Hi Reddit! Mantas Sasnauskas here.

EDIT: Thank you guys for the interest. I'm going to take a break now. I'll make sure to come back tomorrow and answer remaining comments. So keep them coming.

EDIT2: Hey! I’m back and will slowly answer some of the remaining questions throughout this day. I see a lot of you asking about routers (you probably personally use) and their security. We tested Wavlink and Jetstream ones so far so I can’t really comment on other brands. Also, there are quite a few questions about custom router operating systems. Personally, I use pfsense with snort and run pi-hole.

I’m an information security researcher hunting for new and emerging threats. I do everything from Threat Hunting to hardware hacking.

Commercial gadgets are now cheaper and more plentiful than they’ve ever been. As security researchers, by trying to alter the technology’s behaviour and capabilities, we probe and evaluate the security of technology developed by others to see how much has been done to ensure their privacy and security.

In our recent investigation in collaboration with researchers James Clee and Roni Carta we identified hidden backdoors in cheap Chinese-manufactured Jetstream and Wavlink wifi routers sold by Walmart, Amazon and eBay, with evidence that these backdoors are being actively exploited, and there’s been an attempt to add the devices to a Mirai botnet.

  • We found multiple RCE vulnerabilities, that enable bad actors to exploit them
  • We identified backdoors on some of the devices
  • The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks
  • After setting up a small, trivial honeypot that intercepts the traffic with the router, we immediately saw attempts from a Chinese IP to upload a malicious file containing the Mirai malware which was not made for the specific router, but rather just shows, that malicious attempts are being made on a mass scale, and considering the vulnerabilities and the backdoor on the routers it poses a very real risk, that these might also be exploited.

Want to know how the routers were investigated? The vulnerability identification and disclosure process? Or just discuss what such backdoors in wifi routers mean for their users?

I’ll be here 3-5 PM UK time today but will endeavour to answer follow up questions over the next couple of days.

This AMA is part of our efforts to spread the word about cheap wifi routers that allow spying on its users. Check out the full report here.

So far, we’ve managed to contact Walmart about the affected devices, and Walmart has stopped selling one affected router. However, we believe that most or all devices from this brand have the same vulnerabilities. Wavlink, one of the device makers, has released new firmware to address the security issues our research exposed. While we have not yet confirmed these modifications with our own testing, they claim to have removed unnecessary diagnostic pages, deleted tcdump tool, added code to block a CSRF attack, and improved web authentication process. If all of these can be confirmed and reflected in the firmware, it should mitigate all the vulnerabilities we discovered.


Comments: 521 • Responses: 27  • Date: 

Mesapholis287 karma

what basic steps as a private person can I take to make my router more secure - I heard about using vpn inside of your router directly?

Cybernews_com315 karma

A VPN could be used as one tool to mitigate just some of the risks, because it encrypts your traffic. But the main thing would be to change the default passwords to a secure random password. But this is a minor mitigation, but if you have an unsecure router then there's nothing much you can do. The bad actor may not be able to see the traffic, but they might still be able to take over your network.

Mesapholis36 karma

what is the most secure device you recommend for private households on the market?

Cybernews_com97 karma

For privacy and control of my network, I generally use the devices from Michael Bazzel's list: https://inteltechniques.com/links.html

AnimiLimina47 karma

What do you think about ISP’s often forcing you to use their router, however save they might be. Is there any legal base for it?

Cybernews_com69 karma

If ISPs force you to use their routers, I think that's unfair. Normally, though, from experience, I've seen that you can use your own router.

r99710643 karma

What are you opinions on Iot/smart home devices with regards to home network security?

I remember hearing cheap devices can leave backdoors open. Is there any router settings or software ie ddwrt that can negate this allowing for better cheaper devices.

Cybernews_com35 karma

From this investigation I can deduct that yes, cheaper IoT devices do sometimes contain backdoors, and flashing ddwrt could potentially negate those backdoors. But this can only be done by an advanced user and the question is wether you’d be able to keep the persistence on the router.

app4that39 karma

Seeing TP-Link is one of the most common-and most price-competitive- WiFi and cable modem manufacturer that US consumers have access to, how's their security? And how is the security of factory 'remanufactured' devices?

Cybernews_com39 karma

That's a really good question. It's in my plans to investigate more popular brands like TP-Link, Netgear and other well-known brands for vulnerabilities. That way, I'll be able to check how secure they are, as well as the remanufactured devices. But until then, i can't really comment on the security status of those devices.

lack_of_jope33 karma

What do you think of ubiquiti products? They are very cost effective, and getting into homes and small businesses.

With their remote management and monitoring features, do you see any security risks with using them?

Thank you for your insight!

Cybernews_com43 karma

I think ubiquiti products are pretty good, and they're one of my favorite products to use.

dterrones19 karma

What are your thoughts on the Google Mesh WiFi? In terms of security how would you rate it from 1 to 10

Cybernews_com3 karma

Can't comment as I did not test it yet.

monkey669918 karma

Curious if you are aware of any independent testing that is being performed on broadband cable or DSL modems distributed by internet providers?

