Thousands of TP-Link routers are vulnerable to a bug that can be used to remotely take control of the device, but it took over a year for the company to publish the patches on its website.
The vulnerability allows any low-skilled attacker to remotely gain full access to an affected router. The exploit relies on the router’s default password to work, which many users never change.
In the worst-case scenario, an attacker could target vulnerable devices on a massive scale, using a similar mechanism to how botnets like Mirai worked — by scouring the web and hijacking routers using default passwords like “admin” and “pass”.
Andrew Mabbitt, founder of U.K. cybersecurity firm Fidus Information Security, first discovered and disclosed the remote code execution bug to TP-Link in October 2017. TP-Link released a patch a few weeks later for the vulnerable WR940N router, but Mabbitt warned TP-Link again in January 2018 that another router, TP-Link’s WR740N, was also vulnerable to the same bug because the company reused vulnerable code between devices.
TP-Link said the vulnerability was quickly patched in both routers. But when we checked, the firmware for the WR740N wasn’t available on the website.
When asked, a TP-Link spokesperson said the update was “currently available when requested from tech support,” but wouldn’t explain why. Only after TechCrunch reached out did TP-Link update the firmware page to include the latest security update.
Top countries with vulnerable WR740N routers. (Image: Shodan)
Routers have long been notorious for security problems. Because the router sits at the heart of any network, a flaw affecting it can have disastrous effects on every connected device. By gaining complete control over the router, Mabbitt said, an attacker could wreak havoc on a network. Modifying the router’s settings affects everyone connected to it; altering the DNS settings, for example, could redirect users to a fake page that steals their login credentials.
TP-Link declined to disclose how many potentially vulnerable routers it had sold, but said that the WR740N had been discontinued a year earlier, in 2017. When we checked two search engines for exposed devices and databases, Shodan and Binary Edge, each suggested there are somewhere between 129,000 and 149,000 of these devices on the internet — though the number of vulnerable devices is likely far lower.
Mabbitt said he believed TP-Link still had a duty of care to alert customers of the update if thousands of devices are still vulnerable, rather than hoping they will contact the company’s tech support.
Both the U.K. and the U.S. state of California are set to soon require companies to sell devices with unique default passwords to prevent botnets from hijacking internet-connected devices at scale and using their collective internet bandwidth to knock websites offline.
The Mirai botnet downed Dyn, a domain name service giant, which knocked dozens of major sites offline for hours — including Twitter, Spotify and SoundCloud.
At just 26, Waiz Rahim is supposed to be involved in the family business, having returned home in 2016 with an engineering degree from the University of Southern California. Instead, the young entrepreneur is plotting to build the Amazon of Bangladesh.
Deligram, Rahim’s vision of what e-commerce looks like in Bangladesh, a country of nearly 180 million, is making progress, having taken inspiration from a range of established tech giants worldwide, including Amazon, Alibaba and Go-Jek in Indonesia.
It’s a far cry from the family business. That’s Rahimafrooz, a 55-year-old conglomerate that is one of the largest companies in Bangladesh. It started out focused on garment retail, but over the years its businesses have branched out to span power and energy and automotive products while it operates a retail superstore called Agora.
During his time at school in the U.S., Rahim worked for the company as a tech consultant whilst figuring out what he wanted to do after graduation. Little could he have imagined that, fast-forward to 2019, he’d be in charge of his own startup that has scaled to two cities and raised $3 million from investors, one of which is Rahimafrooz.
Deligram CEO Waiz Rahim [Image via Deligram]
“My options after college were to stay in U.S. and do product management or analyst roles,” Rahim told TechCrunch in a recent interview. “But I visited rural areas while back in Bangladesh and realized that when you live in a city, it’s easy to exist in a bubble.”
So rather than stay in America or go to the family business, Rahim decided to pursue his vision to build “a technology company on the wave of rising economic growth, digitization and a vibrant young population.”
The youngster’s ambition was shaped by a stint working for Amazon at its Carlsbad warehouse in California as part of the final year of his degree. That proved to be eye-opening, but it was actually a Kickstarter project with a friend that truly opened his mind to the potential of building a new venture.
