Dave Emery wrote:
This is not that uncommon. We implemented such a backdoor in a router I worked on the design of some years ago. The magic password was a function of the model and serial number of the machine (not, as I remember, a very strong hash either), and different for all boxes. We (or rather the marketing and support people) felt that leaving a customer who forgot his password with no option but to reset the router to its factory defaults was more undesirable than providing a potential attack point for sophisticated hackers and spooks.
This is still inexcusable. It would have been just as simple to include a hidden reset switch in a panel somewhere that would zap all the passwords on the router without zapping the config, and maybe send some alarms out via SNMP in case it wasn't something that was wanted. That would be something the client could do themselves without opening security holes.
I suspect that a large fraction of alarms, security systems, PBXs and the like incorporate such backdoors for precisely the same kinds of reasons: it is simply too catastrophic to reset everything if someone forgets the password. I know several commercial Unixes had such backdoors in them for emergency access years ago, and wouldn't be overwhelmingly surprised if some current OSes still have magic backdoors.
That doesn't mean that the ankle-biters won't find them. For example, I could put a sniffer on the network coming into the router and call up tech support and say "Hi, I lost my password, here's my IP address, help, help." I can then do the same thing a week later with the same router in case the hash is time-dependent, and then later with another router with a different serial number, and I'll have much info to get started on how your hash works. Piece of cake.
Of course these holes are dangerous, as it is not beyond possible for someone with serious criminal intentions to obtain a copy of your product and slog through the EPROMs/flash memory with a disassembler and determine the magic algorithm, which may give him access to all other machines running the same basic code, especially if he has some method of poking around in memory of his target machine or predicting such things as its secret serial numbers.
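An added illustration of the attack the reply describes, not code from this thread, from Dave Emery's router, or from any vendor: a model of a deliberately weak magic password derived from model and serial number, an attacker who has collected (serial, password) pairs for two boxes of the same model (say, from two support calls), and the recovery of the firmware constants from those two samples, after which the password of any other unit running the same image follows from its serial number alone. The linear derivation, the 24-bit password size, the constants and the model name "RX-2000" are all hypothetical; the page says nothing about the real algorithm.

```python
# Added example (hypothetical): a weak serial-derived backdoor password and its
# recovery from a couple of observed (serial, password) pairs. None of this is
# the real router's algorithm; the constants and the model name are made up.

MOD = 1 << 24          # assumption: 24-bit password shown as six hex digits
FIRMWARE_A = 0x5A3C71  # hypothetical secret multiplier baked into the image
FIRMWARE_B = 0x0F00D5  # hypothetical secret offset baked into the image


def vendor_magic_password(model: str, serial: int) -> str:
    """Vendor side (hypothetical): password = A*serial + B + f(model) mod 2^24.
    A linear function of the serial is "not a very strong hash": it is fixed
    per firmware image, identical on every unit, and cheap to invert."""
    model_term = sum(model.encode()) & 0xFFFF   # folds the model name into the offset
    return f"{(FIRMWARE_A * serial + FIRMWARE_B + model_term) % MOD:06x}"


def recover_constants(samples):
    """Attacker side: samples are (serial, password) pairs for units of the
    same model, e.g. the passwords support read back for two boxes you own.
    Solves p = a*s + c (mod 2^24) for (a, c). Needs one pair whose serial
    difference is odd so that it is invertible modulo 2^24; returns None
    otherwise (the edge case where every observed serial has the same parity,
    which means another sample is needed)."""
    for i, (s1, p1) in enumerate(samples):
        for s2, p2 in samples[i + 1:]:
            d = (s1 - s2) % MOD
            if d % 2 == 0:
                continue                      # even difference: not invertible mod 2^24
            a = ((int(p1, 16) - int(p2, 16)) * pow(d, -1, MOD)) % MOD
            c = (int(p1, 16) - a * s1) % MOD
            return a, c
    return None


def predict_password(a: int, c: int, serial: int) -> str:
    """With the constants recovered, any unit running the same image is open
    to whoever can read, sniff or guess its serial number."""
    return f"{(a * serial + c) % MOD:06x}"


if __name__ == "__main__":
    model = "RX-2000"                                  # hypothetical model name
    # Two boxes the attacker owns (serials chosen so their difference is odd).
    observed = [(s, vendor_magic_password(model, s)) for s in (1001, 2002)]
    a, c = recover_constants(observed)
    target = 31337                                     # a box the attacker never touched
    print("recovered constants:", hex(a), hex(c))
    print("predicted for serial", target, "=", predict_password(a, c, target),
          "actual =", vendor_magic_password(model, target))
```

Two samples suffice here only because the hypothetical derivation is linear; a non-linear but still unkeyed function would take more samples or the disassembly route Dave Emery mentions, yet the outcome is the same: once the function is known, serial numbers are the only secret left, and they are printed on the chassis.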
