The potentially serious issue was found by researchers at Trustwave. The company discovered that “numerous” devices by Chinese brand DblTek contain a hidden, undocumented root shell that can be accessed remotely.
The shell allows attackers to log in to the device with full system privileges, effectively giving them unhindered access to the product and its data. This could be exploited to monitor network connections made by the device, force the installation of malicious firmware or log legitimate user activity.
DblTek’s firmware documentation details two undocumented login accounts that administrators can use to inspect devices. Both expose only limited information about the device’s operation, and both are controlled by the user-defined administrator password.
Trustwave uncovered a third account, labelled “dbladm.” Instead of a password, it is protected by a flawed proprietary authentication scheme. Once logged in, the user has root-level access to the firmware.
In short, the device “challenges” the user with a prompt that only authorised individuals, such as DblTek developers, are supposed to understand. The information in the prompt is used to calculate the password that grants access to the shell. However, the weak algorithm used to derive that password from the challenge means anyone who sees the challenge can work out the correct response.
Additionally, Trustwave found that the firmware attempts to send network packets to a device on its local network. If a valid response is received, the user is authenticated automatically. This is probably intended to let developers log in without supplying a password. However, an attacker who can answer requests to that IP address could send back an “authenticate” signal and gain the same access.
Trustwave reported its findings to DblTek in mid-October. The company responded by releasing an updated firmware version in late December. According to Trustwave, DblTek’s patch doesn’t solve the issue: it merely makes the authentication scheme more complex while retaining the original flaw.
DblTek has since stopped responding to Trustwave and hasn’t said whether it intends to fix the issue properly. In the meantime, the security firm has identified hundreds of vulnerable devices already in use. Even if a fix is released, it’s doubtful every product will receive it, potentially leaving many systems unsecured and reachable from the public Internet indefinitely.
With Internet of Things devices now regularly being used to mount large-scale cyberattacks, backdoors in such products have serious implications for their owners and for the wider Internet. DblTek makes devices for small and medium-sized businesses that bridge mobile networks and Internet calling systems, putting a wide audience at risk.