Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took over a year for the company to publish the patches on its website.
The vulnerability allows any low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password to work, which many don’t change.
In the worst-case scenario, an attacker could target vulnerable devices on a massive scale, using a mechanism similar to how botnets like Mirai worked — by scouring the web and hijacking routers using default passwords like “admin” and “pass”.
Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in January 2018 that another router, TP-Link’s WR740N, was also vulnerable to the same bug because the company reused vulnerable code between devices.
TP-Link said the vulnerability was quickly patched in both routers. But when we checked, the firmware for WR740N wasn’t available on the website.
When asked, a TP-Link spokesperson said the update was “currently available when requested from tech support,” but wouldn’t explain why. Only after TechCrunch reached out did TP-Link update the firmware page to include the latest security update.
Top countries with vulnerable WR740N routers. (Image: Shodan)
Routers have long been notorious for security problems. Because a router sits at the heart of a network, any flaw affecting it can have disastrous effects on every connected device. By gaining complete control over the router, Mabbitt said, an attacker could wreak havoc on a network. Modifying the settings on the router affects everyone who’s connected to the same network; altering the DNS settings, for example, can trick users into visiting a fake page that steals their login credentials.
TP-Link declined to disclose how many potentially vulnerable routers it had sold, but said that the WR740N had been discontinued a year earlier in 2017. When we checked two search engines for exposed devices and databases, Shodan and Binary Edge, each suggested there are anywhere between 129,000 and 149,000 devices on the internet — though the number of vulnerable devices is likely far lower.
Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.
Both the U.K. and the U.S. state of California are set to soon require companies to sell devices with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.
The Mirai botnet downed Dyn, a domain name service giant, which knocked dozens of major sites offline for hours — including Twitter, Spotify and SoundCloud.
At just 26, Waiz Rahim is supposed to be involved in the family business, having returned home in 2016 with an engineering degree from the University of Southern California. Instead, the young entrepreneur is plotting to build the Amazon of Bangladesh.
Deligram, Rahim’s vision of what e-commerce looks like in Bangladesh, a country of nearly 180 million, is making progress, having taken inspiration from a range of established tech giants worldwide, including Amazon, Alibaba and Go-Jek in Indonesia.
It’s a far cry from the family business. That’s Rahimafrooz, a 55-year-old conglomerate that is one of the largest companies in Bangladesh. It started out focused on garment retail, but over the years its businesses have branched out to span power and energy and automotive products while it operates a retail superstore called Agora.
During his time at school in the U.S., Rahim worked for the company as a tech consultant whilst figuring out what he wanted to do after graduation. Little could he have imagined that, fast-forward to 2019, he’d be in charge of his own startup that has scaled to two cities and raised $3 million from investors, one of which is Rahimafrooz.
Deligram CEO Waiz Rahim [Image via Deligram]
“My options after college were to stay in the U.S. and do product management or analyst roles,” Rahim told TechCrunch in a recent interview. “But I visited rural areas while back in Bangladesh and realized that when you live in a city, it’s easy to exist in a bubble.”
So rather than stay in America or go to the family business, Rahim decided to pursue his vision to build “a technology company on the wave of rising economic growth, digitization and a vibrant young population.”
The youngster’s ambition was shaped by a stint working for Amazon at its Carlsbad warehouse in California as part of the final year of his degree. That proved to be eye-opening, but it was actually a Kickstarter project with a friend that truly opened his mind to the potential of building a new venture.
Rahim assisted fellow USC classmate Sam Mazumdar with Y Athletics, which raised more than $600,000 from the crowdsourcing site to develop “odor-resistant” sports attire that used silver within the fabric to repel the smell of sweat. The business has since expanded to cover underwear and socks, and it put Rahim’s mind to work on what he could do by himself.
“It blew my mind that you can build a brand from scratch,” he said. “If you are good at product design and branding, you could connect to a manufacturer, raise money from backers and get it to market.”
On his return to Bangladesh, he got Deligram off the ground in January 2017, although it didn’t open its doors to retailers and consumers until March 2018.
