Top
Best
New

Posted by miniBill 17 hours ago

Tenda firmware (multiple versions) contains hidden authentication backdoor(kb.cert.org)
306 points | 107 comments
greyface- 14 hours ago|
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:

https://boschko.ca/tenda_ac1200_router/

Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.

thibaut_barrere 12 hours ago||
That backdoor is so up front about it. We might as well call it a frontdoor.
Wololooo 8 hours ago||
I mean, it's 99% sure this was supposed to be a debug feature...
DaSHacka 26 minutes ago|||
Whatever these happen it's 50/50 either an internal debugging feature used when designing the device or intended as a way for customer support to more easily help people.

I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.

[0] https://old.reddit.com/r/cybersecurity/comments/jw6k5v/backd...

SoftTalker 13 minutes ago||
> a way for customer support to more easily help people

This is my guess. People don't like it when a device they have turns into a brick of e-waste because they can't remember their password. So most consumer devices have either a "reset to defaults" feature or a hidden support password. Even enterprise routers and switches often have this.

torginus 3 hours ago||||
I have done this accidentally at least once - we shipped a full-stack app, and telemetry started lighting up that on certain older phones and browsers (no points for guessing which brand and browser), the release version didn't load. The minifier did something in the release build that it didn't like.

So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..

rootatixww3 8 hours ago||||
and "accidentally" they forgot to disable it when releasing
Wololooo 5 hours ago|||
Wouldn't be the first nor the last time someone is asked to ship something and it gets rushed through for reasons XYZ...

This being said makes the situation for an attacker awfully convenient...

amarant 4 hours ago|||
Believe it or not, shit happens in the software business.

I know this from personal experience.

rasz 5 hours ago|||
Enemy of the state:

- What did you think was going on?

Jack Black: Oh, I thought it was an STO.

- STO?

Jack Black: Standard Training Op.

BloondAndDoom 9 hours ago|||
At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)
Asraelite 8 hours ago||
Backdoors are often (almost always?) designed to look like incompetence so that there's plausible deniability.
ktm5j 2 hours ago|||
That sounds like a fun thing to wonder about, but how could anyone possibly know that for sure?
eth0up 1 hour ago|||
It's refreshing to see someone around here addressing the compulsively overlooked elephant in the room; plausible deniability. I am not implying it applies directly here, but notice the trend -- it's taboo to even speculate on and often gets rebuke for even hinting at it. The social convention around it is perfect cover. And I am not the only one that knows this. If we were to wake suddenly and realize the scale of relevance here, we'd probably all go full luddite. Call me paranoid though.
Grombobulous 46 minutes ago||
If this wasn’t Tenda maybe I would be more inclined to agree with you. We are talking about an extremely shitty bargain basement vendor. The three stars on Amazon kind of router company.

I think sufficiently explained by incompetence over malice applies here. Some nefarious three letter agency having a backdoor like this is pretty pointless anyway.

Unless you’ve enabled remote management you can’t even get to this backdoor from a physical network perspective.

And then you change some router settings which really aren’t a magical access point into your devices in your home. My PC isn’t just going to magically allow you to browse the file system just because a malicious actor got on my local network. They can’t intercept anything moving over TLS.

Not saying it’s good to have that kind of access, but I think at the scale of “typical home network of consumer devices” the utility and blast radius is pretty limited. Go ahead and launch a DDOS attack on my printer and use up my ink cartridges, I guess.

lemagedurage 13 hours ago|||
Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.
sph 10 hours ago||
In computer security, never attribute to ignorance that which is adequately explained by malice.
torginus 3 hours ago|||
Dunno, if I were to backdoor a piece of my code, I would definitely put in an exploit instead of a deliberate bypass.

Plausible deniability is important.

A lot of the stuff I worked on already had glaring issues like that without me having to add it..

hnlmorg 10 hours ago|||
You’ve got the saying backwards:

“Never attribute to malice that which is adequately explained by stupidity.”

https://en.wikipedia.org/wiki/Hanlon%27s_razor

jchw 10 hours ago|||
Pretty sure the point was to invert it. :)
hnlmorg 10 hours ago||
Yes, I got their point. My point is that’s the opposite of reality.
jchw 1 hour ago|||
The main reason I assumed you didn't is because you linked to Hanlon's Razor and explained it in a way that made it seem like you didn't think the other person knew.

