An internal document listing the backdoor accounts for switches manufactured by networking equipment vendor Allied Telesis was circulating online Friday, a day after an internal support page providing instructions on accessing hard coded back door accounts in the company’s products was found to be publicly accessible.
The Excel spreadsheet, “Password_List,” was apparently downloaded from Allied’s support Web site and posted to a public file-sharing Web site on Thursday. It contains instructions for accessing around 20 models of network switching equipment manufactured by Allied Telesis, including default administrative user name and password information, as well as special key combinations and passwords that can be used to enable back door features in the switches.
The spreadsheet was one of four documents accessible from an Allied Telesis support page containing instructions on enabling back doors. The page was marked for internal use only, but ended up visible to the public Internet. While some of the switches listed in the document have hard coded back door account passwords, many have dynamic passwords that are based on the MAC address of the hardware and require a separate password generator application to create. The password generator application was also available from the support page and has also been leaked online.
The availability of the hard coded passwords and the generator application online follows public disclosure of the support page on Thursday and could present problems for customers if malicious hackers decide to use the information to compromise Allied Telesis equipment deployed on customer networks.
Jody Feigle, North American Customer Support Manager at Allied, said the document – part of a larger content management system – was accidentally recategorized from “public-internal” to “public global,” making it accessible from the public Internet. While the company isn’t sure exactly when that change happened, Allied spokesman Serge Timacheff said the support document may have been publicly accessible for more than a year.
However, Allied took issue with the characterization of the support features as a “back door.” In a statement, the company said that the term “backdoor” was a misnomer and that the leaked support note merely described an “industry-standard” password recovery feature. “All documentation describing this password recovery process as a proprietary ‘backdoor’ feature is incorrect, and has been removed from the website,” Allied said.
Importantly, Allied said that an attacker would need to have physical access to the device and connect to an administrative port directly to enter the back door credentials.
“By definition this is not a ‘backdoor’ feature; it is a standard password recovery process for a person who has physical access to the device,” the company said.
The company said it is aware of Web sites that have posted the support documents. “We are working with those site administrators to remove those materials and any attachments from the public domain,” the statement read.
Chris Wysopal, the Co-Founder and Chief Technology Officer at application testing firm Veracode, said that using the device’s machine (MAC) address to generate a unique password is insecure, because the MAC address can be determined remotely by anyone with access to the local area network (LAN) that the device is connected to.
In an e-mail, Wysopal said that back door features are a way for vendors to keep support costs low. “The quicker they can get a customer back up and running after they have locked themselves out the less cost they have to spend on support,” he said. Backdoors are less expensive than restoring the device to its default settings and rebuilding it.
Veracode frequently finds such features in the applications it tests on behalf of customers. “We look for that for malicious intentions but it more often turns out to be a function intentionally built in for support purposes,” he said.
However, default backdoor credentials such as static or easily reproduced user names and passwords are a “huge security risk,” Wysopal said.
There are secure alternatives. Rather than using static, hard-coded credentials, companies might use a public cryptographic key to have a device verify that a command to reset the password or log in as an administrator was signed by the vendor’s private key. “The vendor would just need to generate this signature instead of the hokey methods they use to compute a ‘secret’ from a well known piece of data such as MAC address,” Wysopal said.
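The signed-recovery scheme Wysopal describes, worked through as an added example; this is not Allied Telesis code or any vendor’s real recovery mechanism, and the message layout, the binding to a device serial number and a console-printed nonce, the expiry field and the choice of Ed25519 are all assumptions. The point it illustrates is that the switch stores only the vendor’s public key, so nothing on the device or in a leaked support document lets anyone mint a valid grant.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
)

// Grant is the vendor's signed authorization for one password reset, bound to
// a device serial and a device-chosen nonce so it cannot be replayed.
type Grant struct {
	Serial string
	Nonce  []byte
	Expiry uint64 // unix seconds; the device refuses the grant after this
	Sig    []byte
}
// grantBytes is the canonical message the vendor signs and the device verifies.
func grantBytes(serial string, nonce []byte, expiry uint64) []byte {
	hdr := "recovery-grant-v1\x00" + serial + "\x00" + strconv.FormatUint(expiry, 10) + "\x00"
	return append([]byte(hdr), nonce...)
}
// IssueGrant runs at the vendor; only the vendor ever holds priv.
func IssueGrant(priv ed25519.PrivateKey, serial string, nonce []byte, expiry uint64) Grant {
	return Grant{serial, nonce, expiry, ed25519.Sign(priv, grantBytes(serial, nonce, expiry))}
}
// VerifyGrant runs on the switch, which stores only the vendor public key;
// myNonce is the challenge the device printed on its console for this attempt.
func VerifyGrant(pub ed25519.PublicKey, mySerial string, myNonce []byte, now uint64, g Grant) error {
	switch {
	case g.Serial != mySerial:
		return errors.New("grant issued for a different device")
	case !bytes.Equal(g.Nonce, myNonce):
		return errors.New("nonce does not match the current challenge")
	case now > g.Expiry:
		return errors.New("grant expired")
	case !ed25519.Verify(pub, grantBytes(g.Serial, g.Nonce, g.Expiry), g.Sig):
		return errors.New("signature not from the vendor key")
	}
	return nil
}
func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // constructed vendor key pair
	nonce := make([]byte, 16)                        // the switch's one-time challenge
	rand.Read(nonce)
	g := IssueGrant(priv, "SN-0001", nonce, 1000)
	fmt.Println(VerifyGrant(pub, "SN-0001", nonce, 900, g), VerifyGrant(pub, "SN-0002", nonce, 900, g))
}
```

Because the grant names a specific serial and nonce, a grant captured from one support call is useless against any other unit, and an attacker on the LAN who learns a MAC address gains nothing.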
Jody Feigle, North American Customer Support Manager, said the company wasn’t committed to changing the recovery password features, but that it is an issue that has been raised with product management within Allied.
In the meantime, the company was informing its support personnel about the breach. It had not decided whether to inform its customer base of the leaked documents, but Allied would use social media to get the word out, Timacheff said.