Menu
Many vulnerabilities in older Huawei 3G routers won't get patched

Many vulnerabilities in older Huawei 3G routers won't get patched

Although users are at risk, the devices aren't supported by Huawei anymore

Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities.

The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack.

The models of affected routers, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, a security researcher who found the issues and listed the models on his blog.

Router vulnerabilities can be used by attackers to reroute people to bogus websites that appear to be legitimate, monitor web browsing and do other misdeeds.

Kim's research focused on Huawei's B260a model, which was distributed at one time by Tunisia Telecom. The same firmware, however, was used in more than a dozen other router models, he said. The firmware analyzed by Kim was last updated on Feb. 20, 2013.

ISPs that distributed Huawei's routers also modified the firmware in order to provide customized user interfaces, Kim said. He said he analyzed firmware for Huawei routers from different ISPs, and all contained the same underlying problems.

Kim found that the B260a also stores the administrator name and password in cleartext in a cookie, which could be read by attackers. He also discovered it was possible to get the password for the router's Wi-Fi without authentication.

In short, the router was "overall badly designed with a lot of vulnerabilities," he wrote.

Huawei was notified of the issues in August and quickly responded, but said it did not plan to distribute patches.

Even if the company did want to patch, it would be hard since the ISPs distribute the firmware for the routers. Huawei doesn't offer a copy of it on its website, Kim said in an email interview.

"It's why updating this kind of device is very difficult," he said.

Kim's writeup said the routers were distributed in Argentina, Armenia, Austria, Brazil, Chile, Croatia, Denmark, Ecuador, Estonia, Germany, Guatemala, Jamaica, Kenya, Mali, Mexico, Niger, Portugal, Romania, Slovakia, Sweden and Tunisia.

All of the affected models provide Internet service via a SIM card, which is inserted into the device, making them ideal for places with poor or nonexistent wired connectivity.

Huawei may have little economic incentive to update older routers as it has brought newer models to market, Kim said.

"I really thought Huawei would release security patches, and I think they should patch these routers," he said. "Now, I'm aware we are living in a capitalist world. They will not gain money by patching 'old' devices."

Huawei officials couldn't be immediately reached for comment.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The making of an MSSP: a blueprint for growth in NZ

The making of an MSSP: a blueprint for growth in NZ

Partners are actively building out security practices and services to match, yet remain challenged by a lack of guidance in the market. This exclusive Reseller News Roundtable - in association with Sophos - assessed the making of an MSSP, outlining the blueprint for growth and how partners can differentiate in New Zealand.

The making of an MSSP: a blueprint for growth in NZ
Reseller News Platinum Club celebrates leading partners in 2018

Reseller News Platinum Club celebrates leading partners in 2018

The leading players of the New Zealand channel came together to celebrate a year of achievement at the inaugural Reseller News Platinum Club lunch in Auckland. Following the Reseller News Innovation Awards, Platinum Club provides a platform to showcase the top performing partners and start-ups of the past 12 months, with more than ​​50 organisations in the spotlight.​​​

Reseller News Platinum Club celebrates leading partners in 2018
Meet the top performing HP partners in NZ

Meet the top performing HP partners in NZ

HP has honoured its leading partners in New Zealand during 2018, following 12 months of growth through the local channel. Unveiled during the fourth running of the ceremony in Auckland, the awards recognise and celebrate excellence, growth, consistency and engagement of standout Kiwi partners.

Meet the top performing HP partners in NZ
Show Comments