I Want a BHU Router

Started by deanwebb, August 19, 2016, 12:24:21 PM


deanwebb

https://threatpost.com/multiple-vulnerabilities-identified-in-utterly-broken-bhu-routers/120015/

Not only does it have a hardcoded admin password... if you change it, it will rewrite the password back to the hardcoded version upon reboot.

:awesome:
Take a baseball bat and trash all the routers, shout out "IT'S A NETWORK PROBLEM NOW, SUCKERS!" and then peel out of the parking lot in your Ferrari.
"The world could perish if people only worked on things that were easy to handle." -- Vladimir Savchenko
Any questions? No questions! | BCEB: Belkin Certified Expert Baffler | "Plan B is Plan A with an element of panic." -- John Clarke
Accounting is architecture, remember that!
Air gaps are high-latency Internet connections.

Otanx

My favorite line in the article

Quote
It's unclear if the router's manufacturer, Beijing-based BHU Networks Technology Co., Ltd., is aware how insecure the router is. The company's email server immediately rejected an email request for comment from Threatpost on Friday.

The router may not be secure, but their mail server is extra secure.

-Otanx

deanwebb

It has to be. Gotta keep them protected from customer complaints.

Nerm

Wow I need to get those deployed in our DC as soon as possible lol.

deanwebb

Quote from: Nerm on August 22, 2016, 08:00:06 AM
Wow I need to get those deployed in our DC as soon as possible lol.

"So, what is your security baseline here?"
"Absolutely ZERO. Got BHU routers in, so there is zero expectation of security. We informed all our customers so that we have zero liability in this case."

:greatoffer:

Dieselboy

This reminds me of a customer we had when I was working in London back in around 2012. They had designed their network entirely with business Netgear stuff. One of the guys on my team was working on getting it set up. But it was basically a couple of switches, a "firewall" and an access point.

My colleague needed some help getting the IPsec branch office VPN set up as it was not coming up (the remote site was running Netgear as well). My colleague raised a support case with Netgear and they did a WebEx-type thing to allow them access. My colleague watched them set up the VPN and the VPN was working in a sense that you could ping internal addresses across the tunnel. He had some doubts that the VPN was not using encryption so he set up a quick capture and discovered that it was just IPinIP and no IPsec. Netgear said they don't support encryption on their VPN tunnels.
:barf:
This was back in 2012 though so things may have improved now.

Nerm

Quote from: Dieselboy on August 25, 2016, 11:55:53 PM
This reminds me of a customer we had when I was working in London back in around 2012. They had designed their network entirely with business Netgear stuff. One of the guys on my team was working on getting it set up. But it was basically a couple of switches, a "firewall" and an access point.

My colleague needed some help getting the IPsec branch office VPN set up as it was not coming up (the remote site was running Netgear as well). My colleague raised a support case with Netgear and they did a WebEx-type thing to allow them access. My colleague watched them set up the VPN and the VPN was working in a sense that you could ping internal addresses across the tunnel. He had some doubts that the VPN was not using encryption so he set up a quick capture and discovered that it was just IPinIP and no IPsec. Netgear said they don't support encryption on their VPN tunnels.
:barf:
This was back in 2012 though so things may have improved now.

Here is the progression of my thoughts as I read this story.

:kramer:
:facepalm2:
:hankhill:
:no:

deanwebb

I think you left out a :zomgwtfbbq: and a :wha?: and a :jackie-chan: and a :shock: ...

But, at the end of the day, I bet the boss was all like

:notbad:

Amirite or amirite?

Nerm