this router company made a HUGE mistake
This YouTube video discusses a critical vulnerability chain discovered by Team 82 in Roui Networks’ cloud-connected IoT routers. The key points are:
1. The Vulnerability Chain: The vulnerability isn’t a single bug, but a series of interconnected flaws allowing for remote code execution (RCE) on any Roui cloud-connected device.
2. Roui Networks: The company provides network infrastructure for large organizations, meaning these vulnerabilities impact potentially many locations (airports, hotels, etc.). Their cloud infrastructure centrally manages these devices.
5. Initial Access: Team 82 initially needed physical access to a device to exploit an (undisclosed) vulnerability, obtain a shell, and decrypt the firmware in order to find further vulnerabilities.
4. Cloud Communication: The researchers identified mqlink.elf as the binary responsible for communication between the devices and the Roui cloud, using the MQTT protocol.
7. Weak Authentication: The MQTT password was simply a SHA256 hash of the device’s serial number, which anyone who knows the serial can recompute. This is critically flawed because:
* Serial numbers are often publicly accessible (e.g., broadcast in Wi-Fi management frames).
* A serial number is a public identifier, not a secret, so deriving a password from it is incredibly insecure.
6. Remote Code Execution (RCE): By exploiting the weak authentication, attackers can publish commands to the MQTT broker, including commands that execute arbitrary code on the target device (the command “Dev config get module flow control UDP” was identified as vulnerable to command injection).
7. The Complete Exploit: The combined vulnerabilities allow for RCE with only knowledge of the device’s serial number, readily obtained from unencrypted Wi-Fi broadcasts.
8. Malicious Intent?: The presenter raises the question of whether this chain of vulnerabilities was accidental incompetence or a deliberate backdoor, given the severity and the ease of exploitation. The potential for nation-state actors acquiring this access is highlighted.
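To make points 5 and 7 concrete, here is an added example (not code from the video or from the vendor) contrasting the serial-derived MQTT password described above with a per-device random secret; the hardened scheme, the PBKDF2 parameters and the `CONSTRUCTED-SN-…` serials are assumptions for illustration.

```python
import hashlib
import hmac
import secrets

# Weak scheme as described in the video: the MQTT password is a SHA256
# digest of the serial, so anyone who knows the serial can recompute it.
def serial_derived_password(serial: str) -> str:
    return hashlib.sha256(serial.encode()).hexdigest()

def weak_verify(serial: str, password: str) -> bool:
    """Models a broker that accepts SHA256(serial) as the password."""
    return hmac.compare_digest(password, serial_derived_password(serial))

# Hardened scheme (assumed here, not the vendor's): each device receives a
# random secret at provisioning; the broker stores only a salted hash of it.
def provision_device(serial: str) -> tuple[str, dict]:
    secret = secrets.token_hex(32)
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)
    return secret, {"serial": serial, "salt": salt, "digest": digest}

def broker_verify(record: dict, serial: str, password: str) -> bool:
    """Constant-time check of a presented password against the stored record."""
    if serial != record["serial"]:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    record["salt"], 100_000)
    return hmac.compare_digest(candidate, record["digest"])

def derivable_from_serial(verify, serial: str) -> bool:
    """Can a party who knows only the public serial pass the check?"""
    return verify(serial, serial_derived_password(serial))

# Broker-side audit: flag credentials that still equal SHA256(serial), so
# devices on the weak scheme can be found and re-provisioned.
def flag_legacy_credentials(logins: dict) -> list:
    """logins maps serial -> password presented at login (constructed sample)."""
    return [s for s, p in logins.items()
            if hmac.compare_digest(p, serial_derived_password(s))]

if __name__ == "__main__":
    sn = "CONSTRUCTED-SN-0001"  # constructed sample serial
    print("weak scheme derivable from serial:", derivable_from_serial(weak_verify, sn))
    secret, rec = provision_device(sn)
    hardened = lambda s, p: broker_verify(rec, s, p)
    print("hardened scheme derivable from serial:", derivable_from_serial(hardened, sn))
    print("legacy devices:", flag_legacy_credentials({sn: serial_derived_password(sn),
                                                      "CONSTRUCTED-SN-0002": secret}))
```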