Researching routers with "lifelong VPN" from Russian marketplaces: admin:admin, open ports and access to neighbors
We recently came across an interesting offer on Russian marketplaces: routers with a pre-configured "lifetime" VPN. It sounds tempting: buy it, switch it on and immediately get unlimited access to a virtual private network, with no subscription.
But, as the saying goes, free cheese is found only in a mousetrap. We decided to find out what really lies behind the sellers' glowing promises. We bought three routers from different price brackets, from the budget Cudy for 3000 rubles to the top-end Xiaomi for 7000. Spoiler: if you were expecting a happy ending, you have come to the wrong blog.
During the study we found unsegmented networks in which you can reach other buyers' devices, admin passwords stored in the clear, and SSH access for the sellers. We also found out that the "lifetime" servers run on cheap hosting for $2.5.
In this article we explain what threats hide behind the bright advertising and why skimping on network security can cost too much.
Test purchase
This small study covered the Cudy WR300, the Keenetic Starter KN-1121 and the Xiaomi AX3000T, each sold with an "eternal" VPN. All three models cost more than the regular versions without the extra service. In the case of Cudy the markup was half the price of the router: this model can be found on sale for 1500 rubles.
The product listings on the marketplaces are full of tempting phrases: "No configuration required", "Lifetime VPN", "Secure network" and a dozen promises of a bright future for relatively little money.
We bought the test units from established sellers with hundreds of positive reviews and high ratings. The comments read like a fairy tale: the routers work flawlessly, technical support responds faster than ChatGPT, and the VPN flies. There are also disappointed buyers who complain about speed or problems connecting to remote servers, but against the backdrop of general delight these complaints go unnoticed.
The "Questions and answers" section on the product pages was particularly entertaining. There, potential buyers with reasonable doubts receive cheerful assurances: all-inclusive, the servers are reliable, corporate subscriptions, fast channels. "Buy, don't worry, everything is set up."
Technical questions, however, the sellers answer evasively. Fine, we will figure it out ourselves. We start with a security study of the cheapest router and finish with the most expensive.
An important warning for padawan hackers and merely curious comrades.
Do not connect dubious network equipment directly to your home network. Such devices must be isolated.
I used a D-Link switch as the basis of the test bench. For each experiment a separate port with an isolated VLAN was allocated. Traffic went only to the Internet, with no access to the other segments of the network.
Wi-Fi was connected through an external Alfa adapter. This adds another barrier between the device under test and the main system. I worked through a virtual machine on a separate computer. On the VM, all alternative routes to the Internet were disabled: no Ethernet, no second Wi-Fi, no bridges. Folder and network resource sharing was fully closed off.
It smacks of "they watch us through the microwave" levels of paranoia, but these are standard precautions when working with suspicious devices, especially ones that promise security out of the box.
Cudy WR300 – the first patient on the table
Victim number one was the Cudy WR300. The factory seals were missing, which is already a good sign, right? Inside the box was a modest leaflet from the seller with technical support contacts, the basic admin credentials and a stern warning: do not reset the Cudy to factory settings.
We connected, entered the login and password and got into the control panel. So far everything is predictable: the user is greeted by Cudy's stock firmware. We looked for the lifetime VPN and found a pre-configured WireGuard client.
Immediately after power-on the router automatically attaches to the virtual private network and starts slowly exchanging traffic with an IP address somewhere in the Philippines.
We tried to resolve the address; it did not work. We ran it through whois and found something interesting: the IP is registered to an ordinary Moscow individual entrepreneur. Behind him is a whole pool of hosting addresses, some of which appear in AbuseIPDB, a database of IPs with suspicious activity.
A little OSINT on the name, and we found the website of a small third-tier hosting provider. It offers servers in Russia, Latvia, France, Germany, Estonia and the Netherlands. VPS prices start at $2.5. For some reason there were no exotic islands among the publicly listed locations.
We ran traceroute to see the connection route. The first hop is the router's IP, the second is the virtual network through which the traffic goes.
Scanning the second IP with Nmap gave nothing at first. So we took the public and private keys with all the settings and saved the WireGuard file to explore the connection further.
Having installed WireGuard on a virtual machine, we loaded the config and got a direct connection to the virtual network. And then the fun began: it turned out that the network is not segmented. A scan from inside the tunnel, bypassing the router, found 35 IP addresses and, of course, open ports; where would we be without them. As you might have guessed, all the neighbors are the other happy owners of this seller's "secure" routers.
The login pages are in plain view, and since the seller forbids resetting to factory settings, all of them are most likely "reliably" protected by the admin password. In this situation an attacker only needs to buy one router to get direct access to dozens of similar devices.
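The indicators that made the Cudy tunnel a problem (a client address inside a shared /24, and AllowedIPs that route that subnet into the tunnel) can be read straight out of a WireGuard client config before the tunnel is ever brought up. The audit script below is an added example written for this article, not code from the original post or from Cudy; the sample config, its 10.66.0.0/24 tunnel subnet and the 203.0.113.10 endpoint are constructed placeholders.

```python
import ipaddress
from typing import Dict, List

# Constructed sample in the shape of a preloaded WireGuard client config.
# The keys, the 10.66.0.0/24 tunnel subnet and the 203.0.113.10 endpoint are
# placeholders, not values taken from any real device.
SAMPLE_CONF = """
[Interface]
PrivateKey = <client-private-key-placeholder>
Address = 10.66.0.17/24
DNS = 1.1.1.1

[Peer]
PublicKey = <server-public-key-placeholder>
Endpoint = 203.0.113.10:51820
AllowedIPs = 0.0.0.0/0
PersistentKeepalive = 25
"""


def parse_wg_conf(text: str) -> Dict[str, List[Dict[str, str]]]:
    """Parse an INI-style WireGuard config into {section: [ {key: value}, ... ]}.
    A config may carry several [Peer] sections, so each section name maps to a list."""
    sections: Dict[str, List[Dict[str, str]]] = {}
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = {}
            sections.setdefault(line[1:-1].strip(), []).append(current)
        elif "=" in line:
            # split on the first '=' only: base64 keys end with '=' padding
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections


def audit_wg_conf(text: str) -> List[str]:
    """Return risk indicators for a client config handed to you by a third party."""
    findings: List[str] = []
    conf = parse_wg_conf(text)
    iface = conf.get("Interface", [{}])[0]
    peers = conf.get("Peer", [])

    tunnel_net = None
    if "Address" in iface:
        addr = ipaddress.ip_interface(iface["Address"].split(",")[0].strip())
        if addr.network.prefixlen < addr.max_prefixlen:
            # A /24 (rather than /32) address means the client treats the whole
            # subnet, i.e. the other customers, as reachable through the tunnel.
            tunnel_net = addr.network
            findings.append(f"Address {addr} is not a /{addr.max_prefixlen}: "
                            f"the client treats {tunnel_net} as a shared tunnel subnet")

    if not peers:
        findings.append("no [Peer] section: config is incomplete")
    for idx, peer in enumerate(peers):
        allowed = [ipaddress.ip_network(a.strip())
                   for a in peer.get("AllowedIPs", "").split(",") if a.strip()]
        if "PresharedKey" not in peer:
            findings.append(f"peer {idx}: no PresharedKey (optional extra layer is missing)")
        for net in allowed:
            if net.prefixlen == 0:
                findings.append(f"peer {idx}: AllowedIPs {net} sends all traffic "
                                "through the operator's server")
            if (tunnel_net is not None and net.version == tunnel_net.version
                    and net.overlaps(tunnel_net)):
                findings.append(f"peer {idx}: AllowedIPs {net} routes other clients in "
                                f"{tunnel_net} into the tunnel; test whether the server "
                                "forwards client-to-client")
    return findings


if __name__ == "__main__":
    for finding in audit_wg_conf(SAMPLE_CONF):
        print("-", finding)
```

A shared-subnet finding only says the client is configured to route its neighbours into the tunnel; whether the server actually forwards between clients is what the scan described above established. A provider that wanted to isolate customers would hand out /32 addresses and drop client-to-client forwarding on the server, and the script would then report only the full-tunnel line.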
On top of that, the firmware supports remote access, and the router comes with pre-installed diagnostic tools. So with traceroute you can obtain a user's real IP address. We checked this against our own IP and confirmed that a buyer sitting on the same network with you can be identified this way. There is also a firmware update through the web interface, which means a modified image can be pushed remotely, bricking or zombifying the device, for example by making it part of a botnet.
However, even setting the network component aside, the Cudy WR300 cannot be called well protected.
Anatomy of the router
Having finished with the network, I moved on to the hardware level. To do this, I disassembled the device and began to study its architecture at a low level.
The first thing that catches the eye on the board is the UART interface. Through it you can control the device directly. Next to it is the flash chip, an XMC 250H64DHIQ.
Best practice says the chip should be desoldered before reading the firmware, so that it receives no power from the board and nothing affects its contents. But for a quick look, a clip is an acceptable solution. In that case, however, it is better to dump the firmware several times and compare the MD5 checksums to make sure the running board has not distorted anything.
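A practical way to apply the "dump several times and compare" advice, as an added example that is not part of the original article: hash each read and, if the hashes disagree, locate the first offsets where the reads differ, which tells you whether the clip slipped or a region is being read while the board is driving the lines. The three "reads" below are constructed byte strings standing in for real dumps.

```python
import hashlib
from typing import Dict, List, Sequence

CHUNK = 4096   # compare chunk-wise so a multi-MiB image needs no per-byte loop


def digest(data: bytes) -> Dict[str, str]:
    """MD5 (what the article compares) plus SHA-256 for the lab notes."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def mismatch_offsets(dumps: Sequence[bytes], limit: int = 16) -> List[int]:
    """First `limit` byte offsets at which the reads disagree with the first read."""
    ref = dumps[0]
    size = min(len(d) for d in dumps)
    found: List[int] = []
    for start in range(0, size, CHUNK):
        end = min(start + CHUNK, size)
        if all(d[start:end] == ref[start:end] for d in dumps[1:]):
            continue                      # whole chunk agrees, skip the byte loop
        for off in range(start, end):
            if any(d[off] != ref[off] for d in dumps[1:]):
                found.append(off)
                if len(found) >= limit:
                    return found
    return found


def check_dumps(dumps: Sequence[bytes]) -> Dict[str, object]:
    """Report whether several reads of the same chip agree, and where not."""
    if len(dumps) < 2:
        raise ValueError("read the chip at least twice")
    digests = [digest(d) for d in dumps]
    same_size = len({len(d) for d in dumps}) == 1
    same_hash = len({d["sha256"] for d in digests}) == 1
    result: Dict[str, object] = {
        "digests": digests,
        "same_size": same_size,
        "consistent": same_size and same_hash,
        "mismatch_offsets": [],
    }
    if not result["consistent"]:
        result["mismatch_offsets"] = mismatch_offsets(dumps)
    return result


# Constructed stand-ins for three reads of a small "chip": GOOD is a clean read,
# BAD has one flipped bit at offset 5000, the kind of error a badly seated clip gives.
GOOD = bytes(range(256)) * 40          # 10240 bytes
_flaky = bytearray(GOOD)
_flaky[5000] ^= 0x01
BAD = bytes(_flaky)

if __name__ == "__main__":
    clean = check_dumps([GOOD, GOOD])
    print("two clean reads consistent:", clean["consistent"], clean["digests"][0]["md5"])
    flaky = check_dumps([GOOD, GOOD, BAD])
    print("with a flaky read:", flaky["consistent"], "mismatch offsets:", flaky["mismatch_offsets"])
```

For real images, replace the constructed byte strings with `open(path, "rb").read()` for each dump file; when the offsets cluster in one region, re-seat the clip and read again rather than trusting any one dump.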
Armed with a firmware reader based on the CH341 chip, we got... nothing, because this chip is not in flashrom's database. Xgecu, however, recognized the chip and let us pull the firmware from the device's memory.
Then we unpacked the contents of the dumped firmware with binwalk.
A simple search for passwd found where the credentials are stored. We also found a shadow file with the hashed root password.
The first thing we did was google the hash, and on the first page of results there was a link to a hacker forum. In early 2025 someone there asked for help recovering the password behind it.
In general, cracking a hash is not a difficult task with tools like Hashcat or John the Ripper. Our check confirmed that the router's factory password really was admin.
Sellers and attackers can get into the device by means other than default passwords. A seller can modify the system before the sale, embedding backdoors or spyware to steal confidential data. Now think: why do they so insistently ask you not to reset the router to factory settings? Is it really just because of the VPN?
Keenetic Starter – the second candidate
Next in line was the Keenetic KN-1121. It came in an opened box with a crookedly cut leaflet, simple default passwords and a note: "please do not use Wi-Fi with more than two connected devices".
A quick inspection showed the router was fine and running stock firmware from December 2024, but this time we got a non-working VPN. Pinging 8.8.8.8 did not work at all: 0 of 27 packets received.
Judging by the control panel, the seller used OpenVPN. In the settings, all the permissions required for the connection were ticked out of the box.
In the "Other connections" subsection we found a configuration file with the IP address and port the router was knocking on.
It turned out that this IP belonged to another small hosting company, known mainly for cheap promotional VPS tariffs in Amsterdam.
In the "Router system files" section you can download the firmware, startup-config and other useful files without fiddling with chips.
Judging by the logs, the server the router was connecting to had been switched off, or my key had been removed from its settings. Everything indicated that the problem was not on the user's side.
Support steps in
We contacted the support service at the phone number given in the leaflet. The answering bot asked which marketplace we had bought the router on and asked us to wait for a specialist, but we did not sit idle. In another file, startup-config, we found passwords and, as in the previous case, hashes that are easily cracked. The situation is about the same as with Cudy.
Scanning revealed five open ports: 23, 53, 80, 443 and 1900. Port 23 is telnet; we tried to connect to it with admin:admin, and it worked. In the telnet session we pressed Tab, and the full list of available commands appeared.
Without wasting time, we used "ls" to list the files in the directory. The eye caught running-config, where we again found the login and encrypted password admin:admin, Wi-Fi keys with the SSID, and system settings.
By this point support had finally responded, and we were sent instructions for granting remote access to the router.
That is when we noticed a small detail: the option allowing access from the Internet was enabled by default. It turns out the seller of these devices has round-the-clock access to them, at least until you think to untick that box.
Basically, nothing unusual. Many telecom operators do this, but it creates risks. Even federal-level companies have had unpleasant incidents with unauthorized access to subscriber devices. And here we are dealing with no-names on a marketplace whose reputation consists of reviews like "the device arrived quickly, I recommend it".
New connection – old issues
After support carried out the remote setup, we returned to "Other connections" and saw a freshly installed WireGuard client and the corresponding configuration file. As in the first case, we immediately scanned this private network and found another 33 hosts there: a friendly team of happy owners of leaky routers.
We saw the same open ports, 23, 80 and 443. Déjà vu: via port 80 you can connect to one of the IP addresses in the subnet, enter the system login and password from the leaflet and get remote access to another buyer's device.
You can also try to explore the central proxy server. Scanning it with nmap, we found ports 22 and 443. We tried connecting to 443 (HTTPS), but there were certificate problems: the port was open, but the service did not actually work.
Port 22 (SSH), however, was available. On trying to connect, it turned out that SSH is not configured for key authentication but uses password authentication. This means anyone can mount a brute-force attack and try to guess the password from a dictionary.
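From the server operator's side, the consequence of password-only SSH is a steady stream of dictionary attempts, and the minimum detection is to count failures per source and notice whether a password login from the same source succeeds right after a burst. The script below is an added example, not from the original article or from any of the sellers; the auth.log lines it parses are constructed in the OpenSSH syslog format, and the threshold of 5 failures in 60 seconds is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Set

# Constructed auth.log excerpt in OpenSSH's syslog format; the host "vpn",
# the addresses (documentation ranges) and the timings are made up for this example.
SAMPLE_LOG = """\
Jun  1 10:00:01 vpn sshd[1201]: Failed password for root from 198.51.100.7 port 50112 ssh2
Jun  1 10:00:02 vpn sshd[1203]: Failed password for root from 198.51.100.7 port 50114 ssh2
Jun  1 10:00:03 vpn sshd[1205]: Failed password for invalid user admin from 198.51.100.7 port 50116 ssh2
Jun  1 10:00:04 vpn sshd[1207]: Failed password for invalid user admin from 198.51.100.7 port 50118 ssh2
Jun  1 10:00:05 vpn sshd[1209]: Failed password for invalid user test from 198.51.100.7 port 50120 ssh2
Jun  1 10:00:06 vpn sshd[1211]: Accepted password for root from 198.51.100.7 port 50122 ssh2
Jun  1 10:05:00 vpn sshd[1301]: Failed password for ops from 192.0.2.9 port 40001 ssh2
Jun  1 10:05:30 vpn sshd[1303]: Accepted publickey for ops from 192.0.2.9 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>password|publickey) for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)


def parse_auth_log(text: str) -> List[Dict[str, str]]:
    """Extract sshd authentication events; lines that are not auth results are skipped."""
    events: List[Dict[str, str]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect_bruteforce(events: List[Dict[str, str]], threshold: int = 5,
                      window_s: int = 60) -> Dict[str, Dict[str, object]]:
    """Flag sources with >= threshold failed passwords inside window_s seconds and
    note whether a password login from the same source succeeded after the burst."""
    fails: Dict[str, List[datetime]] = defaultdict(list)
    accepted: Dict[str, List[datetime]] = defaultdict(list)
    users: Dict[str, Set[str]] = defaultdict(set)
    for ev in events:
        # syslog timestamps carry no year; strptime fills 1900, fine for deltas
        ts = datetime.strptime(ev["ts"], "%b %d %H:%M:%S")
        if ev["result"] == "Failed":
            fails[ev["ip"]].append(ts)
            users[ev["ip"]].add(ev["user"])
        elif ev["method"] == "password":
            accepted[ev["ip"]].append(ts)

    alerts: Dict[str, Dict[str, object]] = {}
    for ip, times in fails.items():
        times.sort()
        for i in range(len(times)):          # sliding window over sorted failures
            j = i
            while j + 1 < len(times) and (times[j + 1] - times[i]).total_seconds() <= window_s:
                j += 1
            if j - i + 1 >= threshold:
                burst_end = times[j]
                alerts[ip] = {
                    "failures": j - i + 1,
                    "usernames": sorted(users[ip]),
                    "password_login_after_burst": any(t >= burst_end for t in accepted[ip]),
                }
                break
    return alerts


if __name__ == "__main__":
    for ip, info in detect_bruteforce(parse_auth_log(SAMPLE_LOG)).items():
        print(ip, info)
```

The real fix for the server in the text is `PasswordAuthentication no` in sshd_config together with key-based access; the detector is for the time before that change lands, and for confirming afterwards that the setting actually took (a burst followed by `password_login_after_burst: True` is the case that needs an immediate response).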
As a result, the situation with Keenetic is broadly reminiscent of Cudy: an unsegmented network and low resistance to hacking, plus the seller's round-the-clock access to the device and a weakly protected central server.
By this point we no longer held much hope that the third router would be safer. But hope dies last, and curiosity never.
Xiaomi AX3000T – final boss
The third router, the most expensive of those tested, has a color leaflet in the kit and outperforms its predecessors in specifications.
The default password is a little more complex than the previous ones, but the connection procedure is almost the same.
The router started on the first try, and we went straight to the admin panel. The Xiaomi AX3000T has its own proprietary firmware, but we were greeted by the OpenWrt interface. The seller could have used an RCE vulnerability to hack the router and install alternative software. Nothing criminal, but no one guarantees the authenticity of the image: backdoors could be built in.
Going through the settings and logs, we found active SSH access. It turns out the seller has access to the device by default, without the buyer's knowledge.
OpenWrt, by the way, lets you execute commands directly on the router. We created an "ls" command and ran it successfully. In the same way you can run any other commands: scan the network, set up a tunnel into the internal infrastructure and so on. Add SSH access to this and you get a great entry point for an attacker.
A V2rayA server is installed on the router to redirect traffic. Having learned the IP address of the end server, this time we reached a larger host with a legal address in Dubai. Solid! This is no longer a basement in the suburbs. The whole IP range, though, was tied to Amsterdam.
The server settings use the VLESS protocol. This is not a VPN in the classic sense but an L4 proxy running over TCP or UDP, often encapsulated in a transport like WebSocket or gRPC with TLS. Unlike a VPN, VLESS does not create a routed subnet between customers. So traceroute to 8.8.8.8 does not work, and we could not reach the buyers of similar routers as in the previous cases.
Scanning the server, we found a whole bunch of open ports. In most cases, on trying to connect, the answer was that the resource did not exist. But port 443 serves Yahoo. This is a feature of the VLESS protocol that makes the connection resistant to outside interference.
Port 22 is also blocked. The proxy server requires an access key, so guessing or brute-forcing the password, as in the Keenetic case, is definitely not possible. The setup is done more competently; apparently these guys at least know something about cyber.
The teardown of the router confirmed that administrative rights are present by default. For an inexperienced user this is a noticeable security threat. Worse, the password is stored in files unencrypted.
So at first glance things are better with the Xiaomi router than with the previous ones, largely due to the choice of a more complex, secure data transfer protocol. But using such a device without a full reflash and reconfiguration remains a high risk.
First, the active SSH gives the seller constant access to the device and the local network. Second, proxying through someone else's server does not inspire confidence either: who knows what is logged and where it is sent. Third, this router was flashed by unknown people, and malicious code could be hidden deeper than a basic analysis can check. As a result, for your money you get one more source of worry about your own cybersecurity.
Conclusions: Convenience is too expensive
After checking three routers with a pre-installed VPN, we can conclude that serious security problems hide behind the beautiful promises. None of the devices can be recommended for use in the form in which it is sold.
What exactly is wrong
The Cudy WR300 was vulnerable. The unsegmented WireGuard network lets you reach dozens of other routers using the admin:admin password.
The Keenetic KN-1121 showed similar problems, plus the seller's constant access to the device over the Internet.
The Xiaomi AX3000T looks more solid, but active SSH, unencrypted passwords and custom firmware of unknown origin make it no less risky.
In all these cases the end user has neither access to the server settings, nor the ability to change its configuration, nor confidence that the traffic is not being mirrored.
Why this happens
To keep the business profitable, sellers skimp on infrastructure and security. Instead of isolated VPN connections, shared networks are used in which all customers see each other. Servers are rented from cheap hosters, and devices are set up for remote control to simplify technical support. Unfortunately, the vulnerability of such devices is built into the sales model.
What to do
There is no free cheese in cyber. If you are promised a lifetime VPN for an extra 1500 rubles, ask what the seller is saving on and what he gets in return. Security costs the time spent properly setting up your own network equipment, especially when it comes to protecting the whole home network.
P.S.
This material is intended for information security specialists. The article is purely research and educational in nature and does not call for the use of any specific services or technologies.
Actions aimed at violating Russian legislation in the field of communications and information can lead to administrative and criminal liability.
Original article: https://habr.com/ru/companies/bastion/articles/917522/