Cybernews_com33 karma

Actually, I do -- there was research done on a major ISP in North Europe called Telia, and the researchers found multiple vulnerabilities and backdoors [link]. This is one of the recent investigations, and there may very well be more ISPs that may not have invested in their router security.

sephstorm17 karma

Are you working with the RouterSploit project or anything similar to enable individuals or organizations to scan their own devices for these vulnerabilities? If not, are you willing to do so?

Cybernews_com17 karma

I'm not working with RouterSploit project, but I definitely know about it and think they're doing amazing work. Actually, it's a pretty good idea to include these vulnerabilities in RouterSploit

Cybernews_com8 karma

By the way, the other researchers James Clee and Roni Carta developed this tool to check for these vulnerabilities.

SevnPlanets17 karma

Anything I can do to make my TP-Link AC1750 safer?

Cybernews_com24 karma

Sure, you can put it in a Faraday cage :)

But in reality, this device is a wifi extender, so there isn't much we can suggest to make it safer. We haven't analyzed it, so we can't comment on its security.

shartoberfest13 karma

What are your thoughts on chinese brand routers like those made by xiaomi or huawei?

Cybernews_com34 karma

The only thing I can say is that I personally would not buy any Xiaomi or Huawei devices, and let's leave it at that :)

cficare11 karma

Do you have links to resources we can read up on from others in your field? Are there any cut and dry methods to secure a router you havent investigated, yet? I.e. Changing the firmware, blocking certain ports or protocols, monitoring certain channels, etc?

Cybernews_com16 karma

There are a lot of things you can do, and it depends on the router. I’m not going to list them all, here’s a good resource on that https://routersecurity.org/#StartHere

Imafork8 karma

Do you think the recent surge of cheap Chinese smart home products (bulbs, smart sockets, cameras, etc) could have similar vulnerabilities? I've tried to keep my smart home tech to the major vendors like Philips, but the Chinese competitors often offer features you can't find elsewhere plus at a much lower cost

Cybernews_com2 karma

These devices are made so quickly and so cheaply it is possible security is compromised for the price. But it's only speculation.

DrJawn7 karma

Is a mesh system more vulnerable than a standard wifi system?

Cybernews_com10 karma

From my perspective, I can’t say that mesh systems are more/or less vulnerable than stand-alone wifi systems. It all boils down to a particular system or device. Unless you have something specific in mind. I don’t like to generalise things.

blue_villain5 karma

After all of your investigations, are you able to provide recommendations on specific routers or brands?

Cybernews_com6 karma

As of today, we've investigated Wavlink and Jetstream routers. Of the routers we investigated Wavlink has already issued an updated firmware [link] that apparently fixes the vulnerabilities. So if you have a Wavlink router, I'd recommend going to their website and updating.

petawmakria4 karma

Do you miss Lithuania?

Cybernews_com3 karma

I do!:)

ramdomdoge27724 karma

What is the worse vulnerability you encountered? Do they seem intentional?

Cybernews_com7 karma

In this research, the worst vulnerability was the CSRF and hardcoded password. In general, though, in my career one of the worst thing I've seen is just the default username:password that are still used on so many devices

badabing8883 karma

how’d you get your start? sounds like interesting work. Being 15 yrs into IT career on the infrastructure side this kind of work always interested me

Cybernews_com5 karma

Honestly, with your 15 yrs of experience, just start your first project. It involves a lot of YouTube and Googling, and just learning by experimenting and you will understand how things work on the hardware and software side

billy_teats2 karma

Is your research limited to cheap wifi routers? Why? What are the differences between cheap routers and more expensive routers? If they're all Linux, do they prevent source code viewing/manipulation, or are the expensive ones just more complex?

Have you thought about including IoT devices? Vacuums, doorbells, lightbulbs, street cameras, refrigerators, TV's are all internet connected and none of these devices gives 2 shakes about building in security to their device.

Is bad press our only real defense against non-existent security?

Cybernews_com2 karma

One step at a time :) We are planning to look into more routers and IoT devices. And I think awareness is a better defense.

billy_teats2 karma

Another question - Where do you stand on hacktivism, legally and ethically?
If you have found these exploits, you can potentially build protections against them. For example, you find a series of routers that have a backdoor. You prepare a new firmware version that resolves the problem (maybe it also 'worms' to protect future devices that come online later). You've definitely hacked the device, but your intentions were good. You have prevented malicious behavior, through questionable means.

Cybernews_com2 karma

I think hacktivism can bring positive impact to society, but there is a very thin line between hacktivism and legality.

Doyenne8172 karma

Is the Nighthawk router a good buy? Does it help protect more than a standard router? And also this thread is amazing!

Cybernews_com2 karma

I didn't test this router.

JoJoUp2 karma

Are the Comcast routers apart of this?

Cybernews_com2 karma

Not that I'm aware of.