Rahim assisted fellow USC classmate Sam Mazumdar with Y Athletics, which raised more than $600,000 from the crowdsourcing site to develop “odor-resistant” sports attire that used silver within the fabric to repel the smell of sweat. The business has since expanded to cover underwear and socks, and it put Rahim’s mind to work on what he could do by himself.
“It blew my mind that you can build a brand from scratch,” he said. “If you are good at product design and branding, you could connect to a manufacturer, raise money from backers and get it to market.”
On his return to Bangladesh, he got Deligram off the ground in January 2017, although it didn’t open its doors to retailers and consumers until March 2018.
E-commerce through local stores
Deligram is an effort to emulate the achievements of Amazon in the U.S. and Alibaba in China. Both companies pioneered online commerce and turned the internet into a major channel for sales, but the young Bangladeshi startup’s early approach is very different from the way those now hundred-billion-dollar companies got started.
Offline retail is the norm in Bangladesh and, with that, it’s the long chain of mom and pop stores that account for the majority of spending.
That’s particularly true outside of urban areas, where such local stores almost become community gathering points, where neighbors, friends and families run into each other and socialize.
Instead of disruption, working with what is part of the social fabric is more logical. Thus, Deligram has taken a hybrid approach that marries its regular e-commerce website and app with offline retail through mom and pop stores, which are known as “mudir dokan” in Bangladesh’s Bengali language.
A customer can order their product through the Deligram app on their phone and have it delivered to their home or office, but a more popular — and oftentimes logical — option is to have it sent to the local mudir dokan store, where it can be collected at any time. But beyond simply taking deliveries, mudir dokans can also operate as Deligram retailers by selling through an agent model.
That’s to say that they enable their customers to order products through Deligram even if they don’t have the app, or even a smartphone — although the latter is increasingly unlikely with smartphone ownership booming. Deligram is proactively recruiting mudir dokan partners to act as agents. It provides them with a tablet and a physical catalog that their customers can use to order via the e-commerce service. Delivery is then taken at the store, making it easy to pick up, and maintaining the local network.
“We’ll tell them: ‘Right now, you offer a few hundred products, now you have access to 15,000,’ ” the Deligram CEO said.
Indeed, Rahim sees this new digital storefront as a key driver of revenue for mudir dokan owners. For Deligram, it is potentially also a major customer acquisition channel, particularly among those who are new to the internet and the world of smartphone apps.
This offline-online model — known by the often-buzzy industry term “omnichannel” — isn’t new, but in a world where apps and messaging are prevalent, reaching and retaining users is challenging, particularly in emerging markets.
“It’s not easy to direct people to a website today, and the app-first approach has made it hard,” Rahim said. “We looked at how companies in Indonesia and India overcame these challenges.”
In particular, he studied the work of Go-Jek in Indonesia, which uses an agent model to push its services to nascent internet users, and Amazon India, which leans heavily on India’s local “kirana” stores for orders and deliveries.
In Deligram’s case, the mudir dokan picks up sales commission as well as money for every delivery that is sent to their store. Home deliveries are possible, but the lack of local infrastructure — “turn right at the blue house, left at the white one, and my place is third from the left,” is a common type of direction — makes finding exact locations difficult and inefficient, so an additional cost is charged for such requests.
E-commerce startups often struggle with last-mile delivery because they rely on a clutch of logistics companies to fulfill orders. In a rare move for an early-stage company, Deligram has opted to run its entire logistics process in-house. That obviously adds cost and likely brings significant growing pains and stress, but, in the long term, Rahim is betting that a focus on quality control will pay off through better customer service and repeat buyers.
A prospective Deligram customer flips through a hard copy of the company’s product brochure in a local store [Image via Deligram]
Startups on the rise in Bangladesh
Rahim’s timing is impeccable. He returned to Bangladesh just as technology was beginning to show the potential to impact daily life. Bangladesh has posted 7% annual GDP growth every year since 2016, and with an estimated 80 million internet users, it has the fifth-largest online population on the planet.
“We are riding on a lot of macro trends; we’re among the top five based on GDP growth and have the world’s eighth-largest population,” Rahim told TechCrunch. “There are 11 million people in middle income — that’s growing — and our country has 90 million people aged under 30.”
“An index to track the growth of young people would be [capital city] Dhaka… you can just see the vibrancy with young people using smartphones,” he added.
