As ZDNet reports, the flaws were found by security researcher Pierre Kim. He publicly wrote of his discovery yesterday but informed Huawei over a month ago. Over several weeks, dialogue between the parties failed to reach a resolution, with Huawei saying it will not fix the bugs because all the affected devices are classed as “End of Service.”
The issues stem from numerous vulnerabilities in Huawei’s user authentication system. The affected software is used in 14 different Huawei B- and E-series routers built since 2010. Newer routers are not at risk.
The impacted devices allow attackers to remotely log in and upload their own firmware to the device. Hackers could also change critical settings without any authentication, making it possible to redirect all traffic through their own servers to force the download of malware.
The routers provide the username and password of their administrator account in plain text when exchanging data with devices. In many cases, the hacker wouldn’t even need these details. No authentication is required to remotely grab the Wi-Fi password, reboot the device and obtain data on the current network status.
When upgrading the firmware, the router proceeds with the install even if the supplied password does not match that of the administrator account. Attackers could install their own malicious firmware on the device, so the only way for a user to recover would be to restore Huawei’s own firmware in a highly technical procedure.
Routers built by Huawei aren’t ubiquitous in most Western households but the affected series are popular in developing nations. They are often supplied as standard routers by Internet service providers, including companies in Argentina, Brazil, Croatia, Mali, Romania and Tunisia. They support using a 3G signal as an Internet connection, hence their popularity in regions where broadband access isn’t always easy to obtain.
Elsewhere in the world, European operators also appear on the list of affected ISPs. Providers based in Germany, Sweden and Portugal all supply Huawei-built routers that are vulnerable to the flaws. In total, over 32 variants are at risk, with big-name ISPs including Orange, Vodafone, Tele2, VIVO, Digicel and Telcel affected.
Huawei has confirmed that the issues Kim identified are present in the routers. Unfortunately for owners, their status as end-of-life devices means the company, the world’s largest telecommunications firm, won’t be releasing a patch to fix the serious flaws. Instead, it recommends that people stop using the routers and buy a new model. The Huawei B68L or B310 are suggested alternatives.
With the news in the wild and the potential to impact thousands of people, it seems as though it’ll only be a matter of time before hackers start targeting the affected devices. With no way to avoid potentially crippling attacks, the only real option for owners who, in many cases, got these routers free is to follow Huawei’s “advice” and buy an entirely new one.