Tenda firmware (multiple versions) contains hidden authentication backdoor
Nature of the Tenda Backdoor
- Firmware contains a hardcoded “rzadmin” credential stored as
sys.rzadmin.username/password, base64-encoded but trivial to decode. - The backdoor password works regardless of the normal admin password and appears not to be changeable via the UI.
- The username is reportedly not validated; any username paired with the backdoor password is accepted.
- Some describe it as so obvious it’s “more front door than back door.”
Firmware Analysis and Extra Functionality
- Newer firmware images are OpenSSL‑encrypted, making auditing harder.
- At least one unencrypted image shows
rzadminand aguest/guestpair in config files. - Binary analysis suggests:
- The httpd login function explicitly checks
sys.rzadmin.passwordbefore throwing a “password wrong” error. - An
imsdcomponent can upload logs including SSIDs, MACs, IPs, admin usernames, and has a function to retrieve the admin password. - A related library exposes a command set that looks like cloud management / remote debugging plumbing.
- The httpd login function explicitly checks
Malice vs. Incompetence
- Split views:
- Some see this as a debug/support convenience (forgotten in production), consistent with many low‑end vendors and past industry practice (default admin/admin, etc.).
- Others argue that in security one should not default to “stupidity”; plausible deniability makes deliberate backdoors look like accidents.
- Several security‑focused commenters state that, in their experience, the vast majority of vulnerabilities are unintentional, though intent is ultimately unclear here.
Trust in Router Vendors and Alternatives
- Many say this reinforces distrust of closed, vendor firmware on consumer routers.
- Strong support for:
- Using OpenWrt or similar where possible.
- Rolling your own router/firewall on commodity hardware (thin clients, mini‑PCs, old laptops) and using separate access points.
- Some note trade‑offs: OpenWrt may not fully exploit proprietary Wi‑Fi features (MIMO/beamforming), and high‑speed (>1 Gbps) routing can push people toward closed, hardware‑accelerated boxes.
Broader Security and Policy Concerns
- Backdoors in network gear affect not just the owner but the wider internet (botnets, DDoS, etc.).
- Several note that similar issues exist across vendors and countries; blaming one geography alone is seen as simplistic.
- Frustration that intentional or negligent backdoors face little legal consequence, while security researchers can face harsh penalties.