A security expert analyzed a BHU Wi-Fi router and found that it is easy for an unauthenticated attacker to hack the device and access sensitive information.
Tao Sauvage, an expert from IOActive, analyzed a BHU Wi-Fi router that he purchased during a trip. The BHU Wi-Fi router looks like a surveillance box, but according to the expert's analysis, it is affected by multiple vulnerabilities.
The network device is completely pwnable by an unauthenticated attacker, who can access sensitive information.
The expert also explained that the BHU Wi-Fi router comes with hidden users, SSH enabled by default and a hardcoded root password … not so bad for an attacker, what do you think?
“The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges,” wrote Sauvage.
Sauvage used the UART debug pins to extract the firmware, analyzed it, and found multiple security vulnerabilities.
The expert noticed that the CGI script running everything reveals the session ID of the admin cookie, which means the session could easily be hijacked by an attacker, who then obtains admin privileges.
The BHU Wi-Fi router includes a hard-coded SID, 700000000000000; an attacker can get access to “all authenticated features” by presenting it to the router.
Once the above SID was presented to the device, it revealed the hidden user dms:3.
“So far, we have three possible ways to gain admin access to the router’s administrative web interface:
Provide any SID cookie value
Read the system logs and use the listed admin SID cookie values
Use the hardcoded hidden 700000000000000 SID cookie value
” explained Sauvage.
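A server-side session check that closes the three routes listed above, as an added example (not code from IOActive's analysis or from the router's firmware). The class name, the timeout and the log-tag format are assumptions: a SID is accepted only if the store issued it, no built-in value exists, and logs carry a short digest instead of the cookie itself.

```python
import hashlib
import secrets
import time

SESSION_TTL = 900  # seconds; assumed lifetime for this sketch


class SessionStore:
    """Session table: a SID is valid only if this store issued it."""

    def __init__(self, now=time.monotonic):
        self._sessions = {}  # sha256(SID) -> (user, expiry); raw SIDs are never kept
        self._now = now

    @staticmethod
    def _digest(sid):
        return hashlib.sha256(sid.encode()).hexdigest()

    def log_tag(self, sid):
        # Value to write to system logs: a truncated digest identifies the
        # session for troubleshooting but cannot be replayed as a cookie.
        return "sid#" + self._digest(sid)[:8]

    def issue(self, user):
        sid = secrets.token_hex(16)  # 128 bits from the OS CSPRNG
        self._sessions[self._digest(sid)] = (user, self._now() + SESSION_TTL)
        return sid

    def validate(self, sid):
        """Return the user for a live, issued SID, otherwise None."""
        if not isinstance(sid, str) or not sid:
            return None
        key = self._digest(sid)
        entry = self._sessions.get(key)
        if entry is None:
            return None  # never issued: arbitrary and hard-coded values stop here
        user, expiry = entry
        if self._now() >= expiry:
            del self._sessions[key]  # expired sessions are dropped on sight
            return None
        return user
```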
It is incredible: the BHU Wi-Fi router is full of security holes. The researchers also discovered that the device fails to perform XML address value sanitization, which allows an attacker to carry out an OS command injection. Sauvage claims that the router could be used by attackers to eavesdrop on the device traffic using a command-line packet analyzer like tcpdump, or to hijack it for other malicious purposes.
“At this point, we can do anything:
Eavesdrop the traffic on the router using tcpdump
Modify the configuration to redirect traffic wherever we want
Insert a persistent backdoor
Brick the device by removing critical files on the router.”
I invite you to take a look at the analysis published by IOActive. The number of issues affecting this specific device is amazing, and many others probably suffer from the same problems.
Let's hope the Chinese manufacturer that designed the device, BHU Networks Technology Co., is now aware of how insecure its router is.
Don't forget that many powerful botnets leverage compromised SOHO devices.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer.