I get uncomfortable how this is probably true with all these smart TVs as well (especially the budget TVs). I set up piHole to try to prevent this but nothing stops it from phoning home via a direct IP. It sucks because all our electronics get poisoned since good brands get squashed out by these low cost alternatives that consumers love at the expense of privacy that no one cares about anymore. Also, another crazy thing is ISP provided routers. I was unable to change the DNS on my modem/router, let alone change the security settings.
The fix for this is to just never ever connect your TV to the internet. Devices like the chromecast and game consoles generally have better app support and usability than most smart tvs anyway.
It doesn't make sense to tie the lifespan of a display to the lifespan of software support when the computing hardware is so ubiquitous outside of the TV anyway.
I dislike a lot of "smart" devices, but off-brand or no-brand IoT and "smart" things are a hard no. I assume these to basically be spies or malware vectors. Even if they're not deliberately malicious I figure there's a good chance they are insecure as hell.
I tend to go with US-based companies because they would legally be liable for damages, which would in theory mean they'd be less likely to knowingly ship malware and security disasters.
What gateway is the TV using? You can put your own router in front of the ISP one, and set your computers including your TV to use your router as the gateway, not the ISP one. Relying 100% on a third party router (where you do not control the OS) is similar relying 100% on a third party DNS provider (many PiHoles are set up to use third party DNS providers). This is willingly delegating 100% control to a third party. Some of that control can be retained if desired by using own router (with OS you can fully control), or in the case of DNS by using own DNS that you can fully control.
This is also true for almost all of devices which could connect to internet. We need a portable small router with firewall feature which could physically ban the specific IPs or domains.
For example, iOS to Apple, mac to Apple, Win10 to MS, etc. These connections are much difficult to ban nowadays. What we could do might be limiting their upstream connection via physical firewall router with built-in good web-based GUI.
AT&T pushed an update that added an "Application Statistics" page to the router which keeps track of ports and sites visited and is basically hostile to privacy.
thing is - this is a rented router, so what can the customer do?
Also every time they push an update wifi turns itself back on. So I go in and disable it and then I get a giant warning email "AT&T wifi gateway settings updated".
That is precisely the reason why I want ( or I once want ) Apple to make an TV set and not a TV Box. Their Brand, software and UX could create enough value for consumer to buy and set the standard for TV industry.
Or someone to create a standard where the Panel is now working more like a Monitor and All electronics are into a separate box.
Am I the only one who thinks that Wal-Mart should be absolutely slammed for doing this? Like, they are a corporation actively participating in the material worsening of our national security. I don't even want to think about a threat model that includes undermined router hardware! If they can't be patched remotely those things need to be recalled, destroyed, and Wal-Mart fined significantly.
(When I say slammed I mostly mean "pay big fines", maybe jail time if the flaw was known, and it should result in real reputational damage to Wal-Mart and its willingness to sell anything with a network connected computer in it. At the very least, if the buy cost is even less than the china price, that difference is coming from somewhere. Wal Mart should have spotted that.)
It doesn’t sound like the back door was put in for Walmart to use. So no, Walmart shouldn’t be slammed for this vulnerability anymore than for the vulnerabilities in the PCs they sell.
> actively participating in the material worsening of our national security
It's really just a symptom of the race-to-the-bottom that Wal-Mart has been strongly championing for a couple decades. Everything must be manufactured in China at the lowest BOM cost possible. And, of course, it's us consumers that fuel this race.
Sure, find some customers and sue on their behalf; this is a product liability issue. However, you would have to show actual damages to collect much. If the router the plaintiff purchased was never compromised, it might be tough to claim significant damages. Even the purported harm to privacy would have to be demonstrated. There may be other crimes related to selling compromised hardware, but that might require actual knowledge or constructive knowledge that the products were compromised.
So for example, if you buy a defective helmet for your kid from Walmart, the kid gets into an accident, and the kid dies, you sue Walmart for damages commensurate to the death of the child. For the router, you have to show the compromise that resulted from the vulnerability and the damages that ensued. If there was no compromise and just the potential for compromise the damages may be quite limited.
So Walmart might have some good faith defenses and it might be challenging to show enough damages.
There may also be some fines that the FTC could levy related to this because of the deceptive trade practices associated with selling a fatally defective product that could pose serious risks to privacy.
