Huawei ‘Will Not Fix Vulnerable WiMax Routers’

Huawei has confirmed it does not plan to release patches for vulnerabilities uncovered in several of its WiMax routers, some of which are still on sale in a number of countries.

Huawei said the models in question are no longer supported by the company and will not receive patches. Security researcher Pierre Kim, who disclosed the flaws in an advisory published on Tuesday, tested the models’ latest firmware, which dates from 2013.

No workaround

“Huawei… confirmed that the products mentioned in the report have reached End of Service,” the company stated. “Huawei suggests that users replace old Huawei routers with later products.”

The company said its product lifecycle management programme is “in accordance with industry practices”.

Such devices provide an Internet connection, using WiMax wireless technology to link the user’s premises to the service provider.

Kim, a South Korea-based security specialist, initially tested the Huawei BM626e router/access point, but Huawei confirmed that the security bugs he found are also in a list of similar devices that use the same firmware.

The devices in question are sold by access providers in countries including Cote d’Ivoire, Iran, Iraq, Libya, the Philippines, Bahrain and the Ukraine, Kim said in his advisory.

Affected models include the BM635, BM632, BM631a, BM632w and BM652, Huawei confirmed.

Because the devices are provided and configured by access providers, users have no way to apply a workaround, Kim said.

Router attacks

The vulnerabilities include unauthenticated disclosure of device configuration information, admin session hijacking, and the ability to perform administration tasks, including modifying device configuration, without valid credentials.

Kim initially discovered the flaws in July and worked with Huawei to confirm the bugs before making them public.

In November Kim identified severe security flaws in more than a dozen Huawei 3G routers, also now out of support.

Routers are a particular target for hackers since their firmware is rarely updated by users, and they tend to continue in use until they fail or become obsolete.

Attackers may take over the devices and link them to botnets used in launching denial-of-service attacks, according to security researchers. The danger extends to other connected devices, collectively known as the “Internet of Things”, which are becoming increasingly common and which are often poorly protected.

In October researchers disclosed that “vigilante” malware had been discovered that infects routers and other connected devices, but only acts to improve their security.

Also in October, researchers said they found Internet-connected security cameras were being taken over en masse and used to launch attacks.


Matthew Broersma

Matt Broersma is a long-standing tech freelance who has worked for Ziff-Davis, ZDnet and other leading publications.
