I Hacked This Temu Router. What I Found Should Be Illegal.

Low Level
2 Mar 2026, 15:45

Summary

TL;DR: In this video, the creator walks through a bug-hunting adventure on a $5 device from Temu that had over 100,000 sales. They uncover serious security flaws in the device's firmware, starting with a simple command injection that reboots the device and leads to deeper discoveries. By extracting the firmware and reverse-engineering it, the creator identifies several potential exploits, including a further command injection and a way to gain shell access via `tnetd`. The video concludes with a discussion of responsible disclosure, since the device's manufacturer could not be identified.

Takeaways

  • 😀 A popular hobby is buying cheap, often insecure devices to explore their vulnerabilities and improve security.
  • 😀 Command injection is a common vulnerability in embedded devices, and it can be exploited to trigger system actions such as a reboot.
  • 😀 Soft-bricking a device can, through its recovery path, expose hidden functionality in the device's firmware or web interface.
  • 😀 Firmware extraction can be an unexpected but crucial step when reversing embedded devices, especially when a factory reset reveals hidden functionality.
  • 😀 Decompiling the firmware with tools like Ghidra helps reverse engineers identify critical vulnerabilities in device binaries and web servers.
  • 😀 Hardcoded strings in the firmware, such as `wizard_config`, can point to entry points for further exploitation.
  • 😀 The time-configuration handler could be exploited through simple input manipulation, allowing arbitrary command execution on the device.
  • 😀 Tools like `tnetd` can facilitate remote command execution on vulnerable devices by exposing a shell over the network.
  • 😀 Responsible disclosure of vulnerabilities is important, but finding the manufacturer of a cheap, no-name device can be difficult, leaving no clear path for reporting the issues.
  • 😀 Ethical hacking can help uncover security issues in everyday devices, raising awareness of potential risks in consumer electronics and IoT products.

Q & A

  • What motivated the speaker to test this particular embedded device?

    - The speaker enjoys buying inexpensive and unusual devices to look for security vulnerabilities, particularly because embedded devices often have poor security.

  • How did the speaker initially identify a vulnerability in the device?

    - The speaker suspected that the device passed the Wi-Fi password directly to a system call without sanitization, so they attempted a command injection using a simple command (reboot) to test for it.

  • What happened when the speaker successfully executed the reboot command injection?

    - The injected password was stored in NVRAM, so the device re-ran the injected reboot on every boot and entered a reboot loop, effectively soft-bricking itself.

  • How did the speaker recover from the soft-bricked state?

    - They held the reset button for 60 seconds to trigger a factory reset, which exposed the low-level diagnostic 'breed' web interface and allowed further investigation.

  • What method did the speaker use to extract the device firmware?

    - The speaker used the firmware download feature in the breed web interface to obtain the full firmware image (`full.bin`), then ran `binwalk` to recursively extract the filesystem.

  • Which tools were used for reverse engineering the device firmware?

    - The speaker used Ghidra to decompile and analyze the web server binary (`comm`), locating the vulnerable functions and tracing how user input was processed.

  • What specific vulnerability did the 'time config' function have?

    - It stored user input in a statically defined buffer without proper sanitization, allowing command injection through the 'time' parameter.

  • Why was the `tnetd` binary not immediately useful for gaining a shell?

    - The speaker ran into problems starting `tnetd`, because of how spaces in the HTTP parameter were encoded (IFS issues) and possible restrictions in the binary, so the first attempt at a bind shell failed.

  • How did the speaker ultimately gain root shell access on the device?

    - They used the device's `upload.cgi` endpoint to upload a custom script that launched a telnet server running as root on port 4444, which they then connected to with netcat.

  • What challenges did the speaker face in attempting responsible disclosure?

    - They were unable to identify the device manufacturer, making it impossible to report the vulnerabilities directly; this is a common problem with anonymous or generic IoT devices.

  • What educational insights does this video offer to viewers?

    - The video demonstrates the full workflow of embedded device security research: vulnerability discovery, firmware extraction, reverse engineering, command execution, and gaining shell access, with an emphasis on ethical experimentation in a controlled environment.

  • Why is it significant that the device was a best-selling, inexpensive product?

    - Because it means thousands of consumers could be using a device with serious security flaws, which makes these vulnerabilities high-impact from a real-world security perspective.
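The Wi-Fi password injection described above, as an added example that is neither the video's nor the device's code: the vulnerable pattern (user input spliced into a `system()` command line) beside a hardened handler that validates the passphrase and invokes the program through an argv array with no shell in between. The `nvram set wifi_pass=...` command and its key name are assumptions.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

/* VULNERABLE (assumed shape of the device's handler, not its actual code):
 * the Wi-Fi password is spliced into a shell command line, so a value such
 * as "x;reboot" makes system() run reboot after nvram. Returns the length. */
int build_wifi_cmd_vulnerable(const char *password, char *out, size_t n) {
    return snprintf(out, n, "nvram set wifi_pass=%s && nvram commit", password);
}

/* Allow-list check: WPA2 passphrases are 8..63 printable ASCII characters.
 * Returns 1 if acceptable. Shell metacharacters need no special handling once
 * the value is never parsed by a shell (see spawn_argv below). */
int wifi_password_is_valid(const char *password) {
    size_t len = strlen(password);
    if (len < 8 || len > 63) return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)password[i];
        if (c < 0x20 || c > 0x7e) return 0;
    }
    return 1;
}

/* HARDENED: build argv for "nvram set wifi_pass=<pw>" as discrete arguments.
 * The password lands in one argv slot verbatim; ';', '&&' or backticks in it
 * are data, not syntax. Returns argc, or 0 if the password was rejected. */
int build_wifi_argv(const char *password, char *kv, size_t kvn, char *argv[4]) {
    if (!wifi_password_is_valid(password)) return 0;
    snprintf(kv, kvn, "wifi_pass=%s", password);
    argv[0] = "nvram"; argv[1] = "set"; argv[2] = kv; argv[3] = NULL;
    return 3;
}

/* Run argv directly with execvp, bypassing /bin/sh entirely.
 * Returns the child's exit status, or -1 on fork/exec/wait failure. */
int spawn_argv(char *const argv[]) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { execvp(argv[0], argv); _exit(127); }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

On the device the same fix applies to the 'time' parameter: keep the parameter in its own argv slot and never let it reach a shell parser.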

Related tags: Cybersecurity, Embedded Devices, Bug Hunting, Firmware Analysis, Ethical Hacking, Tech Tutorial, Command Injection, Network Security, IoT Exploit, Responsible Disclosure, Reverse Engineering, Security Research