E-commerce through local stores
Deligram is an effort to emulate the achievements of Amazon in the U.S. and Alibaba in China. Both companies pioneered online commerce and turned the internet into a major channel for sales, but the young Bangladeshi startup’s early approach is very different from the way those now hundred-billion-dollar companies got started.
Offline retail is the norm in Bangladesh and, with that, it’s the long chain of mom and pop stores that account for the majority of spending.
That’s particularly true outside of urban areas, where such local stores almost become community gathering points, where neighbors, friends and families run into each other and socialize.
Instead of disruption, working with what is part of the social fabric is more logical. Thus, Deligram has taken a hybrid approach that marries its regular e-commerce website and app with offline retail through mom and pop stores, which are known as “mudir dokan” in Bangladesh’s Bengali language.
A customer can order their product through the Deligram app on their phone and have it delivered to their home or office, but a more popular — and oftentimes logical — option is to have it sent to the local mudir dokan store, where it can be collected at any time. But beyond simply taking deliveries, mudir dokans can also operate as Deligram retailers by selling through an agent model.
That’s to say that they enable their customers to order products through Deligram even if they don’t have the app, or even a smartphone — although the latter is increasingly unlikely with smartphone ownership booming. Deligram is proactively recruiting mudir dokan partners to act as agents. It provides them with a tablet and a physical catalog that their customers can use to order via the e-commerce service. Delivery is then taken at the store, making it easy to pick up, and maintaining the local network.
“We’ll tell them: ‘Right now, you offer a few hundred products, now you have access to 15,000,’ ” the Deligram CEO said.
Indeed, Rahim sees this new digital storefront as a key driver of revenue for mudir dokan owners. For Deligram, it is potentially also a major customer acquisition channel, particularly among those who are new to the internet and the world of smartphone apps.
This offline-online model — known by the often-buzzy industry term “omnichannel” — isn’t new, but in a world where apps and messaging are prevalent, reaching and retaining users is challenging, particularly in emerging markets.
“It’s not easy to direct people to a website today, and the app-first approach has made it hard,” Rahim said. “We looked at how companies in Indonesia and India overcame these challenges.”
In particular, he studied the work of Go-Jek in Indonesia, which uses an agent model to push its services to nascent internet users, and Amazon India, which leans heavily on India’s local “kirana” stores for orders and deliveries.
In Deligram’s case, the mudir dokan picks up sales commission as well as money for every delivery that is sent to their store. Home deliveries are possible, but the lack of local infrastructure — “turn right at the blue house, left at the white one, and my place is third from the left,” is a common type of direction — makes finding exact locations difficult and inefficient, so an additional cost is charged for such requests.
E-commerce startups often struggle with last-mile delivery because they rely on a clutch of logistics companies to fulfill orders. In a rare move for an early-stage company, Deligram has opted to run its entire logistics process in-house. That obviously adds cost and likely brings significant growing pains and stress, but, in the long term, Rahim is betting that a focus on quality control will pay off through better customer service and repeat buyers.
A prospective Deligram customer flips through a hard copy of the company’s product brochure in a local store [Image via Deligram]
Startups on the rise in Bangladesh
Rahim’s timing is impeccable. He returned to Bangladesh just as technology was beginning to show the potential to impact daily life. Bangladesh has posted a 7% rise in GDP every year since 2016, and with an estimated 80 million internet users, it has the fifth-largest online population on the planet.
“We are riding on a lot of macro trends; we’re among the top five based on GDP growth and have the world’s eighth-largest population,” Rahim told TechCrunch. “There are 11 million people in middle income — that’s growing — and our country has 90 million people aged under 30.”
“An index to track the growth of young people would be [capital city] Dhaka… you can just see the vibrancy with young people using smartphones,” he added.
Those are ideal conditions for startups, and the country has seen a mix of overseas entrants and local ventures pick up speed. Alibaba last year acquired Daraz, the Rocket Internet-founded e-commerce service that covers Pakistan, Bangladesh, Myanmar, Sri Lanka and Nepal, while the Chinese giant also snapped up 20% of bKash, a fintech venture started from Brac Bank, as part of the regional expansion of its Ant Financial affiliate.
