Many vulnerabilities in older Huawei 3G routers won't get patched

08.10.2015
Huawei doesn't plan to patch more than a dozen models of 3G routers that have severe software vulnerabilities.

The flaws could allow an attacker to change DNS (Domain Name System) settings, upload new firmware without logging into the device and conduct a denial-of-service attack.

The models of affected routers, distributed by ISPs in 21 countries, are now considered out of Huawei's support cycle, said Pierre Kim, a security researcher who found the issues and listed the models on his blog.

Router vulnerabilities can be used by attackers to reroute people to bogus websites that appear to be legitimate, monitor web browsing and do other misdeeds.

Kim's research focused on Huawei's B260a model, which was distributed at one time by Tunisia Telecom. The same firmware, however, was used in more than a dozen other router models, he said. The firmware analyzed by Kim was last updated on Feb. 20, 2013.

ISPs that distributed Huawei's routers also modified the firmware in order to provide customized user interfaces, Kim said. He said he analyzed firmware for Huawei routers from different ISPs, and all contained the same underlying problems.

Kim found that the B260a also stores the administrator name and password in cleartext in a cookie, which could be read by attackers. He also discovered it was possible to get the password for the router's Wi-Fi without authentication.

In short, the router was "overall badly designed with a lot of vulnerabilities," he wrote.

Huawei was notified of the issues in August and quickly responded, but said it did not plan to distribute patches.

Even if the company did want to patch, it would be hard since the ISPs distribute the firmware for the routers. Huawei doesn't offer a copy of it on its website, Kim said in an email interview.

"It's why updating this kind of device is very difficult," he said.

Kim's writeup said the routers were distributed in Argentina, Armenia, Austria, Brazil, Chile, Croatia, Denmark, Ecuador, Estonia, Germany, Guatemala, Jamaica, Kenya, Mali, Mexico, Niger, Portugal, Romania, Slovakia, Sweden and Tunisia.

All of the affected models provide Internet service via a SIM card, which is inserted into the device, making them ideal for places with poor or nonexistent wired connectivity.

Huawei may have little economic incentive to update older routers as it has brought newer models to market, Kim said.

"I really thought Huawei would release security patches, and I think they should patch these routers," he said. "Now, I'm aware we are living in a capitalist world. They will not gain money by patching 'old' devices."

Huawei officials couldn't be immediately reached for comment.

Jeremy Kirk