by emillon 3838 days ago
That is my opinion too, but I would go even further and say that this change could have been made on the compiled binary.

This kind of statement must take 10-15 bytes max to patch, and the build boxes are typically less safe than source control systems.


If you look at the disassembly in the link, the backdoor was inserted smack in the middle of the authentication function, which caused jump labels further down to change.

This is all trivial for a compiler to adjust, but it's not what someone manually tampering with the binary would do.

In addition, AFAIK this affects both the ARM and x86 firmware, so a patched binary would imply two separate modifications. Though that would still leave open the possibility that the toolchain was exploited before compilation occurred.
This is correct; I missed this!
Why would you choose that particular password if you patched the binary? That particular string would stick out in a binary, it certainly looks more like source code.
That's assuming that this particular string was already present somewhere in the binary. Since it is only present as a reference, you would not see the string in a binary patch.
It would have been something that already existed in the string table for the binary, so you would have just been referencing an address and not inserting a string inline.
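The point made above about labels moving is easy to see on a toy encoding. The following is an added example, not code from the thread or from the firmware under discussion: it models a minimal x86-like authentication stub using only a handful of real opcodes (`3C` cmp al, `B0` mov al, `74`/`75`/`EB` rel8 jumps, `C3` ret) and shows three ways of getting a backdoor into it. A compiler-style insertion splices bytes into the middle of the function and re-encodes every jump that spans the insertion point, so all later labels shift; a naive splice without that fixup silently breaks the function; and a hand-patcher's detour overwrites one instruction with a jump to a code cave at the end, leaving every existing label in place. The sample function bytes and the magic value 0x2A are constructed for the example.

```python
"""Toy x86-like ISA: enough to show why mid-function insertion shifts labels.
Constructed for this example; the opcode subset and sample bytes are not from
any real firmware."""

INSTR_LEN = {0x90: 1, 0xC3: 1, 0x3C: 2, 0xB0: 2, 0xEB: 2, 0x74: 2, 0x75: 2}
SHORT_JUMPS = {0xEB, 0x74, 0x75}  # rel8, relative to the next instruction


def rel8(b):
    return b - 256 if b > 127 else b


def decode(code):
    """Return (offset, length) for every instruction; rejects unknown opcodes."""
    out, off = [], 0
    while off < len(code):
        op = code[off]
        if op not in INSTR_LEN:
            raise ValueError(f"unknown opcode {op:02x} at {off:#x}")
        out.append((off, INSTR_LEN[op]))
        off += INSTR_LEN[op]
    return out


def jump_targets(code):
    """Map jump offset -> absolute target offset."""
    return {off: off + n + rel8(code[off + 1])
            for off, n in decode(code) if code[off] in SHORT_JUMPS}


def insert_with_fixup(code, at, new_bytes):
    """Compiler-style insertion: splice new_bytes at `at` (an instruction
    boundary) and re-encode every existing short jump whose displacement spans
    the insertion point. Jumps inside new_bytes must already be encoded for
    the final layout."""
    assert at == len(code) or at in {o for o, _ in decode(code)}, "not a boundary"
    k = len(new_bytes)
    shift = lambda x: x + k if x >= at else x
    patched = bytearray(code[:at] + new_bytes + code[at:])
    for off, n in decode(code):
        if code[off] not in SHORT_JUMPS:
            continue
        target = off + n + rel8(code[off + 1])
        new_rel = shift(target) - (shift(off) + n)
        if not -128 <= new_rel <= 127:
            raise ValueError("rel8 overflow: a compiler would widen to rel32")
        patched[shift(off) + 1] = new_rel & 0xFF
    return bytes(patched)


def insert_with_detour(code, at, new_bytes):
    """Hand-patcher style: overwrite the 2-byte instruction at `at` with a jmp
    to a code cave appended after the function; the cave holds new_bytes, the
    displaced instruction and a jmp back. No existing label moves, so
    new_bytes must be encoded for cave address len(code)."""
    n = dict(decode(code))[at]
    assert n == 2 and code[at] not in SHORT_JUMPS, "toy: need a 2-byte non-jump"
    cave = len(code)
    patched = bytearray(code)
    patched[at], patched[at + 1] = 0xEB, (cave - (at + 2)) & 0xFF
    cave_code = bytes(new_bytes) + code[at:at + n]
    back_rel = (at + n) - (cave + len(cave_code) + 2)
    return bytes(patched + cave_code + bytes([0xEB, back_rel & 0xFF]))


def run(code, al, max_steps=100):
    """Execute the toy ISA. `al` models the password-check result on entry;
    the value of al at ret is the function's verdict (1 = grant)."""
    ip, zf = 0, False
    for _ in range(max_steps):
        op = code[ip]
        if op == 0xC3:
            return al
        if op == 0x90:
            ip += 1
        elif op == 0x3C:
            zf, ip = al == code[ip + 1], ip + 2
        elif op == 0xB0:
            al, ip = code[ip + 1], ip + 2
        elif op == 0xEB:
            ip += 2 + rel8(code[ip + 1])
        elif op == 0x74:
            ip += 2 + (rel8(code[ip + 1]) if zf else 0)
        elif op == 0x75:
            ip += 2 + (0 if zf else rel8(code[ip + 1]))
        else:
            raise ValueError(f"unknown opcode {op:02x}")
    raise RuntimeError("no ret reached")


# Constructed sample: cmp al,1 / je grant / mov al,0 / jmp done / grant: mov al,1 / ret
ORIG = bytes.fromhex("3c01 7404 b000 eb02 b001 c3")
# Backdoor "cmp al,0x2A / je grant", each copy encoded for where it will land.
BACKDOOR_INLINE = bytes.fromhex("3c2a 7404")           # je -> grant at 0x0C after shift
BACKDOOR_CAVE = bytes([0x3C, 0x2A, 0x74, (8 - (len(ORIG) + 4)) & 0xFF])  # je -> grant at 0x08

FIXED = insert_with_fixup(ORIG, 4, BACKDOOR_INLINE)    # labels after 0x04 move by 4
NAIVE = ORIG[:4] + BACKDOOR_INLINE + ORIG[4:]          # same splice, no fixup
DETOUR = insert_with_detour(ORIG, 4, BACKDOOR_CAVE)    # hook + code cave, labels stay

if __name__ == "__main__":
    for name, code in (("orig", ORIG), ("fixed", FIXED), ("naive", NAIVE), ("detour", DETOUR)):
        print(name, code.hex(), jump_targets(code),
              [run(code, al) for al in (1, 0, 0x2A)])
```

Running it shows the three layouts side by side: the compiler-style version moves the `grant` label from 0x08 to 0x0C and rewrites the original `je` displacement from 4 to 8; the naive splice keeps `je +4`, which now lands on `mov al,0`, so a valid password is denied; the detour keeps 0x08 and 0x0A exactly where they were and adds its own jumps at the end. That last shape (hook plus cave) is what a manual binary patch normally looks like, which is why shifted labels downstream of the insertion point point toward a recompile.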