That’s a perfect storm for startups, and the country has seen a mix of overseas entrants and local ventures pick up speed. Alibaba last year acquired Daraz, the Rocket Internet-founded e-commerce service that covers Pakistan, Bangladesh, Myanmar, Sri Lanka and Nepal, while the Chinese giant also snapped up 20% of bKash, a fintech venture spun out of Brac Bank, as part of the regional expansion of its Ant Financial affiliate.
Uber, too, is present, but it is up against tough local opposition, as is the norm in Asian markets.
Pathao is one of two local companies that competes alongside Uber in Bangladesh [Image via Pathao]
Its chief rival is Shohoz, a startup that began in ticketing but expanded to rides and services on-demand. Shohoz raised $15 million in a round led by Singapore’s Golden Gate Ventures, which was announced last year.
Deligram has pulled in impressive funding numbers, too.
The startup announced a $2.5 million Series A raise at the end of March, which Rahim wrote came from “a network of institutional and angel investors;” such is the challenge of finding a large check for a tech play in Bangladesh. The investors involved included Skycatcher, Everblue Management and Microsoft executive Sonia Bashir Kabir. A delighted Rahim also won a check from Rahimafrooz, the family business.
That’s not a given, he said, admitting that his family did initially want him to go to work with their business rather than pursuing his own startup. In that context, contributing to the round is a major endorsement, he said.
Rahimafrooz could be a crucial ally in future fundraising, too. Despite an improving climate for tech companies, Bangladesh’s top startups are still finding it tough to raise money, especially with overseas investors that can write the larger checks that are required to scale.
“I think the biggest challenge is branding. Every time I speak with new investors, I have to start by explaining where Bangladesh is, or the national metrics, not even our business,” Pathao CEO Hussain Elius told TechCrunch.
“There’s a legacy issue. Bangladesh seems like a country which floods all the time and the garment sector going down — that’s a part of the story but not the full story. It’s also an incredible country that’s growing despite those challenges,” he added.
Pathao is reportedly on track to raise a $50 million Series B this year, according to Deal Street Asia. Elius didn’t address that directly, but he did admit that raising growth funding is a bigger challenge than seed-based financing, where the Bangladesh government helps with its own fund and entrepreneurial programs.
“It’s hard for us as we’re the first ones out there, but it’ll be easier for the ones who’ll follow on,” he explained.
Still, there are some optimistic overseas watchers.
“We remain enthusiastic about the rapidly expanding set of opportunities in Bangladesh,” said Hian Goh, founding partner of Singapore-based VC firm Openspace — which invested in Pathao.
“The country continues to be one of the fastest-growing economies in the world, underpinned by additional growth in its garments manufacturing sector. This has blossomed into an expanding middle class with very active consumption behavior,” Goh added.
With the pain of fundraising put to the side for now, the new money is being put to work growing the Deligram business and its network into more parts of Bangladesh, and the more challenging urban areas.
Geographically, the service is expanding its agent reach into five more cities to give it a total of seven locations nationwide. That necessitates an increase in logistics and operations to keep up with, and prepare for, that new demand.
Deligram workers in one of the company’s warehouses [Image via Deligram]
Rahim said the company had handled 12,000 orders as of the end of March, a figure that has now grown past 20,000, indicating that order volumes are rising. He declined to provide financial figures, but said that the company is on track to increase its monthly GMV six-fold by the end of this year. Electronics, phones and accessories are among its most popular items, but Deligram also sells apparel, daily items and more.
Interestingly, and perhaps counter to assumptions, Deligram started in rural areas, where Rahim saw less competition but also potentially more to learn from an early-adopter customer base. That choice is one major challenge when it comes to growth, and the company is now looking at urban expansion points.
On the product side, Deligram is in the early stages of piloting consumer financing using its local store agents as the interface, while Rahim teased “exciting IOT R&D projects” that he said are in the planning stage.
Ultimately, however, he concedes that the road is likely to be a long one.
“Over the last 18-20 years, modern retail hasn’t made much progress here,” Rahim said. “It accounts for around 2.5% of total retail, e-commerce is below 1% and the long tail local stores are the rest.”
“People will eventually shift, but I think it’ll take five to eight years, which is why we provide the convenience via mom and pop shops,” he added.
