The Chinese Don’t Need To Hack Us, They Let Themselves In Via The Back Door They Left Open

August 28, 2015 mitch tanenbaum Leave a comment

The Computer Emergency Response Team (CERT), a part of the Department Of Homeland Security, released an alert this week regarding yet another series of DSL routers that have hard coded userids and passwords. The routers, which likely share firmware from a common Chinese manufacturer, all have passwords of the form XXXXairocon, where XXXX are the last 4 digits of the router’s MAC address. That means that hackers, worst case, have to try all combinations of 4 digit passwords to get into the router, but in reality, they can ask the router what it’s MAC address is and the router will tell the hacker, so they don’t need to guess at all.

Who knows if the Chinese did this on purpose so that they could walk into the network if they wanted to, but that is certainly a possibility.

CERT says that the vulnerability is not new, so who knows if hackers, the Chinese, the Russians and/or intelligence agencies have been using this open back door for years. That would not surprise me. US Cyber Command formalized a policy earlier this year that says that they will keep these vulnerabilities secret if it is important to national security. CERT released an earlier advisory last year listing a different set of routers that have a similar problem.

CERT also says that they know of no way to mitigate this vulnerability other than to unplug the router, run your car over it and replace it with a different router.

This is a precursor to the Internet of Things (IoT) security nightmare to come. IoT devices typically have an embedded web server and other software, written by a Chinese software company and purchased by the IoT device manufacturer from the lowest bidder. These devices are usually not patched from when the shrink wrap is first removed until they visit a landfill at the end of their life.

That does not mean that these devices don’t have vulnerabilities, but rather that no one is looking for those vulnerabilities or patching them. Even if the vendor does issue a patch, consumers are highly unlikely to install a patch. After all, when was the last time you patched your refrigerator or VCR? Do you even know HOW to patch them? I will admit that I had my dishwasher repaired a few months ago and the technician literally COULD NOT close the repair ticket until he patched the dishwasher. If I had not had a service call, the dishwasher would remain unpatched.

A link to the CERT advisory, which lists some of the affected routers, can be found in the Computerworld article linked below.

Information for this post came from Computerworld.