Intentional Backdoor | TechSNAP 159

A backdoor found in many common routers gets covered up instead of patched, and all it takes is a knock on the door to exploit it. We’ll share the details.

Plus cross-VM attacks just got much easier, a great batch of your questions and our answers, and much, much more!

On this week’s episode of TechSNAP!

— Show Notes: —

Intentional backdoor in home routers: when it was reported, the vendor just attempted to hide it better

  • Back around Christmas, researchers found a backdoor in 24 different models of routers from Cisco, Linksys, Netgear and Diamond. The backdoor gave an attacker who knew about the flaw a full root shell on the router, and allowed them to dump the entire config and make changes to the configuration
  • This could allow an attacker to get inside your network by forwarding ports etc., but also to conduct a man-in-the-middle attack by changing the DNS resolvers on your router to malicious ones that direct your traffic to the wrong location
  • Shortly thereafter, Netgear released updated firmware from the vendor (Sercomm)
  • When the researchers dissected the firmware, they found that the backdoor was still there, but was only listening on a UNIX domain socket, inaccessible from the network
  • However, they found that under specific circumstances the backdoor will be re-enabled
  • If the router receives a specially crafted Ethernet frame, it will re-enable the backdoor via TCP
  • They also found additional capabilities, including the ability to query the router for its MAC address, change the LAN IP address, or control the LED lights on the modem
  • Since this requires a specially crafted Ethernet frame, it can only be sent from one hop away (the same layer-2 segment)
  • This means that the backdoor can only be enabled from the local LAN or WLAN, or by the ISP
  • A number of the features of this ‘backdoor’ would appear to be useful to an ISP: querying data from the routers, reprogramming them, etc.
  • However, the negative security aspects outweigh all of the gain
  • Researcher PDF
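The DNS-hijack scenario above (an attacker with the backdoor rewriting the router's resolvers) is cheap to check for from a client on the LAN. The following is an added example, not code from the episode or from the researchers: it parses a resolv.conf-style file such as a DHCP client writes from the router's DHCP offer, and flags any resolver that is not on an allowlist. The sample file contents and the allowlist (the router's own LAN address plus two public resolvers) are constructed for the example.

```python
"""Flag DNS resolvers handed out by the router that are not on an allowlist.

Added example (not from the TechSNAP episode or the researcher PDF). It
compares the nameservers a DHCP client recorded against the resolvers you
actually trust; a resolver you never configured is the symptom of the
router-level DNS tampering described in the show notes.
"""
import ipaddress

# Constructed sample: a resolv.conf as a DHCP client might write it after
# taking the router's offer. 198.51.100.0/24 is a documentation range.
SAMPLE_RESOLV_CONF = """\
# Generated by dhcpcd (constructed sample)
nameserver 192.168.1.1
nameserver 198.51.100.53
search home.lan
"""

# Assumed allowlist for the example: the router's LAN address and the public
# resolvers this network is supposed to use. Adjust to your own environment.
EXPECTED_RESOLVERS = {"192.168.1.1", "9.9.9.9", "149.112.112.112"}


def parse_nameservers(resolv_conf_text):
    """Return the nameserver addresses in resolv.conf text, comments stripped.

    Malformed addresses are skipped rather than raising, so one odd line does
    not hide the rest of the file from the check.
    """
    servers = []
    for line in resolv_conf_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop trailing comments
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                continue
    return servers


def unexpected_resolvers(servers, expected=EXPECTED_RESOLVERS):
    """Return resolvers that are not on the allowlist, in the order seen."""
    return [s for s in servers if s not in expected]


def check_file(path="/etc/resolv.conf"):
    """Run the check against a real file; returns None if it cannot be read."""
    try:
        with open(path) as fh:
            return unexpected_resolvers(parse_nameservers(fh.read()))
    except OSError:
        return None


if __name__ == "__main__":
    found = parse_nameservers(SAMPLE_RESOLV_CONF)
    for server in unexpected_resolvers(found):
        print(f"WARNING: unexpected DNS resolver {server}")
```

Running the block as a script checks the constructed sample and reports 198.51.100.53 as unexpected; calling `check_file()` runs the same logic over the live `/etc/resolv.conf`. The allowlist approach is deliberate: a blocklist of "known bad" resolvers would miss any address the attacker picks, whereas a short list of resolvers you chose catches every substitution.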

Fine grain Cross-VM Attacks on Xen and VMware

  • Researchers from Worcester Polytechnic Institute have published new research showing that cloud services may be vulnerable
  • “we show that AES in a number of popular cryptographic libraries including OpenSSL, PolarSSL and Libgcrypt are vulnerable to Bernstein’s correlation attack when run in Xen and VMware (bare metal version) VMs, the most popular VMs used by cloud service providers (CSP) such as Amazon and Rackspace. We also show that the vulnerability persists even if the VMs are placed on different cores in the same machine. The results of this study show that there is a great security risk to AES and (data encrypted under AES) on popular cloud services.”
  • Use a separate machine for each client, although this basically defeats the entire purpose of ‘the cloud’
  • Using AES-NI mitigates the attack entirely; however, many clouds still use older machines that do not support AES-NI
  • Newer versions of the various libraries seem to mitigate the attack against the last round of the cipher, but are still susceptible during the first round
  • The researchers suggest using AES-256 instead of AES-128, because AES-256 uses 14 rounds to AES-128’s 10
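Since AES-NI is the mitigation the notes describe as complete, the first thing a tenant can do is verify that the VM it landed on actually exposes the instruction set. The following is an added example, not code from the episode or the WPI paper: it parses `/proc/cpuinfo` as Linux lays it out and reports any processor whose flags lack `aes` (the flag Linux uses for AES-NI). The two-processor sample text is constructed for the example.

```python
"""Check whether every CPU visible to this VM advertises AES-NI.

Added example (not from the TechSNAP episode or the WPI paper). The show
notes say AES-NI mitigates Bernstein's correlation attack entirely, so a
tenant should confirm the flag is present before relying on that.
"""

# Constructed sample in /proc/cpuinfo layout: processor 0 has the aes flag,
# processor 1 does not (as on an older host without AES-NI).
SAMPLE_CPUINFO = """\
processor\t: 0
model name\t: Constructed CPU
flags\t\t: fpu vme sse sse2 ssse3 aes pclmulqdq

processor\t: 1
model name\t: Constructed CPU
flags\t\t: fpu vme sse sse2 ssse3 pclmulqdq
"""


def cpu_flags(cpuinfo_text):
    """Return {processor_id: set_of_flags} parsed from /proc/cpuinfo text."""
    result = {}
    current = None
    for line in cpuinfo_text.splitlines():
        if ":" not in line:
            continue                      # blank separator between stanzas
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key == "processor":
            current = int(value)
            result.setdefault(current, set())
        elif key == "flags" and current is not None:
            result[current] = set(value.split())
    return result


def aesni_status(cpuinfo_text):
    """Return (all_have_aesni, [processor ids without the aes flag])."""
    flags = cpu_flags(cpuinfo_text)
    missing = sorted(pid for pid, f in flags.items() if "aes" not in f)
    return (bool(flags) and not missing, missing)


def read_live_status(path="/proc/cpuinfo"):
    """Run the check against the real file; returns None where it is absent."""
    try:
        with open(path) as fh:
            return aesni_status(fh.read())
    except OSError:
        return None


if __name__ == "__main__":
    ok, missing = aesni_status(SAMPLE_CPUINFO)
    print("AES-NI on all CPUs" if ok else f"AES-NI missing on CPUs {missing}")
```

The flag being present is necessary but not sufficient: the crypto library must also select its AES-NI code path (OpenSSL does so through its own CPUID check), so the second half of the verification is confirming the library build and version in use, which is where the per-round mitigation notes above come in.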