No, but Walmart should begin preparing to turn over a complete list of all identifiable purchasers of these devices when the FBI asks for it, and if we had a functioning US government, they should be compelled to issue a recall with refund for them.
I can see how the backdoor allows access to the router and makes the router itself part of the botnet.
But where do they get...
> This backdoor would allow an attacker the ability to remotely control not only the routers, but also any devices connected to that network.
How do you gain "control" of a device (presumably a PC) merely by having access to the router it is connected to? Is it just that we're assuming that a typical home network will be a soft target of PC's? What about windows defender firewall, and all that stuff?
People flock to "free" services and give away all their data to do so.
People buy "cheap" printers, and sign up for extortionate ink programs to do so.
We have a car maker to "takes back" software options sold when the car was new on re-sale of that car.
No we have people buying "cheap" Wi-Fi routers which are subsidized by their ability to be used by third parties for nefarious purposes.
Caveat Emptor only goes so far. The ability to fleece people through technology has been known and exploited for a long time, I wonder if we will ever see a consensus backlash against it.
"WiFi routers always seem to make you sacrifice something, don't they?
You're either paying for speed and spending an ungodly amount of money, or opting for the budget pick and waiting forever for things to load.
You shouldn't have to make that choice. One bright spot on the WiFi landscape could come from an unlikely place: Walmart. The big box store is gearing up to save you money and headaches by launching a line of store-exclusive routers that minimize cost and maximize performance."
>No we have people buying "cheap" Wi-Fi routers which are subsidized by their ability to be used by third parties for nefarious purposes.
You're assuming a) that the router is subsidized, and b) that the flaws are intentional. Neither are necessary, and neither make a lot of sense (why add a backdoor that anyone can exploit?)
It makes way more sense to consider this just another poorly made budget product. Same as anything else where sticker price is all that matters.
It's because people often value their time more than money.
Free services win because everyone can start using it and depending on it in 5 minutes, instead of having to pay for and download a comparable product, or worse, maintain an OSS alternative on a home server. The only time a consumer chooses to pay for something is when it's as entrenched into their minds as MS Office is, or when their employer/school demands it (also MS Office).
HP's ink is so successful since you can now just have it show up at your door when you're low on ink instead of having to make a trip to best buy. The extortionate price of unit-sold cartridges is only extra motivation.
And Tesla is only big because they have an appealing product; if other car manufacturers could offer the same (EV) range, software experience, and minimalistic design, they'd blow Tesla out of the water with superior service and build quality.
Now this cheap Wi-Fi router isn't something people are buying because it's comparatively better or offers some features, it's just a cheap Chinese wifi router that some corporate Wal-Mart manager decided to stock since it would be high-margin and, as far as they know, offered basic wifi functionality. Your argument would work for any other (high end) router like Nest WiFi, Netgear, etc.
I bought a small x86 board with dual gig network cards and put openwrt on it. If you haven’t looked at openwrt lately, it’s really good, clean UI, right to the point. Best thing I’ve done for my network besides running pihole. I recommend it.
It's not the AliExpress routers that worry me (although Walmart should have negotiated for better firmware), it's all the "name brand" routers that are running a 2.6.34brcm Broadcom kernel that'll never see another firmware update.
>Low and behold, there was my super secret password in plain text, with the admin username in plain text, on a page that requires no authentication of any kind to view.
It is so fucking dumb that there is no other explanation other than an intentional backdoor. If anyone quotes Occam's Razor, you've been asleep for the past 5 years or so.
The last time I was in the market for a 'cheap' router, I settled on Mikrotik. Very cheap, and incredible features. Configuration should not be a mystery for the average HN poster. Mine is router only, no wifi, but I have heard good things about wifi versions too.
Not sure what to recommend for non tech-savvy users though. The overwhelming majority of routers in the market that are targeted to consumers are hot garbage. Some TP-Link models? Maybe... Google(if are ok with your most important device being from them)? Are Linksys still good? My last one was a WRT54G. It was ok out of the box, pretty good with custom firmware (that takes it outside the end-user territory once again).
