May 30, 2011 04:15 GMT

Networking equipment manufacturer Allied Telesis has accidentally leaked an internal support document describing backdoors into its devices.

The document, which was labeled as "INTERNAL ONLY," was inadvertently made public on its website and subsequently indexed by Google.

The entry answered the question "How do I obtain a backdoor password for my Allied Telesis device?" and contained solutions for different types of network switches.

"Depending on the device that you are locked out of, there is either a built in Backdoor function, or a way to generate a password, based on the MAC address of the device," the support entry read.

In addition, it had several files attached, including default password lists, a password generator program and special instructions.

The content was copied and posted on file sharing websites before the company had a chance to remove it from public access.

"The Backdoor Passwords listed here are INTERNAL ONLY. Do not give this information freely to any customer as this can compromise a network," a note on the document reads.

This warning has sparked fears that attackers could use the information to attack network switches; however, these procedures require physical access to the devices.

The manufacturer claims they are industry-standard password recovery features and says the use of the term "backdoor" was unfortunate.

"All documentation describing this password recovery process as a proprietary 'backdoor' feature is incorrect, and has been removed from the website," Allied Telesis said, according to threatpost.

"By definition this is not a 'backdoor' feature; it is a standard password recovery process for a person who has physical access to the device," it added.

Nevertheless, security experts have argued that the use of MAC addresses to generate backup administrative passwords is not secure because they can be easily determined.

Chris Wysopal, chief technology officer at Veracode, said that vendors could use cryptographic methods to sign the password reset commands and have the devices verify them.
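The recommendation above, signed reset commands that the device verifies instead of a password derived from a MAC address, can be illustrated in a few dozen lines. The following is an added example and is not code from Allied Telesis, Veracode, or the leaked document; it assumes an Ed25519 key pair held by the vendor's support desk, a public key embedded in device firmware, and a command format that binds the reset to a device serial number and an expiry time (the serial numbers and timestamps are constructed for the example).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
	"time"
)

// ResetCommand is the message the vendor's support desk signs for a locked-out
// customer. Binding it to one device and an expiry means a leaked command cannot
// be replayed against other devices or kept for later use. (Hypothetical format.)
type ResetCommand struct {
	DeviceSerial string
	ExpiresAt    int64 // Unix seconds
}

// encode produces an unambiguous byte string to sign: a fixed-width expiry
// followed by the serial, so no two distinct commands share an encoding.
func (c ResetCommand) encode() []byte {
	const prefix = "reset-cmd-v1\x00" // domain separation, assumed label
	buf := make([]byte, len(prefix)+8+len(c.DeviceSerial))
	copy(buf, prefix)
	binary.BigEndian.PutUint64(buf[len(prefix):], uint64(c.ExpiresAt))
	copy(buf[len(prefix)+8:], c.DeviceSerial)
	return buf
}

// SignReset runs at the vendor, which is the only party holding the private key.
func SignReset(priv ed25519.PrivateKey, cmd ResetCommand) []byte {
	return ed25519.Sign(priv, cmd.encode())
}

// VerifyReset runs on the device, which holds only the vendor's public key.
// Nothing about the device (MAC address, serial) lets anyone forge a command;
// the device merely checks a signature it cannot produce itself.
func VerifyReset(pub ed25519.PublicKey, mySerial string, now time.Time, cmd ResetCommand, sig []byte) error {
	if !ed25519.Verify(pub, cmd.encode(), sig) {
		return errors.New("invalid signature")
	}
	if cmd.DeviceSerial != mySerial {
		return errors.New("command is for a different device")
	}
	if now.Unix() > cmd.ExpiresAt {
		return errors.New("command has expired")
	}
	return nil
}

func main() {
	// Vendor side: key pair generated once; the public half ships in firmware.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}

	now := time.Unix(1700000000, 0) // constructed "current time"
	serial := "SN-CONSTRUCTED-0001"  // constructed device serial

	// Support desk issues a reset valid for ten minutes for this one device.
	cmd := ResetCommand{DeviceSerial: serial, ExpiresAt: now.Unix() + 600}
	sig := SignReset(priv, cmd)

	fmt.Println("genuine command:", VerifyReset(pub, serial, now, cmd, sig))
	fmt.Println("other device:   ", VerifyReset(pub, "SN-CONSTRUCTED-0002", now, cmd, sig))
	fmt.Println("after expiry:   ", VerifyReset(pub, serial, now.Add(time.Hour), cmd, sig))

	// Someone who knows the serial and MAC but not the private key gets nowhere.
	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:      ", VerifyReset(pub, serial, now, cmd, SignReset(otherPriv, cmd)))
}
```

The design point is that the device never derives a secret from public identifiers; it only checks a signature that the vendor alone can create, so a leaked support document or a known MAC address gives an outsider nothing to compute. A production scheme would also record used commands or include a counter to prevent replay inside the validity window.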

Allied Telesis is now working on removing the information from websites that posted it and has also informed its support personnel about the leak.