Biofourmis, a Singapore-based startup pioneering a distinctly tech-based approach to the treatment of chronic conditions, has raised a $35 million Series B round for expansion.
The round was led by Sequoia India and MassMutual Ventures, the VC fund from Massachusetts Mutual Life Insurance Company. Other investors who put in include EDBI, the corporate investment arm of Singapore’s Economic Development Board, China-based healthcare platform Jianke and existing investors Openspace Ventures, Aviva Ventures and SGInnovate, a Singapore government initiative for deep tech startups. The round takes Biofourmis to $41.6 million raised to date, according to Crunchbase.
Biofourmis CEO Kuldeep Singh Rajput moved to Singapore to start a PhD, but he dropped out to start the business with co-founder Wendou Niu in 2015 because he saw the potential to “predict disease before it happens,” he told TechCrunch in an interview.
AI-powered specialist post-discharge care
There are a number of layers to Biofourmis’ work, but essentially it uses a combination of data collected from patients and an AI-based system to customize treatments for post-discharge patients. The company is focused on a range of therapeutics, but its most advanced is cardiac, so patients who have been discharged after heart failure or other heart-related conditions.
With that segment of patients, the Biofourmis platform uses a combination of data from sensors — medical sensors rather than consumer wearables, which are worn 24/7 — and its tech to monitor patient health, detect problems ahead of time and prescribe an optimum treatment course. That information is disseminated through companion mobile apps for patients and caregivers.
Biofourmis uses a mobile app as a touch point to give patients tailored care and drug prescriptions after they are discharged from hospital
That’s to say that medicine works differently on different people, so by collecting and monitoring data and crunching numbers, Biofourmis can provide the best drug to help optimize a patient’s health through what it calls a ‘digital pill.’ That’s not Matrix-style futurology, it’s more like a digital prescription that evolves based on the needs of a patient in real-time. It plans to use a network of medical delivery platforms, including Amazon-owned PillPack, to get the drugs to patients within hours.
Yes, that’s future tense because Biofourmis is waiting on FDA approval to commercialize its service. That’s expected to come by the end of this year, Singh Rajput told TechCrunch. But he’s optimistic given clinical trials, which have covered some 5,000 patients across 20 different sites.
On the tech side, Singh Rajput said Biofourmis has seen impressive results with its predictions. He cited tests in the U.S. which enabled the company to “predict heart failure 14 days in advance” with around 90 percent sensitivity. That was achieved using standard medical wearables at the cost of hundreds of dollars, rather than thousands with advanced kit such as Heartlogic from Boston Scientific — although the latter has a longer window for predictions.
The type of disruption Biofourmis is pursuing might appear to upset the apple cart for pharma companies, but Singh Rajput maintains that the industry is moving towards a more qualitative approach to healthcare because it has been hard to evaluate the performance of drugs and price them accordingly.
“Today, insurance companies are blinded not having transparency on how to price drugs,” he said. “But there are already 50 drugs in the market paying based on outcomes so the market is moving in that direction.”
Outcome-based payments mean insurance firms reimburse based on the performance of the drugs, in other words how well patients recover. The rates vary, but if remission rates do not fall, insurers can lower their payouts because the drugs aren’t working as well as expected.
Singh Rajput believes Biofourmis can level the playing field and add more granular transparency on drug performance. He believes pharma companies are keen to show their products perform better than others, so over the long term that’s the model Biofourmis wants to encourage.
Indeed, the confidence is such that Biofourmis intends to initially go to market via pharma companies, which will sell the package into clinics bundled with their drugs, before moving to work with insurance firms once traction is gained. While the Biofourmis platform is likely to be bundled with initial medication, the company will take a commission of 5-10 percent on the recommended drugs sold through its digital pill.
Biofourmis CEO and co-founder Kuldeep Singh Rajput dropped out of his PhD course to start the company in 2015
Doubling down on the US
With its new money, Biofourmis is doubling down on that imminent commercialization by relocating its headquarters to Boston. It will retain its presence in Singapore, where it has 45 people who handle software and product development, but the new U.S. office is slated to grow from 14 staff right now to up to 120 by the end of the year.
“The U.S. has been a major market focus since day one,” Singh Rajput said. “Being closer to customers and attracting the clinical data science pool is critical.”
While he praised Singapore and said the company remains committed to the country — adding EDBI to its investors is certainly a sign — he admitted that Boston, where he once studied, is a key market for finding “data scientists with core clinical capabilities.”
That expansion is not only to bring the cardio product to market, but also to prepare products to cover other therapeutics. Right now, it has six trials in place that cover pain, orthopedics and oncology. There are also plans to expand in other markets outside of the U.S., in particular Singapore and China, where Biofourmis plans to lean on Jianke.
Not lacking in confidence, Singh Rajput told TechCrunch that the company is on course to reach a $1 billion valuation when it next raises funding. That round is estimated to be 18 months away, and the company isn’t saying how much it is worth today.
Singh Rajput did confirm, however, that the round was heavily oversubscribed, and that the startup rebuffed investment offers from pharma companies in order to “avoid a conflict of interest and stay neutral.”
He is also eying a future IPO, which is tentatively set for 2023 — although by then, Singh Rajput said, Biofourmis would need at least two products in the market.
There’s a long way to go before then, but this round has certainly put Biofourmis and its digital pill approach on the map within the tech industry.
This week could mark a significant setback for Amazon’s facial recognition business if privacy and civil liberties advocates — and some shareholders — get their way.
Months earlier, shareholders tabled a resolution to limit the sale of the facial recognition technology Amazon calls Rekognition to law enforcement and government agencies. It followed accusations of bias and inaccuracies in the technology, which critics say can be used to racially discriminate against minorities. Rekognition, which runs image and video analysis of faces, has been sold to two states so far, and Amazon has pitched it to Immigration and Customs Enforcement. A second resolution would require an independent human and civil rights review of the technology.
Now the ACLU is backing the measures and calling on shareholders to pass the resolutions.
“Amazon has stayed the course,” said Shankar Narayan, director of the Technology and Liberty Project at the ACLU Washington, in a call Friday. “Amazon has heard repeatedly about the dangers to our democracy and vulnerable communities about this technology but they have refused to acknowledge those dangers let alone address them,” he said.
“Amazon has been so non-responsive to these concerns,” said Narayan, “even Amazon’s own shareholders have been forced to resort to putting these proposals addressing those concerns on the ballot.”
It’s the latest move in a concerted effort by dozens of shareholders and investment firms, tech experts and academics, and privacy and rights groups and organizations who have decried the use of the technology.
Critics say Amazon Rekognition has accuracy and bias issues. (Image: TechCrunch)
In a letter to be presented at Amazon’s annual shareholder meeting Wednesday, the ACLU will accuse Amazon of “failing to act responsibly” by refusing to stop the sale of the technology to the government.
“This technology fundamentally alters the balance of power between government and individuals, arming governments with unprecedented power to track, control, and harm people,” said the letter, shared with TechCrunch. “It would enable police to instantaneously and automatically determine the identities and locations of people going about their daily lives, allowing government agencies to routinely track their own residents. Associated software may even display dangerous and likely inaccurate information to police about a person’s emotions or state of mind.”
“As shown by a long history of other surveillance technologies, face surveillance is certain to be disproportionately aimed at immigrants, religious minorities, people of color, activists, and other vulnerable communities,” the letter added.
“Without shareholder action, Amazon may soon become known more for its role in facilitating pervasive government surveillance than for its consumer retail operations,” it read.
Facial recognition has become one of the most hot-button topics in privacy in years. Amazon Rekognition, the company’s cloud-based facial recognition system, remains in its infancy yet is one of the most prominent and widely available systems on the market. But critics say the technology is flawed. Exactly a year before this week’s shareholder meeting, the ACLU first raised “profound” concerns with Rekognition and its deployment at airports, in public places and by police. Since then, the technology has been shown to struggle with people of color. In the ACLU’s tests, the system falsely matched 28 members of Congress against a database of mugshots of people who had previously been arrested.
But there has been pushback — even from government. Several municipalities have rolled out surveillance-curtailing laws and ordinances in the past year. San Francisco last week became the first major U.S. city government to ban the use of facial recognition.
“Amazon leadership has failed to recognize these issues,” said the ACLU’s letter to be presented Wednesday. “This failure will lead to real-life harm.”
The ACLU said shareholders “have the power to protect Amazon from its own failed judgment.”
