Backdoor Found In Arcadyan-based Wi-Fi Routers

Mojo66 writes "A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore. According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone. (Google translation, original here.) What makes things worse is the fact that in order to exploit the backdoor, no button has to be pushed on the device itself and on some of the affected routers, the backdoor PIN ("12345670") is still working even after WPS has been disabled by the user. The only currently known remedy for those models is to disable Wi-Fi altogether. Since all Arcadyan routers share the same software platform, more models might be affected."

Duff link

[ledow]

Duff link to the translation.

Editors? Firehose? What, precisely, is the point of having them?

Re:Duff link

[Mojo66]

Dunno what happened to the link, this is the link I've submitted [google.com].

Re:

[Blue Stone]

>Editors?[...] What, precisely, is the point of having them?

Eye candy?

Re:

[arth1]

>Editors?[...] What, precisely, is the point of having them?

Eye candy?

You must not have seen any of the slashdot editors...

12345670? Really?

[Anonymous Coward]

Sounds like the combination to some idiot's lunch box.

"Someone change the combination on my luggage!"

[nweaver]

"Someone change the combination on my luggage!" -President Skroob

Re:

[Black Parrot]

Sounds like the combination to some idiot's lunch box.

Using base 8 is actually pretty sophisticated.

Re:

[loustic]

Organizationally unique identifier of Arcadyan Technology Corporation : http://standards.ieee.org/develop/regauth/oui/oui.txt [ieee.org] (It's begining of the MAC address...)

Re:

[dmmiller2k]

Gee, and I thought I was being clever omitting 8 and 9

President Skroob

[Anonymous Coward]

Secures his wifi...

Re:

[Black Parrot]

Obama ate a dog.

Funny, but while "Man Bites Dog" is news and "Dog Bites Man" isn't, the reverse is try when you switch 'Bites' to 'Eats'.

Re:

[mr1911]

It was in college and he was drunk.
She had a good personality.
He and Michelle were "on a break".

Legal Liability?

[Anonymous Coward]

Are hardware and software companies going to be taken down by lawsuits over failed security?

Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.

But when the companies leave the door completely unlocked, that is akin to negligence which should not be covered by a EULA. I have never read a EULA (nearly impossible to read by the way) that said "We are not responsible for making it trivail to hack our devices, you are."

I tried to read a Microsoft EULA one time and before I was 25% through, they disconnected me because I "timed out", having failed to read what was easily over 50 pages in about 10 minutes or so.

Sick.

Re:

[nurb432]

They can still be sued, and lose their shirt fighting then settling to avoid being ground into bankruptcy.

its the business model for some companies these days. ( ri*cough*aa )

Re:

[CanHasDIY]

Are hardware and software companies going to be taken down by lawsuits over failed security?

Probably not because they write the EULAs, as in, "You use the product at your own risk." type language.

Depends on where you live; Some nations/states have laws that all products of category X must be warrantied for Y number of years.

Didn't Apple get burned on this very thing over in France not too long ago?

Re:

[clemdoc]

In the EU (not only in France), warranty is two years, AFAIK. That's what's bitten Apple. I'm not sure, however, that the warranty would cover this. The devices are still working, only 'a little bit too well'.
You'd probably say, and I would agree, that such a blatant security flatulence should cause the producer to take back and repair his device. The producer will probably disagree and then? A court of law... because of a WiFi router? Probably not going to happen, if not done by some consumer advocacy grou

Re:

[CanHasDIY]

You'd probably say, and I would agree, that such a blatant security flatulence should cause the producer to take back and repair his device. The producer will probably disagree and then? A court of law... because of a WiFi router? Probably not going to happen, if not done by some consumer advocacy group.

I think it will most likely be handled in a similar manner to automotive recalls: The manufacturer will weigh the cost of litigation against the cost of recall, and go with the cheaper option.

Fortunately, unlike with automotive recalls, no one is likely to die if the manufacturer decided litigation is cheaper

Re:

[Anne_Nonymous]

>> Are hardware and software companies going to be taken down by lawsuits over failed security?

If you produce a worthless product, people won't buy it. That's what's going to take them down.

Flaws not necessary?

[macraig]

A recently reported flaw... isn't necessary... anymore.

Hmmm... I would have thought all flaws are unnecessary by definition.

God, it would be nice if editors did their damned jobs instead of rubber-stamping every gush of malformed junk that makes its way into the hose.

Re:

[Mojo66]

malformed junk that makes its way into the hose.

As you might have guessed from the link to the original article in german, english is not my native language. Whereas submitters of pieces that are already written in english can just copy/paste the relevant parts into their /. submission, non-english sources have to be translated by the submitter. It's anyone's choice to wait until an english-speaking site picks up the story written in perfect english, or read the "malformed junk" version while it is still fresh...

Re:

[Black Parrot]

No need to justify it. The geeky amateurism is half of what makes Slashdot fun.

Most of us read comic books instead of Proust.

Re:

[macraig]

I recognize with regret that not everyone who posts to the Interwebs will have a fluent grasp of English. That is why editors/moderators exist. It's the job of the editor to either clean up your non-native English or reject the submission if it's irredeemable. This particular editor did neither.

Re:

[Jeng]

Slashdots "editors" pretty much just choose which stories to post. I think that might be the extent of their duties.

Re:

[macraig]

Monkeys can do that job, and they don't demand a 401k or benefits. Slashdot should employ a few, which would really help since the monkey unemployment rate is about 100%, unless you count laboratory servitude. Maybe Caesar will even be among the hires? I for one welcome my new banana-eating editorial overlords.

Re:

[X0563511]

See, this is where you are wrong. The editors' jobs are to approve flamebait stories, intentionally break links, and sneak in (or not so sneak) advertising.

Re:

[macraig]

I stand correc... errr, edited.

