Comment by greyface-
15 hours ago
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:
https://boschko.ca/tenda_ac1200_router/
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
That backdoor is so up front about it. We might as well call it a frontdoor.
I mean, it's 99% sure this was supposed to be a debug feature...
Whatever these happen it's 50/50 either an internal debugging feature used when designing the device or intended as a way for customer support to more easily help people.
I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.
[0] https://old.reddit.com/r/cybersecurity/comments/jw6k5v/backd...
1 reply →
I have done this accidentally at least once - we shipped a full-stack app, and telemetry started lighting up that on certain older phones and browsers (no points for guessing which brand and browser), the release version didn't load. The minifier did something in the release build that it didn't like.
So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..
and "accidentally" they forgot to disable it when releasing
2 replies →
Enemy of the state:
- What did you think was going on?
Jack Black: Oh, I thought it was an STO.
- STO?
Jack Black: Standard Training Op.
At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)
Backdoors are often (almost always?) designed to look like incompetence so that there's plausible deniability.
That sounds like a fun thing to wonder about, but how could anyone possibly know that for sure?
It's refreshing to see someone around here addressing the compulsively overlooked elephant in the room; plausible deniability. I am not implying it applies directly here, but notice the trend -- it's taboo to even speculate on and often gets rebuke for even hinting at it. The social convention around it is perfect cover. And I am not the only one that knows this. If we were to wake suddenly and realize the scale of relevance here, we'd probably all go full luddite. Call me paranoid though.
2 replies →
Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.
In computer security, never attribute to ignorance that which is adequately explained by malice.
Dunno, if I were to backdoor a piece of my code, I would definitely put in an exploit instead of a deliberate bypass.
Plausible deniability is important.
A lot of the stuff I worked on already had glaring issues like that without me having to add it..
You’ve got the saying backwards:
“Never attribute to malice that which is adequately explained by stupidity.”
https://en.wikipedia.org/wiki/Hanlon%27s_razor
15 replies →
Nearly 4 years from last notification and the password is the same; either thats real incompetence, or a hilarious power move
Somehow this reads like German to me. Because "rz" is a common abbreviation of RechenZentrum, meaning DataCenter.
So in English it would be like "dcadmin". Maybe they outsourced it to someone doing "gute Deutsche Wertarbeit", or it's a leftover from some agency having had their fun, or smoke&mirrors from whomever for whichever reasons.