A network and security hardware vendor revealed it issued long-overdue patches for eight of its product families to limit access to administrative accounts that could have allowed attackers to compromise the products.
The backdoor access could have given an attacker complete access to the devices, provided they knew the password—and possibly have stolen an encryption key.
The vendor did limit access to the backdoor features to certain ranges of Internet addresses, but the groups of addresses included a number of servers for other companies and individuals as well. Compromising those servers could have given an attacker the ability to access vulnerable networking hardware.
In secure environments, it is highly undesirable to use appliances with backdoors built into them, even if only the manufacturer can access them.
Our research has confirmed that an attacker with specific internal knowledge of a router appliance may be able to remotely log into a non-privileged account on the appliance from a small set of IP addresses. These vulnerabilities are the result of the default firewall configuration and default user accounts on the unit.
The controversy comes as corporations and national governments worry over the security of the networking products manufactured across the globe. In October, the U.S. government recommended that companies not use products from Chinese manufacturers Huawei and ZTE, for fear that the Chinese government might insert a backdoor into the products. In August, researchers presenting at the annual Defcon hacking conference found enough vulnerabilities in Huawei's routers to allow attackers to compromise the devices remotely.
In 2007, a series of vulnerabilities in Cisco's networking operating system would have allowed a knowledgeable attacker backdoor access to any product running the operating system. Last year, researchers found that a common embedded chip had backdoor functionality as well. In fact, one security professional estimated that 20 percent of consumer routers have backdoors, as well as half of all industrial control systems.
It is a common error to leave a router’s administrative access set to the vendor’s original access code. That creates a backdoor, since the code is often available from online maintenance manuals.