It must be crowded on these devices by now - it may be a bit misleading to think of it as a single botnet when there are multiple unrelated entities controlling the same devices via the same methods.
How is it not obvious to everyone reading HN that janky Android "TV" boxes (like the article references) are a by-default threat?
Like seriously, many of them are sold for stupid cheap prices like $5/ea. Or advertise unlimited movies/shows/etc for similarly unbelievable prices.
Putting aside the copyright infringement aspect of it, to me it's extremely obvious "wait... _why_ am I paying so little here?".
No, it's not because movies and shows are 99.9999% profit (spoiler: they aren't), it's because you're _paying_ to install a backdoor that will rip and tear everything on your network it can.
You like having a credit card? That's precious, it's mine now.
> it's because you're _paying_ to install a backdoor that will rip and tear everything on your network it can.
I mean, maybe. More likely imo you're paying for the absolute cheapest hardware and fastest never-updated software someone could throw together and make _any_ profit on. Someone probably had 100k shitty little chips sitting in a warehouse and this was a way to do something with them.
The outcome is really the same, it's just the steps to get there are more human nature.
Even many TVs with "reputable" western brand names, on the shelf at major US retailers, are often sold at a loss on the hardware and the difference is made up by collecting advertising data.
Brand damage; The big players have more to loose from being caught installing backdoors on devices sold to the general public, and will probably put in something in the T&Cs to deflect their responsibilities.
> Or advertise unlimited movies/shows/etc for similarly unbelievable prices.
I mean, it's pretty obvious the services are paid piracy. But it's got to cost something to pull VOD movies from wherever and serve them with an http server limited at 8 mbps even for content that exceeds that. Obviously someone doesn't want the content they stole to be easy to steal... too bad you can't reasonably play it either. :P
Shit man my Pet Feeder setup a back door to my network.. ended up reverse engineering the entire tuya piece of shit just so I could keep the automatic feeder running.
Fucking everyone is spying. I started downloading and decrypting apps from the App Store. It’s a god damn nightmare. Random apps are storing keys in the keychain (thanks expo!) that never leave our apple account. They follow us forever. You can’t delete them. Well.. there’s one way but it involves backing up your phone, putting it in recovery mode, and restoring from backup.
usually lan devices do not talk to the router unless they need a resource outside your lan network
you can however isolate with vlans and a vlan capable switch, then it would be on the router to isolate traffic between lans (I do exactly this for my less trusted virtual machines)
Heads up that even if you block local forwarding in the router, it won't always be enough to prevent devices talking to each other over, say, an unmanaged switch or a wifi link.
Some (even cheap) unmanaged switches have a "vlan" or "isolation" switch that does exactly that, where only one or two "uplink" or "wan" ports can talk to the rest. If you have a managed switch, vlans is what most people would use for isolation.
On the software side you could also assign /32 IPv4 addresses only and add explicit ip route for the router only.
Sometimes; I've seen it called client isolation or something like that. Or, yeah, if you can get under the hood it's probably as easy as one or two iptables rules (or nftables or whatever).
> to relay malicious and abusive Internet traffic — such as ad fraud, account takeover attempts and mass content scraping
Oh no, let me get my tiny violin! Really hard to feel bad here. For most home users (that don’t expose anything sensitive on their LAN) these boxes are not a threat, seem to be doing a useful service in providing a superior streaming service that the balkanized official ones, and also shits on internet spammers/advertisers and frees up loginwalled content - sounds like a pretty good box really.
You can buy a better one that does not have malware installed. So these are complete and total garbage and no sane person should run them under any circumstance. Sounds like you have a bias which has prevented you from thinking about this clearly.
> However, shipping these devices with ADB turned on creates a security nightmare because in this state they constantly listen for and accept unauthenticated connection requests.
I'm confused. I intentionally use ADB over the network sometimes, and I have to explicitly interactively allow each adb client by its key. Are they shipping boxes with adb configured to just allow any connection without any verification?