Amazon has pushed back against the claims by arguing that the technology is accurate — largely by criticizing how the ACLU conducted its tests using Rekognition.
Amazon did not comment when reached prior to publication.
Over 2 million women were diagnosed with breast cancer in 2018. And while the diagnosis doesn’t have to be a death sentence for women in countries like the United States, in developing countries three times as many women die from the disease.
And the WHO blames these low survival rates in less developed countries on the lack of early detection programs, which results in a higher proportion of women presenting with late-stage disease. The problem is exacerbated by a lack of adequate diagnostic technologies and treatment facilities, according to the WHO.
A group of Johns Hopkins University undergraduates believe they have found a solution. The four women, none of whom are over 21 years old, have developed a new, low-cost, disposable core needle biopsy technology for physicians and nurses that could dramatically reduce cost and waste, thereby increasing the availability of screening technologies in emerging markets.
They’ve taken the technology they developed at Johns Hopkins University and created a new startup called Ithemba, which means “hope” in Swahili, to commercialize their device. While the company is still in its early days, the women recently won the undergraduate Lemelson-MIT Student Prize competition, and have received $60,000 in non-dilutive grant funding and a $10,000 prize associated with the Lemelson award.
Students at Johns Hopkins had been working through the problem of developing low-cost diagnostic tools for breast cancer for the past three years, spurred on by Dr. Susan Harvey, the head of Johns Hopkins Section of Breast Imaging.
While Dr. Harvey presented the problem, and several students tried to tackle it, Ithemba’s co-founders — the biomedical engineering undergrads Laura Hinson, Madeline Lee, Sophia Triantis, and Valerie Zawicki — were the first to bring a solution to market.
Ithemba co-founders Laura Hinson, Madeline Lee, Valerie Zawicki and Sophia Triantis
The 21-year-old Zawicki, who grew up in Long Beach, Calif., has a personal connection to the work the team is doing. When she was just five years old her mother was diagnosed with breast cancer, and the cost of treatment and toll it took on the family forced the family to separate. “My sister moved in with my grandparents,” Zawicki says, while her mother underwent treatment. “When I came to college I was looking for a way to make an impact in the healthcare space and was really inspired by the care my mom received.”
The same is true for Zawicki’s co-founder, Triantis.
“We have an opportunity to solve problems that really need solving,” says Triantis, a 20-year-old undergraduate. “Breast cancer has affected so many people close to me… It is the most common cancer among women [and] the fact that women in low resource settings do not have the same standard of diagnostic care really inspired me to work on a solution.”
What the four women have made is a version of a core-needle biopsy device that has a lower risk of contamination than the reusable devices currently on the market and is cheaper than the expensive disposable needles that are the only other option, the founders say.
“We’ve designed a novel, disposable portion that attaches to the reusable device and the disposable portion has an ability to trap contaminants that would come back through the needle into the device,” says Triantis. “What we’ve created is a way to trap that and have that full portion be disposable and making the device as easy to clean as possible… with a bleach wipe.”
The company is currently in the process of doing benchtop tests on the device, and will look to file a 510(k) to be certified as a Class 2 medical device. Already a clinic in South Africa and a hospital in Peru are on board as early customers for the new biopsy tool.
At the heart of the new tool is a mechanism which prevents blood from being drawn back into a needle. The team argues it makes reusable needles much less susceptible to contamination and can replace the disposable needles that are too expensive for many emerging market clinics and hospitals.
Zawicki had been working on the problem for a while when Hinson, Lee, and Triantis joined up. “I joined the team when the problem was presented,” says Zawicki. “The project began with this problem that was pitched three years ago, but the four of us are really those that have brought this to life in terms of a device.”
Crucially for the team, Johns Hopkins was fully supportive of the women taking their intellectual property and owning it themselves. “We received written approval from the tech transfer office to file independently,” says Zawicki. “That is really unique.”
Coupled with the Lemelson award, Ithemba sees a clear path to ownership of the intellectual property and is filing patents on its device.
Zawicki says that it could be anywhere from three to five years before the device makes it on to the market, but there’s the potential for partnerships with big companies in the biopsy space that could accelerate that time to market.
“Once we get that process solidified and finalize our design we will wrap up our benchtop testing so we can move toward clinical trials by next summer, in 2020,” Zawicki says.