I'm sure many of them do, but it's trivial to make such a backdoor essentially unbreakable unless a high-level encryption key theft happens inside the manufacturer. E.g. user "backdoor" with the password being a hash of the unit's MAC address run through public key cryptography.

It's mind-bending foolishness for any programmer to release a product with a hard-coded, everywhere-the-same backdoor password.

On Sat, Nov 12, 2016 at 8:52 AM, Mike Hammett <af...@ics-il.net> wrote:

> I would be surprised if *EVERY* platform didn't have some secret
> manufacturer backdoor, some just are better guarded than others.
>
> -----
> Mike Hammett
> Intelligent Computing Solutions <http://www.ics-il.com/>
> Midwest Internet Exchange <http://www.midwest-ix.com/>
> The Brothers WISP <http://www.thebrotherswisp.com/>
>
> ------------------------------
> *From:* "Jon Langeler" <jon-ispli...@michwave.net>
> *To:* af@afmug.com
> *Sent:* Saturday, November 12, 2016 8:44:59 AM
> *Subject:* Re: [AFMUG] Trango Security Issue
>
> It's not the first time that a manufacturer has a secret root account. It
> just got out
>
> Jon Langeler
> Michwave Technologies, Inc.
>
> On Nov 12, 2016, at 7:09 AM, Paul Stewart <p...@paulstewart.org> wrote:
>
> Yikes….
>
> [+] Credits: Ian Ling
> [+] Website: iancaling.com
> [+] Source: http://blog.iancaling.com/post/153011925478/
>
> Vendor:
> =================
> www.trangosys.com
>
> Products:
> ======================
> All models. Newer versions use a different password.
>
> Vulnerability Type:
> ===================
> Default Root Account
>
> CVE Reference:
> ==============
> N/A
>
> Vulnerability Details:
> =====================
>
> Trango devices all have a built-in, hidden root account, with a default
> password that is the same across many devices and software revisions. This
> account is accessible via ssh and grants access to the underlying embedded
> unix OS on the device, allowing full control over it. Recent software
> updates for some models have changed this password, but have not removed
> this backdoor. See source above for details on how the password was found.
>
> The particular password I found is 9 characters, all lowercase, no
> numbers: "bakergiga"
> Their support team informed me that there is a different password on newer
> devices.
>
> The password I found works on the following devices:
>
> -Apex <= 2.1.1 (latest)
> -ApexLynx < 2.0
> -ApexOrion < 2.0
> -ApexPlus <= 3.2.0 (latest)
> -Giga <= 2.6.1 (latest)
> -GigaLynx < 2.0
> -GigaOrion < 2.0
> -GigaPlus <= 3.2.3 (latest)
> -GigaPro <= 1.4.1 (latest)
> -StrataLink < 3.0
> -StrataPro - all versions?
>
> Impact:
> The remote attacker has full control over the device, including shell
> access. This can lead to packet sniffing and tampering, bricking the
> device, and use in botnets.
>
> Disclosure Timeline:
> ===================================
> Vendor Notification: October 7, 2016
> Public Disclosure: November 10, 2016
>
> Exploitation Technique:
> =======================
> Remote
>
> Severity Level:
> ================
> Critical
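
The affected-version list in the quoted advisory can be turned into an inventory triage check, so operators know which units need SSH reachability restricted first. This is an added example, not part of the original thread or the advisory; the hostnames, CSV layout and status labels are constructed for illustration. Units above the listed versions are reported separately because the advisory says newer releases changed the password without removing the account.

```python
import csv, io

# Affected-version table transcribed from the advisory quoted above.
# "<=" is inclusive, "<" is strictly below, None means every version.
AFFECTED = {
    "apex": ("<=", "2.1.1"), "apexplus": ("<=", "3.2.0"), "giga": ("<=", "2.6.1"),
    "gigaplus": ("<=", "3.2.3"), "gigapro": ("<=", "1.4.1"),
    "apexlynx": ("<", "2.0"), "apexorion": ("<", "2.0"), "gigalynx": ("<", "2.0"),
    "gigaorion": ("<", "2.0"), "stratalink": ("<", "3.0"),
    "stratapro": (None, None),  # advisory: "all versions?"
}

# Constructed sample inventory (hostnames and versions are made up).
INVENTORY = """host,model,version
bh-north-a,GigaPlus,3.2.3
bh-north-b,ApexLynx,2.0.0
bh-east-a,StrataLink,2.9
bh-east-b,Giga,v2.6.2
bh-west-a,StrataPro,1.0
bh-west-b,ApexOrion,beta
"""

def parse_version(text):
    """'v2.1.1' -> (2, 1, 1); raises ValueError on non-numeric parts."""
    return tuple(int(p) for p in text.strip().lstrip("vV").split("."))

def classify(model, version):
    """Map one unit to a status label based on the advisory's table."""
    key = model.lower().replace(" ", "").replace("-", "")
    if key not in AFFECTED:
        return "unknown-model"
    op, bound = AFFECTED[key]
    if op is None:
        return "affected"
    try:
        have, limit = parse_version(version), parse_version(bound)
    except ValueError:
        return "check-manually"
    # Pad to equal length so 2.0 and 2.0.0 compare as equal.
    width = max(len(have), len(limit))
    have, limit = (v + (0,) * (width - len(v)) for v in (have, limit))
    hit = have <= limit if op == "<=" else have < limit
    return "affected" if hit else "different-password"

def triage(text):
    rows = csv.DictReader(io.StringIO(text))
    return [(r["host"], classify(r["model"], r["version"])) for r in rows]

if __name__ == "__main__":
    for host, status in triage(INVENTORY):
        print(f"{host:12} {status}")
```
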