Cheap Routers, Complete with Chinese Backdoors, Available Now!

Routers distribute the internet connection you receive from your modem. They allow you to form your own network of interconnected devices. Some internet service providers offer a modem/router combination so that you don’t need two separate devices. However, some people may prefer having a router to increase their Wi-Fi signal strength and to have more control of their network. In any event, since a router is connected to your internet and your devices, it’s critical to make sure that it is secure. If it’s not, a malicious actor could take over any device on your network.

It goes without saying that the first thing you should do when you get a router is to change the default password that comes with it. (Usually, it is ‘admin’.) If you don’t do this, anyone within range of its signal will be able to hack into your router and, if they want, change its password to lock you out. Actually, once they get past the router, they can, in effect, become you. With the help of some malware, they could, among other things, look through the files on your computer and see if there is anything there that they could use for themselves.

(For a complete list of router default credentials go here.)

Since securing a router is of such high importance, it is more than disturbing to learn that CyberNews researcher Mantas Sasnauskas, in coordination with researchers James Clee and Roni Carta, found what appear to be backdoors in the Chinese-made Jetstream router. The researchers claim that this router is exclusively sold at Walmart, but, in truth, it is sold in a number of places and can be found on Amazon. In fact, the researchers found similar backdoors in a number of routers that were manufactured in China.

If a nefarious actor is aware of a backdoor in a device, they can circumvent security architecture and take control of the device and the network it’s connected to, and they can do so remotely. This was the problem that cybersecurity experts worried about with Huawei and which led government officials to ban its 5G equipment in the U.S. They worried that the Chinese government, in cooperation with Huawei, could set up a huge information gathering network, or worse. They could, potentially, take control of vital infrastructure (power stations, electric grids, etc.) and manipulate them to their own ends.

But can the Chinese government force a private company to install a backdoor so that they can use it if they so desire? In Article 77 of the Chinese National Security Law there are two provisions that are often noted which seem to give the government power to control private companies. Companies are required to help the government by

“(4) Providing conditions to facilitate national security efforts and other assistance;

(5) Providing public security organs, state security organs or relevant military organs with necessary support and assistance.”

These seem to be general statements and it is a matter of defining what constitutes a risk to national security and what precise support must be given to attain such security. Would installing a backdoor in products sent overseas be considered as a way to support national security? I suppose it could be. That said, it would seem to be easier for the government to force smaller companies to install backdoors than larger companies, or is it…

This isn’t the first time backdoors have been found in Chinese-manufactured routers. “Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained.” Some Chinese routers came with passwords that were part of the firmware and, therefore, could not be changed. This meant that the company had a list of every router and every password which they or the government could access whenever they felt “national security” would be improved.

There is always a standard answer that manufacturers give when accused of installing backdoors. They simply claim that these are installed for maintenance purposes. If a customer is having trouble with a device, the company can use the ‘backdoor’ to access the device and determine what the problem is. Maybe, but they should at least give the customer the right to opt out of this kind of support.

As it turned out, the router the researchers analyzed was almost immediately attacked by the Mirai Botnet. The attack, based on the IP address, came from China. The Mirai Botnet is a readily available botnet that has been used in numerous DDoS (Distributed Denial of Service) attacks. Basically, these attacks overwhelm servers with so many requests that they simply can’t handle the traffic. The result of such attacks is that entire websites have been brought down. It appeared that Mirai was primed to add the Jetstream router to its net and, in effect, control it.

The researchers traced the makers of this router to a company called Windstars Technology in China. It appears that the Jetstream brand has limited distribution, mostly through Walmart. The main brand that uses Windstars technology is Wavlink. The problem, as I see it, is that Windstars produces a wide range of products, and many of these could be built with backdoors. Some of them were investigated and, indeed, were found to have the same backdoors as the routers had. It’s clear that more of this company’s products need to be investigated.

So does this mean that the Chinese government is planning some sort of Mirai-based cyber attack? That seems like one possibility. After all, who buys cheap, Walmart routers? Probably average folks. The key to a good botnet is having the most devices possible that can be deployed in an attack. It doesn’t matter if the devices are located in a major corporation or in a 13-year-old’s bedroom. Of course, if your cheap router happens to be on a home network with connections to bigger companies, so much the better.

The argument that this router architecture is made for maintenance purposes doesn’t hold up. The researchers note, “this is not a mistake. Someone had to take the decision to make the password client-side. A human conceived this code knowing that this would be accessible from an unauthenticated user. Now, the question is why? Why would a company which potentially knows the credentials of any of its routers, give itself the hidden ability to access anyone’s router and run commands? They are not an ISP. Why would they need that access?” Some of the routers were programmed to seek out and connect to other nearby Wi-Fi connections. In short, these routers were designed for spying.
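The phrase “make the password client-side” is the technical heart of the researchers’ complaint, so here is an added illustration of what that design choice means and how it should have been done. This is example code written for this post, not code from the Jetstream/Wavlink firmware or from the CyberNews research; the function names, the sample credential and the sample web assets are all constructed for the demonstration. The vulnerable version puts the password comparison into the page that is served to anyone who can reach the login URL, so the secret is readable without logging in; the hardened version keeps only a salted hash on the device and decides on the server side. The last function is the check a firmware reviewer would run over the web assets to spot the anti-pattern.

```python
"""Where an admin-password check runs decides who can read the password.

Added example for this post; not the Jetstream/Wavlink code. Simulates a
router web UI two ways on constructed data:
  - vulnerable_login_page(): the check is JavaScript inside the page
    served to unauthenticated clients, so the secret ships with the page.
  - hardened_login(): the check runs on the device against a salted hash;
    the served page contains nothing secret.
"""
import hashlib
import hmac
import os
import re
from typing import Dict, List, Optional

# Constructed sample credential for the demonstration; not any device's default.
SAMPLE_ADMIN_PASSWORD = "r0uter-sample-pw"
PBKDF2_ROUNDS = 100_000


def vulnerable_login_page(password: str) -> str:
    """Anti-pattern: 'authentication' is a string compare in the page itself.

    Any unauthenticated visitor receives this HTML and can read the password
    straight out of the source; the device never makes a decision of its own.
    """
    return f"""<form onsubmit="return check()">
<input id="pw" type="password">
<script>
function check() {{
  return document.getElementById('pw').value === {password!r};
}}
</script>
</form>"""


def page_leaks_secret(page: str, secret: str) -> bool:
    """True if a served page body contains the credential verbatim."""
    return secret in page


def make_password_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store only a random salt and a PBKDF2 digest on the device."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return {"salt": salt, "digest": digest}


def hardened_login_page() -> str:
    """The page served to unauthenticated clients carries no secret at all."""
    return """<form method="post" action="/login">
<input name="pw" type="password"><button>Log in</button>
</form>"""


def hardened_login(record: dict, submitted: str) -> bool:
    """Server-side check: rehash the submission, compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", submitted.encode(), record["salt"], PBKDF2_ROUNDS
    )
    return hmac.compare_digest(candidate, record["digest"])


# Reviewer's check: a password-ish identifier compared (== or ===) against a
# string literal inside a web asset is the client-side-check anti-pattern.
_CLIENT_SIDE_CHECK = re.compile(
    r"\b(pass(word)?|pw|pwd)\b.{0,60}?===?\s*['\"][^'\"]+['\"]", re.IGNORECASE
)


def find_client_side_checks(assets: Dict[str, str]) -> List[str]:
    """Return names of assets whose code compares a password to a literal."""
    return sorted(name for name, body in assets.items() if _CLIENT_SIDE_CHECK.search(body))


if __name__ == "__main__":
    # Constructed bundle of web assets, as a reviewer might extract from firmware.
    assets = {
        "login_vuln.html": vulnerable_login_page(SAMPLE_ADMIN_PASSWORD),
        "login_ok.html": hardened_login_page(),
    }
    print("assets with client-side password checks:", find_client_side_checks(assets))
    record = make_password_record(SAMPLE_ADMIN_PASSWORD)
    print("hardened login, correct password:", hardened_login(record, SAMPLE_ADMIN_PASSWORD))
    print("hardened login, wrong password:  ", hardened_login(record, "wrong"))
```

The difference is not the password's strength but where the decision is made: in the vulnerable layout the device trusts whatever the browser reports, and the secret is part of a public file; in the hardened layout the device holds a hash, never the password, and an unauthenticated request learns nothing from the login page.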

So what do you do if you have a China-manufactured router in your house or business? Will you even know it has a backdoor? Probably not. If it is part of a botnet, you may, occasionally, find your computer or internet connection slowing down. Remember that a backdoor gives the user a way to watch everything you are doing. All traffic to the internet (passwords, banking credentials) must go through the router, and that information can be sent on to those who remotely control the device.

If you own one of these Chinese routers, the best course of action is to simply buy another router. Since it is possible that the router was used as an access point to your computer or other devices, those devices need to be cleaned and any passwords changed. Even if you buy another router, you still need to do this because a bad actor may have installed other malware on your devices which will persist even if the router is changed.

If these routers were from any other country, we could dismiss these backdoors as a bad idea. However, because of China’s long history of infiltration attempts, we can only view them as part of their cyber attack infrastructure. The Chinese government must assume that the benefits from such infiltration outweigh the risk of being detected. Besides, they probably have a denial strategy already in place and attribution is an inexact science. But, in the end, the accumulation of such actions lowers the reputation of all Chinese high tech firms, even those that try to be reputable, and once a reputation is lost, it is very hard to rebuild. And this issue of trust doesn’t end at the corporate level. It branches upward to the government itself. So if, someday, China finds itself viewed as an international pariah, they only have themselves to blame.
