Jetstream is the Walmart brand name for a line of cheap Chinese wifi base-station/routers; other popular, cheap brands like Wavlink and Winstars appear to come from the same manufacturer and they all share a grave security vulnerability: a powerful back-door.

A collaboration between @CyberNews_com, @jtcsec, @0xLupin and @Lexcor1 documents the back-door, attempts to connect multiple corporate identities to a common owner, and presents (very) rough estimate of the number of devices that share this defect.…

The researchers say that the back-door allows remote parties to "monitor and control all traffic coming through" affected devices, using an undocumented web-form that accepts commands and runs them as root.

This form has only the crudest security, checking to see if there's ANY user activity on the network before allowing access. The researchers claim this as evidence that this is a deliberate back-door and not a forgotten testing feature or error.

They also document a hidden feature that causes routers to enumerate nearby routers. While they say there's no reason for this to exist, I can think of at least two: first, for dynamic frequency selection to avoid interference, and second, to set up relaying services.

However, I agree with their contention that such a feature would be useful to the spread of malicious software that exploits the same back-door.

I'm more dubious of their implied claim that all of this represents some kind of Chinese state intervention in product design in order to facilitate surveillance and/or cyberwarfare.

It's true that China (and other world powers, notably the USA) have covertly and overtly weakened device security as part of their cyberoffense efforts. But it's also true that vendors make this kind of stupid mistake all the time, without government encouragement.

Remember when Chrysler shipped millions of internet-connected Jeeps whose main security was that the connectivity came from Sprint and since no one uses Sprint, no one would be on the same network as the Jeeps?…

Chinese white-label firms are notorious for building idiotically insecure devices that are sold under multiple brand names, in ways that lead to real harms to their owners, and there's no indication that this was malice - rather, it was indifference.…

Which is not to say that Chinese cyberwarriors wouldn't exploit these defects - as would their US and other foreign counterparts. Indeed, a major impediment to the passage of good cybersecurity regulation is the extent to which spy agencies rely on insecure IoT devices.

And of course, that's just one form of blowback. Vulnerabilities are also useful to cybercriminals, and that's why both China and the US are under continuous, nation-scale, punishing ransomeware and Mirai attacks.

It seems like there's at least one Mirai version that targets the Jetstream back-door. But then again, Mirai is an aggressive little fucker that also targets high-end, Sony equipment.…

I think the geopolitics of this thing isn't "Chinese spies coerced a manufacturer into riddling its products with vulnerabilities." It's: "In the absence of regulation and liability, companies make insecure products."

And also: "Spies do what they can to prevent regulation because they like insecure products."

And finally: "Criminals love the insecurities that reckless companies create and governments fail to punish."

Oh, and "Walmart's procurements process is garbage and you should throw away your Walmart router."


• • •

Missing some Tweet in this thread? You can try to force a refresh

Keep Current with Cory Doctorow #BLM

Cory Doctorow #BLM Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!


Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @doctorow

26 Nov
Follow Us to Walt Disney World (1984)…
Follow Us to Walt Disney World (1984)…
Follow Us to Walt Disney World (1984)…
Read 5 tweets
25 Nov
Today's Twitter threads (a Twitter thread).

Inside: Tech in SF; Office 365 spies on employees for bosses; A state-owned Amazon; Random Penguin to buy Simon & Schuster; and more!

Archived at:…


1/ Image
On Monday, Nov 30, I'm giving a talk based on my short book "HOW TO DESTROY SURVEILLANCE CAPITALISM" as part of McGill University's Beaverbrook Lectures; it's a counterpoint to a lecture delivered by Shoshanna Zuboff last Monday. It's free to attend:…

2/ Image
Tech in SF: Annalee Newitz and Ken Liu in the final Attack Surface Lecture.

3/ Image
Read 20 tweets
25 Nov
Publishing is dominated by just five giant players: Penguin Random House, Hachette, Simon & Schuster, Harpercollins and Macmillan.

1/ Image
Within that five-company oligarchy, one company stands out as a true monopolist: Penguin Random House, the megafirm created when Random House's owner, Bertelsmann, executed a merger-to-monopoly by buying Penguin in 2013.

Now, Penguin is about to effect another monopolistic merger, by acquiring Simon & Schuster from Viacom, which bought the company in 1994. The acquisition was always a bad fit: it was driven by a desire to create a vertical monopoly.

Read 11 tweets
25 Nov
In most of the world, the lockdown has destroyed small businesses while increasing the profits of Big Tech intermediaries like Amazon, who control access to customers on one side, and access to merchants on the other.

1/ Image
The government of Argentina is trying to avert this fate. Their postal service is launching a "state-owned Amazon" called Correo Compras, which will offer low-cost ecommerce listings to businesses, and do fulfilment through postal workers.

Correo Compras competes directly with Mercadolibre, a latinamerican ecommerce titan with a well-deserved reputation for squeezing suppliers and workers - its deliveries are made by precarious gig economy drivers.…

Read 18 tweets
25 Nov
The Shitty Tech Adoption Curve describes the process by which oppressive technology is normalized and distributed through all levels of society. The more privilege someone has, the harder it is to coerce them to use dehumanizing tech, so it starts with marginalized people.

1/ Image
Asylum seekers, prisoners and overseas sweatshop workers get the first version. Its roughest edges are sanded off against their tenderest places, and once it's been normalized a little, we inflict it on students, mental patients, and blue collar workers.

Lather, rinse, repeat: before long, everyone's been ropted in. If your meals were observed by a remote-monitored CCTV 20 years ago, it was because you were in a supermax prison. Today, it's because you bought a home video surveillance system from Google/Apple/Amazon.

Read 18 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!

Follow Us on Twitter!