Rotten routers? More brands found to contain hidden “backdoors”

Routers from Chinese manufacturer Tenda contain a hidden “backdoor” which could allow attackers to “take over” the router and send it commands. The company also sells routers branded as Medialink, and the machines are available around the world.

The backdoor was found by Craig Heffner, who discovered a similar backdoor in D-Link routers this month.

Heffner says that he made “short work” of cracking the routers, and that all an attacker needs to do is send a “magic string” to execute commands, according to Hacker News.

Heffner found “”suspicious code” in firmware. The vulnerability affects several Tenda models, including ones rebranded as MediaLink, according to Heffner’s blog post, From China With Love.

“They all use the same ‘w302r_mfg’ magic packet string,” Heffner writes. Contributors to Heffner’s site have added a list of potentially affected models.

Such vulnerabilities can be used for surveillance, or to intercept data from the network.

“It is exploitable over the wireless network, which has WPS enabled by default with no brute force rate limiting,” Heffner writes. “My shiny new ReaverPro box made relatively short work of cracking WPS, providing access to the WLAN and a subsequent root shell on the router (they also ship with a default WPA key, which you might want to try first).”

D-Link has since issued patches for affected routers, saying, “We are proactively working with the sources of these reports as well as continuing to review across the complete product line to ensure that the vulnerabilities discovered are addressed.”

Heffner, formerly of the National Security Administration, claimed that D-Link’s backdoor appeared to have been placed deliberately – and could allow attackers access to unencrypted data.

Earlier this year, Heffner found a vulnerability which could allow attackers to control security cameras – including those made by D-Link.

Heffner described the scope of the vulnerabilities as allowing “Hollywood-style” attacks – referring to the manipulation of video feeds commonly seen in heist movies.

“Thousands of these cameras are Internet accessible, and known to be deployed in homes, businesses, hotels, casinos, banks and prisons, as well as military and industrial facilities,” says Heffner.

Author , We Live Security

  • FL

    seriously the security community is too slow

    – i got two Dlink routers hacked and infected with a BOT program

    the routers started to send traffic while the computers on the network shutdown

    also a lot of MITM attacks
    BTW : the normal reset + hardreset didn’t work :) + firmware change didn’t work

    quoted from dider stevens :

    “But if you suspect that there is malware in the router (i.e. that the router
    firmware has been altered to add malicious code), then there is no 100%
    guarantee that you will ever be able to remove this malicious code.
    Although resetting is a hardware signal, the reset to factory default is
    also done by code in the firmware, which can be altered too to
    circumvent this and allow the malicious code to persist.
    upgrading is done by code in the firmware, which again, can be altered
    to circumvent this and allow the malicious code to persist.
    The only way to fix this requires hardware intervention, which is beyond our scope.

    Now if you suspect that there is a malicious configuration in the router
    (e.g. the DNS setting points to a malicious DNS server) but that the
    code itself (firmware) remains unaltered, then resetting will indeed
    remove these malicious configuration entries. But this is something that
    can be done with a careful review of all settings too.”

  • hidden

    @FL don’t forget that in experianced home users never update their firmware

    (they don’t know what firmware is in the first place )

    they never change the default admin password

    and from what i read from that quote it’s impossible to disinfect some routers

    from your post i find you are not that inexperianced and yet you couldn’t disinfect your


    then what the normal bob will do if that happend to him ?

    people lately started to update their software are you going to tell them to

    update their firmware too

    not to forget about the hidden backdoors that can be exploited by malware

    and install a hidden unremovable rootkit

Follow us

Copyright © 2017 ESET, All Rights Reserved.