Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)
I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
It is probably just a brand, like many others, and based on a reference design from the OEM.
I have a small Tenda 5-port gigabit dumb switch. It uses the same switch chip as this TP-Link, just with different branding; even the "SG105" model number is the same:
> the admin password to be 'admin'. They'd often even print it on the device itself.
Yes but aren't you supposed to change that one? The problem with the rzadmin is that it will continue to work even after you change the regular admin one...
My ex used to work in their sales department lol. But I'd seen them anyway, in the context of cheap unmanaged switches on Amazon. They are not a state owned company or anything so I doubt this is anything too nefarious, likely just absolutely not giving a crap about quality.
I was deeply alarmed when I figured out ISPs had effortless remote access to the routers and consequently to my LAN. Now they just provide me an ONT which terminates their fiber and connects into my own hardened GL.iNet router running OpenWRT.
I thought it was a safe assumption by now that any kit out of China is assumed — no, expected — to have hardcoded root credentials. Bonus if it's running a telnet daemon.
I don't even think it's malicious, it's an ingrained cultural disregard and not caring by the most disconnected, lack of empathy having human beings on Earth.
These are the same people that poison their own children to save pennies.
As someone who really doesn’t take themselves even the slightest bit seriously, if there was ever a chance that your comment was funny then I would have realised it was a joke. ;)
Hanlon's razor is backwards. My guess is that it's supposed to be a joke, other possible explanations are incompetence and malice.
It's also misdirecting the discursions. If shit happens the questions isn't if it was by malice or incompetence (since you're unlikely to prove it either way), but how to ensure that it won't happen again.
It's one of the worst memes out there with a huge negative impact.
I have done this accidentally at least once - we shipped a full-stack app, and telemetry started lighting up that on certain older phones and browsers (no points for guessing which brand and browser), the release version didn't load. The minifier did something in the release build that it didn't like.
So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..
Did this too when I was working for a company that decided dongle-protecting their software was a good idea. We shipped with the protection check no-op'd out for, ah, debugging purposes and it never got re-enabled. Not really sure if it was by-accident-on-purpose or not.
Whatever these happen it's 50/50 either an internal debugging feature used when designing the device or intended as a way for customer support to more easily help people.
I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.
> a way for customer support to more easily help people
This is my guess. People don't like it when a device they have turns into a brick of e-waste because they can't remember their password. So most consumer devices have either a "reset to defaults" feature or a hidden support password. Even enterprise routers and switches often have this.
> Whatever these happen it's 50/50 either an internal debugging feature used when designing the device or intended as a way for customer support to more easily help people.
The problem with this is, everyone who builds an intentional backdoor will also claim that it's this.
Sufficiently advanced ignorance is indistinguishable from malice, and sometimes needs to be treated as if it were malice.
At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)
It's refreshing to see someone around here addressing the compulsively overlooked elephant in the room; plausible deniability. I am not implying it applies directly here, but notice the trend -- it's taboo to even speculate on and often gets rebuke for even hinting at it. The social convention around it is perfect cover. And I am not the only one that knows this. If we were to wake suddenly and realize the scale of relevance here, we'd probably all go full luddite. Call me paranoid though.
If this wasn’t Tenda maybe I would be more inclined to agree with you. We are talking about an extremely shitty bargain basement vendor. The three stars on Amazon kind of router company.
I think sufficiently explained by incompetence over malice applies here. Some nefarious three letter agency having a backdoor like this is pretty pointless anyway.
Unless you’ve enabled remote management you can’t even get to this backdoor from a physical network perspective.
And then you change some router settings which really aren’t a magical access point into your devices in your home. My PC isn’t just going to magically allow you to browse the file system just because a malicious actor got on my local network. They can’t intercept anything moving over TLS.
Not saying it’s good to have that kind of access, but I think at the scale of “typical home network of consumer devices” the utility and blast radius is pretty limited. Go ahead and launch a DDOS attack on my printer and use up my ink cartridges, I guess.
