 2-5 different revs of the 'same model' and you have no idea if you can even flash it to something that you can at least keep up to date... Much less any sort of support for the thing. The router I bought 2 years ago was supposed to get an IPv6 patch. Never happened, never will. There were a grand total of 2 patches. The second one had a handful of security things. So now I am at the behest of the goodwill of some third party who may or may not update my firmware. Even IF I go to an 'open source' one I am still at the good will of them if my model is even supported at all.

Re:CPE is a nightmare... (1)

tlhIngan (30335) | more than 2 years ago | (#39809079)

> Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.
>
> With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004! So almost decade-old code that just never ever ever got upgraded.

Customers almost never buy CPE. It's usually provided by the provider. As such, it's demanded to be the cheapest crap available because CPE isn't something the provider wants to pay a lot of money on (it eats into subscription revenue).

So a company is basically forced to build a $20 cablemodem-router (or DSL router) with wireless. The hardware cost is already around $10-15 (you want the router part to at least be able to provide what the provider claims - 250Mbps+ in some stupid configuration), so there's very little money in the software. So it's cheaped out (and yes, they may use ancient Linuxes with smaller memory footprints). And no, there's no money for software support.

Me personally, I had my provider disable the router/wireless part and put the modem they have into bridge mode (i.e., cablemodem only) which required them to flash a special firmware on it to do just that. Connected it to my router (a much more capable piece of hardware).

There's a reason you can walk into Best Buy and pick up a $20 router that sells alongside $100, $150, and $200+ routers (and bet that Best Buy is STILL making a profit on the $20 one). And guess which router they're gonna throw into the "free" modem they provide you. Any problems like disconnections and such, sure they'll replace it (and pass your old one to someone who hopefully wouldn't care).

Duh, (0)

Anonymous Coward | more than 2 years ago | (#39807053)

I have been trying Password1 for a long time to no avail.

Ouch (1)

DaMattster (977781) | more than 2 years ago | (#39807079)

Usually the first thing I do is disable that push-button, WPS thing as I don't usually trust "instant" security schemes anyhow. As I was reading the summary, I was thinking big deal, just turn off WPS. As I got near the end of the summary, I'm thinking "ouch," even though you turn it off the backdoor still exists. I would really like to see device manufacturers spend a little more time on security. It seems that security is an afterthought in the effort to bring a device to market and have it turn a profit. I would think that by spending a little more time on security, there would be more savings because it is costly to develop, test, and distribute patches. What if the patches brick a router, then even more money is spent on replacing the customer's hardware under warranty. Why not take the time and build a more secure router and spend a little more money which will be recouped over a longer period of time?

Re:Ouch (0)

Anonymous Coward | more than 2 years ago | (#39807497)

Because making a decent product does not significantly increase the odds of making a sale, while being late to ship significantly decreases those odds.

Re:Ouch (1)

KlomDark (6370) | more than 2 years ago | (#39811521)

True, but making a decent product very significantly increases the odds of making a second sale.

Anyone else find this hard to parse? (1)

wonkey_monkey (2592601) | more than 2 years ago | (#39807529)

*Spins around in a phonebox and becomes... Captain Pedantic!*

> A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore.

Not necessary for what? That alone took me a while to figure out.

> According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone.

Affected by the flaw you've just mentioned above? The one that isn't necessary?

> What makes things worse is the fact that in order to exploit the backdoor,

I still hadn't seen any mention of a second flaw, so on first reading it seemed like the backdoor is the same unnecessary flaw as mentioned above. I finally realised that there's an old flaw and a new flaw - or at least I think that's what's trying to be said...

Re:Anyone else find this hard to parse? (1)

formfeed (703859) | more than 2 years ago | (#39807757)

Hey Captain Pedantic!
You're late to the game, Captain Asshat beat you by 13/15th of an hour.

That's the code the emperor has on his luggage (1)

davydagger (2566757) | more than 2 years ago | (#39807705)

1.2.3.4.5? That's the code an IDIOT puts on his luggage!

*QUICK* someone change the emperor's luggage!

closed wifi ruling (1)

Gamasta (557555) | more than 2 years ago | (#39807941)

A different ruling in Germany holds owners of open wifis accountable for any illegal action undertaken by its users. You're required to keep intruders off with authentication and encryption (unless you're a cafe or so). Now people could use closed wifis for illegal activities and the courts would have to hold the wifi manufacturer accountable.

Alternate solution for the owner (1)

damn_registrars (1103043) | more than 2 years ago | (#39808001)

If you protect the systems on your network, then the security of your router isn't as critical. Sure, there is a chance someone might use your internet access through your router to do something nefarious when you're gone, but if your own local data is protected your situation isn't nearly as bad.

Re:Alternate solution for the owner (0)

Anonymous Coward | more than 2 years ago | (#39808307)

True, until the cops come knocking at your door. Or you go over your data cap....see it's bad.

Re:Alternate solution for the owner (1)

Anonymous Coward | more than 2 years ago | (#39808325)

> there is a chance someone might use your internet access through your router to do something nefarious

This I think, is the root of the problem. Everyone is held accountable for the traffic emanating from their router. This would make YOU responsible for the actions some hactivist took from your LAN. YOU are the terrorist in this case.

Re:Alternate solution for the owner (1)

PlusFiveTroll (754249) | more than 2 years ago | (#39810155)

This ignores the point that most people with the type of equipment know nothing about securing their network from inside attacks.

The router is the number 1 piece of equipment to keep secure. Any unencrypted and unauthenticated traffic can be manipulated by your router, also it's the perfect point to launch a MiTM attack. Once a person is on the WLAN they are free to poke away at any other exploits the router may have till they get a shell on it, very few routers are firewalled on the inside.

Also as the ACs have stated, why would you want people possibly sending spam, death threats, child porn from your supposedly secure router?

Re:Alternate solution for the owner (1)

jimbolauski (882977) | more than 2 years ago | (#39811107)

If your router is compromised you are vulnerable to MITM attacks, MD5 the standard encryption method for SSL and HTTPS has been shown to be broken in a few seconds using an ordinary computer so faking certs is possible in a few seconds. You are in the clear as long as you don't bank on-line or do anything else where you want your communications encrypted.

12345670 (1)

DarthVain (724186) | more than 2 years ago | (#39811565)

Hey! That's the same password as my luggage!

Possible good news for Vodafone customers (1)

sbryant (93075) | more than 2 years ago | (#39815137)

If you're a Vodafone/Arcor customer with an Easybox, check the label on the back. If it says Arcadyan, then I'm sorry for you, but if it says Sphairon (a different company) you're in luck. The cases look the same from the outside, but have different hardware and firmware inside, and the Sphairon kit is much better.

It's possible that this is the case for other ISPs too (eg: Telekom).

-- Steve