How to enable privacy on your WifiRanger

[redbaron]

For those that may not have been following the events of the past week, I have been pushing for Winegard to allow users to turn of Telemetrics in their system. This includes their ability to remotely access your network.

Initially they insisted it wasn't possible.

Today, the information has been shared informally with the promise of an official statement soon.

Here is a cut and paste from @docj

As long as you trust me to post accurate WFR information you can follow these directions until they are posted on the WiFiRanger website.

1. Make sure you are on current firmware (version 7.1.0b11) and that your Ranger is online

2. Click on the Check for Updates/Cloud Disconnected link in the upper right corner of every WiFiRanger control panel page until blue bars start to scroll. They will scroll for a couple of minutes; you may have to click twice.

3. Login in to admin page at control panel IP with /admin; Default password is admin/wfradmin (you will need to use the numeric address for the control panel, not mywifiranger.com)

4. click on the SETUP tab

5. Turn off "Sync Data"

6. Select "Admin" profile dropdown; Load the "WFR Disable Remote Assistance"

I fully expect that WiFiRanger will post a technical service bulletin in the next few days to formally document this feature.

I appreciate your assistance in helping to identify and resolve this issue.

However, anyone contemplating using this feature should understand that your Ranger will no long automatically indicate the presence of firmware updates as long as it is in effect. Nor will you be able to download any such updates until you reverse your actions and re-enable Remote Assistance.

Similarly, the WiFiRanger Customer Service team will not be able to perform many diagnostic functions in the event of a problem with your Ranger. If you have a problem with your Ranger, please re-enable Remote Support before contacting Customer Service.

 

[docj]

For those that may not have been following the events of the past week, I have been pushing for Winegard to allow users to turn of Telemetrics in their system. This includes their ability to remotely access your network.

Initially they insisted it wasn't possible.

Today, the information has been shared informally with the promise of an official statement soon.

Here is a cut and paste from @docj

I just noticed that I should have put a SAVE as the final step in the process. It's probably obvious to most people that when you make changes you should save them, but I wanted to make sure everyone was aware.

 

[redbaron]

I just noticed that I should have put a SAVE as the final step in the process. It's probably obvious to most people that when you make changes you should save them, but I wanted to make sure everyone was aware.

Thanks again.

 

[redbaron]

Update:

After running the secure profile it is very evident that Winegard did not actually make any privacy changes. This is actively being discussed on another site as we go thru the issues. I will post back once we have a final determination.

I am hoping that the rush job to enable privacy is to blame and that a more complete action will be forth coming from Winegard. It is very clear they did ever think about privacy for end users prior to me raising the issue.

 

[docj]

After running the secure profile it is very evident that Winegard did not actually make any privacy changes. This is actively being discussed on another site as we go thru the issues. I will post back once we have a final determination.

Over the past 10 years, I’ve been able to earn the trust of many people in the online RV community, and I hope that you will accept this post in the spirit in which it is offered.

WiFiRanger’s position is that using the “fix” posted yesterday disables all access to a customer’s WiFiRanger router.

Some members of the IRV2 community are concerned that even with this fix in use WiFiRanger continues to maintain access to customers’ routers. I can tell you that this is simply incorrect.

Even though we would normally prefer not to “reverse engineer” our products in public, we can state unequivocally that the pings noted by Red Baron 73 in his post don’t exist with any nefarious intent.

The WFR checks whytemesh.com/success 204.php, admin.wifiranger.com/shaper_post.php and wifiranger.com/success 204.php every now and again to make sure it's still up and running. The "Online" / "Offline" indication can be seen on the Main tab. These domains are used by this service. We use ICMP and ping 66.162.142.31 to reduce overhead between HTTP header checks (searching for a 204 header from success 204.php) ( admin.wifiranger.com ).

Any other packets transferred to any WiFiRanger servers are only for the purpose of the router being able to insure it is online and can take over routing needs for upstream clients.

As for pinging an AWS/ADUPS server that statement is somewhat correct but the blame is misdirected.; our Quectel modems ping AWS/ADUPS sites in order to obtain FOTA ( firmware over the air updates ). WiFiRanger doesn’t control Quectel firmware ( https://quectel.com/ ), you're more than welcome to read more about these LTE modules on their web-site. Anyone who doubts this is free to remove the modems from their routers to verify that those pings are no longer present.

As for the whytemesh.com domain being registered so as to avoid identification, its name originated with the last name of one of the people involved with its registration to which the term was affixed as a joke.

For proprietary reasons, I don’t intend to reveal any additional aspects of our design.

Those of you in the community who have read my posts can either believe me or not.

I will make the absolute statement that when the “disable remote assistance” feature is enabled, WiFiRanger has no access to your router! I have verified this information with WiFiRanger’s lead design engineer, who is well known to some of you.

Joel (AKA docj)

 

[redbaron]

Joel:

We know that in 2018 wifi ranger had an exploit and private keys where leaked.

The ports open at the time where common ports. The answer was to move to non common ports and command control to open those.

I am asserting that a single ping is all that is necessary for your team to gain access. That packet of data includes the unique Id of the unit, time stamp, and ip address. Further the unit has the ability to receive a command from the multiple command servers it talks to.

As far as the suggestion that the modem is to blame..that is incorrect. The modem was not physically installed.

This activity was collected in the same manner that all forensic data is collected in a controlled environment.

Until the router stops calling home, it is insecure and not trust worthy.

I too have credibility.

I also do not financially benefit from either course of action taken. I am doing this as a volunteer to aid those that cannot defend themselves.

I am not alone in this effort.

The packet captures speak for themselves.

 

[redbaron]

@Suburbazine has been working with me on this research. All of the data captures so far have been his work.

Welcome to RV Forums!

 

[docj]

The “random pings” that have been observed coming from WiFiRanger routers are time synchronization pings generated as part of the Network Time Protocol (NTP) all of which are on port 123.

Servers from all over the world are involved in providing time synchronization references to millions of devices. Some of these servers are, in fact, in China, as well as in many other countries.

Even though there’s clearly nothing nefarious about the use of these NPT servers, in our next firmware update we plan to restrict the server pool to US-only servers.

I hope this will put an end to this discussion.

 

[redbaron]

These are not UDP 123 connections we are talking about. These are HTTP Post / HTTP Get messages.

These are actual data logging packets as clearly shown in the packets we captured. Please review these again. You will clearly see that these are data packets sending and receiving data.

Joel -- I know you are reading from a company script, and I don't fault you personally, but that script is full of inaccurate information. It would be best for Winegard and Wifi Ranger if you all took time to review our data and make a decision on your official stance.

If you intend to provide real privacy, feel free to reach out to myself and the others here to validate your claims. You will find that we will be just as willing to provide positive feedback once it happens.

If you do not intend to provide real privacy, then I humbly suggest you stop trying to act like you are. There are many IT security professionals involved in this effort right now, and you will not be able to trick us or hide your actions. It would be best to make a statement that you are not going to make any changes, and then let the consumer decide for themselves if they are comfortable with your product.


All -- ignore the various misinformation about NTP data. We show that in our connections as well. We are focused on the command and control and other data connnections not related to DNS and NTP.

Here is one example.

There are many more, including the china connections.

The company is playing games with smoke and mirrors. Any professional can read our public posted data logs to see the claims we are making are accurate.

Further, and professional can replicate these claims on their devices.