For those thinking Walmart/Cheap router customers are more gullible, the Asus routers which are highly rated and used by tech savvy users (flashing custom ROM's) require accepting Trend Micro(TM) EULA's for most of the features on the box. Even QOS settings require user to accept specific EULA to share data with TM). Traffic monitor of your LAN also requires EULA.
The app that comes with Asus router is littered with button which if you accidentally click will make you accept EULA.
Im not sure why but reading this article raises my internal BS skepto-meter.
The story explains that the companies in question have access to RPC functions similar to those that an ISP might use but that they are not ISPs. Then later on the article states that one of the companies described itself as an ISP.
The story also questions why there is a GUI for running remote commands and why a device would need to scan for nearby networks. I can think of a few legitimate reasons for both but no reason a decent backdoor would have a server side backdoor GUI.
Just my opinion but I get the feeling this whole situation was created by IP theft in the form of firmware duplication. It seems these companies have used a very insecure firmware possibly made intentionally bad to trap or setup these Chinese manufacturers.
If these are in fact intentional backdoors they were made with an incredible amount of effort to look like sloppy 0day exploits.
I should add that I don't doubt that these vulnerabilities are real, just the intent behind them.
If I was having my products manufactured in China, I might provide a similar bad firmware for the factory too, then patch the devices before providing them to my customers to prevent IP theft.
Hey there - author of the article here. The research team behind this has a lot of unanswered questions as well, and a lot of...(like you) conjectures about how this may have arisen.
Normally, one should not attribute to malice what can simply be attributed to stupidity or probably laziness here.
Even then, however, it's a bit too suspicious though. Of course, we asked the manufacturers behind these devices for comment and -- surprise! -- no comment. In past experience with Chinese vendors, we've had similar results.
Of course, we'll update with any information we get.
While Wavlink bears a lot of responsibility for these problems, I bet this is a Mediatek or Ralink board support package that is security swiss cheese.
All the (three?) articles about this gloss over whether/how this is remotely exploitable or whether you need to be on the local network. This would seem to be evidence that it is:
> Basically, the first IP address you see there – 222.141.xx.xxx, which comes from China – was trying to upload a malicious file on the router using the vulnerabilities.
Since when does a router respond to the whole world on port 80 by default?
Overall its a good idea to avoid buying electronics from walmart unless its something simple like a cable
I've also heard that products such as TV's are usually lower quality compared to sold elsewhere; usually the manufacturer creates a model speficially for walmart, using lower quality parts, display panels which don't pass QA and are binned, SoC's which may have issues, etc
Can someone explain what the actual backdoor is without me having to wade through pounds and pounds of narrative text that doesn't actually explain anything?
I started watching the video, but it just looks like self-congratulatory nonsense.
It's kind of a pain in the ass but a solution is to set these devices all in their own L2/L3 network segment with separate routing (via a different VPN) out to public.
Just spitballing here but would it be possible to write more secure firmware for these routers, wipe the firmware, install your own, and the sell the routers under your own brand?
[+] [-] syntaxing|5 years ago|reply
[+] [-] p1necone|5 years ago|reply
It doesn't make sense to tie the lifespan of a display to the lifespan of software support when the computing hardware is so ubiquitous outside of the TV anyway.
[+] [-] api|5 years ago|reply
I tend to go with US-based companies because they would legally be liable for damages, which would in theory mean they'd be less likely to knowingly ship malware and security disasters.
[+] [-] 1vuio0pswjnm7|5 years ago|reply
[+] [-] hvaoc|5 years ago|reply
[+] [-] merb|5 years ago|reply
what exactly do you mean? I tought piHole sits "between" the tv and your modem? I mean it probably can easily firewall those ips.
Edit: nvm PiHole is only a dns thingy.
[+] [-] LdSGSgvupDV|5 years ago|reply
For example, iOS to Apple, mac to Apple, Win10 to MS, etc. These connections are much difficult to ban nowadays. What we could do might be limiting their upstream connection via physical firewall router with built-in good web-based GUI.
[+] [-] m463|5 years ago|reply
AT&T pushed an update that added an "Application Statistics" page to the router which keeps track of ports and sites visited and is basically hostile to privacy.
thing is - this is a rented router, so what can the customer do?
Also every time they push an update wifi turns itself back on. So I go in and disable it and then I get a giant warning email "AT&T wifi gateway settings updated".