Well, as mentioned (but perhaps not with sufficient emphasis), I wasn’t implying that this case is necessarily some 3-letter agency op. However, things eg(*) CopyFail, XZ Utils / Jia Tan, Intel ME/IME, Heartbleed, Dirty COW, CVE‑2021‑3156, third‑party contractors, supply chains, and the myriad opportunities all around, are but a few examples that leave me cynical. I don’t claim detailed, expert understanding for any of these; however, I’m convinced the majority of such things remain unknown, and a that our perceived malice:incompetence ratio is off.
I think we could stop reflexively defaulting to “incompetence” when the end result just as easily resembles a deliberate exploit. Plausible deniability is an extremely effective cover when it’s smartly applied.
I’m not disputing any of your specific technical points; my cynicism is thematic. Even when I try to muzzle it, it tends to get through. The parent comment, though short, is dense with implications about cheap gear, opaque firmware, exposure surfaces I think deserve more sustained attention.
* A quick, generic, maybe sub-ideal list to harden my point.
Somehow this reads like German to me. Because "rz" is a common abbreviation of RechenZentrum, meaning DataCenter.
So in English it would be like "dcadmin". Maybe they outsourced it to someone doing "gute Deutsche Wertarbeit", or it's a leftover from some agency having had their fun, or smoke&mirrors from whomever for whichever reasons.
Use openWrt (https://openwrt.org), and use their hardware list to pick a consumer router with the feature set you need that can be flashed to use openWrt.
Ryzen 5 with a dual 10Gbps NIC, running Debian. Overkill for a router/firewall, but I run other services on the same hardware including an email stack, Podman containers, and small AI model for use within Home Assistant.
I wouldn't buy new hardware. Any modest machine built in the last decade would do. If possible, get a machine with an internal ATX power supply rather than an external brick, they tend to be more reliable.
If all you need is 1Gpbs and WiFi, OpenWrt on consumer hardware is probably enough though.
I have a Lenovo thin client running Debian as internet gateway/firewall. With some minor modifications and a small low power blower fan you can add a dual sfp pcie card in it (not all versions can, though there are more manufacturers of thin clients with 4x pcie slots). The blower fan is because the main fan stops often and it needs some cooling.
You can use basically any hardware. I've done it with trash-picked laptops and USB ethernet adapters. Best option these days is a N100/N150 mini-pc with multiple NICs onboard, but with the price of everything going up maybe trashpicking will make a return.
Man, I remember doing this in the late 90s with ipchains as the only way to get a router that didn't cost an arm and a leg. Eventually consumer/prosumer routers came out.
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.
My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.
There was a meme going round of a network diagram that layers a Chinese firewall behind a US firewall behind a Russian firewall so they can all block each other countries backdoors.
Not sure if you're joking, but both have already done so. And any US company is subject to secret orders forcing them to implement a backdoor if demanded.
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".
Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
So will this finally be treated as sabotage/criminal hacking, or is it just yet another example of letting manufacturers do whatever they want to their customers without any punishment? Meanwhile if I find and publish the emails of Tenda customers that they accidentally left unprotected, I get raided by the FBI.
Almost all consumer electronics come with backdoors—especially given the prevalence of computational advertising. Before criticizing Tenda, we ought to clarify whether this is a consumer-facing (2C) or business-facing (2B) product.
A quick search reveals several other serious vulnerabilities in Tenda routers that could grant administrator privileges. Therefore, I tend to believe this is due to the company's incompetence and lack of technical skill rather than malicious intent—but it's still a reason to avoid using Tenda products. There's a reason why Tenda's market share is far lower than TP-Link's.
The consistency with which networking hardware companies produce such garbage is crazy.
And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“
Not exposing your management interface to internet and running a guest network which doesn't have access to said management interfaces can block 95%+ of the attacks, I believe.
Last time when I looked OpenWRT was unable to support MIMO and beamforming capabilities of many of the devices it was running on.
This capabilities are crucial to have decent coverage, signal strength and throughput where I live (i.e.: crowded/congested wireless networks in an apartment complex).
Did OpenWRT team managed to work around them, or did the manufacturers started to play nicer with open drivers with loadable firmware?
