Back to News
Advertisement
Advertisement

⚡ Community Insights

Discussion Sentiment

100% Positive

Analyzed from 556 words in the discussion.

Trending Topics

#tenda#wifi#room#https#password#access#com#chinese#hotel#more

Discussion (18 Comments)Read Original on HackerNews

greyface-•about 1 hour ago
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:

https://boschko.ca/tenda_ac1200_router/

Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.

lemagedurage•10 minutes ago
Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.
fusslo•about 2 hours ago
> Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment.

I was unfamiliar with Tenda.

> Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )

Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)

I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"

dpacmittal•4 minutes ago
Tenda is very popular in Asia, several ISPs use them as their default routers.
TedDoesntTalk•about 2 hours ago
I’m in the USA and have a Tenda WiFi usb stick. Not as popular as other brands but they are around
ggm•43 minutes ago
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.

I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.

VladVladikoff•21 minutes ago
I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.
ggm•10 minutes ago
As long as I can bind more than one device in my room, and as long as I can "see" the devices amongst themselves, I'd love this. I can imagine people who want inter-room access but they can live through proxies offsite. If I want to do in room sharing, I need in room wifi.

Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...

HDBaseT•41 minutes ago
The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!
Gigachad•11 minutes ago
There was a meme going round of a network diagram that layers a Chinese firewall behind a US firewall behind a Russian firewall so they can all block each other countries backdoors.
drnick1•about 1 hour ago
And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.
matltc•5 minutes ago
Looking to do this to get off stock isp leased router. What's your hardware/distro rec?
SubiculumCode•about 2 hours ago
Up and out the back door, any 'ol time.
vachina•about 2 hours ago
Chinese undocumented auth: commies tryna steal mah api tokenz

US undocumented auth: legitimate usecase for out of band support nothing to see here

Terr_•about 2 hours ago
If you're accusing CERT of hypocrisy, what's an example of the second case?
murderfs•about 1 hour ago
I'll do better than a second case, here's three:

Barracuda Networks: https://krebsonsecurity.com/2013/01/backdoors-found-in-barra...

Fortinet: https://community.spiceworks.com/t/hard-coded-password-backd...

Korenix: https://sec-consult.com/vulnerability-lab/advisory/backdoor-...

The fact that the password is "rzadmin" makes it a lot more likely that this is just run of the mill stupidity, and not something more nefarious: you'd want a backdoor that isn't blindingly obvious and usable by the CIA.

RetroTechie•about 3 hours ago
Yet another Chinese company selling backdoor'd product. Surprise surprise...
cwmoore•about 2 hours ago
Are you referring to the concept of “prayer?”