A Wi-Fi router manufactured and sold only in China by BHU contains so many security holes that you're asking for trouble every time you plug it in and expose it to the Internet.

The BHU router, whose name translates to "Tiger Will Power," has a long list of security weaknesses which, taken together, might lead someone to think that this is as broken a router as they'll ever see in their entire lifetime.

Router fails miserably at authentication

First and foremost, the router's creators don't know how to implement a proper user authentication system.

An attacker doesn't need to search long for an authentication bypass; if you take IOActive's word for it, he only has to choose from four methods, all of which grant access to the router's admin account.

An attacker authenticating on the router can use a hardcoded session ID (SID) value of 700000000000000 to gain admin privileges.

If he mistypes the SID and drops a zero, that's no problem: the BHU router accepts any value and still grants the user admin rights.

Even worse, the router's system logs, which contain sensitive data, can be accessed via a special URL from the local network. An attacker can look at the login logs and simply pluck the admin's SID from there. In fact, this is how the IOActive researcher discovered the hardcoded SID value, which amounts to a hidden backdoor.

Even, even worse, if the user fails to enter a valid SID but tries to access the admin account anyway, the router generates a random SID value on his behalf and still allows access as the admin account.

Router is coded to open the door for third-party authentication

Furthermore, the researchers discovered that the router opens its SSH port to WAN connections on every boot, meaning any attacker can reach the SSH console from the Internet.

In case the attacker needs an account, "Tiger Will Power" won't let him down. Also at boot, the router resets the password of a built-in backdoor account named bhuroot, overwriting any password the user might have set for that account in a previous session. The account is recreated on every boot, so the user has no way to disable it.

If this wasn't bad enough, another hardcoded URL lets attackers go one level above the admin user and automatically authenticate as the root user.

Router also injects ads into web traffic

At this point, an attacker with root-level privileges can do anything he likes, from sniffing traffic, to overwriting the firmware, to altering the user's traffic to deliver ads or malware.

But if you thought only an attacker would do this, then you underestimated the BHU router. According to IOActive, the router's firmware contains a built-in version of the Privoxy proxy software.

The router diverts all of the user's Web traffic through this proxy, which appends to the end of each page a JavaScript file loaded from the URL http://chdadd.100msh.com/ad.js.

At the time of writing, this URL is reachable only from China, and even through a Chinese proxy it returns a 404 dead-page error. That's not a problem, because the "thoughtful" BHU router also ships a copy of that ad.js file on its own disk, at /usr/share/ad/ad.js.

Ironically, Privoxy is a proxy server designed to help users remove ads from Web traffic on private networks. BHU uses it to insert ads.
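The injection described above leaves a recognizable mark in every page the router serves. The following script, an added example that is not part of the article or of IOActive's research, scans captured HTTP responses for that mark: a script tag loading the URL named above, or any script tag appended after the page's closing `</html>`. The sample responses are constructed for illustration.

```python
"""Detect proxy-injected ad scripts in captured HTTP responses.

Added example, not from the article or IOActive. Flags <script> tags that load
the URL the article names, or that sit after the closing </html> tag, where a
proxy that appends a script to every page leaves its mark. Samples are constructed.
"""
import re
from typing import Dict, List

# URL quoted in the article; a defender can extend this set with other hosts.
KNOWN_INJECTION_URLS = {"http://chdadd.100msh.com/ad.js"}

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\bsrc=["\']([^"\']+)["\']', re.IGNORECASE)
HTML_END_RE = re.compile(r"</html\s*>", re.IGNORECASE)

def find_injected_scripts(body: str) -> List[Dict[str, str]]:
    """Return findings for one HTML body (empty list if nothing suspicious)."""
    findings = []
    end = HTML_END_RE.search(body)
    # Anything after </html> was not part of the document the server sent.
    trailer_start = end.end() if end else len(body)
    for m in SCRIPT_SRC_RE.finditer(body):
        src = m.group(1)
        if src in KNOWN_INJECTION_URLS:
            findings.append({"src": src, "reason": "known-injection-url"})
        elif m.start() >= trailer_start:
            findings.append({"src": src, "reason": "script-after-html-end"})
    return findings

def scan_responses(responses: List[str]) -> Dict[int, List[Dict[str, str]]]:
    """Scan raw HTTP responses (headers + body); map response index -> findings."""
    results = {}
    for i, raw in enumerate(responses):
        # The body starts after the first blank line; tolerate LF-only captures.
        sep = "\r\n\r\n" if "\r\n\r\n" in raw else "\n\n"
        _, _, body = raw.partition(sep)
        hits = find_injected_scripts(body)
        if hits:
            results[i] = hits
    return results

# Constructed sample responses: a clean page and one carrying the proxy's trailer.
SAMPLE_RESPONSES = [
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    '<html><body><h1>Hello</h1><script src="/app.js"></script></body></html>',
    "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    "<html><body><h1>Hello</h1></body></html>"
    '<script src="http://chdadd.100msh.com/ad.js"></script>',
]
```

Running `scan_responses(SAMPLE_RESPONSES)` flags only the second response, with the reason `known-injection-url`; a script appended after `</html>` from an unknown host is reported as `script-after-html-end` instead.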

All of this was revealed by a simple firmware analysis from IOActive researcher Alex Barnsbee, who goes on to say that "further analysis of the suspicious BHU WiFi kernel modules loaded on the uRouter at startup could reveal even more issues."

Since we already know that Chinese vendors often license their firmware to Western companies, who then slap their own fancy logo on top, you're now in the uncomfortable position of not knowing under which other brands this product is also sold.