Many vulnerabilities in older Huawei 3G routers won't get patched

Although users are at risk, the devices aren't supported by Huawei anymore

Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities.

The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack.

The models of affected routers, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, a security researcher who found the issues and listed the models on his blog.

Router vulnerabilities can be used by attackers to reroute people to bogus websites that appear to be legitimate, monitor web browsing and do other misdeeds.

Kim's research focused on Huawei's B260a model, which was distributed at one time by Tunisia Telecom. The same firmware, however, was used in more than a dozen other router models, he said. The firmware analyzed by Kim was last updated on Feb. 20, 2013.

ISPs that distributed Huawei's routers also modified the firmware in order to provide customized user interfaces, Kim said. He said he analyzed firmware for Huawei routers from different ISPs, and all contained the same underlying problems.

Kim found that the B260a also stores the administrator name and password in cleartext in a cookie, which could be read by attackers. He also discovered it was possible to get the password for the router's Wi-Fi without authentication.

In short, the router was "overall badly designed with a lot of vulnerabilities," he wrote.

Huawei was notified of the issues in August and quickly responded, but said it did not plan to distribute patches.

Even if the company did want to patch, it would be hard since the ISPs distribute the firmware for the routers. Huawei doesn't offer a copy of it on its website, Kim said in an email interview.

"It's why updating this kind of device is very difficult," he said.

Kim's writeup said the routers were distributed in Argentina, Armenia, Austria, Brazil, Chile, Croatia, Denmark, Ecuador, Estonia, Germany, Guatemala, Jamaica, Kenya, Mali, Mexico, Niger, Portugal, Romania, Slovakia, Sweden and Tunisia.

All of the affected models provide Internet service via a SIM card, which is inserted into the device, making them ideal for places with poor or nonexistent wired connectivity.

Huawei may have little economic incentive to update older routers as it has brought newer models to market, Kim said.

"I really thought Huawei would release security patches, and I think they should patch these routers," he said. "Now, I'm aware we are living in a capitalist world. They will not gain money by patching 'old' devices."

Huawei officials couldn't be immediately reached for comment.

Join the CSO newsletter!

Error: Please check your email address.

More about Huawei

Show Comments

Featured Whitepapers

Editor's Recommendations

Solution Centres

Stories by Jeremy Kirk

Latest Videos

  • 150x50

    CSO Webinar: The Human Factor - Your people are your biggest security weakness

    ​Speakers: David Lacey, Researcher and former CISO Royal Mail David Turner - Global Risk Management Expert Mark Guntrip - Group Manager, Email Protection, Proofpoint

    Play Video

  • 150x50

    CSO Webinar: Current ransomware defences are failing – but machine learning can drive a more proactive solution

    Speakers • Ty Miller, Director, Threat Intelligence • Mark Gregory, Leader, Network Engineering Research Group, RMIT • Jeff Lanza, Retired FBI Agent (USA) • Andy Solterbeck, VP Asia Pacific, Cylance • David Braue, CSO MC/Moderator What to expect: ​Hear from industry experts on the local and global ransomware threat landscape. Explore a new approach to dealing with ransomware using machine-learning techniques and by thinking about the problem in a fundamentally different way. Apply techniques for gathering insight into ransomware behaviour and find out what elements must go into a truly effective ransomware defence. Get a first-hand look at how ransomware actually works in practice, and how machine-learning techniques can pick up on its activities long before your employees do.

    Play Video

  • 150x50

    CSO Webinar: Get real about metadata to avoid a false sense of security

    Speakers: • Anthony Caruana – CSO MC and moderator • Ian Farquhar, Worldwide Virtual Security Team Lead, Gigamon • John Lindsay, Former CTO, iiNet • Skeeve Stevens, Futurist, Future Sumo • David Vaile - Vice chair of APF, Co-Convenor of the Cyberspace Law And Policy Community, UNSW Law Faculty This webinar covers: - A 101 on metadata - what it is and how to use it - Insight into a typical attack, what happens and what we would find when looking into the metadata - How to collect metadata, use this to detect attacks and get greater insight into how you can use this to protect your organisation - Learn how much raw data and metadata to retain and how long for - Get a reality check on how you're using your metadata and if this is enough to secure your organisation

    Play Video

  • 150x50

    CSO Webinar: How banking trojans work and how you can stop them

    CSO Webinar: How banking trojans work and how you can stop them Featuring: • John Baird, Director of Global Technology Production, Deutsche Bank • Samantha Macleod, GM Cyber Security, ME Bank • Sherrod DeGrippo, Director of Emerging Threats, Proofpoint (USA)

    Play Video

  • 150x50

    IDG Live Webinar:The right collaboration strategy will help your business take flight

    Speakers - Mike Harris, Engineering Services Manager, Jetstar - Christopher Johnson, IT Director APAC, 20th Century Fox - Brent Maxwell, Director of Information Systems, THE ICONIC - IDG MC/Moderator Anthony Caruana

    Play Video

More videos

Blog Posts

Market Place