I think it's true to some extent that a lot of the backdoors really are just stupidity, like debugging tools put into prod for convenience. Rather than suggesting that it is genuine malice, maybe the right thing to say is that for security, it doesn't matter whether or not it is malice for most purposes. If it did, it would give more incentive to do as much as possible to disguise malicious backdoors as mistakes.

naruhodo 8 hours ago||||
His point is that in security, the opposite applies. The supposed "incompetence" is just plausible deniability for a malicious act.
hnlmorg 7 hours ago||
Yes, and my point is that hasn’t been the case in my experience.
natebc 4 hours ago||
It's because you (like me) aren't quite as paranoid as security people are. Personally I couldn't sleep at night if I was security people.

It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.

coldpie 2 hours ago|||
I'm a security people. I can say with confidence that a tiny, tiny, tiny, tiny fraction of these security issues are deliberate. Almost all of them are just dumb mistakes because making good software is really hard and really, really expensive and there is no market incentive to make good software. You don't need to get hired at the safe factory to build an elaborate back door into the production line if safes are actually just cardboard boxes, you know?

It's possible the backdoor is deliberate, I have no idea in this particular case, but the more likely situation, absent more information, is that someone who is earning a middling wage just added the "feature" and didn't think about the security implications because no one cares about computer security.

UweSchmidt 8 hours ago|||
Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?

Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.

Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.

So I would go with “Never attribute to ignorance that which is adequately explained by malice.”

hnlmorg 6 hours ago||
> I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.

The saying doesn’t mean that all vulnerabilities are blunders. It means we shouldn’t automatically assume vulnerabilities are nefarious.

If closer inspection proves beyond reasonable doubt that it was placed there deliberately and maliciously then that’s different.

But the point is most vulnerabilities are blunders so it’s better to assume that until proven otherwise.

psychoslave 7 hours ago|||
Looks like this time you interpreted the message in a malicious way.
hnlmorg 6 hours ago||
How? Neither their comment nor mine have anything malicious in their tone nor content.
psychoslave 3 hours ago||
Unfortunately, explaining a joke won’t make it funny afterward I guess.
petee 2 hours ago|||
Nearly 4 years from last notification and the password is the same; either thats real incompetence, or a hilarious power move
LargoLasskhyfv 2 hours ago||
Somehow this reads like German to me. Because "rz" is a common abbreviation of RechenZentrum, meaning DataCenter.

So in English it would be like "dcadmin". Maybe they outsourced it to someone doing "gute Deutsche Wertarbeit", or it's a leftover from some agency having had their fun, or smoke&mirrors from whomever for whichever reasons.

pbasista 8 hours ago||
> The associated username is not validated, so any provided username will succeed when paired with the backdoor password.

Great. I am really wondering why should the customers trust these manufacturers.

At this point I would not use any router with vendor-provided black box firmware. Full stop.

I would always install OpenWRT or something similar on it before using it.

And if that is not possible for whatever reason, I would not even think about buying such a device.

bayindirh 8 hours ago||
Last time when I looked OpenWRT was unable to support MIMO and beamforming capabilities of many of the devices it was running on.

This capabilities are crucial to have decent coverage, signal strength and throughput where I live (i.e.: crowded/congested wireless networks in an apartment complex).

Did OpenWRT team managed to work around them, or did the manufacturers started to play nicer with open drivers with loadable firmware?

486sx33 6 hours ago||
Some routers specifically allow openWRT.. example, Routers like the GL.iNet GL-MT6000 (Flint 2) and TP-Link Archer AX6000 come with OpenWrt pre-installed and are designed for easy OpenWrt use.
Benanov 3 hours ago||
...usually because they have a fork of the codebase, and it's not vanilla base OpenWRT.
pshirshov 7 hours ago|||
Hm, do you ever go over 1gbit? If my understanding is correct, good affordable routers like Mikrotik's CCR2004 are fully closed, so the only option is to build your own shitty box which will be much less energy efficient than their specialized switch chips.
gh02t 1 hour ago|||
Pfsense or OPNsense can handle ~5 gbps routing/firewall on a low power AMD or Intel embedded chip. My now old Pfsense box I got off Aliexpress can comfortably handle 2.5 gbps on an ancient Celeron J4125 running around 10W total. 10+ gbps is feasible on a reasonable power budget with higher end hardware, though it starts to get more expensive.
dspillett 4 hours ago||||
Because of lax security in commercial routers, this backdoor being a prime example of what I'm concerned about, I'd have my own shitty box as a firewall between them and my other kit anyway, so there isn't an efficiency saving either way. It is just a choice of where the walls are, and therefor where my shitty box(es) is/are, not whether my shitty box exists or not.

