backdoor in wireless DSL routers

[tonysamson]

I read this article about a backdoor in wireless DSL routers like Linksys, Netgear, others that lets attacker reset router, get admin.

http://is.gd/tptu6L

I'm just wondering if there's a similar hack for the Asuswrt-Merlin?

 

[KevTech]

combination router/DSL modems

Does not mention anything about a stand alone router.

 

[RMerlin]

In all the time I spent working with the firmware code (about 20 months now) I never saw any trace of a backdoor in Asus's firmware. So, pretty sure it's safe.

 

[tonysamson]

that's good to hear. Thanks Merlin..

 

[janosek]

In all the time I spent working with the firmware code (about 20 months now) I never saw any trace of a backdoor in Asus's firmware. So, pretty sure it's safe.

I doubt they would put any backdoors in the GPL anyway. No one really knows everything the CTF does. It might also "Cut Through Security"

 

[Skripka]

In all the time I spent working with the firmware code (about 20 months now) I never saw any trace of a backdoor in Asus's firmware. So, pretty sure it's safe.

I doubt they would put any backdoors in the GPL anyway. No one really knows everything the CTF does. It might also "Cut Through Security"

They're sneaky bastards guys. These are the same people who infiltrated the IPSEC drafting committee and watered down/modified IPSEC standards to the point where no one on the committee could say how secure it was....these are also the same people that got RSA to use a flawed (not-at-all) random number generator in their encryption for a mere $10 million USD. They've also been intercepting overseas computer hardware shipments to place backdoors in the hardware.

Not saying y'all haven't looked...just saying you may not have been looking in the right place. Good to know you're looking, and have a healthy paranoia though

 

[RMerlin]

I doubt they would put any backdoors in the GPL anyway. No one really knows everything the CTF does. It might also "Cut Through Security"

That would be a bad place to put a backdoor, considering that CTF isn't loaded at all by the kernel if HW acceleration isn't enabled.

 

[RMerlin]

They're sneaky bastards guys. These are the same people who infiltrated the IPSEC drafting committee and watered down/modified IPSEC standards to the point where no one on the committee could say how secure it was....these are also the same people that got RSA to use a flawed (not-at-all) random number generator in their encryption for a mere $10 million USD. They've also been intercepting overseas computer hardware shipments to place backdoors in the hardware.

Not saying y'all haven't looked...just saying you may not have been looking in the right place. Good to know you're looking, and have a healthy paranoia though

I can't speak about the encryption level of things as I don't have the source code for these parts, but Asus does, and they ain't an US company, so they could tell the NSA to shove it if asked to insert any backdoor in that code.

CTF is the only bit for which Asus does not have the source code AFAIK, and since that module is only optionally loaded, it's not a very effective location to put any backdoor, so I'm relatively confident that it's safe (unless it has any known vulnerability - a whole different story).

But when it comes to blatant backdoors left by third party firmware developers (like Alpha Networks did with DLink's recent "Joel backdoor"), I can confirm that there isn't any visible in the Asus firmware. Keep in mind that that firmware was also originally forked from Tomato, which was also open source development.

And unlike Netgear or Linksys, I have to say that Asus's GPL is pretty easy to navigate through, which means it'd be harder to hide any backdoor in there.

 

[RMerlin]

BTW, is VxWorks still used by any modern home gateway, or have they all gone Linux now? VxWork not being GPL, it might raise more questions IMHO than Linux-based routers.