The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:

https://boschko.ca/tenda_ac1200_router/

Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.

That backdoor is so up front about it. We might as well call it a frontdoor.

I mean, it's 99% sure this was supposed to be a debug feature...

Whatever these happen it's 50/50 either an internal debugging feature used when designing the device or intended as a way for customer support to more easily help people.

I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.

[0] https://old.reddit.com/r/cybersecurity/comments/jw6k5v/backd...

> Whatever these happen it's 50/50 either an internal debugging feature used when designing the device or intended as a way for customer support to more easily help people.

The problem with this is, everyone who builds an intentional backdoor will also claim that it's this.

Sufficiently advanced ignorance is indistinguishable from malice, and sometimes needs to be treated as if it were malice.

> a way for customer support to more easily help people

This is my guess. People don't like it when a device they have turns into a brick of e-waste because they can't remember their password. So most consumer devices have either a "reset to defaults" feature or a hidden support password. Even enterprise routers and switches often have this.

> So most consumer devices have either a "reset to defaults" feature or a hidden support password.

One of those is sensible, and one is not. Put a recessed "hold to reset" button on the device, problem solved, no backdoor required or desired.

I have done this accidentally at least once - we shipped a full-stack app, and telemetry started lighting up that on certain older phones and browsers (no points for guessing which brand and browser), the release version didn't load. The minifier did something in the release build that it didn't like.

So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..

and "accidentally" they forgot to disable it when releasing

Wouldn't be the first nor the last time someone is asked to ship something and it gets rushed through for reasons XYZ...

This being said makes the situation for an attacker awfully convenient...

Believe it or not, shit happens in the software business.

I know this from personal experience.

Enemy of the state:

- What did you think was going on?

Jack Black: Oh, I thought it was an STO.

- STO?

Jack Black: Standard Training Op.

At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)

Backdoors are often (almost always?) designed to look like incompetence so that there's plausible deniability.

That sounds like a fun thing to wonder about, but how could anyone possibly know that for sure?

That's what makes it plausible deniability.

[flagged]

It's refreshing to see someone around here addressing the compulsively overlooked elephant in the room; plausible deniability. I am not implying it applies directly here, but notice the trend -- it's taboo to even speculate on and often gets rebuke for even hinting at it. The social convention around it is perfect cover. And I am not the only one that knows this. If we were to wake suddenly and realize the scale of relevance here, we'd probably all go full luddite. Call me paranoid though.

If this wasn’t Tenda maybe I would be more inclined to agree with you. We are talking about an extremely shitty bargain basement vendor. The three stars on Amazon kind of router company.

I think sufficiently explained by incompetence over malice applies here. Some nefarious three letter agency having a backdoor like this is pretty pointless anyway.

Unless you’ve enabled remote management you can’t even get to this backdoor from a physical network perspective.

And then you change some router settings which really aren’t a magical access point into your devices in your home. My PC isn’t just going to magically allow you to browse the file system just because a malicious actor got on my local network. They can’t intercept anything moving over TLS.

Not saying it’s good to have that kind of access, but I think at the scale of “typical home network of consumer devices” the utility and blast radius is pretty limited. Go ahead and launch a DDOS attack on my printer and use up my ink cartridges, I guess.

Well, as mentioned (but perhaps not with sufficient emphasis), I wasn’t implying that this case is necessarily some 3-letter agency op. However, things eg(*) CopyFail, XZ Utils / Jia Tan, Intel ME/IME, Heartbleed, Dirty COW, CVE‑2021‑3156, third‑party contractors, supply chains, and the myriad opportunities all around, are but a few examples that leave me cynical. I don’t claim detailed, expert understanding for any of these; however, I’m convinced the majority of such things remain unknown, and a that our perceived malice:incompetence ratio is off.

I think we could stop reflexively defaulting to “incompetence” when the end result just as easily resembles a deliberate exploit. Plausible deniability is an extremely effective cover when it’s smartly applied.

I’m not disputing any of your specific technical points; my cynicism is thematic. Even when I try to muzzle it, it tends to get through. The parent comment, though short, is dense with implications about cheap gear, opaque firmware, exposure surfaces I think deserve more sustained attention.

* A quick, generic, maybe sub-ideal list to harden my point.

Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.

In computer security, never attribute to ignorance that which is adequately explained by malice.

Dunno, if I were to backdoor a piece of my code, I would definitely put in an exploit instead of a deliberate bypass.

Plausible deniability is important.

A lot of the stuff I worked on already had glaring issues like that without me having to add it..

You’ve got the saying backwards:

“Never attribute to malice that which is adequately explained by stupidity.”

https://en.wikipedia.org/wiki/Hanlon%27s_razor

Pretty sure the point was to invert it. :)

Yes, I got their point. My point is that’s the opposite of reality.

The main reason I assumed you didn't is because you linked to Hanlon's Razor and explained it in a way that made it seem like you didn't think the other person knew.

I think it's true to some extent that a lot of the backdoors really are just stupidity, like debugging tools put into prod for convenience. Rather than suggesting that it is genuine malice, maybe the right thing to say is that for security, it doesn't matter whether or not it is malice for most purposes. If it did, it would give more incentive to do as much as possible to disguise malicious backdoors as mistakes.

His point is that in security, the opposite applies. The supposed "incompetence" is just plausible deniability for a malicious act.

Yes, and my point is that hasn’t been the case in my experience.

It's because you (like me) aren't quite as paranoid as security people are. Personally I couldn't sleep at night if I was security people.

It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.

> It's because you (like me) aren't quite as paranoid as security people are.

I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.

My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.

And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.

> It's really a matter of context. Security people tend to only be involved when things are already nefarious

I’m guessing you’ve not worked with many “security people”?

You’d be surprised how much of their day-to-day is mundane.

I'm a security people. I can say with confidence that a tiny, tiny, tiny, tiny fraction of these security issues are deliberate. Almost all of them are just dumb mistakes because making good software is really hard and really, really expensive and there is no market incentive to make good software. You don't need to get hired at the safe factory to build an elaborate back door into the production line if safes are actually just cardboard boxes, you know?

It's possible the backdoor is deliberate, I have no idea in this particular case, but the more likely situation, absent more information, is that someone who is earning a middling wage just added the "feature" and didn't think about the security implications because no one cares about computer security.

[deleted]

Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?

Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.

Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.

So I would go with “Never attribute to ignorance that which is adequately explained by malice.”

> I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.

The saying doesn’t mean that all vulnerabilities are blunders. It means we shouldn’t automatically assume vulnerabilities are nefarious.

If closer inspection proves beyond reasonable doubt that it was placed there deliberately and maliciously then that’s different.

But the point is most vulnerabilities are blunders so it’s better to assume that until proven otherwise.

[deleted]

Looks like this time you interpreted the message in a malicious way.

How? Neither their comment nor mine have anything malicious in their tone nor content.

Unfortunately, explaining a joke won’t make it funny afterward I guess.

As someone who really doesn’t take themselves even the slightest bit seriously, if there was ever a chance that your comment was funny then I would have realised it was a joke. ;)

Nearly 4 years from last notification and the password is the same; either thats real incompetence, or a hilarious power move

Somehow this reads like German to me. Because "rz" is a common abbreviation of RechenZentrum, meaning DataCenter.

So in English it would be like "dcadmin". Maybe they outsourced it to someone doing "gute Deutsche Wertarbeit", or it's a leftover from some agency having had their fun, or smoke&mirrors from whomever for whichever reasons.