On Sun, May 10, 1998 at 08:27:53PM -0400, Sunder wrote:
> It is remote access - via telnet!
This is not that uncommon. We implemented such a backdoor in a router I worked on the design of some years ago. The magic password was a function of the model and serial number of the machine (not, as I remember, a very strong hash either), and different for all boxes. We (or rather the marketing and support people) felt that leaving a customer who forgot his password with no option but to reset the router to its factory defaults was more undesirable than providing a potential attack point for sophisticated hackers and spooks - the problem being that there was often days of work in setting up the configuration and getting it right, and if the customer did not have a good backup, forcing him to destroy all of his hard-won setup just because he couldn't remember which wife's name he used as the password wasn't a good deal. And from a support point of view, helping the turkey to get everything right again was very expensive and painful, whereas leaving a hole for a possible sophisticated attacker was not something that cost support very much, even if some bad guy used it to do real damage. I think most if not all uses of our backdoor were handled by having someone in our customer support log in to the machine and re-establish a password or give the customer the specific master password for his box - I don't think we ever gave anyone the hash.

I suspect that a large fraction of alarms, security systems, PBXs and the like incorporate such backdoors for precisely the same kinds of reasons - it is simply too catastrophic to reset everything if someone forgets the password. I know several commercial Unixes had such backdoors in them for emergency access years ago, and wouldn't be overwhelmingly surprised if some current OSes still have magic backdoors.
Of course these holes are dangerous, as it is not beyond possible for someone with serious criminal intentions to obtain a copy of your product and slog through the EPROMs/flash memory with a disassembler and determine the magic algorithm, which may give him access to all other machines running the same basic code, especially if he has some method of poking around in the memory of his target machine or predicting such things as its secret serial numbers.

-- 
Dave Emery N1PRE, die@die.com DIE Consulting, Weston, Mass.
PGP fingerprint = 2047/4D7B08D1 DE 6E E1 CC 1F 1D 96 E2 5D 27 BD B0 24 88 C3 18
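The design flaw Dave describes, shown as an added example that is not code from the original post or from any real router: a recovery password derived from model and serial by an algorithm shipped in every unit's firmware, beside a recovery scheme where the firmware holds only a salted hash of a per-unit random secret, so disassembling one box yields nothing that transfers to another. The model string, serial numbers and the weak derivation are all constructed for illustration.

```python
import hashlib
import hmac
import secrets

MODEL = "RTR-2000"          # constructed model name, not a real product
PBKDF2_ITERATIONS = 100_000


def weak_master_password(model: str, serial: str) -> str:
    """Scheme from the post: password is a deterministic function of public
    identifiers. The algorithm lives in every unit's firmware, so one
    disassembly plus a target's serial yields that target's password.
    (Constructed illustrative derivation, not any vendor's real algorithm.)"""
    digest = hashlib.md5(f"{model}:{serial}".encode()).hexdigest()
    return digest[:8]


def provision_device(serial: str) -> tuple[dict, str]:
    """Hardened alternative: at manufacture, draw a random per-unit recovery
    secret. The unit stores only salt + PBKDF2 hash; the vendor's support
    database keeps the secret keyed by serial. Customer support can still
    hand the owner his box's recovery secret (the support path the post
    wants to keep), but the firmware contains no algorithm that maps a
    serial to a secret."""
    recovery_secret = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    stored = hashlib.pbkdf2_hmac("sha256", recovery_secret.encode(), salt,
                                 PBKDF2_ITERATIONS)
    device_record = {"serial": serial, "salt": salt, "hash": stored}
    return device_record, recovery_secret


def device_accepts_recovery(device_record: dict, candidate: str) -> bool:
    """What the unit's firmware checks: constant-time compare of the
    candidate's PBKDF2 hash against the stored one."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                               device_record["salt"], PBKDF2_ITERATIONS)
    return hmac.compare_digest(cand, device_record["hash"])


def firmware_plus_serial_suffices(device_record: dict) -> bool:
    """Models the threat in the post: someone who has the firmware (and
    therefore the weak derivation) and the target's serial. Returns True
    if that knowledge alone unlocks the hardened unit; it should not."""
    guess = weak_master_password(MODEL, device_record["serial"])
    return device_accepts_recovery(device_record, guess)
```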