Hm, do you ever go over 1gbit? If my understanding is correct, good affordable routers like Mikrotik's CCR2004 are fully closed, so the only option is to build your own shitty box which will be much less energy efficient than their specialized switch chips.
Because of lax security in commercial routers, this backdoor being a prime example of what I'm concerned about, I'd have my own shitty box as a firewall between them and my other kit anyway, so there isn't an efficiency saving either way. It is just a choice of where the walls are, and therefor where my shitty box(es) is/are, not whether my shitty box exists or not.
Currently my primary shitty box router does everything wrt external connectivity and a bought AP/router sits inside offering WiFi. I'd like to remove that AP completely with a WiFi adaptor controlled by my shitty box, but I've not got around to that as it would mean learning to configure a mesh (and so at least one more of my own shitty boxes!) to get good coverage everywhere (I only have a small place, but there are still a couple of blind-ish spots depending on where I put the primary AP). Not trusting a bought router/AP to not have back doors like this raises the question: if they are going to add backdoors for direct outside connections, what is to stop the firmware instead/also trying to tunnel out and letting unwanted connections in that way?
No. None of the local ISPs offer speeds above 1 Gbps.
However, I use FriendlyElec NanoPi R5C as the main entrypoint router. It has two 2.5G ethernet ports. It costs less than 100 euros. And it runs OpenWRT.
It is not a multiport, multi-gigabit device though. And I have not tested it above 1 Gbps so I am unsure about its real world performance.
Pfsense or OPNsense can handle ~5 gbps routing/firewall on a low power AMD or Intel embedded chip. My now old router Pfsense box I got off Aliexpress can comfortably handle 2.5 gbps on an ancient Celeron J4125 running sub-10W.
I've seen it last night, and I was like wtf?! Frankly, if they tried to build in some backdoor, I bet they would have done it differently, not so obviously. This must have been some sort of stupidity done for testing purposes, and just got buried deep in the code and forgotten.
This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.
this is definitely a backdoor, not necessarily that they use it to infiltrate users but definitely they put them at risk.
reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol
Oh this is amazing! I have a few of their cube routers sitting around and I always hated how app-locked their firmware was when it really is just a wifi repeater with a few extras (mesh) on top. Root access will do wonders to bypassing the app now (and also disabling their ping-for-green-light mechanism which spams the network with a constant dns resolution to microsoft.com lol).
Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).
Maybe so when you factory reset the device that it sets the admin to something you can maybe read off the label? At least that way the random attacker needs physical access to your space.
112 comments
[ 3.2 ms ] story [ 39.9 ms ] threadI was unfamiliar with Tenda.
> Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )
Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)
I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
I have a small Tenda 5-port gigabit dumb switch. It uses the same switch chip as this TP-Link, just with different branding; even the "SG105" model number is the same:
https://goughlui.com/2022/02/27/unbox-teardown-tp-link-tl-sg...
I have an ethernet over power adapter somewhere in a cupboard from perhaps 10 years ago.
Back then it was standard for the admin password to be 'admin'. They'd often even print it on the device itself.
Yes but aren't you supposed to change that one? The problem with the rzadmin is that it will continue to work even after you change the regular admin one...
US undocumented auth: legitimate usecase for out of band support nothing to see here
I don't even think it's malicious, it's an ingrained cultural disregard and not caring by the most disconnected, lack of empathy having human beings on Earth.
These are the same people that poison their own children to save pennies.
https://en.wikipedia.org/wiki/2008_Chinese_milk_scandal
https://boschko.ca/tenda_ac1200_router/
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
“Never attribute to malice that which is adequately explained by stupidity.”
https://en.wikipedia.org/wiki/Hanlon%27s_razor
It's also misdirecting the discursions. If shit happens the questions isn't if it was by malice or incompetence (since you're unlikely to prove it either way), but how to ensure that it won't happen again.
It's one of the worst memes out there with a huge negative impact.
Plausible deniability is important.
This being said makes the situation for an attacker awfully convenient...
I know this from personal experience.
- What did you think was going on?
Jack Black: Oh, I thought it was an STO.
- STO?
Jack Black: Standard Training Op.
