Last year around Christmas, Eloi Vanderbeken of Synacktiv Digital Security stumbled on an important backdoor present in a large share of the ADSL modem/wireless-router combinations in circulation. He found it by chance, while scanning for open ports on his family's modem during a holiday visit. He presented his findings in a PowerPoint presentation shared on GitHub, explaining how the backdoor worked and demonstrating how easily an attacker could gain full administrative control of the Linksys DSL modem/router through an undocumented service listening on TCP port 32764. It was later discovered that all modem/router combinations manufactured by Sercomm were potentially affected, and because the majority of router manufacturers outsource both the hardware and the firmware of the modem portion of these gateways to Sercomm, almost all current devices from major brands such as Linksys and Netgear were said to be affected.
A database of Sercomm devices was compiled to quickly identify the affected gateway wireless router modems. The good news was that, on most devices, the service was reachable only from inside the LAN (Local Area Network), so an attacker on the internet could not reach it directly. However, anyone on the wireless network could, and to make matters worse, some models were reported to expose the port on the internet side as well, meaning that attackers could take control of those gateways from anywhere outside.
As early as January, vendors released updated firmware that supposedly patched the backdoor. Shortly after, on April 18, a new PowerPoint presentation from Eloi Vanderbeken contained a startling discovery: the issue had not been patched at all. Instead, the service had been deliberately modified so that it stays dormant until the device receives a special, secret network packet, after which it listens again on the same original port, 32764. In technical terms, a "knock" packet crafted specifically for this purpose reactivates the backdoor and grants access to the gateway modem/router. He used an Easter Bunny drawing to describe the new backdoor as an Easter egg.
The knock can be delivered over the wireless LAN or by the ISP itself, with the additional risk that a single ISP-side broadcast could reactivate the service on every "patched" device at once, leaving the modem/router combinations exposed to attack from outside once more, with full root access and the ability to dump the device's configuration. In conclusion, the service was not fixed at all; it was merely reserved for those holding Sercomm's secret packet, including Internet Service Providers, and the same weak mechanism can once again be abused by attackers.
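As an added example (not code from the original article, nor Synacktiv's own proof of concept), the following Python script checks whether a gateway still answers on TCP port 32764 the way the backdoor service does. It assumes the framing used by the public scanners for this service: every message starts with a 12-byte header of three 32-bit integers, a signature of 0x53634D4D (seen on the wire as "ScMM" on big-endian devices and "MMcS" on little-endian ones), the message type, and the payload length; a request with message type 1 and an empty payload is assumed to be a harmless fingerprinting probe, and the reply header carries the signature, a return value and the length of any payload that follows. The default gateway address, the timeout and the message-type constant are parameters of the example, not values from the article. Because the "patched" firmware only reopens the port after the knock, a clean result only shows that the service is not listening right now; it is also the check to rerun after replacing the firmware.

```python
import socket
import struct
import sys

SIGNATURE = 0x53634D4D   # appears as b"ScMM" (big-endian) or b"MMcS" (little-endian) on the wire
HEADER_LEN = 12          # signature, message type / return value, payload length: three uint32
PROBE_MSG_TYPE = 1       # assumed: the harmless message type public scanners use to fingerprint the service
BACKDOOR_PORT = 32764    # the port named in the article


def build_probe(little_endian, msg_type=PROBE_MSG_TYPE, payload=b""):
    """Frame a request for the service in the given byte order."""
    fmt = "<III" if little_endian else ">III"
    return struct.pack(fmt, SIGNATURE, msg_type, len(payload)) + payload


def parse_reply(data):
    """Parse a reply header.

    Returns (byte_order, return_value, payload) when the bytes carry the
    service signature, or None when they are too short or belong to some
    other protocol (for example an HTTP error from an unrelated listener).
    """
    if len(data) < HEADER_LEN:
        return None
    if data[:4] == b"MMcS":
        fmt, byte_order = "<III", "little"
    elif data[:4] == b"ScMM":
        fmt, byte_order = ">III", "big"
    else:
        return None
    _sig, ret_val, length = struct.unpack(fmt, data[:HEADER_LEN])
    return byte_order, ret_val, data[HEADER_LEN:HEADER_LEN + length]


def probe_host(host, port=BACKDOOR_PORT, timeout=3.0):
    """Try both byte orders against host:port.

    Returns the parsed reply if the backdoor service answers, or None if the
    port is closed, stays silent, or speaks a different protocol.
    """
    for little_endian in (True, False):
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                sock.sendall(build_probe(little_endian))
                data = sock.recv(4096)
        except ConnectionRefusedError:
            return None          # nothing listening on this interface
        except OSError:
            continue             # timed out or reset: try the other byte order
        parsed = parse_reply(data)
        if parsed is not None:
            return parsed
    return None


if __name__ == "__main__":
    # Assumed default: the usual LAN address of a home gateway; pass another on the command line.
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    result = probe_host(target)
    if result is None:
        print(f"{target}:{BACKDOOR_PORT} does not answer as the Sercomm backdoor service")
    else:
        byte_order, ret_val, payload = result
        print(f"{target}:{BACKDOOR_PORT} answered with the service signature "
              f"({byte_order}-endian, return value {ret_val}, {len(payload)} payload bytes)")
```

Run it from a machine on the LAN against the gateway's inside address, and from a host on the internet against the gateway's public address, to confirm whether the port is reachable from the WAN side as some models were reported to be. A reply carrying the signature is enough to classify the device as affected; the script deliberately sends nothing beyond the probe.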
How to Better Protect Against the ADSL Sercomm Gateway Backdoor
With no proper patch available for this backdoor, some 25 router models are known to be affected, and unless the user takes action the vulnerability remains a risk from both Wi-Fi and outside network attackers. So how does the everyday user protect himself or herself from exploits that were deliberately put in place like this one? The answer is to replace the firmware entirely, where the device is supported. Firmware, in short, is the software that makes the modem/router operate. A few different free, open-source options are available; not only do they offer much better security, some of them, such as DD-WRT, add functions such as VPN and NAS storage. For more information on these firmwares, head to our overview of DD-WRT, Tomato, and OpenWrt.
Another option is to replace the DSL gateway modem and wireless router combination with a dedicated ADSL modem in bridge mode and a standalone router. It would still be a good idea to run DD-WRT on the standalone router as well, but at least the modem would no longer be the weak point of the setup, provided the bridged modem is not itself one of the affected Sercomm units. For those of you who do not feel ready to flash your router's firmware, you can always visit FlashRouters for pre-configured routers customized to your needs and pre-flashed with DD-WRT.