Menu
Many vulnerabilities in older Huawei 3G routers won't get patched

Many vulnerabilities in older Huawei 3G routers won't get patched

Although users are at risk, the devices aren't supported by Huawei anymore

Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities.

The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack.

The models of affected routers, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, a security researcher who found the issues and listed the models on his blog.

Router vulnerabilities can be used by attackers to reroute people to bogus websites that appear to be legitimate, monitor web browsing and do other misdeeds.

Kim's research focused on Huawei's B260a model, which was distributed at one time by Tunisia Telecom. The same firmware, however, was used in more than a dozen other router models, he said. The firmware analyzed by Kim was last updated on Feb. 20, 2013.

ISPs that distributed Huawei's routers also modified the firmware in order to provide customized user interfaces, Kim said. He said he analyzed firmware for Huawei routers from different ISPs, and all contained the same underlying problems.

Kim found that the B260a also stores the administrator name and password in cleartext in a cookie, which could be read by attackers. He also discovered it was possible to get the password for the router's Wi-Fi without authentication.

In short, the router was "overall badly designed with a lot of vulnerabilities," he wrote.

Huawei was notified of the issues in August and quickly responded, but said it did not plan to distribute patches.

Even if the company did want to patch, it would be hard since the ISPs distribute the firmware for the routers. Huawei doesn't offer a copy of it on its website, Kim said in an email interview.

"It's why updating this kind of device is very difficult," he said.

Kim's writeup said the routers were distributed in Argentina, Armenia, Austria, Brazil, Chile, Croatia, Denmark, Ecuador, Estonia, Germany, Guatemala, Jamaica, Kenya, Mali, Mexico, Niger, Portugal, Romania, Slovakia, Sweden and Tunisia.

All of the affected models provide Internet service via a SIM card, which is inserted into the device, making them ideal for places with poor or nonexistent wired connectivity.

Huawei may have little economic incentive to update older routers as it has brought newer models to market, Kim said.

"I really thought Huawei would release security patches, and I think they should patch these routers," he said. "Now, I'm aware we are living in a capitalist world. They will not gain money by patching 'old' devices."

Huawei officials couldn't be immediately reached for comment.


Follow Us

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Featured

Slideshows

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards

Hundreds of leaders from the New Zealand IT industry gathered at the Hilton in Auckland on 17 November to celebrate the finest female talent in the Kiwi channel and recognise the winners of the Reseller News Women in ICT Awards (WIICTA) 2020.

The Kiwi channel gathers for the 2020 Reseller News Women in ICT Awards
Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards

The leading female front runners of the New Zealand ICT industry joined together for the annual Reseller News Women in ICT Awards event at the Hilton in Auckland, during which hundreds of guests celebrated 13 outstanding individuals who won awards, chosen from more than 50 finalists representing over 30 organisations.

Leading female front runners honoured at the 2020 Reseller News Women in ICT Awards
Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners

More than 500 channel leaders gathered in Auckland on 21 October at the ​Reseller News Innovation Awards ​2020 to celebrate the achievements of the New Zealand technology industry's top partners, start-ups, vendors, distributors and individuals.

Channel gathers to celebrate the Reseller News Innovation Awards 2020 winners
Show Comments