Many vulnerabilities in older Huawei 3G routers won't get patched

Although users are at risk, the devices aren't supported by Huawei anymore

Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities.

The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack.

The models of affected routers, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, a security researcher who found the issues and listed the models on his blog.

Router vulnerabilities can be used by attackers to reroute people to bogus websites that appear to be legitimate, monitor web browsing and do other misdeeds.

Kim's research focused on Huawei's B260a model, which was distributed at one time by Tunisia Telecom. The same firmware, however, was used in more than a dozen other router models, he said. The firmware analyzed by Kim was last updated on Feb. 20, 2013.

ISPs that distributed Huawei's routers also modified the firmware in order to provide customized user interfaces, Kim said. He said he analyzed firmware for Huawei routers from different ISPs, and all contained the same underlying problems.

Kim found that the B260a also stores the administrator name and password in cleartext in a cookie, which could be read by attackers. He also discovered it was possible to get the password for the router's Wi-Fi without authentication.

In short, the router was "overall badly designed with a lot of vulnerabilities," he wrote.

Huawei was notified of the issues in August and quickly responded, but said it did not plan to distribute patches.

Even if the company did want to patch, it would be hard since the ISPs distribute the firmware for the routers. Huawei doesn't offer a copy of it on its website, Kim said in an email interview.

"It's why updating this kind of device is very difficult," he said.

Kim's writeup said the routers were distributed in Argentina, Armenia, Austria, Brazil, Chile, Croatia, Denmark, Ecuador, Estonia, Germany, Guatemala, Jamaica, Kenya, Mali, Mexico, Niger, Portugal, Romania, Slovakia, Sweden and Tunisia.

All of the affected models provide Internet service via a SIM card, which is inserted into the device, making them ideal for places with poor or nonexistent wired connectivity.

Huawei may have little economic incentive to update older routers as it has brought newer models to market, Kim said.

"I really thought Huawei would release security patches, and I think they should patch these routers," he said. "Now, I'm aware we are living in a capitalist world. They will not gain money by patching 'old' devices."

Huawei officials couldn't be immediately reached for comment.

