I am a security researcher currently working on checking cheap wifi routers for critical vulnerabilities. Ask me anything.
Hi Reddit! Mantas Sasnauskas here.
EDIT: Thank you guys for the interest. I'm going to take a break now. I'll make sure to come back tomorrow and answer remaining comments. So keep them coming.
EDIT2: Hey! I’m back and will slowly answer some of the remaining questions throughout this day. I see a lot of you asking about routers (you probably personally use) and their security. We tested Wavlink and Jetstream ones so far so I can’t really comment on other brands. Also, there are quite a few questions about custom router operating systems. Personally, I use pfsense with snort and run pi-hole.
I’m an information security researcher hunting for new and emerging threats. I do everything from Threat Hunting to hardware hacking.
Commercial gadgets are now cheaper and more plentiful than they’ve ever been. As security researchers, by trying to alter the technology’s behaviour and capabilities, we probe and evaluate the security of technology developed by others to see how much has been done to ensure their privacy and security.
In our recent investigation in collaboration with researchers James Clee and Roni Carta we identified hidden backdoors in cheap Chinese-manufactured Jetstream and Wavlink wifi routers sold by Walmart, Amazon and eBay, with evidence that these backdoors are being actively exploited, and there’s been an attempt to add the devices to a Mirai botnet.
- We found multiple RCE vulnerabilities that enable bad actors to exploit them
- We identified backdoors on some of the devices
- The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks
- After setting up a small, trivial honeypot that intercepts the traffic with the router, we immediately saw attempts from a Chinese IP to upload a malicious file containing the Mirai malware, which was not made for the specific router but rather just shows that malicious attempts are being made on a mass scale, and considering the vulnerabilities and the backdoor on the routers, it poses a very real risk that these might also be exploited.
Want to know how the routers were investigated? The vulnerability identification and disclosure process? Or just discuss what such backdoors in wifi routers mean for their users?
I’ll be here 3-5 PM UK time today but will endeavour to answer follow up questions over the next couple of days.
This AMA is part of our efforts to spread the word about cheap wifi routers that allow spying on their users. Check out the full report here.
So far, we’ve managed to contact Walmart about the affected devices, and Walmart has stopped selling one affected router. However, we believe that most or all devices from this brand have the same vulnerabilities. Wavlink, one of the device makers, has released new firmware to address the security issues our research exposed. While we have not yet confirmed these modifications with our own testing, they claim to have removed unnecessary diagnostic pages, deleted the tcpdump tool, added code to block a CSRF attack, and improved the web authentication process. If all of these can be confirmed and reflected in the firmware, it should mitigate all the vulnerabilities we discovered.