Re:

[X0563511]

You made perfect sense to me; macraig is just being an asshole.

Re:

[interval1066]

english is not my native language

Yeah, calm down guy.

Re:

[KlomDark]

Don't worry about it. I had zero trouble reading it and English is my first and only language other than programming languages.

What confused/confuses me was what the guy meant by "duff link", WTF is a duff link?

Re:

[gl4ss]

the point is that abusing the flaw isn't necessary for pwning some wireless boxes.

Re:

[macraig]

I know what his point was. My point is that he communicated his point rather poorly. I didn't appreciate having to waste extra calories trying to figure out what he actually meant to say. Reducing calorie consumption is after all the point of effective language use.

Re:

[MagicM]

Reducing calorie consumption is after all the point of effective language use.

I had to read that twice to understand what you're talking about. Now I have to eat an extra twinkie to make up for that. THANKS A LOT!

Re:

[macraig]

You're not fooling anybody... you would've eaten that extra Twinkie anyway!

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[gstrickler]

While the way it's written does leave it room for misinterpretation, your edit of it excludes the obvious predicate for "isn't necessary ... anymore", thus, your rant is actually based upon you reading the statement incorrectly. Had "...that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router..." been separated with commas, clearly identifying it as a prepositional clause, then your interpretation and rant would be valid. However, it wasn't, and

CPE is a nightmare...

[nweaver]

Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.

With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004! So almost decade-old code that just never ever ever got upgraded.

Re:

[tlhIngan]

Overall, the "Customer Premises Equipment" or CPE in industry parlance, aka the user's NAT/home router and associated WiFi, is a nightmare of bad design and forever day bugs.

With Netalyzr we have been starting to probe for information about the CPE: we use UPnP to try to identify the NAT and we also do DNS queries that may indicate what software is running. The resulting picture, which we've only started to analyze, is dismal. We see NATs which are running versions of DNSmasq that were released in 2003/2004

When poor design meets poor implementation

[SLot]

http://sviehb.files.wordpress.com/2011/12/viehboeck_wps.pdf [wordpress.com]

Ouch

[DaMattster]

Usually the first thing I do is disable that push-button, WPS thing as I don't usually trust "instant" security schemes anyhow. As I was reading the summary, I was thinking big deal, just turn off WPS. As I got near the end of the summary, I'm thinking "ouch," even though you turn it off the backdoor still exists. I would really like to see device manufacturers spend a little more time on security. It seems that security is an afterthought in the effort to bring a device to market and have it turn a profit.

Re:

[KlomDark]

True, but making a decent product very significantly increases the odds of making a second sale.

Anyone else find this hard to parse?

[wonkey_monkey]

*Spins around in a phonebox and becomes... Captain Pedantic!*

A recently reported flaw that allowed an attacker to drastically reduce the number of attempts needed to guess the WPS PIN of a wireless router isn't necessary for some Arcadyan based routers anymore.

Not necessary for what? That alone took me a while to figure it.

According to German computer publisher Heise, some 100,000 routers of type Speedport W921V, W504V and W723V are affected in Germany alone.

Affected by the flaw you've just mentioned above? The one that isn't necessary?

What makes things worse is the fact that in order to exploit the backdoor,

I still hadn't seen any mention of a second flaw, so on first reading it seemed like the backdoor is the same unnecessary flaw as mentioned above. I finally realised that there's an old flaw and a new flaw - or at least I think what's trying to be said...

Re:

[formfeed]

Hey Captain Pedantic!
You're late to the game, Captain Asshat beat you by 13/15th of an hour.

Thats the code the emperor has on his luggage

[davydagger]

1.2.3.4.5? Thats the code an IDIOT puts on his luggage!

*QUICK* someone change the emporer's luggage!

closed wifi ruling

[Gamasta]

A different ruling in Germany holds owners of open wifis accountable for any illegal action undertaken by its users. You're required to keep intruders off with authentication and encryption (unless you're a cafe or so). Now people could use closed wifis for illegal activities and the courts would have to hold the wifi manufacturer accountable.

Alternate solution for the owner

[damn_registrars]

If you protect the systems on your network, then the security of your router isn't as critical. Sure, there is a chance someone might use your internet access through your router to do something nefarious when you're gone, but if your own local data is protected your situation isn't nearly as bad.

Re:

[Anonymous Coward]

there is a chance someone might use your internet access through your router to do something nefarious

This I think, is the root of the problem. Everyone is held accountable for the traffic emanating from their router. This would make YOU responsible for the actions some hactivist took from your LAN. YOU are the terrorist in this case.

Re:

[PlusFiveTroll]

This ignores the point that most people with the type of equipment know nothing about securing their network from inside attacks.

The router is the number 1 piece of equipment to keep secure. Any unencrypted and unauthenticated traffic can be manipulated by your router, also it's the perfect point to launch a MiTM attack. Once a person is on the WLAN they are free to poke away at any other exploits the router may have till they get a shell on it, very few routers are firewalled on the inside.

Also as the AC's

Re:

[jimbolauski]

If your router is compromised you are vulnerable to MITM attacks, MD5 the standard encryption method for SSL and HTTPS has been show to be broken in a few seconds using an ordinary computer so faking certs is possible in a few seconds. You are in the clear as long as you don't bank on-line or do anything else where you want your communications encrypted.

12345670

[DarthVain]

Hey! That's the same password as my luggage!

Possible good news for Vodafone customers

[sbryant]

If you're a Vodafone/Arcor customer with an Easybox, check the label on the back. If it says Arcadyan, then I'm sorry for you, but if it says Sphairon (a different company) you're in luck. The cases look the same from the outside, but have different hardware and firmware inside, and the Sphairon kit is much better.

It's possible that this is the case for other ISPs too (eg: Telekom).

-- Steve