8 comments

  • greyface- 8 minutes ago
    The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:

    https://boschko.ca/tenda_ac1200_router/

    Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.

  • fusslo 1 hour ago
    > Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment.

    I was unfamiliar with Tenda.

    > Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )

    Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)

    I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"

    • TedDoesntTalk 30 minutes ago
      I’m in the USA and have a Tenda WiFi usb stick. Not as popular as other brands but they are around
  • naturalmovement 12 minutes ago
    I thought it was a safe assumption by now that any kit out of China is assumed — no, expected — to have hardcoded root credentials. Bonus if it's running a telnet daemon.

    I don't even think it's malicious, it's an ingrained cultural disregard and not caring by the most disconnected, lack of empathy having human beings on Earth.

    These are the same people that poison their own children to save pennies, why would this be any different?

    https://en.wikipedia.org/wiki/2008_Chinese_milk_scandal

  • SubiculumCode 1 hour ago
    Up and out the back door, any 'ol time.
  • RetroTechie 1 hour ago
    Yet another Chinese company selling backdoor'd product. Surprise surprise...
    • cwmoore 1 hour ago
      Are you referring to the concept of “prayer?”
  • nttylock 10 minutes ago
    [flagged]
  • tangsoupgallery 49 minutes ago
    [flagged]
  • vachina 53 minutes ago
    Chinese undocumented auth: commies tryna steal mah api tokenz

    US undocumented auth: legitimate usecase for out of band support nothing to see here

    • Terr_ 51 minutes ago
      If you're accusing CERT of hypocrisy, what's an example of the second case?