Backdoor Still Hidden in Patch for Wi-Fi Routers

The backdoor affecting Sercomm wireless DSL routers has not been fixed, and lays hidden in the latest version of the devices` firmware to intercept users` home traffic, according to Ars Technica.

In December 2013, Eloi Vanderbecken discovered hackers could exploit his parents` Linksys Wi-Fi router to gain administrative rights and manipulate local network resources without admin credentials. The device was listening on an undocumented Internet Protocol port number (32764) which allowed him to execute several commands, including running a script and enabling administrator privileges.

Allegedly, the backdoor required the attacker to be on the local network. The raw Ethernet packets were sent from within the local wireless LAN or from the Internet service provider`s equipment. Vanderbeken later reported some routers could be hijacked via the Internet as well, leaving them vulnerable to remote attacks.

As a result, the systems based on the same Sercomm modem, including home routers from Netgear, Cisco and Diamond, have published an update meant to seal the vulnerability. However, the researcher recently disclosed that the communications flaw persists in the new code. The backdoor can be reactivated through a network packet used by “an old Sercomm update tool.” The packet`s payload is an MD5 hash of the router`s model number (DGN1000).

Once the backdoor is turned back on, it monitors TCP/IP traffic and allows hackers to send commands to the router, including a screenshot of its entire configuration. It also gives access to hardware features such as blinking the router`s lights.

Due to the variety of models and manufacturers, the number of devices affected is unknown. The manufacturers have not issued an official response up to this point.