I Want a BHU Router

deanwebb · August 19, 2016, 12:24:21 PM

https://threatpost.com/multiple-vulnerabilities-identified-in-utterly-broken-bhu-routers/120015/

Not only does it have a hardcoded admin password... if you change it, it will rewrite the password back to the hardcoded version upon reboot.

Otanx · August 19, 2016, 12:46:51 PM

My favorite line in the article

Quote
It's unclear if the router's manufacturer, Beijing-based BHU Networks Technology Co., Ltd., is aware how insecure the router is. The company's email server immediately rejected an email request for comment from Threatpost on Friday.

The router may not be secure, but their mail server is extra secure.

-Otanx

deanwebb · August 19, 2016, 01:33:52 PM

It has to be. Gotta keep them protected from customer complaints.

Nerm · August 22, 2016, 08:00:06 AM

Wow I need to get those deployed in our DC as soon as possible lol.

deanwebb · August 22, 2016, 10:01:57 AM

Quote from: Nerm on August 22, 2016, 08:00:06 AM
Wow I need to get those deployed in our DC as soon as possible lol.

"So, what is your security baseline here?"
"Absolutely ZERO. Got BHU routers in, so there is zero expectation of security. We informed all our customers so that we have zero liability in this case."

Dieselboy · August 25, 2016, 11:55:53 PM

This reminds me of a customer we had when I was working in London back in around 2012. They had designed their network entirely with business Netgear stuff. One of the guys on my team were working on getting it set up. But it was basically a couple of switches, a "firewall" and an access point.

My colleague needed some help getting the IPSEC branch office VPN set up as it was not coming up (the remote site was running netgear as well). My colleague raised a support case with netgear and they done a webex type thing to allow them access. My colleague watched them set up the VPN and the VPN was working in a sense that you could ping internal addresses across the tunnel. He had some doubts that the VPN was not using encryption so he set up a quick capture and discovered that it was just IPinIP and no IPSEC. Netgear said they don't support encryption on their VPN tunnels.

This was back in 2012 though so things may have improved now.

Nerm · August 26, 2016, 08:02:03 AM

Quote from: Dieselboy on August 25, 2016, 11:55:53 PM
This reminds me of a customer we had when I was working in London back in around 2012. They had designed their network entirely with business Netgear stuff. One of the guys on my team were working on getting it set up. But it was basically a couple of switches, a "firewall" and an access point.

My colleague needed some help getting the IPSEC branch office VPN set up as it was not coming up (the remote site was running netgear as well). My colleague raised a support case with netgear and they done a webex type thing to allow them access. My colleague watched them set up the VPN and the VPN was working in a sense that you could ping internal addresses across the tunnel. He had some doubts that the VPN was not using encryption so he set up a quick capture and discovered that it was just IPinIP and no IPSEC. Netgear said they don't support encryption on their VPN tunnels.

This was back in 2012 though so things may have improved now.

Here is the progression of my thoughts as I read this story.

deanwebb · August 26, 2016, 10:52:09 AM

I think you left out a

and a

...

But, at the end of the day, I bet the boss was all like

Amirite or amirite?

Nerm · August 29, 2016, 08:09:33 AM

LOL