Uber, too, is present, but it is up against tough local opposition, as is the norm in Asian markets.
Pathao is one of two local companies that competes alongside Uber in Bangladesh [Image via Pathao]
Its chief rival is Shohoz, a startup that began in ticketing but expanded to rides and services on-demand. Shohoz raised $15 million in a round led by Singapore’s Golden Gate Ventures, which was announced last year.
Deligram has pulled in impressive funding numbers, too.
The startup announced a $2.5 million Series A raise at the end of March, which Rahim wrote came from “a network of institutional and angel investors;” such is the challenge of finding a large check for a tech play in Bangladesh. The investors involved included Skycatcher, Everblue Management and Microsoft executive Sonia Bashir Kabir. A delighted Rahim also won a check from Rahimafrooz, the family business.
That’s not a given, he said, admitting that his family did initially want him to go to work with their business rather than pursuing his own startup. In that context, contributing to the round is a major endorsement, he said.
Rahimafrooz could be a crucial ally in future fundraising, too. Despite an improving climate for tech companies, Bangladesh’s top startups are still finding it tough to raise money, especially with overseas investors that can write the larger checks that are required to scale.
“I think the biggest challenge is branding. Every time I speak with new investors, I have to start by explaining where Bangladesh is, or the national metrics, not even our business,” Pathao CEO Hussain Elius told TechCrunch.
“There’s a legacy issue. Bangladesh seems like a country which floods all the time and the garment sector going down — that’s a part of the story but not the full story. It’s also an incredible country that’s growing despite those challenges,” he added.
Pathao is reportedly on track to raise a $50 million Series B this year, according to Deal Street Asia. Elius didn’t address that directly, but he did admit that raising growth funding is a bigger challenge than seed-based financing, where the Bangladesh government helps with its own fund and entrepreneurial programs.
“It’s hard for us as we’re the first ones out there, but it’ll be easier for the ones who’ll follow on,” he explained.
Still, there are some optimistic overseas watchers.
“We remain enthusiastic about the rapidly expanding set of opportunities in Bangladesh,” said Hian Goh, founding partner of Singapore-based VC firm Openspace — which invested in Pathao.
“The country continues to be one of the fastest-growing economies in the world, underpinned by additional growth in its garments manufacturing sector. This has blossomed into an expanding middle class with very active consumption behavior,” Goh added.
With the pain of fundraising put to the side for now, the new money is being put to work growing the Deligram business and its network into more parts of Bangladesh, and the more challenging urban areas.
Geographically, the service is expanding its agent reach into five more cities to give it a total of seven locations nationwide. That necessitates an increase in logistics and operations to keep up with, and prepare for, that new demand.
Deligram workers in one of the company’s warehouses [Image via Deligram]
Rahim said the company had handled 12,000 orders to date as of the end of March, but that has now grown past 20,000, indicating that order volumes are rising. He declined to provide financial figures, but said that the company is on track to increase its monthly GMV six-fold by the end of this year. Electronics, phones and accessories are among its most popular items, but Deligram also sells apparel, daily items and more.
Interestingly, and perhaps counter to assumptions, Deligram started in rural areas, where Rahim saw there was less competition but also potentially more to learn through a more early-adopter customer base. That’s obviously one major challenge when it comes to growth, and now the company is looking at urban expansion points.
On the product side, Deligram is in the early stages of piloting consumer financing using its local store agents as the interface, while Rahim teased “exciting IoT R&D projects” that he said are in the planning stage.
Ultimately, however, he concedes that the road is likely to be a long one.
“Over the last 18-20 years, modern retail hasn’t made much progress here,” Rahim said. “It accounts for around 2.5% of total retail, e-commerce is below 1% and the long tail local stores are the rest.”
“People will eventually shift, but I think it’ll take five to eight years, which is why we provide the convenience via mom and pop shops,” he added.
Every once in a while someone will ask me what is the best security advice.
The long answer is “it depends on your threat model,” which is just a fancy way of saying what’s good security advice for the vast majority isn’t necessarily what nuclear scientists and government spies require.
My short answer is, “turn on two-factor.” Yet, nobody believes me.
