Router

Some older routers built on the WiMAX technology contain backdoor accounts that appear to have been introduced somewhere along the devices' supply chain.

These backdoor accounts came to light in September 2016, when security researchers from SEC Consult discovered tens of thousands of WiMAX routers that were exposing their web-based administrative console on the Internet.

After auditing the firmware of some devices, researchers found a severe vulnerability, but also several backdoor accounts.

Attackers can change admin account password

The vulnerability they discovered is CVE-2017-3216, which is an authentication bypass in the web-based administration panel. According to researchers, an attacker can access a file on the built-in web server shipped with these routers and change the main admin account's password.

"An attacker can gain access to the device, access the network behind it and launch further attacks, add devices into a Mirai-like botnet or just simply spy on user," the SEC Consult team said. Routers affected by this issue are:

GreenPacket OX350 (Version: ?)
GreenPacket OX-350 (Version: ?)
Huawei BM2022 (Version: v2.10.14)
Huawei HES-309M (Version: ?)
Huawei HES-319M (Version: ?)
Huawei HES-319M2W (Version: ?)
Huawei HES-339M (Version: ?)
MADA Soho Wireless Router (Version: v2.10.13)
ZTE OX-330P (Version: ?)
ZyXEL MAX218M (Version: 2.00(UXG.0)D0)
ZyXEL MAX218M1W (Version: 2.00(UXE.3)D0)
ZyXEL MAX218MW (Version: 2.00(UXD.2)D0)
ZyXEL MAX308M (Version: 2.00(UUA.3)D0)
ZyXEL MAX318M (Version: ?)
ZyXEL MAX338M (Version: ?)
*It's very likely that other routers may also be affected.

The case of the mysterious OEM backdoors

But this wasn't it. SEC Consult researchers say that during their auditing operations, the tool they were using picked up a large amount of Unix-style password hashes hardcoded in the firmware of some routers. These types of hashes appear only when devices come with backdoor accounts.

Password hashes for backdoor accounts
Password hashes for backdoor accounts [Source: SEC Consult]

After taking a closer look at the code, they realized that both the authentication bypass vulnerability and the backdoor accounts were introduced via an SDK developed by Taiwanese hardware company MediaTek.

When researchers, together with officials from CERT/CC, reached out to MediaTek, the company said the files where these issues were found are not part of its original SDK package.

According to SEC Consult, MediaTek pointed the finger at ZyXEL as the possible source of the firmware additions, for both the vulnerability and backdoor accounts.

Further sleuthing from SEC Consult revealed that other affected vendors — GreenPacket, Huawei, ZTE — all bought white-label routers from MitraStar, one of ZyXEL's sister companies. This discovery reaffirmed MediaTek's theory that ZyXEL developers might have altered the SDK and then shared it with their colleagues.

Regardless of who modified the MediaTek SDK, the devices are far to spread among different ISPs for the backdoors to be their work.

Tens of thousands of routers are available online

Most of the affected routers are quite ancient, manufactured around 2010. Huawei said it stopped supporting all affected models circa 2014.

Despite this, researchers say that an Internet-wide scan unearthed between 50,000 and 100,000 vulnerable WiMAX-based routers that were exposing their administrative interface online.

The large bumber is justified by the fact that many of the vulnerable routers were configured by default to expose their web panel on the WAN interface.

Unless your ISP specifically blocks access to that interface, if you use any of the currently affected routers, it's very likely that some botnet operator will soon take over your device. If your WiMAX router allows you to block access to the administration interface via the WAN port, it's a good idea to enable that feature.

Overall, the number of vulnerable products is very large if we take into consideration that WiMAX is an old technology that was replaced in the meantime by LTE Advanced.

UPDATE [June 9]: In a statement provided to Bleeping Computer by a ZyXEL spokesperson, the company says it's working on solutions for affected models. The company has also provided the following instructions so customers can disable the web administration panel on the WAN interface:

  1. Log in the web-based management interface of the device
  2. Click “Maintenance” and “Remote MGMT”
  3. Disable (unclick) “HTTP and HTTPs – allow connection from WAN”
  4. Save the setting

ZyXEL workaround