Zyxel router - Patch now!
Towards the end of 2020, a researcher at Dutch cybersecurity company EYE was taking a look at the firmware of a Zyxel network router.
He examined the password database that shipped in the firmware and noticed an unusual username of zyfwp.
That name didn’t show up in the official list of usernames shown in the router’s user interface…
…yet it did have a password hash in the database itself, which was interesting all on its own.
According to Zyxel, the zyfwp account “was designed to deliver automatic firmware updates to connected access points through FTP.”
Active attack scanning tools not only probe for open ports and insecure devices, but also follow up their probes by automatically attempting to break in using tricks that are likely to work, including trying out well-known username/password combinations for specific vendors, devices and models.
We’re guessing that the plan was for wireless access points on the network to call home on a regular basis to their local router and check for updates.
That sounds harmless enough, assuming that anything downloaded via FTP included a digital signature of its own, given that FTP connections themselves are unencrypted and therefore easily tampered with.
Somehow, however – let’s assume that the code was still in development – the account intended for updating access points (zyfwp might stand for “Zyxel firmware patch” or something similar) got shipped in an update build that was inadvertently still set up for development rather than for release.
After all, an account used merely for fetching firmware updates needs neither login rights nor admin access, though giving it those powers temporarily may have been very convenient during development and testing.
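The check the researcher effectively performed by hand, as an added example that is not from the article or from Zyxel: walk a firmware’s account database, flag any account with a live password hash that the management UI does not list, and note whether it can log in and whether it is uid 0. All file contents, hashes and the UI account list below are constructed placeholders.

```python
"""Flag hidden, login-capable accounts in a firmware's password database."""
from dataclasses import dataclass

LOCKED_PREFIXES = ("!", "*")   # conventional markers for "no password login"
NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}

@dataclass(frozen=True)
class Finding:
    user: str
    uid: int
    can_login: bool   # usable hash and an interactive shell
    is_root: bool     # uid 0, i.e. admin-level access on the device

def parse_passwd(text):
    """Map user -> (uid, shell) from /etc/passwd-style lines."""
    users = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, _, uid, _, _, _, shell = line.split(":", 6)
            users[name] = (int(uid), shell)
    return users

def parse_shadow(text):
    """Map user -> password hash field from /etc/shadow-style lines."""
    return {l.split(":")[0]: l.split(":")[1] for l in text.splitlines() if ":" in l}

def usable_hash(h):
    """A hash that can actually authenticate: non-empty and not locked."""
    return bool(h) and not h.startswith(LOCKED_PREFIXES)

def audit(passwd_text, shadow_text, ui_visible):
    """Return accounts with a usable hash that the management UI does not list."""
    users, hashes = parse_passwd(passwd_text), parse_shadow(shadow_text)
    findings = []
    for name, h in sorted(hashes.items()):
        if not usable_hash(h) or name in ui_visible:
            continue
        uid, shell = users.get(name, (-1, ""))
        can_login = shell != "" and shell not in NOLOGIN_SHELLS
        findings.append(Finding(name, uid, can_login, uid == 0))
    return findings

# Constructed sample: root, the UI-visible admin, a locked service account,
# and an undocumented account with a live hash, a shell and uid 0.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
admin:x:0:0:admin:/home/admin:/bin/sh
svcbackup:x:1001:1001::/var/backup:/sbin/nologin
zyfwp:x:0:0::/:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholderA:18000:0:99999:7:::
admin:$1$CONSTRUCTED$placeholderB:18000:0:99999:7:::
svcbackup:*:18000:0:99999:7:::
zyfwp:$1$CONSTRUCTED$placeholderC:18000:0:99999:7:::
"""
UI_VISIBLE = {"root", "admin"}   # constructed: accounts the UI lists
```

Run `audit(SAMPLE_PASSWD, SAMPLE_SHADOW, UI_VISIBLE)` on the sample and only the undocumented account is reported, with both the login and root flags set.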