IoT devices from a Chinese vendor contain a weird backdoor that the vendor is refusing to fix, we're told.
The vulnerability was discovered in almost all devices produced by VoIP specialist dbltek, and appears to have been purposely built in as a debugging aid, according to researchers at TrustWave. The infosec biz says that it followed a responsible disclosure process, but claims the manufacturer responded only with modifications to its firmware that leave access open.
Trustwave claims the vendor then cut off contact with it. The security firm says it has since been able to write exploits that open both the old and new backdoors.
The vulnerable firmware is present in almost all dbltek GSM-to-VoIP devices, a range of equipment mostly used by small to medium size businesses, it claims. Trustwave researchers claimed they had found hundreds of at-risk devices on the internet. According to the researchers:
Trustwave recently reported a remotely exploitable issue in the Telnet administrative interface of numerous DblTek branded devices. The issue permits a remote attacker to gain a shell with root privileges on the affected device due to a vendor backdoor in the authentication procedure.
An undocumented user, namely "dbladm", is present which provides root level shell access on the device. Instead of a traditional password, this account is protected by a proprietary challenge-response authentication scheme.
Basically, when you try to telnet into the device as dbladm, the gadget tries to connect to UDP port 11000 on 192.168.2.1 on its local network. If it receives a valid response, it grants access. This is perfect for malware, or some other miscreant, lurking on a corporate or home network.
El Reg asked dbltek to respond to Trustwave's accusations on Wednesday but we've yet to hear back from the manufacturer. We'll update this story as and when we hear more.
Trustwave went public with its findings on Thursday. ®