BHU Wi-Fi Router Inundated With Security Holes: Researchers

Security researchers at IOActive have discovered multiple security vulnerabilities in the BHU Wi-Fi “uRouter,” a device that is manufactured and sold in China.

According to the security testing firm, an unauthenticated attacker looking to compromise these devices could bypass authentication, access sensitive information stored in the router’s system logs, and even execute OS commands with root privileges. Moreover, the device was found to ship with hidden users, with SSH enabled by default, and with a hardcoded root password, in addition to injecting a third-party JavaScript file into all users’ HTTP traffic.

Although it is a nice-looking device, the router is a nightmare when it comes to security, IOActive’s Tao Sauvage explains. Built specifically for the Chinese market, the router’s web interface was of no use to an English speaker, so the researcher decided instead to extract the firmware and analyze it.

After gaining access to the firmware, the researchers took a closer look at the handler for GET requests and discovered the first security flaw, a path traversal, though restricted to .html files. Next, there’s the lack of authentication when accessing the router’s system logs, despite the fact that the logs do contain sensitive information.

Among these sensitive details, the researchers discovered the session ID (SID) value of the admin cookie, which allows an attacker to hijack the admin session and reboot the device. What’s more, even if the admin never logged in, an attacker could still use the hardcoded SID: 700000000000000 for this nefarious operation. Even worse, the SID is constant across reboots and the admin has no way of changing it, which means that an attacker has access to all authenticated features.

But things go further downhill, the researchers reveal: the router also includes a hidden user called dms:3, which could be a backdoor account. Moreover, the router was found to accept whatever SID cookie value is provided to it as proof that the user is authenticated.

Once the researchers determined that the router could be accessed as administrator, they attempted to gain root privileges and discovered that OS command injection was indeed possible. According to IOActive, the command runs with root privileges but needs to be HTML encoded so that the XML parsing is successful.

“The security of this router is so broken that an unauthenticated attacker can execute OS commands on the device with root privileges! It was not even necessary to find the authentication bypass in the first place, since the router uses 700000000000000 by default when no SID cookie value is provided,” the security researchers explain.
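The session-handling failures described above (a constant SID, a silent fallback to it when no cookie is sent, and acceptance of any supplied SID value) are modelled below beside a server-side session check that avoids them. This is an added illustration written for this article, not IOActive's or BHU's code; the class and method names are assumptions, and only the SID value comes from the text.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Constant admin SID reported in the article.
HARDCODED_SID = "700000000000000"


class VulnerableSessionCheck:
    """Models the behaviour the article describes (assumed, not the firmware's
    code): a missing SID cookie falls back to the hardcoded value, and any SID
    that is supplied is accepted as proof of authentication."""

    def is_authenticated(self, cookies: Dict[str, str]) -> bool:
        sid = cookies.get("sid", HARDCODED_SID)  # silent default to a known value
        return bool(sid)  # mere presence of a value is treated as proof


class HardenedSessionCheck:
    """Server-side session table: a random SID is minted only after a successful
    login, compared in constant time, and discarded after a fixed lifetime."""

    def __init__(self, lifetime_s: int = 900) -> None:
        self._sessions: Dict[str, tuple] = {}  # sid -> (user, expiry timestamp)
        self._lifetime = lifetime_s

    def login(self, user: str, password_ok: bool) -> Optional[str]:
        if not password_ok:
            return None
        sid = secrets.token_hex(32)  # 256 random bits, not guessable or constant
        self._sessions[sid] = (user, time.time() + self._lifetime)
        return sid

    def is_authenticated(self, cookies: Dict[str, str]) -> bool:
        sid = cookies.get("sid")
        if not sid:
            return False  # no fallback: an absent cookie is not a session
        for known, (_, expiry) in list(self._sessions.items()):
            if hmac.compare_digest(known, sid):
                if time.time() < expiry:
                    return True
                del self._sessions[known]  # expired: drop it and deny
                return False
        return False  # unknown SID values are never accepted

    def logout(self, sid: str) -> None:
        self._sessions.pop(sid, None)
```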

An attacker who successfully compromises the router could eavesdrop on its traffic using tcpdump, modify the configuration to redirect traffic wherever they want, insert a persistent backdoor, or brick the device by removing critical files from it. Moreover, there are no default firewall rules to prevent attackers from reaching the feature from the WAN if the router is connected to the Internet.

Not only was the security of the router broken, but the researchers also discovered that the BHU WiFi uRouter enables SSH by default at boot and that it rewrites its hardcoded root-user password every time it boots up. The admin cannot modify or remove the hardcoded password, but anyone “who knows the bhuroot password can SSH to the router and gain root privileges,” the researcher says.

BHU WiFi uRouter also has Privoxy installed on it, a non-caching web proxy with “advanced filtering capabilities for enhancing privacy.” The router uses Privoxy to process all HTTP requests with the filter named ad-insert, which appends a script tag at the end of the body. This script includes a JavaScript file hosted on a server accessible only from China.

“The BHU WiFi uRouter I brought back from China is a specimen of great physical design. Unfortunately, on the inside it demonstrates an extremely poor level of security and questionable behaviors. In addition, the BHU WiFi uRouter injects a third-party JavaScript file into its users’ HTTP traffic. While it was not possible to access the online JavaScript file, injection of arbitrary JavaScript content could be abused to execute malicious code in the user’s browser. Further analysis of the suspicious BHU WiFi kernel modules loaded on the uRouter at startup could reveal even more issues,” the researchers conclude.

Related: Apple Patches RCE Flaw in AirPort Routers

Related: Quanta Routers Plagued by Many Unpatched Flaws
