Huawei routers riddled with security flaws won't be patched

Many of the routers are no longer supported by Huawei and won't be fixed, according to the security researcher who found the flaws.
Written by Zack Whittaker, Contributor

Huawei will not patch a series of severe security flaws in more than a dozen commonly used routers.

The Chinese networking giant reportedly told security researcher Pierre Kim that it will not provide patches for its B260a router -- widely used by internet providers across Europe and Africa -- because the device is no longer supported by the company.

The affected router is still provided to customers of numerous internet companies in dozens of countries, including Argentina, Ecuador, Kenya, Mali, and Tunisia -- all of which have mixed human rights records at best, or where government surveillance is commonplace at worst.

Kim, who discovered the flaws, said an attacker can launch a number of attacks against the router, including remote code execution and cross-site scripting attacks which can be used to deliver malware to target machines. Other attacks -- denial-of-service and site forgery attacks -- are also possible.

Those attacks can allow an attacker to access other devices on the network or steal user credentials.

These attacks can be carried out with or without authentication -- in part thanks to the router storing the administrator's account name and password without encryption.

"It is possible to overwrite the default firmware with a custom one without authentication," said Kim in a public disclosure, weeks after privately informing Huawei of the flaws.

Huawei confirmed the flaws exist in the router, as well as in other devices in the B-series and E-series product lines manufactured in the past five years, but said its newer routers are not affected.

A Huawei spokesperson did not immediately return a request for comment.
