Discussion summary
Recent discussions highlight concerns about hidden backdoors in Tenda firmware across multiple versions, raising security and ethical questions.
What the discussion says
- Many users believe backdoors are common in consumer electronics.
- Some suggest Chinese companies are more prone to such practices.
- US and Israeli companies have also been implicated in backdoor concerns.
“Almost all consumer electronics come with backdoors—especially given the prevalence of computational advertising.”
“This must have been some sort of stupidity… if they tried to build in some backdoor, they would have done it differently…”
Comments
Hacker News
by finalhacker
by SubiculumCode
This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.
by deeddy
by zb3
https://www.schneier.com/wp-content/uploads/2016/09/paper-ke...
by seethishat
Security holes in networking equipment
Affects not just the compromised devices.
by emsign
by like_any_other
by daneel_w
And if you ever looked inside the firmwares of these IoT Linux boxes (be it sip phones, payment terminals, ip cameras, routers, modems, etc.) you'd not want it anywhere near anything that needs to be secure. OpenWRT or your own thing, or very strict isolation, or nothing.
by megous
by matltc
by riskd
by hathym
Backdoor passwords left for convenient debugging are not surprising anymore.
by linzhangrun
by daneel_w
by chirsz
binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
516 0x204 OpenSSL encryption, salted, salt: 0x436999A39FECA649
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
516 0x204 OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB
The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
64 0x40 uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90"
128 0x80 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes
2159263 0x20F29F Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers: sys.rzadmin.username=rzadmin
sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)
sys.guest.username=guest
sys.guest.password=Z3Vlc3Q= (ed: base64 decoded: guest)
And /squashfs-root/webroot_ro/default_router.cfg which offers: sys.rzadmin.username=rzadmin
sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
by dhx
reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol
by high_byte
by HDBaseT
by ranger_danger
by k_g_b_
by Gigachad
by cedel2k1
by drnick1
by matltc
by SuperMouse
What's old is new again.
by ikidd
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
by ggm
by VladVladikoff
Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).
by Fabricio20
by idiotsecant
Join the discussion
Write your take first — we'll ask for email only when you're ready to publish.
- Hacker News
- Almost all consumer electronics come with backdoors—especially given the prevalence of computational advertising. Before criticizing Tenda, we ought to clarify whether this is a consumer-facing (2C) or business-facing (2B) product.by finalhacker
- Up and out the back door, any 'ol time.by SubiculumCode
- I've seen it last night, and I was like wtf?! Frankly, if they tried to build in some backdoor, I bet they would have done it differently, not so obviously. This must have been some sort of stupidity done for testing purposes, and just got buried deep in the code and forgotten.
This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.
by deeddy - Typical for Chinese companies. Of course US companies also provide backdoors, but more official and more secure..by zb3
- No backdoor is secure. Read the "Keys under Doormats" paper from 2015:
https://www.schneier.com/wp-content/uploads/2016/09/paper-ke...
by seethishat - Not to sound too alarming. But
Security holes in networking equipment
Affects not just the compromised devices.
by emsign - So will this finally be treated as sabotage/criminal hacking, or is it just yet another example of letting manufacturers do whatever they want to their customers without any punishment? Meanwhile if I find and publish the emails of Tenda customers that they accidentally left unprotected, I get raided by the FBI.by like_any_other
- What a surprise.by daneel_w
- Most of the software is this way, it seems. Military intelligenece in our country were recently changing configs on peoples routers without their knowledge or consent to get rid of similarly dangerous thing on several types of tp-link routers.
And if you ever looked inside the firmwares of these IoT Linux boxes (be it sip phones, payment terminals, ip cameras, routers, modems, etc.) you'd not want it anywhere near anything that needs to be secure. OpenWRT or your own thing, or very strict isolation, or nothing.
by megous - My ifconfig is simple: if it's made in Shenzhen, throw it outby matltc
- Yikesby riskd
- I bet more than half of components in all your electronics are made in Shenzhenby hathym
- Common situation for small-company software...
Backdoor passwords left for convenient debugging are not surprising anymore.
by linzhangrun - This is not a case of "convenient debugging".by daneel_w
- A quick search reveals several other serious vulnerabilities in Tenda routers that could grant administrator privileges. Therefore, I tend to believe this is due to the company's incompetence and lack of technical skill rather than malicious intent—but it's still a reason to avoid using Tenda products. There's a reason why Tenda's market share is far lower than TP-Link's.by chirsz
- It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit.
binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.binDECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 516 0x204 OpenSSL encryption, salted, salt: 0x436999A39FECA649
The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 516 0x204 OpenSSL encryption, salted, salt: 0x81235B7D4130B6ABbinwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers:DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 64 0x40 uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90" 128 0x80 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes 2159263 0x20F29F Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
And /squashfs-root/webroot_ro/default_router.cfg which offers:sys.rzadmin.username=rzadmin sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin) sys.guest.username=guest sys.guest.password=Z3Vlc3Q= (ed: base64 decoded: guest)
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".sys.rzadmin.username=rzadmin sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
by dhx - this is definitely a backdoor, not necessarily that they use it to infiltrate users but definitely they put them at risk.
reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol
by high_byte - The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!by HDBaseT
- Not sure if you're joking, but both have already done so. And any US company is subject to secret orders forcing them to implement a backdoor if demanded.by ranger_danger
- They'll have a lot of work to do, if they want to catch up with the amount and rate of "hidden authentication backdoors" all those companies (and also Cisco) have. E.g. https://www.thestack.technology/cisco-hard-coding-passwords-...by k_g_b_
- There was a meme going round of a network diagram that layers a Chinese firewall behind a US firewall behind a Russian firewall so they can all block each other countries backdoors.by Gigachad
- Reminds me of LKWPETER. I lost a bet when insinsting this couldn't be true.by cedel2k1
- And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.by drnick1
- Looking to do this to get off stock isp leased router. What's your hardware/distro rec?by matltc
- Tenda has good support among OpenWRT.by SuperMouse
- Man, I remember doing this in the late 90s with ipchains as the only way to get a router that didn't cost an arm and a leg. Eventually consumer/prosumer routers came out.
What's old is new again.
by ikidd - Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
by ggm - I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.by VladVladikoff
- Oh this is amazing! I have a few of their cube routers sitting around and I always hated how app-locked their firmware was when it really is just a wifi repeater with a few extras (mesh) on top. Root access will do wonders to bypassing the app now (and also disabling their ping-for-green-light mechanism which spams the network with a constant dns resolution to microsoft.com lol).
Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).
by Fabricio20 - Yes, it is randomized but due to a quirk in the universal probability waveform it always randomizes to 'rzadmin'. Scientists are baffled.by idiotsecant
Related stories
Decoding the obfuscated bash script on a Uniqlo t-shirt
tris.sherliker.net · 1063 points · 181 comments
StreetComplete: Fixing OpenStreetMap, one tiny quest at a time
streetcomplete.app · 761 points · 182 comments
Every new car sold in the European Union must include a driver monitoring camera
allaboutcookies.org · 736 points · 969 comments
Chat Control 1.0 and 2.0 Explained
fightchatcontrol.eu · 645 points · 238 comments
Microsoft fire idTech team at Id software
gamefromscratch.com · 597 points · 533 comments
Chat Control passed first round in EU Parliament
heise.de · 567 points · 246 comments