Keeping The Family Off The Net With An Undocumented Backdoor


When [Eloi] was home for Christmas, he faced one of the most difficult problems man has ever faced: his entire family, equipped with smartphones and laptops, siphoning all the Internet through a 1Mb/s connection. For any technically minded person, the fix for this problem is to limit the bandwith for all those Facebook and Twitter-heads, while leaving [Eloi]’s battlestation unaffected. [Eloi] had originally set up the Linksys WAG200G router in the family home a few years ago but had since forgotten the overly complex admin password. No worries, then, because apparently the WAG200G is open as wide as a barn door with a completely undocumented backdoor.

Without the password to the admin panel of the router, [Eloi] needed a way in. After pointing nmap at the router, he found an undocumented service running on port 32764. Googling this observation resulted in a lot of speculation, so the only option was to download the router’s firmware, look for the service, and figure out a way in.

[Eloi] eventually got a shell on the router and wrote a very short Python script to automate the process for all WAG200G routers. As for where this backdoor came from, it appears a SerComm device on the router is responsible. This means a whole bunch of routers with this specific SerComm module also have this backdoor, and we’d assume anything with a service running on port 32764 is suspect.

If you’re looking for a fix for this backdoor, your best bet is probably installing OpenWRT or Tomato. The OpenWAG200 project, an open firmware specifically designed for [Eloi]’s router, still has this vulnerability, though.

33 thoughts on “Keeping The Family Off The Net With An Undocumented Backdoor

      1. … and trying to get a shell couldn’t possibly trigger b) either? Would have been fun if he managed to discover a remote DoS vulnerability by bricking it accidentally ;)

  1. My family isn’t just into social integration, but heavily into Netflix. 3.3Mb/s down speed on a good day split between five users is bad news bears. Tomato Speedmod on my WRT54GL + some QoS rules to heavily throttle all IPs (strangely not including mine; oops! c:) on non-HTTP/HTTPS port traffic (not including Tumblr/Instagram/Vine/Youtube/Netflix/etc. domains) fixed the problem. Also setup WLAN traffic to be on a lower priority than LAN traffic just to make sure.

  2. Does anyone have a web-tutorial for general router admin stuff? I wouldn’t mind getting my hands a little dirty with this. Some programs are sucking a bit too much bandwidth at seemingly random times at home.

    1. Routers don’t do Application layer filtering. You could filter through port numbers and protocols, though false positives become a problem for anything beyond 1024. Most cheap routers lack the kind of sophistication to do anything more. What you are looking for is a piece of software or a security appliance.

      Squid and iptables would work just fine.

      In any case, if you want to get your hands dirty then you are going to have to dig up some dirt first.

        1. Agreed that the pricing scheme versus residential/SMB service offerings is way off, but what the T1 providers sell with the miserable speed is SLA/uptime stats. Wait til Time Warner business class goes down because a construction crew severed a line 3 miles away. You get ‘best effort’ at resolution. The T1 providers promise RTO of ~ 4 hours +/- based on your contract, or face charge backs from clients if they go beyond SLA.
          Having said that, as IT for a company that has thousands of remote sites on the other end of (mostly) T1 circuits, the bandwidth is abismal, and something as simple as an outlook local copy rebuild can crush the circuit, rendering critical business operations dead in the water.

        2. A lot of times T-1s are still better than a lot of DSL connections due t the fact that a T-1 is 1.544 Mbps in both direction where you end up seeing a lot of DSL connections promising 10 Mpbs down but only offer 768k up (especially on business class connections).

          A T-1 also allows linking a remote site directly to the main network without having to set up a VPN or trying to tunnel through the internet.

          1. Totally. It is very, very worth it if you absolutely need dedicated connections (reliability, real privacy, availability, and consistency). It also is far superior for large VoIP usage and that is what new T1 installs are usually for.

    1. Rural places in Chile (If we are lucky, most rural places don’t have)…. At mayor cities you can get up to 150Mbps though. Darn companies that don’t want to invest a single penny, not even for maintenance. But makes us pay US$38 for a 1Mbps connection that DC’s every now and then and sometimes connects at 512kps or less <.<

  3. I admit I would have most likely opted for the 30-30-30 reset, but none the less after reading the slides and looking into this more this is an excellent case of “the hammer is faster but I prefer the screwdriver”! Love it!


  4. If I remember correctly from Reddit, this all happened because he was too lazy to get out of bed. He turned off the webconsole to the WLAN (even though, in his presentation he notes that he lives in the middle of nowhere and doubts anyone would be on his WLAN).

    Could he have pushed the reset button and done a 30-30-30? Sure. Could he have gone to the wired desktop PC and logged in? Sure.

    But either of those would have required him leaving bed.

  5. Hit the news two days ago in Germany with the focus on the until now undocumented backdoor to a whole family of routers rather than getting around admin passwords you could bypass by using the reset button…

  6. How hard could it be to google “WAG200G reset password” ???

    Of course, if you are leaching WiFi and want to throttle the legitimate owners, this could indeed be most useful….

  7. Okay, I need a way to get me more speed for the half hour I will need it. On my way to get that, I spend days developing a way in to the router, then a script to automate it. By now I don’t have time for the game any more. This sounds like my way of gaming :D

    I’m glad he preferred the screwdriver over the hammer

Leave a Reply

Please be kind and respectful to help make the comments section excellent. (Comment Policy)

This site uses Akismet to reduce spam. Learn how your comment data is processed.