Currently my primary shitty box router does everything wrt external connectivity and a bought AP/router sits inside offering WiFi. I'd like to remove that AP completely with a WiFi adaptor controlled by my shitty box, but I've not got around to that as it would mean learning to configure a mesh (and so at least one more of my own shitty boxes!) to get good coverage everywhere (I only have a small place, but there are still a couple of blind-ish spots depending on where I put the primary AP). Not trusting a bought router/AP to not have back doors like this raises the question: if they are going to add backdoors for direct outside connections, what is to stop the firmware instead/also trying to tunnel out and letting unwanted connections in that way? (other than this having less “plausible deniability” once discovered)

pbasista 2 hours ago|||
> do you ever go over 1gbit

No. None of the local ISPs offer speeds above 1 Gbps.

However, I use FriendlyElec NanoPi R5C as the main entrypoint router. It has two 2.5G ethernet ports. It costs less than 100 euros. And it runs OpenWRT.

It is not a multiport, multi-gigabit device though. And I have not tested it above 1 Gbps so I am unsure about its real world performance.

rootatixww3 8 hours ago|||
good approach, but your security should not depend on your router anyway, you should be immune to attacks from it
bayindirh 7 hours ago||
Not exposing your management interface to internet and running a guest network which doesn't have access to said management interfaces can block 95%+ of the attacks, I believe.
rootatixww3 7 hours ago||
yes, defense in depth
fusslo 15 hours ago||
> Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment.

I was unfamiliar with Tenda.

> Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )

Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)

I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"

_puk 10 hours ago||
Tenda has been around for quite a few years now. I don't imagine they'll rebrand.

I have an ethernet over power adapter somewhere in a cupboard from perhaps 10 years ago.

Back then it was standard for the admin password to be 'admin'. They'd often even print it on the device itself.

ale42 10 hours ago|||
> the admin password to be 'admin'. They'd often even print it on the device itself.

Yes but aren't you supposed to change that one? The problem with the rzadmin is that it will continue to work even after you change the regular admin one...

puzzlingcaptcha 9 hours ago|||
I am still using their Powerline adapters and FWIW they have been very reliable.
morpheuskafka 4 hours ago|||
My ex used to work in their sales department lol. But I'd seen them anyway, in the context of cheap unmanaged switches on Amazon. They are not a state owned company or anything so I doubt this is anything too nefarious, likely just absolutely not giving a crap about quality.
dpacmittal 13 hours ago|||
Tenda is very popular in Asia, several ISPs use them as their default routers.
jamesnorden 6 hours ago|||
There's claims of it being "the first home-grown router and wireless network device manufacturer in China".
userbinator 11 hours ago|||
It is probably just a brand, like many others, and based on a reference design from the OEM.

I have a small Tenda 5-port gigabit dumb switch. It uses the same switch chip as this TP-Link, just with different branding; even the "SG105" model number is the same:

https://goughlui.com/2022/02/27/unbox-teardown-tp-link-tl-sg...

TedDoesntTalk 14 hours ago||
I’m in the USA and have a Tenda WiFi usb stick. Not as popular as other brands but they are around
Havoc 10 hours ago||
The consistency with which networking hardware companies produce such garbage is crazy.

And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“

KingOfCoders 9 hours ago||
Or the amateur hour backdoors are those that are found.

Or the amateur hour backdoors are there to be found.

Ekaros 3 hours ago|||
Sad truth is that too few customers pay extra for proper security. And even then it is questionable will you get it.
daneel_w 5 hours ago||
They didn't produce garbage by accident. They followed a plan and made a decision.
Fabricio20 6 hours ago||
Oh this is amazing! I have a few of their cube routers sitting around and I always hated how app-locked their firmware was when it really is just a wifi repeater with a few extras (mesh) on top. Root access will do wonders to bypassing the app now (and also disabling their ping-for-green-light mechanism which spams the network with a constant dns resolution to microsoft.com lol).

Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).

tinyhitman 6 hours ago||
why would a consumer device need a randomized password?
vajrabum 1 hour ago||
Maybe so when you factory reset the device that it sets the admin to something you can maybe read off the label? At least that way the random attacker needs physical access to your space.
idiotsecant 5 hours ago||
Yes, it is randomized but due to a quirk in the universal probability waveform it always randomizes to 'rzadmin'. Scientists are baffled.
mjmas 4 hours ago||
Pulled out of fair hat. Guaranteed to be random.
ggm 13 hours ago||
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.

