Router backdoors put businesses at risk

Businesses and government systems are at risk from undocumented administrator accounts that provide a backdoor for unauthorised access.


An Ovum report entitled "Can you trust your vendor?" has revealed undocumented privileged administrator accounts in new network routers belonging to two telecoms service providers.

"This is not the first time that we have seen attempts to hack into enterprise and carrier networks by infiltrating network routers," says Graham Titterington, information security principal analyst at Ovum.

The unauthorised accounts were found by accident as most security audits do not check privileged admin accounts, says Titterington. He recommends that companies concerned about backdoors in their network routers check that there are no unauthorised privileged accounts.
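The check Titterington recommends can be scripted. The following is an added example, not part of the Ovum report or this article: it parses a constructed Cisco IOS-style configuration fragment, compares every local account against a documented administrator roster, and flags accounts that are undocumented, hold more privilege than approved, or store a reversibly encoded (type 7) password. The configuration text, account names and roster are all constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample running-config fragment (IOS-style syntax; not from the article).
SAMPLE_CONFIG = """\
hostname edge-rtr-01
username netops privilege 15 secret 5 $1$abcd$placeholderhash
username helpdesk privilege 1 secret 5 $1$efgh$placeholderhash
username svc_maint privilege 15 password 7 0822455D0A16
username backup-op privilege 15 secret 5 $1$ijkl$placeholderhash
line vty 0 4
 login local
"""

# Documented roster: accounts the organisation has approved and their privilege level.
DOCUMENTED_ADMINS: Dict[str, int] = {"netops": 15, "helpdesk": 1}

# Matches "username <name> [privilege <n>] secret|password <type> <credential>".
USERNAME_RE = re.compile(
    r"^username\s+(?P<name>\S+)(?:\s+privilege\s+(?P<priv>\d+))?"
    r"\s+(?P<auth>secret|password)\s+(?P<type>\d)\s+(?P<cred>\S+)", re.M)


def parse_local_users(config: str) -> List[dict]:
    """Extract local accounts; IOS defaults to privilege 1 when none is given."""
    users = []
    for m in USERNAME_RE.finditer(config):
        users.append({
            "name": m.group("name"),
            "privilege": int(m.group("priv") or 1),
            # Type 7 "password" is reversible encoding, not a hash.
            "reversible": m.group("auth") == "password" and m.group("type") == "7",
        })
    return users


def audit_privileged_accounts(config: str, documented: Dict[str, int]) -> List[str]:
    """Return findings for accounts that are undocumented, over-privileged or weakly stored."""
    findings = []
    for u in parse_local_users(config):
        approved = documented.get(u["name"])
        if approved is None:
            findings.append(f"UNDOCUMENTED account '{u['name']}' at privilege {u['privilege']}")
        elif u["privilege"] > approved:
            findings.append(f"OVER-PRIVILEGED account '{u['name']}': {u['privilege']} > approved {approved}")
        if u["reversible"]:
            findings.append(f"REVERSIBLE (type 7) password on '{u['name']}'")
    return findings


if __name__ == "__main__":
    for finding in audit_privileged_accounts(SAMPLE_CONFIG, DOCUMENTED_ADMINS):
        print(finding)
```

Run against a real export, every finding is a question for the vendor or the change record: an account the roster does not know about is exactly the kind of undocumented privileged login the report describes.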

Backdoors in routers used to be quite common, says Richard Brain, technical director at security firm Procheckup. "In 1999, certain Cisco routers had a backdoor maintenance account to reset passwords. Lots of backdoors have now been removed."

However, in 2006 Cisco "forgot" about the backdoor account on its Cisco Security Monitoring, Analysis and Response System. The company issued a workaround.

Although many router backdoors have been plugged, there is a bigger problem with backdoors in software, such as the system software providers use for online error reporting and remote maintenance.

Chris Wysopal, CTO of Veracode, a company which specialises in analysing software for security holes, warns that such backdoors are very common. "We find that hard-coded admin accounts and passwords are the most common security issue."

The problem here is that the servers software suppliers use for collecting error reports and for distributing software updates over the internet may themselves be attacked. This could lead to compromised code being installed via the legitimate maintenance "backdoor" suppliers use for auto updates. In 2001 the Apache Foundation servers which host open source code were targeted by such an attack.

"CIOs need to check with software suppliers that any special admin accounts built into the product are disabled," Wysopal says. Open source code is prone to abuse, where backdoor code can easily be inserted into the source code. However, Wysopal says the rogue code is often identified quickly, within a few days, and is removed.

Commercial, closed source software is more problematic. Programmers with links to organised crime may slip through the vetting net and find ways to hide backdoors in commercial products, which Wysopal says can be extremely difficult to find.

The only sure way to prevent backdoor hacking attacks is to eradicate backdoors. Admin accounts should only be assigned to internal staff, based on their job role, and suppliers must be forced to reveal the backdoors built into their products.