Jetstream is the Walmart brand name for a line of cheap Chinese wifi base-station/routers; other popular, cheap brands like Wavlink and Winstars appear to come from the same manufacturer and they all share a grave security vulnerability: a powerful back-door.

1/

A collaboration between Cybernews, Mantas Sasnauskas and James Clee and Roni Carta documents the back-door, attempts to connect multiple corporate identities to a common owner, and presents a (very) rough estimate of the number of devices that share this defect.

cybernews.com/security/walmart

The researchers say that the back-door allows remote parties to "monitor and control all traffic coming through" affected devices, using an undocumented web-form that accepts commands and runs them as root.

2/

This form has only the crudest security, checking to see if there's ANY user activity on the network before allowing access. The researchers claim this as evidence that this is a deliberate back-door and not a forgotten testing feature or error.

3/

They also document a hidden feature that causes routers to enumerate nearby routers. While they say there's no reason for this to exist, I can think of at least two: first, for dynamic frequency selection to avoid interference, and second, to set up relaying services.

However, I agree with their contention that such a feature would be useful to the spread of malicious software that exploits the same back-door.

4/

I'm more dubious of their implied claim that all of this represents some kind of Chinese state intervention in product design in order to facilitate surveillance and/or cyberwarfare.

It's true that China (and other world powers, notably the USA) have covertly and overtly weakened device security as part of their cyberoffense efforts. But it's also true that vendors make this kind of stupid mistake all the time, without government encouragement.

5/

Remember when Chrysler shipped millions of internet-connected Jeeps whose main security was that the connectivity came from Sprint and since no one uses Sprint, no one would be on the same network as the Jeeps?

wired.com/2015/07/hackers-remo

6/

Chinese white-label firms are notorious for building idiotically insecure devices that are sold under multiple brand names, in ways that lead to real harms to their owners, and there's no indication that this was malice - rather, it was indifference.

kerneronsec.com/2016/02/remote

7/

Which is not to say that Chinese cyberwarriors wouldn't exploit these defects - as would their US and other foreign counterparts. Indeed, a major impediment to the passage of good cybersecurity regulation is the extent to which spy agencies rely on insecure IoT devices.

And of course, that's just one form of blowback. Vulnerabilities are also useful to cybercriminals, and that's why both China and the US are under continuous, nation-scale, punishing ransomware and Mirai attacks.

8/

It seems like there's at least one Mirai version that targets the Jetstream back-door. But then again, Mirai is an aggressive little fucker that also targets high-end, Sony equipment.

krebsonsecurity.com/2016/12/re

I think the geopolitics of this thing isn't "Chinese spies coerced a manufacturer into riddling its products with vulnerabilities." It's: "In the absence of regulation and liability, companies make insecure products."

9/

And also: "Spies do what they can to prevent regulation because they like insecure products."

And finally: "Criminals love the insecurities that reckless companies create and governments fail to punish."

Oh, and "Walmart's procurement process is garbage and you should throw away your Walmart router."

eof/
