中英对照：路由器中的后门会给你带来怎样的伤害？

 

 

 

当网络安全技术专家在沃尔玛，亚马逊和Ebay出售的中国制造的Jetstream，Ematic和Wavlink路由器中发现可疑的后门后，他们向制造商提供了证据文件。当然，他们从未收到过任何答复或反驳。

 

When security researchers discovered suspicious backdoors in Chinese-made Jetstream, Ematic, and Wavlink routers sold in WalMart, Amazon, and Ebay, they confronted the manufacturers with their evidence. Of course, they never received any replies or rebuttal to their questions.

 

随后，研究人员从亚马逊上购买了那些中国制造商的转发器。这些转发器外观上看起来区别很大，但技术上都大同小异。这些转发器里都有可以走后门的软件。虽然很难对这些设备全面搜索，但可以肯定的是，这些设备都存在相同的后门缺陷，他们的应用软件和硬件都出自同一公司。

 

The researchers then purchased some repeater devices from these companies off Amazon. The devices are very different physically and slightly different technically yet they had almost the exact same exploit chain of software embedded. While it is difficult to make sweeping, definitive statements, having the same flaws in multiple types of devices will point to the existence of a generic condition with other devices manufactured by the same company.

 

Jetstream和Wavlink路由器的漏洞显示其用户使用界面（GUI）与路由器管理员（用户或授权的网络供应商）的界面不同。换句话说，有两种可以进入路由器并对其进行控制的方法：即一种是授权的，另一种是未授权的。未经授权的后门似乎可以遥控路由器。

 

The Jetstream and Wavlink routers showcase a simple Graphical User Interface (GUI) for its backdoor that is different from the interface presented to router administrator (the user or the authorized Internet Service provider ). In other words, there are two ways to enter into the router and control it – one authorized and the other unauthorized. The unauthorized backdoor seems to be controlled by a remote code execution (RCE) vulnerability.

 

通常，当网络黑客想要接管路由器的控制权时，他们需要跑到设备存放处对设备做手脚。 但Wavlink和Jetstream设备具有允许远程访问路由器的软件。黑客唯一需要的是被攻击的用户正在上网。

 

Normally, when cyberattackers want to take over control of the router, they’d need physical access to the device. The Wavlink and Jetstream devices have a file that allows for remote access to the router. The only thing that the attackers would need is for a user to be connected at the time.

 

造成漏洞的原因是设备的后端缺乏验证机制，这些设备只有在人们上网时才会启动验证。如果是这样，那将给黑客开放访问权限，而无需用户验证。专家们用Javascript来测试这些设备的访问权限，结果发现，黑客可以在访问代码末端检索根密码，然后远程访问想要攻击的电脑。即使用户更改了密码，端点也将得到更新。对于那些未用Javascript写密码的设备上，他们有加密的备份，且无需身份验证即可下载。这些备份会让黑客获取管理员密码。

 

The cause is a lack of validation on the device’s backend, which appears to check only if there is a session active. If so, it will provide an attacker access to the page, without properly checking who owns the session. The credentials needed to access the device are being checked in the Javascript. The attacker can retrieve the root password at an endpoint in the access code and remotely access the target’s computer. Even if the user changes his password, the endpoint will get updated. On other tested devices that don’t have the password in the Javascript, there are unencrypted backups that can be downloaded without authentication. These backups would allow an attacker to get the administrator passwords as well.

分享不同信息/观点，做明智判断/决策！请点击096.ca！

 

研究人员认为，这些问题不只是巧合，认为这是有意在这些设备上设置的。他们推测，有人做了在这些设备上可以让外人拿到客户密码的决定。编制此软件的人知道，未经身份验证的用户可以访问这些设备。这意味着当初为这些设备写软件时留有后门并非偶然。

 

The researchers feel that these are not just coincidences: they point at something intentional. It is surmised that someone had to take the decision to make the password appearing on the client (visitor) side. A human who conceived this code clear knows that this would be accessible from an unauthenticated user. This means that it is not an accident when designing the code.

 

研究人员还发现，Wavlink设备里有一个脚本。脚本列出了附近所有wifi信号并可以连接到它们。专家们不能确定这是故意的，还是写软件人的失误。显然，厂家对安全和隐私根本不重视。由于这一漏洞，黑客不仅可以攻击路由器和网络，还可以攻击邻近的网络用户。这不是，也不应该是正常的做法。

 

Researchers also discovered that Wavlink devices have a script that lists all the neighbouring wifi connections and has the ability to connect to them. Whether this is intentional or it’s just poor practice with no security and privacy consideration on behalf of the company cannot be ascertained. An attacker can thus compromise not only the router and the network, but neighbouring networks too. This is not and should not be normal practice.

 

研究人员设了一个网络“陷阱”来确定是否有人会利用这些后门。结果发现一个来自中国的IP地址（222.141.xx.xxx）试图用该漏洞将恶意文件上传到路由器上。该软件为Mirai，是一种将路由器连接到僵尸网络的恶意软件。

 

When a cyber “trap” was set to reveal the identity of the tested device, an IP address (222.141.xx.xxx, which comes from China – was trying to upload a malicious file on the router using the vulnerabilities. When this file was checked, it was found to contain the Mirai malware – a malicious script that connects the router to the Mirai botnet.


 

习近平领导下的中国政府已投入大量资源，在全球收集百姓及其竞争对手的数据，包括公司和政府。例如，中国数据保存法迫使中国公司或在中国做生意的公司将数据保存中国国内的服务器上，且执法部门几乎不受限制就可以差看这些数据。很明显，中国政府有能力控制和查看Jetstream / Wavlink设备以及连接到这些网络的所有其他设备的数据。研究人员相信位于深圳的Winstars Technology Limited是Jetstream和Wavlink品牌的所有者。 “ Jetstream”可能只是Winstar在美国市场的产品。

 

The current Chinese government, under President Xi, has turned its resources heavily towards gathering as much data as it can about its citizens locally and globally, and its competitors – both in terms of corporations and governments. Chinese data retention laws, for example, force Chinese companies, or companies operating in China, to keep data on servers located inside the country – and to provide practically unfettered access to that data to law enforcement. It is now clear that the Chinese government has the ability to control and see all the traffic flowing through these Jetstream/Wavlink devices, and all other devices connected to those networks. It is believed that Winstars Technology Limited located in Shenzhen is the owner of both Jetstream and Wavlink brands. “Jetstream” may simply be the Winstar product for the US market.

 

如果你使用Jetstream或Wavlink路由器，最好停止使用它们，改用信誉良好的路由器。研究人员还建议：如果你一直在使用Jetstream或Wavlink路由器，你应暂时关闭网络，清理电脑中的所有恶意软件和病毒，重置电脑和在线帐户密码。采取这些步骤可以防止你的身份被盗用，让你高枕无忧。

 

If you have any Jetstream or Wavlink routers or connected devices, it is best to stop using them and replace them with routers from a reputable company. The researchers also advised further steps: if you’ve been using these Jetstream or Wavlink routers, whether you choose to keep them or not, you should temporarily shut down the network, clean your computers of all malware and viruses, reset the passwords of the computers and online accounts. Taking these steps may prevent identity theft from happening and give you the peace of mind.