So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..
I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.
[0] https://old.reddit.com/r/cybersecurity/comments/jw6k5v/backd...
This is my guess. People don't like it when a device they have turns into a brick of e-waste because they can't remember their password. So most consumer devices have either a "reset to defaults" feature or a hidden support password. Even enterprise routers and switches often have this.
One of those is sensible, and one is not. Put a recessed "hold to reset" button on the device, problem solved, no backdoor required or desired.
The problem with this is, everyone who builds an intentional backdoor will also claim that it's this.
Sufficiently advanced ignorance is indistinguishable from malice, and sometimes needs to be treated as if it were malice.
I think sufficiently explained by incompetence over malice applies here. Some nefarious three letter agency having a backdoor like this is pretty pointless anyway.
Unless you’ve enabled remote management you can’t even get to this backdoor from a physical network perspective.
And then you change some router settings which really aren’t a magical access point into your devices in your home. My PC isn’t just going to magically allow you to browse the file system just because a malicious actor got on my local network. They can’t intercept anything moving over TLS.
Not saying it’s good to have that kind of access, but I think at the scale of “typical home network of consumer devices” the utility and blast radius is pretty limited. Go ahead and launch a DDOS attack on my printer and use up my ink cartridges, I guess.
I think we could stop reflexively defaulting to “incompetence” when the end result just as easily resembles a deliberate exploit. Plausible deniability is an extremely effective cover when it’s smartly applied.
I’m not disputing any of your specific technical points; my cynicism is thematic. Even when I try to muzzle it, it tends to get through. The parent comment, though short, is dense with implications about cheap gear, opaque firmware, exposure surfaces I think deserve more sustained attention.
* A quick, generic, maybe sub-ideal list to harden my point.
So in English it would be like "dcadmin". Maybe they outsourced it to someone doing "gute Deutsche Wertarbeit", or it's a leftover from some agency having had their fun, or smoke&mirrors from whomever for whichever reasons.
I wouldn't buy new hardware. Any modest machine built in the last decade would do. If possible, get a machine with an internal ATX power supply rather than an external brick, they tend to be more reliable.
If all you need is 1Gpbs and WiFi, OpenWrt on consumer hardware is probably enough though.
https://nbailey.ca/post/router
What's old is new again.
(Good to know it remains useful by using openWRT and doesn't become landfill)
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.
binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers: And /squashfs-root/webroot_ro/default_router.cfg which offers: From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
Security holes in networking equipment
Affects not just the compromised devices.
And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“
Or the amateur hour backdoors are there to be found.
Great. I am really wondering why should the customers trust these manufacturers.
At this point I would not use any router with vendor-provided black box firmware. Full stop.
I would always install OpenWRT or something similar on it before using it.
And if that is not possible for whatever reason, I would not even think about buying such a device.
This capabilities are crucial to have decent coverage, signal strength and throughput where I live (i.e.: crowded/congested wireless networks in an apartment complex).
Did OpenWRT team managed to work around them, or did the manufacturers started to play nicer with open drivers with loadable firmware?
Currently my primary shitty box router does everything wrt external connectivity and a bought AP/router sits inside offering WiFi. I'd like to remove that AP completely with a WiFi adaptor controlled by my shitty box, but I've not got around to that as it would mean learning to configure a mesh (and so at least one more of my own shitty boxes!) to get good coverage everywhere (I only have a small place, but there are still a couple of blind-ish spots depending on where I put the primary AP). Not trusting a bought router/AP to not have back doors like this raises the question: if they are going to add backdoors for direct outside connections, what is to stop the firmware instead/also trying to tunnel out and letting unwanted connections in that way?
No. None of the local ISPs offer speeds above 1 Gbps.
However, I use FriendlyElec NanoPi R5C as the main entrypoint router. It has two 2.5G ethernet ports. It costs less than 100 euros. And it runs OpenWRT.
It is not a multiport, multi-gigabit device though. And I have not tested it above 1 Gbps so I am unsure about its real world performance.
Backdoor passwords left for convenient debugging are not surprising anymore.
This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.
reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol
Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).