Walmart-exclusive router and others sold on Amazon & eBay contain hidden backdoors to control devices
Update, November 27: Wavlink responded to our research findings in a blog post on November 26, and we discuss (and refute) their statements at the end of the article.
In a collaboration between CyberNews Sr. Information Security Researcher Mantas Sasnauskas and researchers James Clee and Roni Carta, suspicious backdoors have been discovered in a Chinese-made Jetstream router, sold exclusively at Walmart as their new line of “affordable” wifi routers. This backdoor would give an attacker the ability to remotely control not only the routers, but also any devices connected to that network.
CyberNews reached out to Walmart for comment and to understand whether they were aware of the Jetstream backdoor, and what they plan to do to protect their customers. After we sent information about the affected Jetstream device, a Walmart spokesperson informed CyberNews: "Thank you for bringing this to our attention. We are looking into the issue to learn more. The item in question is currently out of stock and we do not have plans to replenish it."
Watch the video below to hear directly from Sasnauskas, Clee and Carta about how they discovered the backdoors and what it means for everyday consumers:
Besides the Walmart-exclusive Jetstream router, the cybersecurity research team also discovered that low-cost Wavlink routers, normally sold on Amazon or eBay, have similar backdoors. The Wavlink routers also contain a script that lists nearby wifi and has the capability to connect to those networks.
We have also found evidence that these backdoors are being actively exploited, and there’s been an attempt to add the devices to a Mirai botnet. Mirai is malware that infects devices connected to a network, turns them into remotely controlled bots as part of a botnet, and uses them in large-scale attacks. The most famous of these is the 2016 Dyn DNS cyberattack, which brought down major websites like Reddit, Netflix, CNN, GitHub, Twitter, Airbnb and more.
Of the known devices affected by Mirai in the 2016 Dyn cyberattack, the majority were routers.
In starting the research, Clee originally wanted to see what kind of security low-cost Chinese devices like Wavlink had: “I was interested in seeing how much effort companies were putting into security. I decided it would be a great hobby to buy cheap Chinese technology off of Amazon and see what I could find out.” He then got in contact with Carta and Sasnauskas at CyberNews.
“After talking to James about his discovery,” Carta told CyberNews, “I immediately tried to look for other companies using the same firmware, and found that Jetstream's devices are also vulnerable. The research was interesting to understand where the vulnerability came from, and how a malicious actor could fully exploit it.”
While Jetstream has an exclusive deal with Walmart, and is sold under other brand names like Ematic, there is very little information available about which Chinese company actually produces these products.
Wavlink is a technology company based in Shenzhen, China, in the Guangdong province. There is more information publicly available about this company than about Jetstream.
Its LinkedIn page shows that there are approximately 1,000 people working in the “WAVLINK group, including one factory in Shenzhen, China, one business center in Hongkong, and one research facility in California, USA.” On its company page, Wavlink claims to sell its products to “China, Middle East, H.K, Australia, Norway, etc.” and its products can be bought through Amazon, eBay, and others. It is currently expanding in other markets like Indonesia.
“We have reason to believe that both Jetstream and Wavlink are subsidiaries of a Shenzhen-based company known as Winstars Technology Ltd.,” Sasnauskas stated.
While Clee’s original research (and follow-up) analyzed one Wavlink router, our new analysis shows that multiple Wavlink and Jetstream devices are affected. In fact, every device that the team analyzed was found to contain backdoors.
“After my initial findings on the first router I purchased, I bought two more repeaters off Amazon,” Clee told CyberNews. “Although they are very different physically and slightly different technically, all three had almost the exact same exploit chain. It's hard to make sweeping, definitive statements, but given that all three had the same flaws I’d suspect that many more Wavlink devices are the same.”
Clee attempted to contact Wavlink in February. However, they have still not responded.
Hidden backdoors on potentially millions of devices
One of the most intriguing aspects of this research was the discovery of suspicious backdoors that were enabled on all of the devices.
Backdoors are a means for an authorized or unauthorized person to gain access to a closed system – in this case, a router – by bypassing the standard security measures and taking control, typically with full administrative (root) access. In fact, this type of secret backdoor access is a major reason that the US, Germany, and other governments around the world banned Huawei when they found that the Chinese company could secretly access sensitive information on devices that it sold.
While it is common for routers that you get from your local ISP to have a type of backdoor enabled on the device – usually for admin purposes to assist you if you have any problems – there’s one thing to remember: Wavlink and Jetstream are not ISPs.
A backdoor with a user interface
The Jetstream and Wavlink routers expose a simple GUI (a user-friendly interface) for their backdoors that is separate from the interface presented to router admins.
While Wavlink does have instructions on its website for how users can access their router, the backdoor that we discovered appears to be tied to a remote code execution (RCE) vulnerability that we will discuss in follow-up research.
In normal situations, an attacker who wants to take control of a router would need physical access to the device. As it stands right now, the Wavlink and Jetstream devices we looked at have a file that allows remote access to the router. The only thing the attacker would need is for a user to be connected at the time.
This is due to a lack of validation on the device’s backend, which appears to check only whether any session is active. If one is, it grants the requester access to the page without properly checking who owns that session.
We also discovered that the credentials needed to access the device are checked in JavaScript. This means that, by inspecting the page source, you can retrieve the root password from a certain endpoint and remotely access the target device. This endpoint always returns the current user password: even if the user changes their password, the endpoint is updated to match.
On the devices that don’t have the password in the Javascript, there are unencrypted backups that can be downloaded without authentication. These backups would allow an attacker to get the admin passwords as well.
“This is not a mistake”
For the researchers, these are not just coincidences: they point at something intentional.
“This is not a mistake,” Carta tells CyberNews. “Someone had to take the decision to make the password client-side. A human conceived this code knowing that this would be accessible from an unauthenticated user. Now, the question is why?”
Clee agrees with Carta: “The fact that there’s a GUI for RCE, and the fact that a page was established to validate a password outside of the existing authentication mechanisms, leads me to believe that neither were an accident.”
“Why would a company,” Clee wonders, “which potentially knows the credentials of any of its routers, give itself the hidden ability to access anyone’s router and run commands? They are not an ISP. Why would they need that access?”
Scanning for other wifi networks
We also discovered that Wavlink devices have a script named getwifi.sh in a bin folder that lists all the neighboring wifi connections. The Wavlink device then has the ability to connect to the other wifi networks.
Below is a script that lists the nearby wifi networks:
And here are the results from running it on our own test device:
“We can only speculate whether this is intentional or it’s just poor practice with no security and privacy consideration on behalf of the company,” Sasnauskas stated. “This raises a lot of questions. Why would a company need to create and leave these? With this, an attacker can compromise not only the router and the network, but neighboring networks too. This is not and should not be normal practice, not in this context.”
Mirai malware attacking our router
In order to understand the scope of the hidden backdoor “feature” and exactly what that means, we wanted to see if any bad actor was attempting to attack the device.
To do this, Clee set up a small, trivial honeypot that intercepts traffic to the router, and we checked it for any malicious activity. The honeypot would be easily identifiable by any person if the attack were done manually. However, if the attack were automated, such as with a malicious script, the honeypot would not be detected, or the detection phase would simply be skipped.
Almost immediately after we turned on the honeypot, we got this request:
Basically, the first IP address you see there – 222.141.xx.xxx, which comes from China – was trying to upload a malicious file to the router using the vulnerabilities. When we checked this file, we saw that it contained the Mirai malware – a malicious script that connects the router to the Mirai botnet.
This indicates that active exploitation is happening, and considering the critical vulnerabilities these devices contain and the number of proof-of-concept (PoC) exploits available, there is a very high chance that they are being successfully exploited – although further investigation would be needed to confirm that.
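As an added illustration (not code from the article or from the researchers), the following Python script performs the kind of triage a defender would apply to a router's HTTP access log after an incident like the one above: it flags requests for webcmd.shtml arriving from outside the LAN, writes to that page from the WAN, and LAN requests whose Referer points at a foreign site, which is the browser-driven pattern behind the CSRF concern raised later in the article. The log lines, the router address 192.168.10.1 and the 203.0.113.45 source are constructed sample values; the article's redacted 222.141.xx.xxx address is not used.

```python
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed sample log in Combined Log Format. Addresses come from
# RFC 1918 / RFC 5737 ranges, not the redacted address quoted in the article.
SAMPLE_LOG = """\
192.168.10.20 - - [20/Nov/2020:09:58:10 +0000] "GET /index.html HTTP/1.1" 200 4123 "http://192.168.10.1/" "Mozilla/5.0"
203.0.113.45 - - [20/Nov/2020:09:58:31 +0000] "GET /webcmd.shtml HTTP/1.1" 200 812 "-" "Wget/1.20"
203.0.113.45 - - [20/Nov/2020:09:58:32 +0000] "POST /webcmd.shtml HTTP/1.1" 200 14 "-" "Wget/1.20"
192.168.10.20 - - [20/Nov/2020:10:02:05 +0000] "GET /webcmd.shtml HTTP/1.1" 200 14 "http://attacker.example/lure.html" "Mozilla/5.0"
192.168.10.20 - - [20/Nov/2020:10:03:00 +0000] "GET /webcmd.shtml HTTP/1.1" 200 812 "http://192.168.10.1/login.html" "Mozilla/5.0"
"""

ROUTER_ADDR = "192.168.10.1"         # assumed LAN address of the monitored router
SENSITIVE_FILES = ("webcmd.shtml",)   # the article names only this page
LAN_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


@dataclass
class Entry:
    ip: str
    method: str
    path: str
    status: int
    referer: str


def parse_log(text: str) -> List[Entry]:
    """Parse Combined Log Format lines; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(Entry(m["ip"], m["method"], m["path"], int(m["status"]), m["referer"]))
    return entries


def is_lan(ip: str) -> bool:
    """True only for RFC 1918 space, i.e. clients on the router's own LAN."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in LAN_NETS)


def referer_host(referer: str) -> Optional[str]:
    if referer in ("", "-"):
        return None
    return urlsplit(referer).hostname


def classify(e: Entry) -> List[str]:
    """Return alert labels for one entry; an empty list means nothing notable."""
    path = e.path.split("?", 1)[0]
    if not any(path.endswith("/" + f) for f in SENSITIVE_FILES):
        return []
    alerts = []
    if not is_lan(e.ip):
        # Management page reached from the WAN: the exposure the article warns about.
        alerts.append("wan-access-to-management-page")
        if e.method in ("POST", "PUT"):
            alerts.append("wan-write-to-management-page")
    else:
        # A LAN browser sent the request while sitting on a foreign site: CSRF pattern.
        host = referer_host(e.referer)
        if host is not None and host != ROUTER_ADDR:
            alerts.append("possible-csrf-from-browser")
    return alerts


def scan(text: str) -> List[Tuple[str, str, List[str]]]:
    """Run classify() over a whole log and keep only entries that raised alerts."""
    hits = []
    for e in parse_log(text):
        alerts = classify(e)
        if alerts:
            hits.append((e.ip, e.path, alerts))
    return hits


if __name__ == "__main__":
    for ip, path, alerts in scan(SAMPLE_LOG):
        print(ip, path, ", ".join(alerts))
```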
Even before seeing live exploitation attempts, this was not unexpected. “It’s like having a city as big as New York, and all those millions of doors are wide open,” Sasnauskas stated. “Someone is definitely going to try to get into those houses and those apartments and try to steal whatever they can.”
We will continue to investigate the Mirai botnet, including assessing the scope of the infection and the bad actor or group behind it.
The precarious position of Chinese tech companies
It is near impossible to discuss vulnerabilities in Chinese hardware or software without acknowledging the Chinese government’s position on national and international surveillance. In essence, the current Chinese government, under Xi Jinping, has turned its resources heavily towards gathering as much data as it can about its citizens locally and globally, and its competitors – both in terms of corporations and governments.
Chinese data retention laws, for example, force Chinese companies, or companies operating in China, to keep data on servers located inside the country – and to provide practically unfettered access to that data to law enforcement. This includes even encrypted data, with the Chinese government requiring access to decryption keys.
This puts Chinese companies in a precarious position: they must serve their customers, and they must also provide access to the Chinese government.
Taking all of those factors into consideration, it becomes especially concerning that the Jetstream and Wavlink devices we looked at have such gaping security holes.
In effect, there’s one important question that arises then:
Would the Chinese government, having the legal authority to access all Chinese companies’ data held within the country, now have the ability to control and see all the traffic flowing through these Jetstream/Wavlink devices, and the devices connected to those networks?
This is a very uncomfortable question.
Is it Wavlink, Jetstream or Winstars?
Another interesting aspect about Jetstream and Wavlink is the attempt to find out anything real about the companies.
Wavlink and Winstars
When we visited Wavlink’s LinkedIn page, we discovered that some of their employees listed their workplace as Winstars Technology Ltd:
Navigating to that website, we see that Winstars Technology Ltd, whose logo claims it is an “ISP & Operator Specialist,” has a similar history to Wavlink. This company’s listed address:
is the same as Wavlink’s:
Beyond that, some of their products also seem to be the same. Compare Winstars’ Thunderbolt 3 8K docking station:
To Wavlink’s Thunderbolt 3 8K docking station:
The connection seems to be pretty solid – but, when it comes to Chinese corporate structures, it’s more a matter of which company owns which. According to this filing, Wavlink is a registered trademark of Winstars Technology Ltd – which would put Winstars as the parent or at least superseding company.
Is “Jetstream” Winstars’ American brand?
When it comes to Jetstream, although it appears to have signed an exclusive deal with Walmart, where its products are listed as “affordable” wifi routers exclusive to the retail giant, there is no clear information about the brand’s ownership or Chinese base.
However, the products offered by Jetstream on Walmart share similar features to Wavlink and Winstar products. This includes the Jetstream (on left) and Wavlink (right) mesh routers:
And the gaming routers (Jetstream on left, Winstars on right):
Beyond that, the login pages for both Wavlink and Jetstream routers look the same:
We also noticed that Wavlink’s router login page had “Jetstream” in the source code:
The connection between Wavlink/Winstars and Jetstream grows even stronger the further we investigated. We discovered files within the routers that link Jetstream and Wavlink in multiple URLs:
We also discovered that the information disclosure page, downloadable config file, and backup file were all the same as Wavlink’s. This leads us to believe that Winstars is the owner of both Jetstream and Wavlink brands. “Jetstream” may simply be the Winstar product for the US market.
What is Winstars?
Luckily, Winstars has a lot more publicly available information online about it, including its staff and management. This eventually led us to someone named “Mr. Lee John” whose very terse Facebook page lists him as the CEO & Founder of both Wavlink and Winstars. Facebook is blocked in China. However, another listing puts “Johnson Huang” as the General Manager of Winstars.
While little information is available for Jetstream’s or Wavlink’s exports or revenue, this company profile shows that Winstars exports 95%-99% of its products, for an annual revenue of between $40-$45 million.
It’s also not clear how many products Winstars exports: its capacity is listed as between 1-2 million pieces per month:
If the company sells at 100% of its capacity, that means that yearly there are 12-24 million various Winstar/Jetstream/Wavlink products being shipped around the world. If the sales are actually at 75% capacity, that would put the number at around 9-18 million Winstar/Jetstream/Wavlink pieces sold per year.
Winstars’ company page indicates that it is involved in multiple “government fully-funded projects.” Other company names connected to Winstars/Jetstream/Wavlink are Rui Yin and Shenzhen Xinboyue Electronics Co., Ltd.
What Jetstream-Wavlink backdoors mean for consumers
The impact of these backdoors is particularly concerning.
“With this backdoor,” Clee told CyberNews, “the malicious actor can monitor and control all traffic coming through that router.”
This is pretty dangerous: at this very moment, malicious actors may have the ability to see all the traffic – all the activity, the visited websites, messages, audio and video – that’s passing through a user’s Jetstream/Wavlink router. “It's like having an omniscient entity in your house, watching all of your activities, stealing all your information and spreading everywhere,” Carta tells CyberNews.
An attacker can also potentially control the entire network, seeing as they’d be able to control the access point to that network. That would allow them to perform lateral movement on the devices connected to the network and compromise those devices.
This is also a very threatening possibility: given the Jetstream/Wavlink router backdoors here, an attacker can take control of not only the router, but also all the devices connected to that network.
Addressing Wavlink's response
On November 26, Wavlink responded to our research by publishing an article on their website [archived]. We'll walk through their response and address certain points.
First of all, however, we'd like to point out two important things: firstly, Clee originally attempted to contact Wavlink in February 2020 and CyberNews attempted to contact them from October 19 (with multiple follow-ups) -- and received no response. Secondly, Wavlink published their response on their website without getting in contact with us -- we only found it by actively looking for it.
Now, to the claims made in their response. Generally, Wavlink responded by saying that "we officially clarify that our products DO NOT have any such codes that either obtain customer information or remotely control devices."
The confirmed vulnerabilities CVE-2020-10971 and CVE-2020-10972 in the affected Wavlink routers are rated critical and have been confirmed by NIST. They allow remote unauthenticated communication with the router. These vulnerabilities alone allow bad actors to abuse the router and the network. Beyond that:
- webcmd.shtml is the backdoor that appeared to be placed there intentionally, but which we hoped to clarify with Wavlink
- webcmd can be abused via CSRF (Cross-Site Request Forgery), so simply opening a link can make your router hackable
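To make the two failings concrete, here is an added Python model (not code from the article, the researchers, or the firmware) of the flaw described earlier, where the command page verifies only that some session exists, beside a hardened handler that also verifies the request method, the session owner's role, the Origin header and a per-session CSRF token. Session, Request, handle_webcmd_* and the address 192.168.10.1 are this example's own names and assumptions.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Assumed model of an admin session store and the webcmd page. The names are
# this example's own; the article names only webcmd.shtml itself.
ROUTER_ORIGIN = "http://192.168.10.1"   # assumed LAN address of the router


@dataclass
class Session:
    user: str
    is_admin: bool
    csrf_token: str


@dataclass
class Request:
    method: str
    path: str
    cookie_sid: Optional[str]              # attached automatically by the browser
    form: Dict[str, str] = field(default_factory=dict)   # body fields set by the page
    origin: Optional[str] = None           # Origin header, set by the browser


SESSIONS: Dict[str, Session] = {}


def login(user: str, is_admin: bool) -> str:
    """Create a session and return the cookie value the browser will store."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = Session(user, is_admin, secrets.token_hex(16))
    return sid


def handle_webcmd_vulnerable(req: Request) -> str:
    """The check the article describes: only 'is there an active session?'.
    Nothing else is verified, so any page the browser visits can reach it."""
    if req.cookie_sid in SESSIONS:
        return "executed"
    return "denied"


def handle_webcmd_hardened(req: Request) -> str:
    """Same endpoint with the missing checks: method, session owner's role,
    Origin header, and a per-session CSRF token compared in constant time."""
    if req.method != "POST":
        return "denied: method"
    sess = SESSIONS.get(req.cookie_sid or "")
    if sess is None or not sess.is_admin:
        return "denied: not an admin session"
    if req.origin != ROUTER_ORIGIN:
        return "denied: cross-origin"
    if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
        return "denied: bad csrf token"
    return "executed"


def demo() -> Dict[str, str]:
    """Run three requests through both handlers and report each outcome."""
    SESSIONS.clear()
    admin_sid = login("admin", True)
    guest_sid = login("guest", False)
    # 1. Cross-site: a page on another origin makes the admin's browser send a
    #    GET; the browser attaches the session cookie on its own.
    csrf = Request("GET", "/webcmd.shtml", admin_sid, origin="http://attacker.example")
    # 2. A logged-in non-admin session reaching the admin-only page.
    guest = Request("POST", "/webcmd.shtml", guest_sid,
                    {"csrf_token": SESSIONS[guest_sid].csrf_token}, origin=ROUTER_ORIGIN)
    # 3. Legitimate admin submission from the router's own UI.
    legit = Request("POST", "/webcmd.shtml", admin_sid,
                    {"csrf_token": SESSIONS[admin_sid].csrf_token}, origin=ROUTER_ORIGIN)
    return {
        "csrf_vuln": handle_webcmd_vulnerable(csrf), "csrf_hard": handle_webcmd_hardened(csrf),
        "guest_vuln": handle_webcmd_vulnerable(guest), "guest_hard": handle_webcmd_hardened(guest),
        "legit_vuln": handle_webcmd_vulnerable(legit), "legit_hard": handle_webcmd_hardened(legit),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```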
However, in response to their specific points:
- While it is common practice "for router companies to receive customer reports to make analysis and give feedback to customers," it is irresponsible to leave these kinds of vulnerabilities so bad actors can exploit them.
- While local management pages are fine, again -- given the confirmed vulnerabilities, it opens the router up to exploitation from bad actors.
- While wifi repeaters would have the wifi signal scanning function, this does not address why routers would have the same capability and, again -- given the confirmed vulnerabilities, this provides pivoting and lateral movement capabilities that a bad actor can exploit.
- We wonder how many routers were sold since the Telnet function was removed. Further, while it is common for telecom operators to have this function -- Wavlink is not a telecom operator.
- We never claimed that the Chinese IP address attempting to exploit the backdoors and vulnerabilities was related to Wavlink. That was simply to confirm that the vulnerabilities were being actively exploited, which we observed on our test device. Given the confirmed vulnerabilities, and that there are hundreds or thousands of these routers exposed to the internet, the risk of exploitation is high. Further, given the webcmd and the vulnerabilities, the backdoor can be exploited by bad actors remotely.
- We never said that Jetstream is part of Wavlink. We said that Jetstream and Wavlink are both part, in one form or another, of Winstars, which Wavlink's response does not address.
We have submitted these responses to Wavlink as well, and hope that they will get in contact with us for clarification or assistance in fixing these issues.
What you should do next
If you have any Jetstream or Wavlink routers or connected devices, unfortunately there isn’t much you can do about it. The devices, as they are right now, have these backdoors. It is possible to mitigate the risks of these backdoors and related vulnerabilities with such popular solutions as a VPN, but this would be a minor mitigation.
Although reported in February, the company has not responded to our notification attempts.
The best thing to do then, if you have one of these vulnerable Jetstream/Wavlink devices, is to stop using them and buy a router from a reputable company. “After just a small amount of testing,” Clee said, “the main thought I have about my Wavlink devices is that I'm looking forward to never plugging them in again.”
Carta also advised further steps if you’ve been using these Jetstream or Wavlink routers, whether you choose to keep them or not: “It might be a good idea to temporarily shut down the network, clean your computers, reset the passwords of the computers and online accounts, and so on.”
If you choose to keep your Wavlink or Jetstream routers, Carta states: “In case malicious actors achieved persistence on another machine by spreading on the network, it is important to expulse them.” However, he still advises users to change these affected routers as soon as possible.
On the other hand, if you were thinking of buying one of these vulnerable Jetstream/Wavlink devices, the best thing to do is to stop that thought, and instead buy a router from a reputable company.
Unfortunately, the affected devices go beyond just routers: we discovered that Wavlink’s wifi repeaters have the same backdoors.
Watch the interview with the cybersecurity researchers and Zahid Sabih from ZSecurity for an in-depth account of how the entire investigation went down:
Comments
The vulnerabilities in router chipsets are not in the silicon or metal interconnect, or even in the PCB (hardware vulnerabilities are possible, though very rare)
They are in the firmware that runs the router.
The firmware is typically written by the chipset provider at first, and possibly with updates. (US)
This exploitable firmware was modified and/or written by the Chinese company that designed and sold this product, meaning all potential malicious motivations and/or gross incompetence are universally exclusively theirs to answer for.
Thanks for talking about this! People must know.
Your investigation, analysis, and presentation were excellent. Thank you for sharing. In this case, boredom breeds good things.
Thanks, Bob
After doing some digging on these inexpensive routers/devices originating from Chinese-based firms, I suspect there is some kind of ecosystem of large companies and smaller subsidiaries all selling these similar, vulnerable devices under various brand names (to include Winstar, Wavlink, Jetstream, Tenda, Cudy, and more) around the world.
The difficulties in finding information on Winstars (and their Wavlink and Jetstream subsidiaries) apply to other China-based brands as well. I want to highlight here the inexpensive “Cudy” brand routers sold on Amazon. You can view one of their devices here: https://www.amazon.com/Cudy-1200Mbps-Customized-pre-Installed-WR1300/dp/B085RLFRH3/
Cudy’s official website doesn’t reveal much, beyond them being based in Shenzhen (as is Winstars), a city known for being a technology/IT hub. After looking up Cudy’s trademark information (https://trademarks.justia.com/880/12/cudy-88012642.html), you can see that the point of contact for Cudy (“DENG XIU FANG; SHENZHEN TENGFEI INTELLEC”) is a person affiliated with the Shenzhen-based Tengfei manufacturing/technology company, which is associated with the trademark “Tenda”. Here is the company profile on Alibaba showing the Tenda connection: https://tengfeibx.en.alibaba.com/company_profile.html?spm=a2700.icbuShop.88.42.985c3052j3R9uc Also note the similarity in font/style between the Tengfei and Tenda logos. As was disclosed earlier this year, Tenda brand routers suffer from two critical vulnerabilities that allow for Mirai botnet exploitation and for attackers to obtain root access.
Also to note, Winstars is listed as an original equipment manufacturer (OEM) of Cudy devices on this website: https://deviwiki.com/wiki/Cudy_WR1000_V1 This is anecdotal but, I have used a Cudy brand router before, and the interface (blue/white colors, layout, etc.) looks very similar to the screenshots of the Wavlink/Jetstream interfaces shared in this article. If Winstar is indeed the manufacturer, the similarities make sense, and given Cybernews’ research, I would also worry about the security of Cudy devices.
It is interesting that Cudy is possibly tied to Winstars, while also having trademark information tied to the same manufacturing company (Tengfei) that trademarks Tenda brand routers. Even though some simple Googling can help identify the connections between these firms, why do these companies make it so hard to find information about them? As the Cybernews researchers pointed out in the article: Winstars, Wavlink, and Jetstream did not reply to requests for more information. Given the serious backdoors/vulnerabilities associated with these various devices, all this murkiness definitely raises questions about the supply chain and these devices’ origins.
My takeaway is that I will be avoiding all Chinese-based brand routers and devices like the plague.
If you can’t live without a router, then search for information on “how to install openwrt”. Buy a Purism device or other open hardware/software.
Could this also be a push from the bigger brand names to discourage buying cheaper routers?
BTW, Poor design is not always a sign of bad intentions as the tone on the article implies.
Please do not see conspiracies everywhere. Haven’t we had enough lately?
https://www.walmart.com/pac?id=f7850717-3dc6-44f1-b419-9e4f87c8f17e&quantity=1&cv=1
Y’all slow.