This one is mind-bogglingly stupid. But the story serves as a good example of what I mean when I say that computer security can only get so good, because the whole ecosystem is so thoroughly undermined that any effort to secure it can be over-topped by the attackers, with minimal additional effort.
Is this a deliberate backdoor, or just a developer having the stupids? Back in the day when I started coding networked applications, it seemed like a good idea to code in a power-user account that was disabled when the final system was compiled – it meant I didn’t need to set up the whole authorization framework every time I wanted to test the software. Fortunately, I learned better – although I regularly used to get questions about whether I had backdoor’d any of my firewall products. The idea that someone might do that is shocking to me, but that was the late 80s.
Zyxel has released a patch to address a critical vulnerability in its firmware concerning a hardcoded, undocumented secret account that could be abused by an attacker to login with administrative privileges and compromise its networking devices.
According to the advisory published by Zyxel, the undocumented account (“zyfwp”) comes with an unchangeable password (“PrOw!aN_fXp”) that’s not only stored in plaintext but could also be used by a malicious third-party to login to the SSH server or web interface with admin privileges.
Zyxel said the hardcoded credentials were put in place to deliver automatic firmware updates to connected access points through FTP.
FTP’ing firmware updates to an access point, using an undocumented backdoor is less crazy than you might think. I mean, it’s really stupid, but it’s the kind of thing that software engineers come up with when a feature shows up on a product schedule and nobody tells them to do a bit of research and design before they just come up with a brilliant idea and run with it.
I’m not kidding. Back in 2012, I had a conference call with engineers and managers from a major printer manufacturer that was planning on expanding their product line from normally USB-connected printers to local area network-connected print servers; I had to step them through the whole idea that a print server was a target and if it was running a general-purpose operating system, it was going to embed the operating environment’s vulnerabilities and be vulnerable, itself. I was fortunate, on that conference call, because I had documentation regarding an incident in which a Kyocera “Document Solutions” photocopier machine had been compromised by hackers (it was running Linux inside) and used to pivot into launching Nessus scans and Metasploit attacks onto the local network. The printer manufacturer I was talking to was furious that they were going to have to spend time figuring out how to write ipchains rules to control traffic into/out of their print management software, which turned out to be a horrible, unauthenticated HTTP-based piece of crap. You want a fun conference call? Tell some big vendor that they need to rewrite something they just announced was available on the market. Then, imagine it has a hardware distribution component, and they didn’t think of a way that the base operating environment could be updated; “ship your printer back to the manufacturer” does not cut it.
That’s the problem: when you depend on something, you’re embedding its vulnerabilities and those vulnerabilities must then be managed. Imagine if you had set up a financial transaction management system, and had used Zyxel’s otherwise excellent and inexpensive firewall/access points? Now, anyone who has read about it can walk through your security architecture as if it’s not even there.
In fact, I have/use a Zyxel Wifi access point/firewall, because it is small, cheap, and USB-powered – in my case, it’s OK because I just used it as a way of providing Wifi access to a high-speed camera that was designed with a hard-wired interface (idiots!) [ranum] At $40 apiece, you can be sure that lots of people have used the Zyxel firewall/Wifi points for all kinds of things. It’s a big deal because that type of application is exactly the type that does not get reviewed regularly, and never gets updated. Applications like that will never show up on vulnerability scans or on Shodan; this is a hole that will exist for a very long time.
When I first started working on firewalls, the state of the art was to write access control lists in a Cisco router. Many organizations used to just block telnet port 23 inbound and I was amazed when I scanned all the ports (this was 1989) and found an undocumented telnet listener at port 2020. That has finally been fixed, but it was an important lesson for me: you can’t assume that the vendor is not unutterably stupid.
In the Zyxel case, I assume it’s just common-or-garden stupidity, but Zyxel is headquartered in Taiwan and Taiwan is part of the US intelligence community’s sphere of influence. If it was a China-based company, like Huawei, you could expect the US Government to be freaking the fuck out, but instead this story is being treated like just another *yawn* design flaw. I’m willing to state with a high degree of confidence that this backdoor is not one that was influenced by NSA, because theirs are so much better.
The Republic of China (ROC, Taiwan) is operating a major signals intelligence (SIGINT) facility in co-ordination with the US National Security Agency (NSA) on Yangmingshan Mountain, just north of Taipei, Jane’s Defence Weekly has learned.
The NSA helps the ROC co-ordinate and process its SIGINT data collected from various SIGINT stations located around Taiwan. Data collected by the facility is processed for use by Taiwan’s Military Intelligence Bureau (MIB) and relayed back by satellite to the NSA.
The facility is a “data processing centre” located on a ROC military compound that is also identified as the Taiwan headquarters of a US telecommunications company based in Maryland. The company has been identified by a high-level US State Department official and a source within the MIB as a commercial front for the NSA.
Taiwan headquarters of a US telecommunications company based in Maryland, eh? A bit of querying makes L3 Communications/Harris pop up. L3/Harris makes all kinds of stuff, including cell phone IMSI catchers (“stingrays”) and other surveillance tech.
One of the little games I still play with myself is to hypothesize how a vulnerability is discovered. In the case of the Zyxel backdoor, it would not be discovered by someone randomly connecting to the device’s web server and trying all the possible user/password combinations. Someone probably took a copy of the firmware [zyxel] and ran “strings(1)” against it. Hard, huh? Unless the user/password were obfuscated in the code, that’s all it would take.
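To make the “run strings against the firmware” idea concrete, here is an added example (written for this page; it is not Zyxel’s firmware, nor anything from the advisory or from the original post). It reimplements the strings(1) rule in Python, runs a user:password heuristic over the output, and then shows the obfuscation caveat: a second, hypothetical “svc_user” credential is hidden behind a single-byte XOR key (0x5A, also invented), which plain strings misses but a 255-iteration brute force recovers. The sample blob, the filler bytes, the XOR key and the svc_user credential are all constructed for the example; only the zyfwp pair comes from the advisory quoted above.

```python
import re

# Bytes strings(1) treats as printable by default: ASCII 0x20-0x7E plus tab.
_PRINTABLE = frozenset(range(0x20, 0x7F)) | {0x09}

# Credential heuristics. PAIR_RE finds "user:password"-shaped substrings;
# KEYWORD_RE flags strings that merely talk about passwords, which are worth
# a manual look even when the value itself lives elsewhere in the image.
PAIR_RE = re.compile(r"([A-Za-z][A-Za-z0-9_]{2,31}):([^\s:]{6,})")
KEYWORD_RE = re.compile(r"passw|pwd|secret|auth", re.IGNORECASE)

# Constructed sample "firmware" blob (NOT real Zyxel firmware): non-printable
# filler around a few NUL-terminated strings. It embeds the account/password
# pair the advisory names, plus a hypothetical second credential ("svc_user")
# XOR-obfuscated with a hypothetical single-byte key so strings(1) cannot see it.
_FILLER = bytes([0x00, 0x7F, 0x80, 0xFF, 0x01, 0x02]) * 32
XOR_KEY = 0x5A                                   # hypothetical obfuscation key
OBFUSCATED_CRED = bytes(b ^ XOR_KEY for b in b"svc_user:s3cretP4ss!")
SAMPLE_FIRMWARE = (
    b"\x7fELF\x02\x01\x01" + _FILLER
    + b"/usr/sbin/sshd\x00" + _FILLER
    + b"zyfwp:PrOw!aN_fXp\x00" + _FILLER          # the pair from the advisory
    + b"ftp_upload_firmware\x00" + _FILLER
    + b"\xff" + OBFUSCATED_CRED + b"\xff" + _FILLER  # 0xFF is non-printable under key 0 and 0x5A
    + b"admin\x00"
)


def extract_strings(blob, min_len=4):
    """Yield (offset, text) for every run of >= min_len printable bytes,
    which is what `strings -n min_len` does on a raw binary."""
    start = None
    for i, b in enumerate(blob):
        if b in _PRINTABLE:
            if start is None:
                start = i
        elif start is not None:
            if i - start >= min_len:
                yield start, blob[start:i].decode("ascii")
            start = None
    if start is not None and len(blob) - start >= min_len:
        yield start, blob[start:].decode("ascii")


def find_credential_candidates(blob, min_len=4):
    """Run the strings pass and return credential-looking hits as dicts.
    kind == "pair" carries a parsed user/password; kind == "keyword" is a
    string that only mentions passwords and needs a human to look at it."""
    hits = []
    for offset, text in extract_strings(blob, min_len):
        for m in PAIR_RE.finditer(text):
            hits.append({"kind": "pair", "offset": offset, "user": m.group(1),
                         "password": m.group(2), "text": text})
        if KEYWORD_RE.search(text):
            hits.append({"kind": "keyword", "offset": offset, "user": None,
                         "password": None, "text": text})
    return hits


def find_single_byte_xor_credentials(blob, min_len=6):
    """Decode the whole image under every single-byte XOR key and re-run the
    pair heuristic. This is the cheapest obfuscation firmware authors reach
    for; it raises the bar from strings(1) to a loop over 255 keys."""
    hits = []
    for key in range(1, 256):
        decoded = bytes(b ^ key for b in blob)
        for cand in find_credential_candidates(decoded, min_len):
            if cand["kind"] == "pair":
                hits.append({"key": key, **cand})
    return hits


if __name__ == "__main__":
    for cand in find_credential_candidates(SAMPLE_FIRMWARE):
        print(f"{cand['offset']:#08x} {cand['kind']:8} {cand['text']}")
    for hit in find_single_byte_xor_credentials(SAMPLE_FIRMWARE):
        print(f"xor key {hit['key']:#04x}: {hit['user']}:{hit['password']}")
```

On a real image the one-liner equivalent of the first pass is `strings -n 6 firmware.bin | grep -E '^[A-Za-z0-9_]+:[^ :]{6,}$'`, after unpacking any compressed filesystem (e.g. `binwalk -e firmware.bin`) so that the root filesystem’s files are visible rather than a squashfs blob. Expect false positives from both passes; the point is that the candidate list is short enough to check by hand, which is exactly why an unobfuscated, plaintext password is found within minutes of the firmware being downloaded.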
I’ve discussed the Huawei problem before, and I’m not very impressed by the US Government’s frantic bleating about Huawei maybe having backdoors – if there were, and they were known, it’d be easy enough to simply trickle the backdoors out, one a month, and it’d make the products unmarketable by raising the management cost to be stratospheric; imagine if you were a telco and you had to keep upgrading your 5G infrastructure’s firmware every month. It’s that, or leave the vulnerabilities in (and then the NSA and FSB and Mossad would cheerfully exploit them). I still believe that the main reason behind the US Government’s Huawei freak-out is because Cisco hasn’t got a competitive offering and they’re lobbying hard to lock the Chinese company out of the US market until they do.
You can bet your bottom dollar that if there was a vulnerability like this in a Huawei product, it’d be trumpeted from the roof-tops, “Chinese government backdoor found in popular Wifi infrastructure device!”