When an undocumented backdoor was found last week in networking hardware made by 3Com, the company had to release a list of the backdoor passwords so that administrators could change them by hand. Because it is a design flaw in the boxes themselves, it was a major security risk for owners of these boxes – and still is, if administrators don't change the passwords.
The company released a security advisory last Friday, publishing all of the secret passwords in question and advising users to change them. The company distributed its advisory widely, putting the passwords on the Web and Business Wire and sending copies to every customer it had on record.
"We are following every means to reach everybody with this," said Duncan Potter, 3Com's director of Layer 3 switching products. "We really are taking this extremely seriously."
At issue are the CoreBuilder, models 2500/6000/3500, and SuperStack II Switch, models 2200/3900/9300. These network switches have secret, built-in accounts – "debug" and "tech" – for use by 3Com in the event of customer emergency, where 3Com technicians need to access the hardware themselves.
"I almost cried when I had a hardware failure [on my 3Com box] and the 3Com tech told me about this backdoor," said Mike Richichi, assistant director of Academic Technology at Drew University.
The passwords were found by a curious user who was looking at an upgrade file for the devices that was published on 3Com's Web site. By using strings, a simple Unix command that displays all of the printable character sequences in a file, he found a list of all the "secret" passwords – they were stored in the update file, unencrypted.
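The check described above, as an added example that is not part of the original article: a small Python audit that pulls printable runs out of a firmware image the way the strings command does, then flags any run that directly follows a known account name, the pattern a reviewer of a vendor update file would want to catch before it ships. The image bytes, the account list and every password-like value in it are constructed for this example; the real 3Com values are deliberately not used.

```python
import re

# Constructed sample "firmware image": non-printable padding with a few printable
# runs, modelled on the article's description (account names stored next to
# cleartext passwords). None of these values are real.
SAMPLE_IMAGE = (
    b"\x7fELF\x01\x01\x00" + bytes(range(0, 32)) +
    b"debug\x00" + b"s3cret-example\x00" +          # constructed, not 3Com's value
    b"\x00\x01\x02" * 5 +
    b"tech\x00" + b"another-example\x00" +          # constructed, not 3Com's value
    b"Copyright 1998 Example Networks\x00" +
    b"\xff\xfe" * 8 +
    b"admin\x00"
)

# Account names an auditor would treat as suspicious when they appear as bare
# strings in a binary (assumed list for this example).
ACCOUNT_NAMES = {b"debug", b"tech", b"admin", b"root"}


def printable_strings(data: bytes, min_len: int = 4):
    """Emulate `strings -n MIN_LEN`: return (offset, run) for every run of
    printable ASCII (0x20..0x7e) at least min_len bytes long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [(m.start(), m.group(0)) for m in re.finditer(pattern, data)]


def audit_for_embedded_credentials(data: bytes, account_names=ACCOUNT_NAMES, min_len: int = 4):
    """Flag every printable run that immediately follows a known account name.

    A firmware image legitimately contains account names (for login prompts and
    help text), so the account name alone is not a finding; an account name
    followed directly by another free-standing string is what merits review.
    """
    runs = printable_strings(data, min_len)
    findings = []
    for (offset, run), (_, following) in zip(runs, runs[1:]):
        if run.lower() in account_names:
            findings.append({
                "offset": offset,
                "account": run.decode("ascii"),
                "candidate": following.decode("ascii"),
            })
    return findings


if __name__ == "__main__":
    for f in audit_for_embedded_credentials(SAMPLE_IMAGE):
        print("offset 0x%x: account %r followed by %r" % (f["offset"], f["account"], f["candidate"]))
```

Run against a real update file, the same function takes the file's bytes; the point of the adjacency rule is to keep the reviewer's list short enough to read, since a raw strings dump of a firmware image runs to thousands of lines. A string that only looks like a credential still has to be confirmed by trying to understand where the firmware uses it, which is a job for the vendor's own build review rather than for customers after release.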
"It's even worse than it first appears," Richichi said. "Not only is this backdoor password there, but you can change [passwords on] all the other accounts from the 'debug' account – without having to know the old passwords. So someone can lock you out of your switch completely."
This problem – companies embedding secret backdoors into their systems – is by no means unique to these 3Com network switching devices. Backdoors like this, often enabling total access to a machine, have been found in everything from PC motherboards to coffee vending machines.
Recently, a backdoor was found in the popular networked videogame Quake, where an attacker could remotely send commands to the Quake console by using a built-in password intended for use by the game's authors, Id Software, Inc. The company said that leaving the backdoor in the production version of the game was an honest mistake.
But "security through obscurity" – where a system is secure only as long as its technical specifications and source code are kept secret and proprietary – is one of the riskiest security techniques in the book, especially in the networked Internet age, where this kind of information can spread around the globe almost instantaneously.
"A flat-out backdoor is just that: a backdoor," said network and security consultant Mike Scher. "It doesn't care who uses it."
These backdoors, he said, require customers to extend their trust to several things they shouldn't: any customer who "has a password emergency" to whom the company gives the backdoor login, every tech support person at the company with full access to its product, and finally, the obscurity of the password itself.
However, it is absolutely necessary for vendors such as 3Com to be able to access a system if the customer is experiencing an emergency situation, such as forgotten or lost passwords.
"It would be ridiculous to expect the customer to ship the router back to 3Com for them to replace the EPROM, or to wait for 3Com to ship a clean EPROM out," Scher said.
But there are other ways to safeguard software, without using backdoors. As an example, Scher is quick to mention Cisco, whose emergency-access scheme first has the site administrator reboot the device into a special debugging mode, and then log in through the serial port, not the network.
"It requires, more or less, physical access to the device in order to do the recovery," Scher said. "Providing a single password for an entire line of products – rather than a method the local user with physical access can employ – is close to reckless, in my opinion."
A device like 3Com's switches should have – at minimum – a physical toggle that one must flip in order to enable the passwords.
"At the very least, make it something you have to do to the hardware – open the case, press a button," said Richichi. "Most systems (not just network equipment) can be gotten back into with physical access, and that's acceptable."
Richichi himself was given the "debug" password from 3Com not because he forgot his own password, but because the 3Com technician needed to access his 3Com hardware to obtain debugging information from it.
"Even better if the password is somehow indexed to the serial number or some other physical token," he said. "If you lose your system password, however, physical access is the only acceptable option for getting it back."
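The two suggestions above, a physical gate on recovery and a recovery password tied to the device's serial number, as an added example that is not part of the original article and not any vendor's actual scheme: a Python sketch of a recovery policy that accepts a request only from the local console, only while the physical toggle is engaged, and only with a code derived for that one serial number. The vendor secret, the serial numbers and the request format are assumptions made up for this example.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Placeholder for a vendor-held secret (constructed; a real vendor would keep
# this in a hardware security module, never in the device firmware).
VENDOR_SECRET = b"example-vendor-secret-not-real"


def recovery_code_for(serial: str, vendor_secret: bytes = VENDOR_SECRET) -> str:
    """Derive a per-device recovery code from the serial number.

    Unlike one password shared by an entire product line, disclosure of one
    device's code unlocks only that device. The domain prefix keeps the MAC
    distinct from any other use of the same secret.
    """
    mac = hmac.new(vendor_secret, b"recovery-v1:" + serial.encode("ascii"), hashlib.sha256).digest()
    return mac[:10].hex()          # 20 hex characters, short enough to read over the phone


@dataclass
class RecoveryRequest:
    serial: str          # serial number of the device being recovered
    code: str            # code the vendor's support desk handed out
    via_console: bool    # True only for the serial console, never a network session
    toggle_engaged: bool # state of the physical switch inside the case


def recovery_allowed(req: RecoveryRequest, vendor_secret: bytes = VENDOR_SECRET) -> bool:
    """Grant recovery only when all three conditions hold: physical toggle,
    local console, and a code valid for this specific device."""
    if not req.toggle_engaged or not req.via_console:
        return False
    expected = recovery_code_for(req.serial, vendor_secret)
    # Constant-time comparison so the check does not leak which characters matched.
    return hmac.compare_digest(expected, req.code)


if __name__ == "__main__":
    code = recovery_code_for("SN-0001")
    print("code for SN-0001:", code)
    print("console + toggle, right device:", recovery_allowed(RecoveryRequest("SN-0001", code, True, True)))
    print("same code, other device:      ", recovery_allowed(RecoveryRequest("SN-0002", code, True, True)))
    print("right code over the network:  ", recovery_allowed(RecoveryRequest("SN-0001", code, False, True)))
```

The per-device code narrows the blast radius of a leak from the whole product line to one box, but it still rests on the vendor keeping its secret; the physical gate is what keeps even a leaked secret from being usable over the network, which is the property Scher credits Cisco's console-only recovery with.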
Potter said that the company was not aware of any reports of abuse resulting from this security hole. He also said that he was aware of no other 3Com products that contained these kinds of built-in backdoors, and that it is still undecided how newer versions of the CoreBuilder and SuperStack II products will handle emergency access.
"We're examining that at the moment, and I'm not ready to discuss where we are with it – we have various approaches on the table," he said.
In the meantime, the company is issuing a software fix for the affected switches, which will be available for download from its Web site on Wednesday.
"On the fix that we are issuing on Wednesday, what will happen is that the variable that shows any passwords will be blank," Potter said. And if the administrator changes his password, it will automatically change the other passwords on the box to match. "It allows us to implement security immediately," he said.