Ask almost any cybersecurity professional and it’ll likely rank as more important than using unique or strong passwords. Two-factor, which adds an additional step to your usual log-in process by sending a unique code to a device you own, is the greatest defense between a hacker and your online account data.
But don’t take my word for it. Google data out this week shows how valuable even the weakest, simplest form of two-factor can be against attacks.
The research, with help from New York University and the University of California, San Diego, shows that any device-based challenge — such as a text message or an on-device prompt — can in nearly every case prevent the most common kind of mass-scale attacks.
Google’s data showed having a text message sent to a person’s phone prevented 100 percent of automated bot attacks that use stolen lists of passwords against login pages and 96 percent of phishing attacks that try to steal your password.
Account takeover prevention rates by challenge type. (Image: Google)
Not all two-factor options are created equal. We’ve explained before that two-factor codes sent by text message can be intercepted by semi-skilled hackers, but it’s still better than not using two-factor at all. Its next best replacement, getting a two-factor code through an authenticator app on your phone, is far more secure.
Only a security key, designed to protect the most sensitive accounts, prevented not only automated bot and phishing attacks but also highly targeted attacks, typically associated with nation states. Just one in a million users face targeted attackers, Google said.
For everyone else, adding a phone number to your account and getting even the most basic two-factor set up is better than nothing. Better yet, go all in and shoot for the app.
Over 2 million women were diagnosed with breast cancer in 2018. And while the diagnosis doesn’t have to be a death sentence for women in countries like the United States, in developing countries three times as many women die from the disease.
And the WHO blames these low survival rates in less developed countries on the lack of early detection programs, which results in a higher proportion of women presenting with late-stage disease. The problem is exacerbated by a lack of adequate diagnostic technologies and treatment facilities, according to the WHO.
A group of Johns Hopkins University undergraduates believe they have found a solution. The four women, none of whom are over 21 years old, have developed a new, low-cost, disposable core needle biopsy technology for physicians and nurses that could dramatically reduce cost and waste, thereby increasing the availability of screening technologies in emerging markets.
They’ve taken the technology they developed at Johns Hopkins University and created a new startup called Ithemba, which means “hope” in Swahili, to commercialize their device. While the company is still in its early days, the women recently won the undergraduate Lemelson-MIT Student Prize competition, and have received $60,000 in non-dilutive grant funding and a $10,000 prize associated with the Lemelson award.
Students at Johns Hopkins had been working through the problem of developing low-cost diagnostic tools for breast cancer for the past three years, spurred on by Dr. Susan Harvey, the head of Johns Hopkins Section of Breast Imaging.
While Dr. Harvey presented the problem, and several students tried to tackle it, Ithemba’s co-founders — the biomedical engineering undergrads Laura Hinson, Madeline Lee, Sophia Triantis, and Valerie Zawicki — were the first to bring a solution to market.
Ithemba co-founders Laura Hinson, Madeline Lee, Valerie Zawicki and Sophia Triantis
The 21-year-old Zawicki, who grew up in Long Beach, Calif., has a personal connection to the work the team is doing. When she was just five years old her mother was diagnosed with breast cancer, and the cost of treatment and toll it took on the family forced the family to separate. “My sister moved in with my grandparents,” Zawicki says, while her mother underwent treatment. “When I came to college I was looking for a way to make an impact in the healthcare space and was really inspired by the care my mom received.”
The same is true for Zawicki’s co-founder, Triantis.
“We have an opportunity to solve problems that really need solving,” says Triantis, a 20-year-old undergraduate. “Breast cancer has affected so many people close to me… It is the most common cancer among women [and] the fact that women in low resource settings do not have the same standard of diagnostic care really inspired me to work on a solution.”
What the four women have made is a version of a core-needle biopsy device that has a lower risk of contamination than the reusable devices currently on the market and is cheaper than the expensive disposable needles that are the only other option, the founders say.
“We’ve designed a novel, disposable portion that attaches to the reusable device and the disposable portion has an ability to trap contaminants that would come back through the needle into the device,” says Triantis. “What we’ve created is a way to trap that and have that full portion be disposable and making the device as easy to clean as possible… with a bleach wipe.”
