Ematic, Wavlink, Winstars, and Jetstream Wi-Fi Routers Have Hidden Backdoor

Key Takeaways

• All devices tested from Ematic, Wavlink, Winstars, and Jetstream contain a separate GUI accessible from the internet.
• Accessible GUI is easy to abuse by attackers to gain root access for routers, Wi-Fi devices.
• Built-in router firmware automatically scans nearby Wi-Fi networks and logs results to a locally saved file: getwifi.sh
• During testing with traffic capture, an attack was successfully carried out using the backdoor against the test device from Chinese IP within minutes of coming online, loading a script to join the Mirai Botnet.
• Devices are commonly sold as “affordable” options through Walmart, Ebay, and Amazon.

Security Researchers Discover Web-Accessible Backdoor in Popular Wi-Fi Routers

Researchers have discovered a hidden web-accessible backdoor within routers from companies including Jetstream, Wavlink, and Ematic. This particular backdoor would give an attacker remote access to the routers, and any devices connected to the network. These routers are marketed as an affordable option for Wi-Fi routers and sold at Walmart, on eBay, and on Amazon. While marketed under different names, the router companies share a similar, though difficult to track down, manufacturer “Winstars Technology”.

The devices display a GUI (graphical user interface) from an external WAN IP address that appears specifically designed for remote code execution. From the external GUI, there are three ways attackers can gain access: inspect element for root password in the JavaScript, login attempt when a user is active on the router (firmware does not check credentials, only looks for an existing session), or by downloading an unencrypted firmware backup which contains the set password. These three methods are difficult for the user to bypass because even if the end-user updates the password, each of these methods allows the attacker to retrieve the master password to access the target’s computer. Similarly, if the user updates their password, the endpoint will continue to receive the updated credentials.

Not only are the routers accessible from the Internet, but they can also log every Wi-Fi network in the area to a locally saved file in the bin directory named getwifi.sh. This hidden feature raises a lot of concern because now attackers can compromise the network and router and utilize it to access neighboring networks.

Investigating the Routers’ Backdoor Vulnerability

To further understand the hidden backdoor, researchers tested multiple devices that were part of the Winstars Technology family and found backdoors on every device. Part of the testing included setting up a network capture to look for active attacks. Within minutes, an attempt was made by a Chinese IP address, using the backdoor and now known vulnerability, to successfully upload a file containing a script to connect the device to the Mirai botnet. Mirai is malware that remotely infects devices connected to a network and abuses them the complete large-scale attacks. The Mirai malware was involved in the 2016 Dyn DNS cyberattack that took down large websites, including Netflix, Github, Twitter, CNN, and others. This type of activity indicates that cybercriminals are actively exploiting the critical vulnerability.

It could be code added to the firmware by a singular employee targeting user devices for a botnet. It could be a state-sponsored attack aimed at utilizing existing resources to further an agenda through data collection. No matter where the exploit originates, it is important to remember that once someone can gain root access to a router or gateway, they can view and control all of your network traffic.

Exploit Prevention and Mitigation Advice

This vulnerability is concerning to organizations due to the proliferation of home networks in use for enterprise activities due to COVID-19 and the lack of enterprise security controls on these adjacent networks. It is important to point out that there is a current, ongoing attack happening on these devices. When researchers tested one of the faulty routers, the test device was successfully compromised from the Internet within a few minutes of being plugged in. Every device tested was found to contain the backdoor, leading researchers to believe that potentially millions of devices could be or will be compromised using this method.

With 2020 coming to an end and IT departments looking for ways to finish out their 2020 budgets, we recommend you do not purchase routers, Wi-Fi extenders, or IoT devices from these companies and manufacturers. If your network has previously contained any of these devices, it is highly recommended to remove them, clean your machines, and change your passwords. If your employees work remotely, VerSprite recommends organizations send a company-wide email asking people to check for this list of devices in their home and to contact the IT department if they are using any of the listed brands. IT departments should work with their security leadership and partners to determine the best course of action to take if these devices are in use.

VerSprite’s Cybersecurity Threat Intelligence

VerSprite’s Threat Intelligence Group provides organizations with real-time threat monitoring, analysis, prevention recommendations, and mitigation. Our elite team works with companies across all industries and security maturity levels to defend against threats. For more information on Versprite’s Threat Intel Group or their managed monitoring tool, CTIP, contact one of our security advisers today.
Contact VerSprite →