I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.

VladVladikoff 13 hours ago|
I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.
miki123211 12 hours ago|||
How do you distribute credentials to residents?

My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.

user_7832 11 hours ago||
Do macs not spoof their macid (heh) everytime they join a network? I thought android (and windows?) did that already?
mh- 11 hours ago||
They do, by default. You have to override it on a per-network basis to disable this behavior.
ggm 13 hours ago|||
As long as I can bind more than one device in my room, and as long as I can "see" the devices amongst themselves, I'd love this. I can imagine people who want inter-room access but they can live through proxies offsite. If I want to do in room sharing, I need in room wifi.

Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...

ikidd 12 hours ago|||
It would still be wiser to tie your own router into the hotel system as a gateway, and keep your own PAN behind that.
netsharc 9 hours ago|||
I stayed at a clinic once, and all the smart TVs were on the same network.. I wonder what would've happened if I streamed a video from my phone to another room's TV.
drnick1 14 hours ago||
And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.
ikidd 12 hours ago||
Man, I remember doing this in the late 90s with ipchains as the only way to get a router that didn't cost an arm and a leg. Eventually consumer/prosumer routers came out.

What's old is new again.

SuperMouse 10 hours ago|||
Tenda has good support among OpenWRT.
consp 10 hours ago||
So the next step is a hardware or boot firmware backdoor?

(Good to know it remains useful by using openWRT and doesn't become landfill)

matltc 13 hours ago||
Looking to do this to get off stock isp leased router. What's your hardware/distro rec?
yabones 4 hours ago|||
You can use basically any hardware. I've done it with trash-picked laptops and USB ethernet adapters. Best option these days is a N100/N150 mini-pc with multiple NICs onboard, but with the price of everything going up maybe trashpicking will make a return.

https://nbailey.ca/post/router

drnick1 10 hours ago||||
Ryzen 5 with a dual 10Gbps NIC, running Debian. Overkill for a router/firewall, but I run other services on the same hardware including an email stack, Podman containers, and small AI model for use within Home Assistant.

I wouldn't buy new hardware. Any modest machine built in the last decade would do. If possible, get a machine with an internal ATX power supply rather than an external brick, they tend to be more reliable.

If all you need is 1Gpbs and WiFi, OpenWrt on consumer hardware is probably enough though.

consp 10 hours ago||
I have a Lenovo thin client running Debian as internet gateway/firewall. With some minor modifications and a small low power blower fan you can add a dual sfp pcie card in it (not all versions can, though there are more manufacturers of thin clients with 4x pcie slots). The blower fan is because the main fan stops often and it needs some cooling.
dhruvrrp 12 hours ago|||
Use openWrt (https://openwrt.org), and use their hardware list to pick a consumer router with the feature set you need that can be flashed to use openWrt.
cedel2k1 4 hours ago||
Reminds me of LKWPETER. I lost a bet when insinsting this couldn't be true.
HDBaseT 13 hours ago||
The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!
Gigachad 13 hours ago||
There was a meme going round of a network diagram that layers a Chinese firewall behind a US firewall behind a Russian firewall so they can all block each other countries backdoors.
sph 10 hours ago||
https://en.wikipedia.org/wiki/Swiss_cheese_model
k_g_b_ 10 hours ago|||
They'll have a lot of work to do, if they want to catch up with the amount and rate of "hidden authentication backdoors" all those companies (and also Cisco) have. E.g. https://www.thestack.technology/cisco-hard-coding-passwords-...
ranger_danger 12 hours ago||
Not sure if you're joking, but both have already done so. And any US company is subject to secret orders forcing them to implement a backdoor if demanded.
dhx 12 hours ago|
It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit.

binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  516           0x204           OpenSSL encryption, salted, salt: 0x436999A39FECA649
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  516           0x204           OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB
The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:

binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  64            0x40            uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90"
  128           0x80            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes
  2159263       0x20F29F        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers:

  sys.rzadmin.username=rzadmin
  sys.rzadmin.password=cnphZG1pbg==  (ed: base64 decoded: rzadmin)
  sys.guest.username=guest
  sys.guest.password=Z3Vlc3Q=  (ed: base64 decoded: guest)
And /squashfs-root/webroot_ro/default_router.cfg which offers:

  sys.rzadmin.username=rzadmin
  sys.rzadmin.password=cnphZG1pbg==  (ed: base64 decoded: rzadmin)
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".

Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd

More comments...