The company is currently in the process of doing benchtop tests on the device, and will look to file a 510(k) to be certified as a Class 2 medical device. Already a clinic in South Africa and a hospital in Peru are on board as early customers for the new biopsy tool.
At the heart of the new tool is a mechanism which prevents blood from being drawn back into a needle. The team argues it makes reusable needles much less susceptible to contamination and can replace the disposable needles that are too expensive for many emerging market clinics and hospitals.
Zawicki had been working on the problem for a while when Hinson, Lee, and Triantis joined up. “I joined the team when the problem was presented,” says Zawicki. “The project began with this problem that was pitched three years ago, but the four of us are really those that have brought this to life in terms of a device.”
Crucially for the team, Johns Hopkins was fully supportive of the women taking their intellectual property and owning it themselves. “We received written approval from the tech transfer office to file independently,” says Zawicki. “That is really unique.”
Coupled with the Lemelson award, Ithemba sees a clear path to ownership of the intellectual property and is filing patents on its device.
Zawicki says that it could be anywhere from three to five years before the device makes it on to the market, but there’s the potential for partnerships with big companies in the biopsy space that could accelerate that time to market.
“Once we get that process solidified and finalize our design we will wrap up our benchtop testing so we can move toward clinical trials by next summer, in 2020,” Zawicki says.
Contrary Capital, a soon-to-be San Francisco-based operation led by Eric Tarczynski, is raising $35 million to invest between $50,000 and $200,000 in students and recent college dropouts. The firm, which operates a summer accelerator program for its portfolio companies, closed on $2.2 million for its debut, proof-of-concept fund in 2018.
“We really care about the founders building a great company who don’t have the proverbial rich uncle,” Tarczynski, a former founder and startup employee, told TechCrunch. “We thought, ‘What if there was a fund that could democratize access to both world-class capital and mentorship, and really increase the probability of success for bright university-based founders wherever they are?’”
Contrary launched in 2016 with backing from Tesla co-founder Martin Eberhard, Reddit co-founder Steve Huffman, SoFi co-founder Dan Macklin, Twitch co-founder Emmett Shear, founding Facebook engineer Jeff Rothschild and MuleSoft founder Ross Mason. The firm has more than 100 “venture partners,” or entrepreneurial students at dozens of college campuses that help fill Contrary’s pipeline of deals.
Contrary Capital celebrating its Demo Day event last year
Last year, Contrary kicked off its summer accelerator, tapping 10 university-started companies to complete a Y Combinator-style program that culminates with a small, GP-only demo day. Admittedly, the roughly $100,000 investment Contrary deploys to its companies wouldn’t get your average Silicon Valley startup very far, but for students based in college towns across the U.S., it’s a game-changing deal.
“It gives you a tremendous amount of time to figure things out,” Tarczynski said, noting his own experience building a company while still in school. “We are trying to push them. This is the first time in many cases that these people are working on their companies full-time. This is the first time they are going all in.”
Contrary invests a good amount of its capital in Berkeley, Stanford, Harvard and MIT students, but has made a concerted effort to provide capital to students at underrepresented universities, too. To date, the team has completed three investments in teams out of Stanford, two out of MIT, two out of University of California San Diego and one each at Berkeley, BYU, University of Texas-Austin, University of Pennsylvania, Columbia University and University of California Santa Cruz.
“We wanted to have more come from the 40 to 50 schools across the U.S. that have comparable if not better tech curriculums but are underserviced,” Tarczynski explained. “The only difference between Stanford and these other universities is just the volume. The caliber is just as high.”
Contrary’s portfolio includes Memora Health, the provider of productivity software for clinics; Arc, which is building metal 3D-printing technologies to deliver rocket engines; and Deal Engine, a platform for facilitating corporate travel.
“We are one giant talent scout with all these different nodes across the country,” Tarczynski added. “I’ve spent every waking moment of my life the last eight years living and breathing university entrepreneurship … it’s pretty clear to me who is an exceptional university-based founder and who is just caught up in the hype.”