Walmart router, others on Amazon, eBay have hidden backdoors to control devices (cybernews.com)
352 points by bmcn2020 on Nov 23, 2020 | 232 comments



I get uncomfortable how this is probably true with all these smart TVs as well (especially the budget TVs). I set up piHole to try to prevent this but nothing stops it from phoning home via a direct IP. It sucks because all our electronics get poisoned since good brands get squashed out by these low cost alternatives that consumers love at the expense of privacy that no one cares about anymore. Also, another crazy thing is ISP provided routers. I was unable to change the DNS on my modem/router, let alone change the security settings.


The fix for this is to just never ever connect your TV to the internet. Devices like the chromecast and game consoles generally have better app support and usability than most smart tvs anyway.

It doesn't make sense to tie the lifespan of a display to the lifespan of software support when the computing hardware is so ubiquitous outside of the TV anyway.


That's not a fix.

This is a field that cries out "decent regulation". Terrible IoT security? Please see massive fines, Senators on TV claiming national security at risk, never allow that brand to be sold "on our soil" again.

I know there is no obvious technical framework that can be applied as "best practise", that IoT is a horrible wild west and governments choosing winners will lead down suboptimal paths, but it's hard to see a real alternative fix.


This is an extremely difficult problem. The proximate problem is that there isn't liability for industry when there should be. The proximate fix is adding liability into the equation one way or another. Using regulation may work, it theoretically ought to, but regulators tend to get captured by industry. Another way is to open the issue up to civil liability/class action lawsuits, which requires a cooperating political and legal class who also tend to get captured by industry. The only way to overcome that is for the population to make it politically untenable to kowtow to industry. However, the population isn't educated on this and the political class which controls education for most people is unlikely to push for it. Even if they were educated, because the costs are diffuse and the interests are concentrated, the population is unlikely to feel the urgency to make this a political priority and the special interests certainly won't. Politically speaking, the priorities of the Hacker News crowd amount to very little. I would love to hear ideas about how to overcome these problems.


The EU, which is a bit more pro regulating stuff, is having a go, e.g.:

>The European Telecommunications Standards Institute (ETSI) has released what it calls a globally applicable standard for cybersecurity in the Internet of Things (IoT). The new specification, TS 103645, seeks to establish a security baseline for internet-connected consumer products and provide a basis for future IoT certification schemes. https://futureiot.tech/europe-gets-first-global-consumer-iot...

Maybe if that works other places will follow.


Maybe the potential regulators are also enjoying the free surveillance infrastructure


I agree - I meant fix in the "here's how to selfishly make this work for you" sense, rather than the "actually fix this for everyone long term" sense.


Ok. English double meanings - great for jokes, bad for comms!


> The fix for this is to just never ever connect your TV to the internet.

This conversation happens on HN every week, and each time, commenters point out the numerous flaws in this plan:

Manufacturer requiring a firmware update or internet connection for the TV to work, quietly connecting to internet over HDMI, connecting automatically to neighbour's unsecured wifi, shipping with an internal cell modem, and many other methods that might be around the corner as privacy norms drift and certain technologies become cheaper.


The one I worry about is 5G. p2p to a nearby 5G device that gets you out.


Add IPv6 to this scenario and it allows for incredibly fine-grained device identification and possibly/probably location. I can really imagine data-gatherers/advertisers going crazy for that.


Or don't reward spyware makers by purchasing appliances that can phone home.

Bonus: This way, you don't have to worry about open wifi networks.


>Bonus: This way, you don't have to worry about open wifi networks.

I live near a BK, my TV could dl some auto auth for the wifi and just upload my habits... if it wasn't specifically chosen to reduce that probability.


> my TV could dl some auto auth for the wifi

How is it possible that your TV could automatically log into your wifi?


I believe they’re suggesting there is a public WiFi network in range of their home.

Where I live I can see a few dozen networks active. At any one time at least a few are public.


When purchasing a TV, this is getting more and more difficult. There are few dumb displays out there these days.


I recently bought a TV and couldn’t find any dumb ones in the local big brand stores.


They exist, but not at the big stores. You need to find one targeted at a conference room, or factory. The factory is probably better because safety information is displayed on them so people can die if it doesn't work for some reason.


TVs and smart speakers connect to any open network. Alexa connected to my neighbour's wifi network.


> Alexa connected to my neighbour's wifi network.

Is that legal where you are, assuming your neighbour has not granted permission to do it?


In the US I'm pretty sure it's legal at the federal level because the network is actively advertising itself by broadcasting the SSID and no user name or password is required when connecting.

AFAIK, violating the CFAA would involve actively circumventing a mechanism intended to restrict access.


Depends, and either way you’re being held responsible for the manufacturer’s decision.


I don't know. But I've unplugged the Alexa Echo and put it inside my cupboard long ago.


The only way to stop wifi on my Samsung TV was to plug in ethernet and block all traffic from it on my firewall. Extremely annoying that there is no setting to disable it.


Or don't have a TV.


> The fix for this is to just never ever connect your TV to the internet.

My understanding is that lots of them aggressively sniff and try to hop on any unsecured network that they can find.


Why would you connect a Chromecast to the internet but not your TV? They're equally as bad, as they both collect your data/viewing habits to sell to other people, same with Roku.

Don't connect your TV to the internet, buy an Apple TV.


I trust Google’s security more than an OEM focusing on cost minimalisation.

Giving google my viewing habits is bad, but giving Hisense + DodgyAdBroker.biz + CCP/PLA is even worse.


Or use an open source system like Kodi.


I'm not sure how buying a device connected to the internet, fully controlled by the company, that also collects data and sells ads is an improvement.


Luckily they put stickers at the store to tell you which ones collect data.


This won't stop Whispernet-style LTE communications.


I would be surprised if consumer home electronics like this would be shipped with anything other than bluetooth/wifi radios.

While the advertising / data sharing revenue is valuable to them, the vast majority of those are going into homes where they're going to be internet connected already. The cost of a modem + service fees for it wouldn't be worth it for most of them.

Amazon is starting to ship their Sidewalk protocol[1] which will be embedded into a bunch of their devices - but that seems to be mainly for low-power/remote devices to connect back to a Sidewalk access point, rather than to provide an alternative data-path for (say) customer metrics.

[1] https://www.amazon.com/Amazon-Sidewalk/


One of the driving forces is for every device to have a 5G connection, no wifi needed. Everything will have an IPv6 address soon.

I do not agree with any of that, though.


I'm thinking about it from a BOM cost, though.

Consider the beancounters at the manufacturer:

We are shipping a SmartTV, we expect our users to therefore have internet access, because the device is mostly non-working without it.

Why would we then include: a cellular radio AND make us pay for a cellular data service on an ongoing basis? Is the data from some small fraction of users who don't already have wifi valuable enough to pay off the hardware and service costs in every other TV? Seems unlikely.


You'd only have to pay for cellular data service for devices that don't connect to WiFi. So the only real cost is whatever the modem costs.

I think what'll really happen is they'll become always online devices where if you're offline for more than X days they quit working and claim they need an update - please connect to the internet.


The same users who would sue you if you took their data. It's just not worth it when 99 percent of the population welcomes the smart TV craze.


I bought the very first Kindle and it came with free Sprint cellular data service.

Look at how much an ESP32 can do and what it costs.

At scale, the cost of the additional electronics is negligible, especially if it is being subsidized.

Nobody is making you pay for service. It will simply send back fingerprints of your screen image and usage data, and can probably load ads, as well.


Kindles with Whispersync over 2G were subsidised directly by you buying books.

You'll note though that getting a Kindle with 3G nowadays means paying for the more expensive models - Paperwhite or Oasis.

> Nobody is making you pay for service

I think you missed what I said. I was talking from the perspective of a manufacturer.

The cost of buying and integrating the new hardware, and also an ongoing monthly SIM cost for the benefit of getting analytics and ads from a tiny fraction of your userbase that does NOT already have their TV hooked up to wifi is significant, and I doubt it comes close to the added revenue you might get from that fraction of users.

That also assumes that those who don't have their Smart TV hooked up to wifi are going to be in cellular range.


LTE-M1 chips are getting closer to that region. Besides, cars have had it for decades, under “telematics” terminology. Intention is Google Analytics for physical cars, but they OTA, connects to internal CAN bus, technologically not infeasible to cause unintended accelerated drive into walls if taken, and it’s completely on the house, free of any payment.


I used to rant about these IPv6 privacy concerns back in 2010. Nobody believed me. https://news.ycombinator.com/item?id=1742431


If a cellular network IoT is the future, why is it blocked by 5G deployment? Seems like it could just happen now with 4G. Does 5G relax the need for a phone number (which I believe all 4G devices have, even if they can't make calls) or something?


The problem with the "5G" terminology is that it groups a bunch of things together, in a meaningless blob of vague hype.

Some of the technologies are specifically intended to give "phone home" connectivity to low-power devices: https://en.wikipedia.org/wiki/Narrowband_IoT https://en.wikipedia.org/wiki/LTE-M


True but they won’t have lateral access to your local network nor would you be entering credentials to online services.


Wouldn't just identifying the chips and drilling through them be more effective?


[flagged]


Amazon Kindles come with LTE's allowing them to access Amazon's 3G network named "Whispernet." They advertise(d) this feature.


He’s just suggesting it’s possible. It will happen eventually with the right incentive.

There were already Samsung TVs that connected to open WiFi networks a few years back.


I dislike a lot of "smart" devices, but off-brand or no-brand IoT and "smart" things are a hard no. I assume these to basically be spies or malware vectors. Even if they're not deliberately malicious I figure there's a good chance they are insecure as hell.

I tend to go with US-based companies because they would legally be liable for damages, which would in theory mean they'd be less likely to knowingly ship malware and security disasters.


>>I tend to go with US-based companies because they would legally be liable for damages

I am not sure under what legal basis you draw this conclusion, given the EULAs and other laws explicitly shield them from said liability.

You would have to prove intentional malicious intent, not simply negligence.

One of the big problems I have with more US Companies is they are a network of vendor Lock-in proprietary ecosystems that often do not work well together at all.

I prefer Open protocols, which sadly seem to be only adopted by non-US Companies.


Even then, IoT devices are going on their own 'guest' network that none of my own devices are on.


That's a good idea but it still doesn't protect you from spying. And you'd have to put each device on a different network to prevent them from infecting each other. That probably also has the side effect of making them basically useless. How do you segregate your smart speaker and your smart lightbulb and your smart TV and still control them from your cell phone?


I think you missed something there -

Either your devices and hub don't need to be exposed to the net (so why are you even using a router connected to the web?), or they do.

If they do, it's because that's how you control them, via the web. If that's the case, it doesn't matter what network your phone is on; command and control is done via the web.

Now, in terms of infecting each other, sure. But the point is to keep my data devices and such separate from my IoT devices. Yes, the whole IoT infrastructure may get infected and need a purge, but my goal is to keep infection of those from getting, say, my banking information. And yes, it assumes that the command and control app is reasonably secure, but that's a whole different issue (and one reason why I would rely on Amazon or Alexa as a hub, and not some random no name company).


Sure, this is why I have almost no IoT things. The only thing I can think of is my scale.

I'm curious if you have suggestions for a hackable home automation/IoT hub that I can use without giving it access to the internet. I'm happy to DIY anything that doesn't deal with mains voltage.


A friend pointed me to Home Assistant[0] after I said I was going to look into Hubitat[1].

[0]: https://www.home-assistant.io/ [1]: https://hubitat.com/


There's also Homebridge/HOOBS, if you want to link 3rd-party IoT devices to Apple Homekit. Many of the plugins run locally.

Homebridge: https://homebridge.io HOOBS: https://hoobs.org


I have plenty of home automation, none of it is controlled with my cell phone. IMO that defeats the purpose of AUTOMATION.

It should be automated, you have controls in the house that trigger actions, i.e. a door opens, or a light switch is triggered.

If I have to use my phone to control it, I have failed at automation


For true automation sure but I can think of "IoT" applications where using the phone would be nice. Lighting most of all.

I have a small arcade in my basement and the ability to control the lights from my phone would be way better than using the wall switch, mostly because of outlet placement and the fact the switch has to stay on.

My living room only has one switched outlet and it is the one closest to the switch. The lights across the room have to be manually controlled.

I've done some research into wifi controlled outlets and I have some very old radio controlled ones but I need more. Do you have any suggestions for hackable wifi plugs that do not connect to the internet? Maybe something that connects to a hub?

My dream would be something where I can make my own sensors and talk over wifi to outlets that are UL listed, without involving the internet. I'm happy to DIY anything that doesn't interact with mains voltage.


Most of my home automation is Zigbee or Zwave not WiFi, Outlets for the most part are SYLVANIA SMART+

Zigbee/Zwave is controlled via Nortek USB interface connected to a rPI

Though I do have a couple of Shelly Devices, and some custom ESP8266 things


Thanks, I’ll check that out.

With Black Friday/Cyber Monday coming up I’m trying to compile a shopping list of good gear.


What gateway is the TV using? You can put your own router in front of the ISP one, and set your computers including your TV to use your router as the gateway, not the ISP one. Relying 100% on a third party router (where you do not control the OS) is similar to relying 100% on a third party DNS provider (many PiHoles are set up to use third party DNS providers). This is willingly delegating 100% control to a third party. Some of that control can be retained if desired by using your own router (with an OS you can fully control), or in the case of DNS by using your own DNS that you can fully control.


I had to put a router in between. So the setup is piHole -> Secondary Router with PiHole as router-wide DNS --> ISP router/modem. I'm kind of tempted to just straight up buy my own modem.


If the ISP charges you a monthly fee for the modem/router (you are "leasing" the modem), and you have been a long-term customer, you may have already paid the full price of the modem; yet you do not own it.

Let's say the customer connects their own Wifi router to the ISP modem/router via Ethernet cable. There is no need for the ISP modem/router's Wifi AP. Does the ISP modem/router allow the customer to disable it?


Don’t connect your TV to the network, use a computer or Apple TV instead.


> I set up piHole to try to prevent this but nothing stops it from phoning home via a direct IP.

What exactly do you mean? I thought piHole sits "between" the TV and your modem? I mean it probably can easily firewall those IPs.

Edit: nvm, PiHole is only a DNS thingy.


PiHole is for DNS blocking.

So if say your TV calls out to backdoor.example.com - then PiHole can block it.

If instead it calls out to 1.2.3.4 (i.e. no DNS lookup) - then PiHole won't block it for you, you'd have to instead set up controls on the firewall/router/etc. to filter traffic.


Recycling my comment from Mozilla DoH story:

Wanted: Firewall blocking all traffic directed at IP addresses not obtained from OS DNS resolver.

aka dynamic application level FQDN Egress Filtering. Major cloud providers (AWS, Azure) and bigger firewalls (Fortinet, Cisco, Palo Alto) already offer ~half of what I want.

I want a little daemon that listens for DNS queries/replies and modifies firewall rules accordingly.
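
A minimal sketch of the DNS-learned egress allowlist the comment above asks for, added here as an illustration and not code from the commenter or from any product named in the thread: it parses DNS replies seen on the wire, records each returned address per client for the record's TTL, and refuses destinations that were never resolved (the direct-IP case discussed upthread). The class and function names, the TTL floor and the sample packet are assumptions constructed for the example; pushing the learned entries into an actual firewall is the integration point left to the router in use.

```python
import ipaddress
import struct
import time

TYPE_A, TYPE_AAAA, CLASS_IN = 1, 28, 1


def _skip_name(msg, off):
    """Return the offset just past the DNS name that starts at `off`."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, name ends
            return off + 2
        if length == 0:                # root label: name ends
            return off + 1
        off += 1 + length


def parse_answers(msg):
    """Return [(ip_address, ttl), ...] for the A/AAAA answers of a DNS response."""
    _id, flags, qdcount, ancount, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a DNS response")
    off = 12
    for _ in range(qdcount):           # each question: name + type + class
        off = _skip_name(msg, off) + 4
    answers = []
    for _ in range(ancount):
        off = _skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if len(rdata) != rdlen:
            raise ValueError("truncated record")
        if rclass == CLASS_IN and (rtype, rdlen) in ((TYPE_A, 4), (TYPE_AAAA, 16)):
            answers.append((ipaddress.ip_address(rdata), ttl))
    return answers


class EgressAllowlist:
    """Per-client set of destination IPs learned from that client's DNS replies."""

    def __init__(self, min_ttl=60, clock=time.monotonic):
        # min_ttl is a floor: clients often keep using an address a little
        # longer than the record's TTL, so very short TTLs would break them.
        self._min_ttl = min_ttl
        self._clock = clock
        self._expiry = {}              # (client, ip) -> time the entry expires

    def observe_reply(self, client, msg):
        """Learn addresses from one DNS reply sent to `client`; return count."""
        try:
            answers = parse_answers(msg)
        except (ValueError, IndexError, struct.error):
            return 0                   # malformed or non-response: learn nothing
        now = self._clock()
        for ip, ttl in answers:
            self._expiry[(client, ip)] = now + max(ttl, self._min_ttl)
        return len(answers)

    def permits(self, client, dst):
        """True only if `client` resolved `dst` via DNS and the entry is live."""
        key = (client, ipaddress.ip_address(dst))
        expiry = self._expiry.get(key)
        if expiry is None:
            return False               # never resolved: hard-coded destination
        if expiry <= self._clock():
            del self._expiry[key]      # stale entry: require a fresh lookup
            return False
        return True


# Constructed sample: reply to "tv.example" with one A record (TTL 300) and one
# AAAA record (TTL 30), both using a compression pointer back to the question.
SAMPLE_REPLY = (
    struct.pack("!6H", 0x1234, 0x8180, 1, 2, 0, 0)
    + b"\x02tv\x07example\x00" + struct.pack("!HH", TYPE_A, CLASS_IN)
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_A, CLASS_IN, 300, 4)
    + bytes([192, 0, 2, 10])
    + b"\xc0\x0c" + struct.pack("!HHIH", TYPE_AAAA, CLASS_IN, 30, 16)
    + ipaddress.ip_address("2001:db8::10").packed
)

if __name__ == "__main__":
    acl = EgressAllowlist()
    acl.observe_reply("192.168.1.50", SAMPLE_REPLY)
    for dst in ("192.0.2.10", "1.2.3.4"):
        print(dst, "allow" if acl.permits("192.168.1.50", dst) else "drop")
```

This only sees plaintext DNS; a device that resolves names over DoH or DoT never populates the allowlist, so under this policy its traffic is dropped rather than silently allowed.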


Just wait till all the smart devices come with a preloaded DoT/DoH list.



Also, the other risk is the device not respecting what your router says to use for the DNS server.

So, it could still bypass piHole and still resolve hostnames.


This is more crazy. Is this achieved by hardcoding the DNS server IP address in the device?


There was a version of Awair devices that used 8.8.8.8 for DNS, no matter my pihole.

At the router level, I then forced all 8.8.8.8 traffic to be transformed into traffic to my pihole.

You can do the next step, but you need a router that supports it and the patience to handle it.

You shouldn’t need to do this.


I force all outgoing traffic to 53 not Pi-Hole IPs (I run redundant) to go to a Pi-Hole instead. Initially I did that for Chromecast. However, I doubt Chromecast still cares. Why do you think Google push Do{H,T}?


Chromecast devices (some? all?) have Google's public DNS servers hard coded. Paul Vixie wrote a nice rant about catching these devices trying to bypass his local DNS servers.


All Chrome based browsers have 8.8.8.8 8.8.4.4 hardcoded under the guise of "helping resolve navigation errors", except it's not helping anyone but Google in gathering statistics. Domains like hls.ttvnw.net (no A record) receive a perfectly valid DNS reply (NOERROR, response code 0, DNS Query completed successfully) but trigger this feature and call the hardcoded Google DNS resolver. Even domains that don't exist at all, where the browser receives a valid response (NXDOMAIN, response code 3, Domain name does not exist), trigger it to snitch on the user to the hardcoded Google DNS resolver. No errors, Google called.


More likely the destination IP address is hard coded, so no name resolution is ever required.


Well, it is also possible to not use port 53 as UDP to resolve DNS.

So, if it is using HTTPS for DNS resolution, I don’t know how you would block that.

If you could install a self-signed cert onto the device, you could MitM the HTTPS traffic and see what it is doing.


> if it is using HTTPS for DNS resolution, I don’t know how you would block that

By filtering traffic sent from that particular device based on a query to your DNS filter to approve or deny the destination address. (Some implementation work probably required.)


This is also true for almost all devices which could connect to the internet. We need a portable small router with a firewall feature which could physically ban the specific IPs or domains.

For example, iOS to Apple, Mac to Apple, Win10 to MS, etc. These connections are much more difficult to ban nowadays. What we could do might be limiting their upstream connection via a physical firewall router with a good built-in web-based GUI.


I hate the ISP router thing.

AT&T pushed an update that added an "Application Statistics" page to the router which keeps track of ports and sites visited and is basically hostile to privacy.

Thing is - this is a rented router, so what can the customer do?

Also every time they push an update wifi turns itself back on. So I go in and disable it and then I get a giant warning email "AT&T wifi gateway settings updated".


That is precisely the reason why I want (or I once wanted) Apple to make a TV set and not a TV box. Their brand, software and UX could create enough value for consumers to buy and set the standard for the TV industry.

Or someone to create a standard where the panel is now working more like a monitor and all electronics are in a separate box.


It’s called an Apple TV. You can buy any TV just don’t connect the TV to the internet.


Seriously, I wish TVs stuck to being a dumb display with a modular computer that you can swap or simply pull out if you don't trust it.


I think there's a way with the more advanced routers to intercept all outgoing DNS queries and redirect them.


That still doesn't help with direct IP communication. You'd have to block all traffic except services you want to interact with. That probably means never getting a firmware update or at least uploading some telemetry when you allow a connection back to the mothership for a firmware update.

There's no winning with IoT.


> There's no winning with IoT.

There's no winning when a third party controls the lowest-level software of a thing on the internet. That includes your general purpose computers.

Unless you are the owner of the signing keys down to the bottom of the stack, your system can be remote-controlled.


It's called a network tap, or port mirroring.


Not with DOH


Why not just leave them disconnected and use brand name TV streaming boxes instead?


You can just keep a smart tv off the internet, no?

Buy a stand-alone Roku for apps?


Rokus are no better.

The top device on my network being blocked from reaching its mothership are my Roku devices. This is the top analytics from my NextDNS console for the past two weeks:

scribe.logs.roku.com 417,115

stats.gc.apple.com 24,752

ssl.google-analytics.com 16,178

track.sr.roku.com 7,534

Roku is easily on the top of my list of spying devices on my network. The Apple ones, while still worrying, are on a network with tons of Apple devices between phones, MacBooks, watches, iPads, etc. whereas there are three Rokus making all that traffic.


Roku also sells your data, same with Google and likely Amazon.

Apple TV is what you want if you don’t want to have your data/viewing habits sold to outside companies.


... and then to exclusively watch things bought rented from the i/Tunes/Apple Store?

YouTube or Netflix or whatever can still do whatever they want with your 'viewing habits'.


Yes, TCL TVs are largely venerable.


*vulnerable


Am I the only one who thinks that Wal-Mart should be absolutely slammed for doing this? Like, they are a corporation actively participating in the material worsening of our national security. I don't even want to think about a threat model that includes undermined router hardware! If they can't be patched remotely those things need to be recalled, destroyed, and Wal-Mart fined significantly.

(When I say slammed I mostly mean "pay big fines", maybe jail time if the flaw was known, and it should result in real reputational damage to Wal-Mart and its willingness to sell anything with a network connected computer in it. At the very least, if the buy cost is even less than the China price, that difference is coming from somewhere. Wal Mart should have spotted that.)


It doesn’t sound like the back door was put in for Walmart to use. So no, Walmart shouldn’t be slammed for this vulnerability any more than for the vulnerabilities in the PCs they sell.


Someone within US jurisdictions ought to be liable.

As far as I can tell, that's the company who imported and sold it. If Amazon and Walmart are liable, I won't need to worry about fake Sandisk memory cards, fake medicines, fake clothing, and other fake products there.

I'd love that.

Maybe I just had a really bad 6 months with Amazon, but it seems everything that comes is a fake or a scam.

I'd gladly pay 10% more for real products than 10% less for 50-50. Right now, I switched to mostly buying off-brands direct from China for a lot of products, since I get the same thing as Amazon, but at a lower price and with an honest label.

Or buying direct from manufacturers if I want something real.

I got screwed once doing even that, though. I ordered a brand-name headset. They did... fulfillment by Amazon. The headset is barely usable, so I'm assuming Amazon did commingled products. Or perhaps I got a defective copy. In either case, not worth fighting for 50 bucks.


> In either case, not worth fighting for 50 bucks.

Contact your state's AG, they usually have a consumer protection office that handles complaints like this.


> won't need to worry about fake Sandisk memory cards, fake medicines, fake clothing, and other fake products there.

Fake and flawed (a vulnerability) are not in the same category. The first is fraud, the second is just standard flaws in the product.


If Walmart sold products that were contaminated with lead, and people got sick, they would still be held liable even if they didn't manufacture the products themselves.


Only if Walmart failed to apply a level of diligence sufficient to protect against lead exposure risk, a known risk with laws in place demanding appropriate care and notification and recalls.

What is the industry-accepted, “will pass muster by a judge and jury”, level of due diligence that is considered minimally acceptable when purchasing Internet-connected devices from a supplier for resale to consumers?

The current answer as I understand is, simply, “no level of due diligence is expected with regards to network functionality, as the relevant UL/CE standards for ‘networking’ only concern themselves with RF interference at most”.

Should all computer resellers of any business size, whether Walmart nationwide or PC Hand-Me-Downs in a single city, be required to hire specialists to disassemble device firmwares for auditing purposes? Should this burden be placed on importers? Is this even legal under the DMCA?

Should the UL certification be found at fault here, since clearly they did not audit nor certify the device’s preinstalled firmware?


The importer should be liable.


Seems analogous to the child labor and slave problem.

Walmart keeps on getting caught selling unethically produced goods. We need stronger laws to punish them when that happens. It doesn't seem to be enough to allow them to self govern.

Ditto for the likes of Amazon.


Define unethically produced goods. I consider the labor laws in most US states to qualify as unethical.


Sort of "You know it when you see it" situation.

I can come up with examples of unethical production, I doubt I could come up with a solid definition of unethical which covers all definitions of an unethically produced good.

For now, it's easy enough to say "Goods produced by slave and child labor". From there, I think it is healthy to expand the law and regulations to capture missed or current unethical production practices. For example, production which produces a lot of CO2. Or production which pollutes the local environment. You could even go so far as saying "production where anyone in a company is making more than 10x anyone else".

Some may disagree with my examples of what are unethical. Which is fine. I think there are sections, though, that nobody should disagree with (and if you do, you're a monster).


This, exactly.


There’s a vote button for expressing that sentiment


Would they really though?


One thing can kill you. One cannot.


2014 https://www.techdirt.com/articles/20140511/06390427191/micha...

Michael Hayden: "We Kill People Based on Metadata"


Botnet made of cheap IoT being used for DDoS ransom on a hospital. Someone can easily die.


You can certainly prove damages in court for both.


It's not the same thing. A PC can be patched. Patching the router requires firmware update, which requires cooperation from the vendor (which seems unlikely given the vendor intentionally implemented the vulnerabilities in the first place).

Yes, Walmart should be slammed for this. It's Walmart's responsibility to protect its customers by sourcing secure electronics--especially when they're advertising the router as a Walmart exclusive. They're explicitly aligning themselves with the vendor.

But Walmart won't be slammed for this. Because the people who buy cheap routers from Walmart typically aren't the most tech savvy bunch.


> A PC can be patched. Patching the router requires firmware update, which requires cooperation from the vendor

You’re not realistically patching Windows without Microsoft’s cooperation.


I think they were talking about hardware wise. You can remove Windows and replace it with Linux or *BSD or what have you and then patch that yourself on commodity hardware.

Meanwhile, the router both A) Comes with an OS that you may or may not be able to patch, and B) You may or may not be able to replace it with something you can.


They chose the product to sell. They are absolutely part of the problem.

Consumers buying cheap shite is also a problem.


> actively participating in the material worsening of our national security

It's really just a symptom of the race-to-the-bottom that Wal-Mart has been strongly championing for a couple decades. Everything must be manufactured in China at the lowest BOM cost possible. And, of course, it's us consumers that fuel this race.


Sure, find some customers and sue on their behalf; this is a product liability issue. However, you would have to show actual damages to collect much. If the router the plaintiff purchased was never compromised, it might be tough to claim significant damages. Even the purported harm to privacy would have to be demonstrated. There may be other crimes related to selling compromised hardware, but that might require actual knowledge or constructive knowledge that the products were compromised.

So for example, if you buy a defective helmet for your kid from Walmart, the kid gets into an accident, and the kid dies, you sue Walmart for damages commensurate to the death of the child. For the router, you have to show the compromise that resulted from the vulnerability and the damages that ensued. If there was no compromise and just the potential for compromise the damages may be quite limited.

So Walmart might have some good faith defenses and it might be challenging to show enough damages.

There may also be some fines that the FTC could levy related to this because of the deceptive trade practices associated with selling a fatally defective product that could pose serious risks to privacy.


No, but Walmart should begin preparing to turn over a complete list of all identifiable purchasers of these devices when the FBI asks for it, and if we had a functioning US government, they should be compelled to issue a recall with refund for them.


I can see how the backdoor allows access to the router and makes the router itself part of the botnet.

But where do they get...

> This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network.

How do you gain "control" of a device (presumably a PC) merely by having access to the router it is connected to? Is it just that we're assuming that a typical home network will be a soft target of PCs? What about Windows Defender firewall, and all that stuff?


It's safe to assume that whoever undermined these routers has access to a grab bag of exploits that they are free to attempt at will, and without any detection, for all time, because they own your router. I like to think I "run a tight ship" security-wise, but if a state-run botnet owned my router, I don't think it would take long for them to find a weakness and get a foothold into my PC, and it would, in general, be pretty hard for me to know about it happening since I rely on the router to tell me about network activity!

(Personally, the best way to accomplish that goal would be to require the owner to install an app to complete the router installation. The old, unpatched Android phones Wal-Mart shoppers use are generally easy to exploit I imagine. Although I expect that your app could ask for total control over the phone and all data sources, and people will just answer yes because they want their thing to work, and Wal-Mart wouldn't sell it if it wasn't safe.)


In addition to other posters, firewall rules in Windows are far more permissive for internal networks than external ones. So if you have a setup where your laptop can RDP into your desktop with minimal credentials, someone gaining control of the router can access your desktop as well. If you do practice good security and require a username/password for the RDP session, the router can still spy on that traffic for the malicious remote. In addition, the remote can issue Remote Assistance requests. More nefariously, if your PC is not on the latest patch, which most PCs aren't, an exploit could be used to install a RAT or ransomware or equivalent. Are you using a NAS that is open to every machine on the internal network? If so, the remote will have a field day with your backups and shared data.

In short, once the remote has gained access to your internal network, many types of attacks become possible.


> If you do practice good security and require a username/password for the RDP session, the router can still spy on that traffic for the malicious remote

Wow, Microsoft added TLS to RDP way back in Windows Vista (cite: I worked on it), and they apparently still don't have it required by default, based on some blog posts I see from 2019 explaining how to force it on. That's shameful.


>Wow, Microsoft added TLS to RDP way back in Windows Vista (cite: I worked on it)

Since you seem to be an expert on this, can you explain how exactly it's implemented? When connecting to a remote machine, the sequence of events goes something like this:

1. enter ip, click "connect"

2. login prompt shows up

3. enter username/password, click "ok"

4. self signed certificate warning shows up, asks me to accept/reject the certificate

5. after accepting the certificate, the connection succeeds and I can see the other machine.

This sequence of events makes me think that the password authentication step isn't done over TLS at all, or is done over TLS but is vulnerable to MITM attacks. Can you confirm/deny whether this is accurate?


The part about the username/password appearing before the cert warning sounds wrong. I distinctly remember that all the RDP packets went inside the TLS connection. Perhaps they just delay the cert warning until after RDP has been started? I'm sorry but it's been 14 years and I've tried not to look at RDP in the interim. You may revoke my "expert" status. :D I'd guess that even with TLS enabled you're still vulnerable to MITM since hardly anyone is going to use certs that can actually be validated against a root.


Existing exploits aside, controlling network access for your devices is a form of control too.

One could, for example, deny all Windows updates... then just wait for patch day and a new live exploit...

Another thing is one could deny access to something you want to harm, such as walmart.com or whatever (in favor of Alibaba).


The base assumption should always be that your network is breached and your devices vulnerable.

With so many poorly supported “smart” devices on the market, a great deal of your life is easily compromised once somebody is inside your network.

There’s no great promise that your PC is secure unless you’re rather well brushed up on security best practices.


I wonder how likely it is that fresh Linux installations are vulnerable in this way.


I have the same question. Maybe if there's a process running with an open port on the network and has a known vulnerability, then someone can gain access to the system once they're on the network?


If you can control the router you can inject vulnerabilities into normal traffic.


> How do you gain "control" of a device (presumably a PC) merely by having access to the router it is connected to?

ARP spoofing, DNS spoofing, UPnP...


This is so utterly predictable.

People flock to "free" services and give away all their data to do so.

People buy "cheap" printers, and sign up for extortionate ink programs to do so.

We have a car maker that "takes back" software options sold when the car was new on re-sale of that car.

Now we have people buying "cheap" Wi-Fi routers which are subsidized by their ability to be used by third parties for nefarious purposes.

Caveat Emptor only goes so far. The ability to fleece people through technology has been known and exploited for a long time, I wonder if we will ever see a consensus backlash against it.


Review from 2 years ago: https://mashable.com/shopping/oct-11-deal-walmart-jetstream-...

"WiFi routers always seem to make you sacrifice something, don't they?

You're either paying for speed and spending an ungodly amount of money, or opting for the budget pick and waiting forever for things to load.

You shouldn't have to make that choice. One bright spot on the WiFi landscape could come from an unlikely place: Walmart. The big box store is gearing up to save you money and headaches by launching a line of store-exclusive routers that minimize cost and maximize performance."

The cheap end were $35.


Router prices have boggled my mind for a while now. I bought routers on Amazon for $10-15 bucks about 5 years ago and they were fine. No issues and just some cheap brand. Then one day I stepped into a Best Buy and a guy came up to ask me if I needed anything and I said "do you have any routers cheaper than well...$40?" The guy scoffed and said "Not if you want a good one." He then proceeds to show me a $100 one made for like 1 gigabit internet and like 10 ports. I said "Nah I'll just go on Amazon, thanks."


2G+5G routers with built-in access points to support a multi-hundred Mbit uplink?

If you just want a simple 2.4 GHz access point for a typical 60 Mbit DSL you could probably get away with something like https://mikrotik.com/product/RB931-2nD for $20.

Obviously supports all the essentials you need from a home router (dhcp servers, natting, ospf+bgp, various vpns, etc), as well as things like mpls and vpls capability.


>Caveat Emptor only goes so far

This is key. The general public has a very basic understanding of tech generally and even less about what can be done with their data.


>Now we have people buying "cheap" Wi-Fi routers which are subsidized by their ability to be used by third parties for nefarious purposes.

You're assuming a) that the router is subsidized, and b) that the flaws are intentional. Neither are necessary, and neither make a lot of sense (why add a backdoor that anyone can exploit?)

It makes way more sense to consider this just another poorly made budget product. Same as anything else where sticker price is all that matters.


It's because people often value their time more than money.

Free services win because everyone can start using it and depending on it in 5 minutes, instead of having to pay for and download a comparable product, or worse, maintain an OSS alternative on a home server. The only time a consumer chooses to pay for something is when it's as entrenched into their minds as MS Office is, or when their employer/school demands it (also MS Office).

HP's ink is so successful since you can now just have it show up at your door when you're low on ink instead of having to make a trip to Best Buy. The extortionate price of unit-sold cartridges is only extra motivation.

And Tesla is only big because they have an appealing product; if other car manufacturers could offer the same (EV) range, software experience, and minimalistic design, they'd blow Tesla out of the water with superior service and build quality.

Now this cheap Wi-Fi router isn't something people are buying because it's comparatively better or offers some features, it's just a cheap Chinese wifi router that some corporate Wal-Mart manager decided to stock since it would be high-margin and, as far as they know, offered basic wifi functionality. Your argument would work for any other (high end) router like Nest WiFi, Netgear, etc.


People buy "smart" TVs which are subsidized by an integrated computer used to track and advertise to you.


Yup, same trade-off.

Now I'm a free market kind of guy and don't mind that people make such TVs and that some people choose to buy them over ones that don't do this. But I am saddened by the ability of this larger chunk of market to eliminate the option of a TV that isn't smart and doesn't do this. I have no idea how to fix that or even put pressure on it from happening.


Is the 'backdoor' the admin portal with default credentials and a poorly thought out default network policy?

The article seems to imply this is a malicious tool, but it seems more likely to me that this is just another poorly designed router instead.


I don't like cybernews.com or their video, so here's the researcher's page with details: https://james-clee.com/2020/04/18/multiple-wavlink-vulnerabi...


This should almost certainly replace the current HFET link, it's much more informative than either the HFET or CyberNews articles.


Hi there, as I mentioned above:

That original research only looked at one Wavlink router. This is the extended research with the help of two other researchers. And of course the attempted exploit from a malicious IP address which was detected only recently


This comment was talking about https://news.ycombinator.com/item?id=25189673; we've since merged that thread into this one.


Clee worked with Carta and Sasnauskas for months on this updated research so it's a bit unfair to imply it provides no value


Hey, author of the article that's now linked at the top of this page, nice to meet you. You wrote a fine article. You should be proud of it. I was wrong about which article should have replaced the blogspam link that originally graced HN, and your sibling comment to this one ("Hi there, ...") did a great job of explaining why with patience and politeness. The mods clearly agreed and made the right call.

This comment I'm replying to, though... you don't need to do this. If it had been the only reply you posted, I would have come away from our exchange with a very different opinion of you, and that would've been a bit unfair. Just something to think about for the future.


Hi, sorry about that. I agree


It looks like the issue is the admin password gets exposed to everyone on the local network and there's an interface for running commands on the router as root from the local network?

There's no mention if this is vulnerable to XSS which is the more interesting issue.

Not to knock the researcher's work too much, but what he did was what people installing OpenWRT on devices have been doing for 15 years, and what he found is pretty typical. Except for the password in JS. That was just weird.


You don't need XSS, that's not interesting at all. You can get the admin password from an insecure page, and then there's also a page to run commands as root.


Right, but you have to be on the local network to do that...unless the webserver also listens on the WAN interface.


He doesn't demonstrate an attack over the internet in this article, but this makes me think he did investigate it from a remote attacker perspective vs. local network:

>So what does that get us from the perspective of a remote attacker? We have the ability to get the current admin credentials, and we can get a shell if the telnet binary is started. However, most remote attackers wont be able to solder on any wires, so I wasn’t going to stop there.

>Going through the rest of the pages in the www directory, there is another web page that provides this interface:

So you don't need telnet, but the creds being on the page + knowledge of the system command page would be enough to do whatever you wanted.

Also see this follow-up research page on the same devices:

https://james-clee.com/2020/04/23/more-information-disclosur...

>Just a reminder – every screenshot below is of a web page that is externally accessible without requiring authentication and contains sensitive data.


> Right, but you have to be on the local network to do that

But who is "you" here? Are you assuming the attacker needs to be physically present on your network? Can any malicious script running in the victim's browser make an XHR request to "192.168.0.1/page-which-exposes-password"?


Ah, I found the interesting bit:

> a remote attacker can achieve RCE via a POST request to adm.cgi. There are several conditions required, including proper parameters and an active session. However, these conditions can all be met without any initial authentication required thanks to several specific exposed “live_(string).shtml” endpoints – so an attacker with the right background information about the device could achieve RCE fairly easily.


I played with OpenWRT a lot when the WRT54G was new-ish. Apparently the WRT54G-L is still being sold new from Amazon, but considering I have a 14-year-old one running DD-WRT, still going strong, I'm not surprised.

Anyway, back then, a lot of these devices had really bad security. Some were so bad that you could do an XSS attack that gains root access to someone's router. Someone could definitely have intentionally added a backdoor, but I agree that it's pretty likely that developers working on a router with the goal of being cheap were lazy, rushed, or just didn't care, and left a development backdoor open, allowed admin access on LAN and WAN, or something else.


There is more info in this article[1]. They say that this is separate from the admin page. It is basically a root shell on a web page exposed to the network.

[1] https://cybernews.com/security/walmart-exclusive-routers-oth...


I'd appreciate if the same kindness was shown to the Chinese router manufacturers. Sadly, when the manufacturer is Chinese, default credentials are suddenly a "secure CCP backdoor"


Well if you read the article;

"The Jetstream and Wavlink routers showcase a simple GUI (or user-friendly interface) for its backdoors that is different from the interface presented to router admins."


The article posted does not have those details.


But calling it a Chinese backdoor drives more clicks ;)


I bought a small x86 board with dual gig network cards and put openwrt on it. If you haven’t looked at openwrt lately, it’s really good, clean UI, right to the point. Best thing I’ve done for my network besides running pihole. I recommend it.


OpenWRT is absolutely fantastic. It's one of my favorite open source projects out there.

I won't buy home networking equipment if I can't put OpenWRT on it.


It'd be really great if we could get some governmental support for requiring that all home routing devices be sold with OpenWRT support.



Same thing for me with IPFire. It's my goto distribution for x86 routers as it focuses a bit less on low-end hardware.


It's not the AliExpress routers that worry me (although Walmart should have negotiated for better firmware), it's all the "name brand" routers that are running a 2.6.34brcm Broadcom kernel that'll never see another firmware update.


What specifically about this firmware version worries you?


I probably shouldn't have picked that one in particular, it's just front of mind at the moment.

That one might be better updated than others - but if it is, they don't seem to update the version number making tracking difficult, a lot of the vendors will stop providing updates to old devices. The other problem is that if you have a Mediatek, Broadcom, Ralink, Hisilicon vulnerability (all have their own kernel forks and driver forks) then every device downstream using that kernel or driver is vulnerable, and not all devices will get fixed. Even if the vendor or upstream fixes it, who upgrades their router firmware?


Ah, that's why NewEgg put every WavLink device on sale yesterday.


These guys are working way too hard to push the intentional-backdoor angle and tying it into a broader China narrative.


Read this: https://james-clee.com/2020/04/18/multiple-wavlink-vulnerabi...

>Low and behold, there was my super secret password in plain text, with the admin username in plain text, on a page that requires no authentication of any kind to view.

It is so fucking dumb that there is no other explanation other than an intentional backdoor. If anyone quotes Occam's Razor, you've been asleep for the past 5 years or so.


I disagree completely. This is exactly the kind of thing somebody might slip into a local debug build while testing.

This researcher isn't doing anything that complicated to find this page, and the page needs no authentication at all so it's not restricted to e.g. authentication via a secret that's held by the manufacturer.

If you want to make a backdoor, at least put some effort into it. This doesn't have the features I'd expect in a good backdoor.


Or maybe someone told the developer to implement a backdoor and this was the only way they thought they could do it?

Can someone explain what we get by assuming the Chinese are just so inept at technology (they aren't) that we give them the benefit of the doubt that this is a naive mistake here?


This has nothing to do with this being a Chinese device, and everything to do with it being a low cost consumer device.

The incentives for quality code here are incredibly weak, and the incentives for caring about security are basically zero. What damage does this vulnerability cause to Jetstream as a brand? It's not like they're going to lose many sales from people who read tech news sites.

If you need to get something working at the cheapest price point possible, you cut all the corners you can - especially in the ways that don't manifest until outside the return period. Paying senior developers and doing external code audits are luxuries you can't really afford.


To me it is the most logical option. It really comes down to what we pay for. If we order the cheapest possible unit price from China(or anywhere else in the world), we can't really expect them to care or even have the best people work on it. As clearly we don't either.

Just look at IoT crap produced around the world. Are they inept, or is security an afterthought?

On the other hand I believe that companies like Huawei are capable of very special things just like western counterparts.


> Can someone explain what we get by assuming the Chinese are just so inept at technology (they aren't) that we give them the benefit of the doubt that this is a naive mistake here?

Hardware manufacturers in general have a pretty poor reputation for security & software engineering, Chinese or otherwise. It’s not like Cisco has been vulnerability free.


From that article I honestly think the answer is incompetence. I've seen almost the exact same mistakes from really junior devs who are out of their conceptual league. They don't know what a session is or how auth is supposed to work or cookies and they have this web server that serves JS and templated HTML so they just use that. And it "works."


> If anyone quotes Occam's Razor

You probably mean Hanlon's Razor¹, which has been used so much it no longer cuts².

¹ https://en.wikipedia.org/wiki/Hanlon%27s_razor

² https://www.brainyquote.com/quotes/ian_fleming_539058


See also "Hanlon's Handgun" from https://news.ycombinator.com/item?id=21691282


I knew it was one of those stupid razors that people post smugly about


If I was making an intentional back door I wouldn't make anything that stupid. The super-secret password is "password123".

Maybe you have more faith in developers than I do because this sounds exactly like a dumb mistake/cutting corners to me.


I don't think you understand, "password123!" was the password the researcher set.

In the CVE, it details the call it executes to retrieve the password from nvram.


Ahh I misread. Even still. Directly injecting the password in the source of a JS file for the purposes of checking authentication? That screams naive error to me.


It is not necessarily an intentional backdoor. This simply could be an unmodified engineering sample code with no security.

It is a hard problem to solve. It is of advantage to China to flood US and European markets with cheap AND insecure hardware.


No one has to try hard for that anymore, everyone understands that to be a fact.

Someone would have to try hard to make a case that that is not the case.


Please explain your skepticism.


Why are you saying "push" when it appears to be 100% accurate? There's no "angle" here, just the truth.


The last time I was in the market for a 'cheap' router, I settled on Mikrotik. Very cheap, and incredible features. Configuration should not be a mystery for the average HN poster. Mine is router only, no wifi, but I have heard good things about wifi versions too.

Not sure what to recommend for non tech-savvy users though. The overwhelming majority of routers in the market that are targeted to consumers are hot garbage. Some TP-Link models? Maybe... Google (if you are OK with your most important device being from them)? Are Linksys still good? My last one was a WRT54G. It was ok out of the box, pretty good with custom firmware (that takes it outside the end-user territory once again).


TP-Link originated in mainland China, in Shenzhen. https://www.eweek.com/networking/china-s-tp-link-refreshes-b...


For normal consumers, at least in Germany, AVM's FritzBox is the standard. They are such a solid product that about half of the big ISPs provide branded versions of them to their customers.


Yes, Zen in the UK supply them, and I was surprised how good they are. The web & mobile app UI are well-designed, and it's updated automatically every couple of months.


Even for non-technical users, the MikroTik routers ship set up how a consumer would expect it I think.

The configuration after a reset/as shipped (at least on all my old models) is a local network at 192.168.88.0/24 with NAT and DHCP set up, wireless enabled and bridged to lan, etc.

Only time it's going to get a bit dicey is if they want to customize the configuration (e.g., forward ports). But for 90% of people that's not going to be an issue.


Forward ports is probably the only consumer feature not available in the quickset.


My biggest struggle with my Mikrotik was discovering how much consumer grade routers do behind the scenes automagically that commercial grade routers will not.

For instance, I wanted working NAT reflection and since my external IPv4 address is dynamic I wanted to construct a static ruleset that didn't specifically reference it. The solution there required me to exclude traffic destined for my LAN address range in my dnat forwarding rules to get it working properly. Fun stuff.


Mikrotik fan checking in here - my "cheap" recommendation to anyone is the current hAP lite - USB powered, sub $30 shipped to your door. Web fig is as simple as can be; the most basic model still has all the features in 'Advanced' mode though.


For those thinking Walmart/cheap router customers are more gullible, the Asus routers which are highly rated and used by tech-savvy users (flashing custom ROMs) require accepting Trend Micro (TM) EULAs for most of the features on the box. Even QoS settings require the user to accept a specific EULA to share data with TM. Traffic monitor of your LAN also requires a EULA.

The app that comes with the Asus router is littered with buttons which, if you accidentally click them, will make you accept the EULA.


Reminds me of Razer keyboards: their EULA makes you agree that they can receive data about keyboard inputs. Gaming brands are pretty scary as a whole for this stuff.


That's kind of an apples and oranges comparison. An EULA is merely a legal construct. There are a lot of instances someone might want to sign an EULA to share data, yet wouldn't want a device with a backdoor root shell.


I'm not sure why but reading this article raises my internal BS skepto-meter.

The story explains that the companies in question have access to RPC functions similar to those that an ISP might use but that they are not ISPs. Then later on the article states that one of the companies described itself as an ISP.

The story also questions why there is a GUI for running remote commands and why a device would need to scan for nearby networks. I can think of a few legitimate reasons for both but no reason a decent backdoor would have a server side backdoor GUI.

Just my opinion but I get the feeling this whole situation was created by IP theft in the form of firmware duplication. It seems these companies have used a very insecure firmware possibly made intentionally bad to trap or setup these Chinese manufacturers.

If these are in fact intentional backdoors they were made with an incredible amount of effort to look like sloppy 0day exploits.

I should add that I don't doubt that these vulnerabilities are real, just the intent behind them.

If I was having my products manufactured in China, I might provide a similar bad firmware for the factory too, then patch the devices before providing them to my customers to prevent IP theft.


Hey there - author of the article here. The research team behind this has a lot of unanswered questions as well, and a lot of...(like you) conjectures about how this may have arisen.

Normally, one should not attribute to malice what can simply be attributed to stupidity or probably laziness here.

Even then, however, it's a bit too suspicious though. Of course, we asked the manufacturers behind these devices for comment and -- surprise! -- no comment. In past experience with Chinese vendors, we've had similar results.

Of course, we'll update with any information we get.

Thanks for reading!


I would start by examining the getWifi.sh file a bit closer, chances are it's part of either a WPS or Network Bridge scheme.

Having thought about this story for a while now, I also think it is worth investigation, I might purchase an extender off Amazon.

The one part of the story I can't reconcile is how the Chinese IP attacker managed to find the device. I doubt this could have occurred just from random port scanning so there must be a call home, possibly by loading a hidden image on the "Backdoor GUI"?

The story was well written, just not sure it made me thirsty enough to drink the koolaid...or maybe it did! :P


Random attacks are much more frequent than one might expect. If you are unlucky enough to have a device that accepts the default telnet user/pass of 'root'/'xc3511' and you leave it open to the internet, you can expect it to be compromised in less than five minutes. [0]

[0]: https://isc.sans.edu/forums/diary/An+Update+On+DVR+Malware+A...


If you are thirsty enough to test it yourself, please let us know if you find anything!


I connected a Chinese router to the internet and within a day I was seeing DNS requests for qq.com and baidu.com.

And there were no devices attached to it, nor does anyone here use any of these sites.

I was really concerned at the time about what else it might be doing that I'm not even aware of.


Could just be a lazy test for connectivity. Did you log any of the traffic?


Don't know how to do that but would love to deep dive on this.
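On the question of how to log this: one option is to capture packets on the upstream (WAN) side of the router and read the DNS queries out of the capture file. The following is an added example, not part of the thread; it parses a classic pcap file with Ethernet/IPv4/UDP frames, and the addresses, the allowed suffix and the in-memory sample capture are constructed (the two domain names are the ones mentioned above).

```python
import struct
from collections import Counter

def parse_qname(msg, off):
    """Decode one uncompressed DNS name at `off`; return (name, next_offset)."""
    labels = []
    while off < len(msg):
        n = msg[off]
        if n == 0:
            return ".".join(labels) or ".", off + 1
        if n & 0xC0 or off + 1 + n > len(msg):  # pointer/reserved or truncated label
            raise ValueError("malformed name")
        labels.append(msg[off + 1:off + 1 + n].decode("ascii", "replace").lower())
        off += 1 + n
    raise ValueError("truncated name")

def dns_questions(msg):
    """Names asked for in a DNS query; [] for responses or malformed data."""
    if len(msg) < 12:
        return []
    _txid, flags, qdcount = struct.unpack("!3H", msg[:6])
    if flags & 0x8000:  # QR bit set: a response, not a query
        return []
    names, off = [], 12
    try:
        for _ in range(qdcount):
            name, off = parse_qname(msg, off)
            if off + 4 > len(msg):
                raise ValueError("truncated question")
            off += 4  # skip QTYPE and QCLASS
            names.append(name)
    except ValueError:
        return []
    return names

def iter_pcap(data):
    """Yield (timestamp, frame) from a classic pcap file with Ethernet frames."""
    endian = {b"\xd4\xc3\xb2\xa1": "<", b"\xa1\xb2\xc3\xd4": ">"}.get(data[:4])
    if (endian is None or len(data) < 24
            or struct.unpack(endian + "I", data[20:24])[0] != 1):
        raise ValueError("expected a classic pcap file with link type Ethernet")
    off = 24
    while off + 16 <= len(data):
        ts, _usec, incl, _orig = struct.unpack(endian + "4I", data[off:off + 16])
        off += 16
        yield ts, data[off:off + incl]
        off += incl

def dns_query_from_frame(frame):
    """(source IP, names) for an IPv4/UDP query to port 53, else None."""
    if len(frame) < 42 or frame[12:14] != b"\x08\x00":
        return None
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20 or ip[9] != 17 or len(ip) < ihl + 8:
        return None
    if struct.unpack("!H", ip[6:8])[0] & 0x1FFF:  # later fragment: no UDP header
        return None
    _sport, dport = struct.unpack("!2H", ip[ihl:ihl + 4])
    names = dns_questions(ip[ihl + 8:]) if dport == 53 else []
    return (".".join(map(str, ip[12:16])), names) if names else None

def queries_by_source(pcap_bytes):
    """Map each source IP to a Counter of the names it queried."""
    out = {}
    for _ts, frame in iter_pcap(pcap_bytes):
        hit = dns_query_from_frame(frame)
        if hit:
            out.setdefault(hit[0], Counter()).update(hit[1])
    return out

def unexpected_names(per_source, router_ip, allowed_suffixes):
    """Names queried by router_ip that match none of the allowed suffixes."""
    seen = per_source.get(router_ip, Counter())
    return sorted(n for n in seen
                  if not any(n == s or n.endswith("." + s) for s in allowed_suffixes))

# --- Constructed sample capture (documentation addresses, made-up timestamps) ---
def make_query(name, flags=0x0100):
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack("!6H", 1, flags, 1, 0, 0, 0) + qname + struct.pack("!2H", 1, 1)

def make_frame(src, dst, sport, dport, payload):
    udp = struct.pack("!4H", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return b"\x02" * 6 + b"\x04" * 6 + b"\x08\x00" + ip + udp

ROUTER, RESOLVER = "192.0.2.10", "192.0.2.53"  # constructed: router WAN side, resolver

def build_sample_pcap():
    frames = [make_frame(ROUTER, RESOLVER, 40000, 53, make_query(n))
              for n in ("qq.com", "www.baidu.com", "qq.com", "0.pool.ntp.org")]
    # A response (QR set, sent to the client port) and a truncated query: both ignored.
    frames.append(make_frame(RESOLVER, ROUTER, 53, 40000, make_query("qq.com", 0x8180)))
    frames.append(make_frame(ROUTER, RESOLVER, 40000, 53, make_query("example.net")[:-6]))
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for i, f in enumerate(frames):
        out += struct.pack("<4I", 1606000000 + i, 0, len(f), len(f)) + f
    return out

if __name__ == "__main__":
    print(unexpected_names(queries_by_source(build_sample_pcap()), ROUTER, {"ntp.org"}))
```

With no clients attached, every query sourced from the router's WAN address is the router's own. This only sees plain UDP port 53 over IPv4; DNS over TCP, DoT/DoH and IPv6 would need separate handling.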


While Wavlink bears a lot of responsibility for these problems, I bet this is a Mediatek or Ralink board support package that is security swiss cheese.


I am starting to wonder if there is a Startup / Business to be made where the Router is a simple Whitebox with excellent support of OpenWRT.


People have tried over and over, there's been countless startups and Kickstarter campaigns and none have stuck around past the initial release.


Gl-inet seem to be going well with this model


All the (three?) articles about this gloss over whether/how this is remotely exploitable or whether you need to be on the local network. This would seem to be evidence that it is:

> Basically, the first IP address you see there – 222.141.xx.xxx, which comes from China – was trying to upload a malicious file on the router using the vulnerabilities.

Since when does a router respond to the whole world on port 80 by default?


Overall it's a good idea to avoid buying electronics from Walmart unless it's something simple like a cable.

I've also heard that products such as TVs are usually lower quality compared to those sold elsewhere; usually the manufacturer creates a model specifically for Walmart, using lower quality parts, display panels which don't pass QA and are binned, SoCs which may have issues, etc.


Not sure about Walmart in general, but this is a known thing for big box Black Friday electronics. These items will typically have different SKUs than their equivalent normal priced electronics and often have at the minimum reduced feature sets, like fewer HDMI ports, anything really that can get the BOM lowered is likely to be removed from the electronics. I haven't heard if they go as far as to use SoC with known issues, but certainly I can see them getting binned chips that fall within "acceptable" parameters, where acceptable is quite low.


Can someone explain what the actual backdoor is without me having to wade through pounds and pounds of narrative text that doesn't actually explain anything?

I started watching the video, but it just looks like self-congratulatory nonsense.


It's kind of a pain in the ass but a solution is to set these devices all in their own L2/L3 network segment with separate routing (via a different VPN) out to public.


Just spitballing here but would it be possible to write more secure firmware for these routers, wipe the firmware, install your own, and then sell the routers under your own brand?


Don’t buy network devices from China.


Illogical response. The logical response is to use multiple layers of network security provided by different vendors and hardware/software stacks so that there is no single point of trust and you mitigate the impact of a breach. That way you don't need to struggle with the heavy burden of maintaining illogical beliefs such as mystical associations of 'western' supply chains being 'clean', whereas 'backdoors' are being actively created by 'bad actors' affiliated with 'the other' motivated by 'reasons' against your specific person because 'nothing better to do' despite 'vast scope' and 'international supply chain conspiracy'. Uhuh.


Buy network devices from China, put OpenWRT on it.


Wow, the investigation couldn't even figure out which company was actually making the Jetstream routers. They believe it's Winstars Technology Ltd but they're not sure.

Sounds shady when whoever's making it is apparently distancing themselves from their own product.


Wondering if Huawei routers have backdoors backed in as well...


More of a missing door than a "back door."


Hugged to death?



This is why we need OpenWrt!


Stallman was right.


That's why you can't use Huawei


Chinese


When will the world realize this for what it is. An act of war in the information age.


Very hard to get anyone to react in Low Intensity Conflict :(

https://en.wikipedia.org/wiki/Low-intensity_conflict


Wow, looks like a China state-funded operation to create a botnet. Nice research.


China is not our friend.

China is not our friend.

China is not our friend... I hope that by repeating this often enough and loud enough that peoples, politicians, and companies will get the hint.

Government sponsored, or not, it doesn't matter. The anti-world behavior exhibited by China and its populace clearly shows they are not a friend to anyone by themselves.

Trade with China should be reconsidered on a global scale.