That article has a more technical lens. It focuses primarily on the size and detection evasion methods of Kimwolf, rather than some notable (and definitely not unique) method of spreading.
Without looking too deeply, I'm going to assume that this is a successful botnet because it managed to get into product supply lines at big box stores and in app store games, rather than some clever virus that is spreading across the world.
29 comments
[ 2.9 ms ] story [ 63.9 ms ] threadIt must be crowded on these devices by now - it may be a bit misleading to think of it as a single botnet when there are multiple unrelated entities controlling the same devices via the same methods.
Like seriously, many of them are sold for stupid cheap prices like $5/ea. Or advertise unlimited movies/shows/etc for similarly unbelievable prices.
Putting aside the copyright infringement aspect of it, to me it's extremely obvious "wait... _why_ am I paying so little here?".
No, it's not because movies and shows are 99.9999% profit (spoiler: they aren't), it's because you're _paying_ to install a backdoor that will rip and tear everything on your network it can.
You like having a credit card? That's precious, it's mine now.
Look at me, I'm the network now.
I mean, maybe. More likely imo you're paying for the absolute cheapest hardware and fastest never-updated software someone could throw together and make _any_ profit on. Someone probably had 100k shitty little chips sitting in a warehouse and this was a way to do something with them.
The outcome is really the same, it's just the steps to get there are more human nature.
https://www.broadbandtvnews.com/2024/11/18/tv-companies-sell...
> you just have to look at the finances of Vizio or Roku to see they’re selling TVs at somewhere between -3 and -7% margin
How is this different from buying hardware and software from big market players?
Why it's not obvious to every Senator and Representative in our Government is frustrating to an extreme.
We really do need to end our enhance our trade protections one way or another.
Why? How does this impact your life enough to be that frustrating?
I mean, it's pretty obvious the services are paid piracy. But it's got to cost something to pull VOD movies from wherever and serve them with an http server limited at 8 mbps even for content that exceeds that. Obviously someone doesn't want the content they stole to be easy to steal... too bad you can't reasonably play it either. :P
Fucking everyone is spying. I started downloading and decrypting apps from the App Store. It’s a god damn nightmare. Random apps are storing keys in the keychain (thanks expo!) that never leave our apple account. They follow us forever. You can’t delete them. Well.. there’s one way but it involves backing up your phone, putting it in recovery mode, and restoring from backup.
you can however isolate with vlans and a vlan capable switch, then it would be on the router to isolate traffic between lans (I do exactly this for my less trusted virtual machines)
Some (even cheap) unmanaged switches have a "vlan" or "isolation" switch that does exactly that, where only one or two "uplink" or "wan" ports can talk to the rest. If you have a managed switch, vlans is what most people would use for isolation.
On the software side you could also assign /32 IPv4 addresses only and add explicit ip route for the router only.
Oh no, let me get my tiny violin! Really hard to feel bad here. For most home users (that don’t expose anything sensitive on their LAN) these boxes are not a threat, seem to be doing a useful service in providing a superior streaming service that the balkanized official ones, and also shits on internet spammers/advertisers and frees up loginwalled content - sounds like a pretty good box really.
You can buy a better one that does not have malware installed. So these are complete and total garbage and no sane person should run them under any circumstance. Sounds like you have a bias which has prevented you from thinking about this clearly.
I'm confused. I intentionally use ADB over the network sometimes, and I have to explicitly interactively allow each adb client by its key. Are they shipping boxes with adb configured to just allow any connection without any verification?
https://blog.xlab.qianxin.com/kimwolf-botnet-en/#network-pro...
That article has a more technical lens. It focuses primarily on the size and detection evasion methods of Kimwolf, rather than some notable (and definitely not unique) method of spreading.
Without looking too deeply, I'm going to assume that this is a successful botnet because it managed to get into product supply lines at big box stores and in app store games, rather than some clever virus that is spreading across the world.
I hope someone will correct me if I am mistaken!
14 emelia terrace west roxbury ma 02132 . su
As for your assumption the OP talks about how it uses residential proxies to get into lans, I don’t think it is a supply chain attack.