Pierluigi Paganini August 22, 2016

A security expert analyzed a BHU Wi-Fi router and found that it is easy to hack by an unauthenticated attacker that can access sensitive information.

Tao Sauvage, an expert from IOActive, has analyzed a BHU Wi-Fi router that he purchased during a travel. The BHU Wi-Fi router appears like a surveillance box, but according to the analysis of the experts, it is affected by multiple vulnerabilities.

The network device is completely pwnable by an unauthenticated attacker that can access sensitive information.

The expert also explained that the BHU Wi-Fi router comes with hidden users, SSH enabled by default and a hardcoded root password … not so bad for an attacker, what do you think about?

Last scaring discovery about the Chinese-made router is that it injects a third-party JavaScript file into all users’ HTTP traffic.

“The BHU WiFi uRouter, manufactured and sold in China, looks great – and it contains multiple critical vulnerabilities. An unauthenticated attacker could bypass authentication, access sensitive information stored in its system logs, and in the worst case, execute OS commands on the router with root privileges.” wrote Sauvage.”

Sauvage has exploited the UART debug pins to extract the firmware and analyzed it, it has found multiple security vulnerabilities.

The expert noticed that the CGI script running everything reveals the session ID of the admin cookie, this means that it could easily hijacked by an attacker that obtains admin privileges.

The BHU Wi-Fi router includes a hard-coded SID, 700000000000000, an attacker can get access to “all authenticated features” by presenting it to the router.

Once presented the above SID to the device, it revealed the hidden user dms:3.

“So far, we have three possible ways to gain admin access to the router’s administrative web interface:

•          Provide any SID cookie value
•         Read the system logs and use the listed admin SID cookie values
•         Use the hardcoded hidden 700000000000000 SID cookie value

” explained Sauvage.

It is incredible, the BHU Wi-Fi router is full of security holes, the researchers also discovered that the device fails to perform XML address value sanitization, this allows an attacker to carry out an OS command injection. Sauvage claims that the router could be used to eavesdrop on router traffic using a command-line packet analyzer like

The router could be used by attackers to eavesdrop on the device traffic using a command-line packet analyzer like tcpdump or to hijack it for other malicious purposes.

“At this point, we can do anything:

• Eavesdrop the traffic on the router using tcpdump
• Modify the configuration to redirect traffic wherever we want
• Insert a persistent backdoor
• Brick the device by removing critical files on the router “.

I invite you to give a look to the analysis published by IOActive, it is amazing the number of issues affecting this specific device, and probably many others suffer the same problems.

Lets hope the Chinese manufactured that designed the device, the BHU Networks Technology Co., is now aware how insecure is its router.

Don’t forget that the many powerful botnets leverages on compromised SOHO devices.

[adrotate banner=”9″]

Pierluigi Paganini

(Security Affairs – BHU Wi-Fi router, SOHO router)