[+] [-] ksec|5 years ago|reply
Or someone to create a standard where the Panel is now working more like a Monitor and All electronics are into a separate box.
[+] [-] m-p-3|5 years ago|reply
[+] [-] zdware|5 years ago|reply
[+] [-] chaostheory|5 years ago|reply
[+] [-] mrfusion|5 years ago|reply
By a stand-alone Roku for apps?
[+] [-] DEADBEEFC0FFEE|5 years ago|reply
[+] [-] javajosh|5 years ago|reply
(When I say slammed I mostly mean "pay big fines", maybe jail time if the flaw was known, and it should result in real reputational damage to Wal-Mart and its willingness to sell anything with a network connected computer in it. At the very least, if the buy cost is even less than the china price, that difference is coming from somewhere. Wal Mart should have spotted that.)
[+] [-] kortilla|5 years ago|reply
[+] [-] canada_dry|5 years ago|reply
It's really just a symptom of the race-to-the-bottom that Wal-Mart has been strongly championing for a couple decades. Everything must be manufactured in China at the lowest BOM cost possible. And, of course, it's us consumers that fuel this race.
[+] [-] mountainb|5 years ago|reply
So for example, if you buy a defective helmet for your kid from Walmart, the kid gets into an accident, and the kid dies, you sue Walmart for damages commensurate to the death of the child. For the router, you have to show the compromise that resulted from the vulnerability and the damages that ensued. If there was no compromise and just the potential for compromise the damages may be quite limited.
So Walmart might have some good faith defenses and it might be challenging to show enough damages.
There may also be some fines that the FTC could levy related to this because of the deceptive trade practices associated with selling a fatally defective product that could pose serious risks to privacy.
[+] [-] floatingatoll|5 years ago|reply
[+] [-] crispyambulance|5 years ago|reply
But where do they get...
How do you gain "control" of a device (presumably a PC) merely by having access to the router it is connected to? Is it just that we're assuming that a typical home network will be a soft target of PC's? What about windows defender firewall, and all that stuff?[+] [-] ChuckMcM|5 years ago|reply
People flock to "free" services and give away all their data to do so.
People buy "cheap" printers, and sign up for extortionate ink programs to do so.
We have a car maker to "takes back" software options sold when the car was new on re-sale of that car.
No we have people buying "cheap" Wi-Fi routers which are subsidized by their ability to be used by third parties for nefarious purposes.
Caveat Emptor only goes so far. The ability to fleece people through technology has been known and exploited for a long time, I wonder if we will ever see a consensus backlash against it.
[+] [-] iso1631|5 years ago|reply
"WiFi routers always seem to make you sacrifice something, don't they?
You're either paying for speed and spending an ungodly amount of money, or opting for the budget pick and waiting forever for things to load.
You shouldn't have to make that choice. One bright spot on the WiFi landscape could come from an unlikely place: Walmart. The big box store is gearing up to save you money and headaches by launching a line of store-exclusive routers that minimize cost and maximize performance."
The cheap end were $35.
[+] [-] deeeeplearning|5 years ago|reply
This is key. The general public has a very basic understanding of tech generally and even less about what can be done with their data.
[+] [-] jml7c5|5 years ago|reply
You're assuming a) that the router is subsidized, and b) that the flaws are intentional. Neither are necessary, and neither make a lot of sense (why add a backdoor that anyone can exploit?)
It makes way more sense to consider this just another poorly made budget product. Same as anything else where sticker price is all that matters.
[+] [-] judge2020|5 years ago|reply
Free services win because everyone can start using it and depending on it in 5 minutes, instead of having to pay for and download a comparable product, or worse, maintain an OSS alternative on a home server. The only time a consumer chooses to pay for something is when it's as entrenched into their minds as MS Office is, or when their employer/school demands it (also MS Office).
HP's ink is so successful since you can now just have it show up at your door when you're low on ink instead of having to make a trip to best buy. The extortionate price of unit-sold cartridges is only extra motivation.
And Tesla is only big because they have an appealing product; if other car manufacturers could offer the same (EV) range, software experience, and minimalistic design, they'd blow Tesla out of the water with superior service and build quality.
Now this cheap Wi-Fi router isn't something people are buying because it's comparatively better or offers some features, it's just a cheap Chinese wifi router that some corporate Wal-Mart manager decided to stock since it would be high-margin and, as far as they know, offered basic wifi functionality. Your argument would work for any other (high end) router like Nest WiFi, Netgear, etc.
[+] [-] choward|5 years ago|reply
[+] [-] cortesoft|5 years ago|reply
The article seems to imply this is a malicious tool, but it seems more likely to me that this is just another poorly designed router instead.
[+] [-] vsareto|5 years ago|reply
[+] [-] ronnier|5 years ago|reply
[+] [-] heavyset_go|5 years ago|reply
I won't buy home networking equipment if I can't put OpenWRT on it.
[+] [-] nicolaslem|5 years ago|reply
[+] [-] voltagex_|5 years ago|reply
[+] [-] dsr_|5 years ago|reply
[+] [-] mmaunder|5 years ago|reply
[+] [-] vsareto|5 years ago|reply
>Low and behold, there was my super secret password in plain text, with the admin username in plain text, on a page that requires no authentication of any kind to view.
It is so fucking dumb that there is no other explanation other than an intentional backdoor. If anyone quotes Occam's Razor, you've been asleep for the past 5 years or so.
[+] [-] yumraj|5 years ago|reply
Someone would have to try hard to make a case that that is not the case.
[+] [-] xapata|5 years ago|reply
[+] [-] mlindner|5 years ago|reply
[+] [-] outworlder|5 years ago|reply
Not sure what to recommend for non tech-savvy users though. The overwhelming majority of routers in the market that are targeted to consumers are hot garbage. Some TP-Link models? Maybe... Google(if are ok with your most important device being from them)? Are Linksys still good? My last one was a WRT54G. It was ok out of the box, pretty good with custom firmware (that takes it outside the end-user territory once again).
[+] [-] djanogo|5 years ago|reply
The app that comes with Asus router is littered with button which if you accidentally click will make you accept EULA.
[+] [-] sigmaprimus|5 years ago|reply
The story explains that the companies in question have access to RPC functions similar to those that an ISP might use but that they are not ISPs. Then later on the article states that one of the companies described itself as an ISP.
The story also questions why there is a GUI for running remote commands and why a device would need to scan for nearby networks. I can think of a few legitimate reasons for both but no reason a decent backdoor would have a server side backdoor GUI.
Just my opinion but I get the feeling this whole situation was created by IP theft in the form of firmware duplication. It seems these companies have used a very insecure firmware possibly made intentionally bad to trap or setup these Chinese manufacturers.
If these are in fact intentional backdoors they were made with an incredible amount of effort to look like sloppy 0day exploits.
I should add that I don't doubt that these vulnerabilities are real, just the intent behind them.
If I was having my products manufactured in China, I might provide a similar bad firmware for the factory too, then patch the devices before providing them to my customers to prevent IP theft.
[+] [-] bmcn2020|5 years ago|reply
Normally, one should not attribute to malice what can simply be attributed to stupidity or probably laziness here.
Even then, however, it's a bit too suspicious though. Of course, we asked the manufacturers behind these devices for comment and -- surprise! -- no comment. In past experience with Chinese vendors, we've had similar results.
Of course, we'll update with any information we get.
Thanks for reading!
[+] [-] kburman|5 years ago|reply
And there were no devices attached to it and nor anyone use any of these sites.
I was really concerned at this in time what other that it might be doing I'm not even aware of.
[+] [-] voltagex_|5 years ago|reply
[+] [-] ksec|5 years ago|reply
[+] [-] nojs|5 years ago|reply
> Basically, the first IP address you see there – 222.141.xx.xxx, which comes from China – was trying to upload a malicious file on the router using the vulnerabilities.
Since when does a router respond to the whole world on port 80 by default?
[+] [-] robotnikman|5 years ago|reply
I've also heard that products such as TV's are usually lower quality compared to sold elsewhere; usually the manufacturer creates a model speficially for walmart, using lower quality parts, display panels which don't pass QA and are binned, SoC's which may have issues, etc
[+] [-] AndyMcConachie|5 years ago|reply
I started watching the video, but it just looks like self-congratulatory nonsense.
[+] [-] solotronics|5 years ago|reply
[+] [-] jimbob45|5 years ago|reply