06 January 2021

Someday Companies Will Take Security Seriously

But today is not that day.

Backdoor account discovered in more than 100,000 Zyxel firewalls, VPN gateways | ZDNet

It is 2021, and companies are STILL hardcoding backdoors into Internet-facing hardware. This is beyond stupid.

More than 100,000 Zyxel firewalls, VPN gateways, and access point controllers contain a hardcoded admin-level backdoor account that can grant attackers root access to devices via either the SSH interface or the web administration panel.

Zyxel is blowing smoke. (CYA is in effect.) These are not bits of hardware sold to consumers. These are "enterprise grade" firewalls and access point hardware. More on that later.

So 100,000 enterprise firewalls, access points, and VPN gateways are worse than useless. They are the perfect launching pad for espionage (corporate or otherwise), ransomware attacks, and more. I am sure that news of related ransomware incidents will appear soon.

Zyxel did exactly the same thing with their consumer-grade products in 2016. Even using the same password.

Zyxel should have learned from the 2016 backdoor incident

In an interview with ZDNet this week, IoT security researcher Ankit Anubhav said that Zyxel should have learned its lesson from a previous incident that took place in 2016.

So does this fall under the heading of "Fool me twice?"

Zyxel said, in their cover-your-ass press release, that this hardcoded userid and password was there for auto-updates, yet you have to update the firmware manually if you own any of these things. Four out of five patches are available. They say the fifth won't be available until Friday, so an entire class of devices is still vulnerable. That is not counting the ones that have not been patched yet.

The userid was stored in plaintext in the firmware. The password was hashed, but not very well, and a hash cracker was able to recover it. But then you could have just guessed and used the password from 2016, because why come up with a new password? It is so much easier just to remember the old one!

Never underestimate the power of human stupidity.
  —  Robert A. Heinlein, Time Enough for Love

Hat tip to Security Now - episode 800. Show notes can be found at this link.
