Backdoor Found in Linksys and Netgear Routers

backdoor in linksys routersEloi Vanderbeken of Synacktiv Digital Security has discovered a very interesting backdoor into Linksys and Netgear routers. He found it during Christmas vacation at his family’s home where he needed access to a Linksys WAG200G wireless DSL gateway, but didn’t have the password. Scanning the network he found that the device was listening on port 32764. Since this port is non-standard it took a bit of digging to figure out what it did, What he found was quite interesting.

After downloading and examining the device’s firmware, he found that the port would respond to several commands, including a command that gave him access to a shell. From there it was easy to change whatever he wanted to. A true backdoor, but it’s unclear as to why it even exists.

After finding this backdoor it was confirmed that it also existed in several other routers, notably some built by Netgear. Why both Linksys AND Netgear? Well, it turns out that that the common theme between them is another company called SerComm. SerComm builds networking equipment, and most importantly, provides some of the firmware that’s common to many routers from these two companies. They’re the ones who are ultimately responsible for the backdoor.