14 DAY TRIAL // Pierre Kim, a security researcher from South Korea, has identified a few major security vulnerabilities in Huawei's B260A 3G router. According to his research, the router suffers from bugs that allow XSS (Cross-Site Scripting), CSRF (Cross-Site Request Forgery), DoS (Denial of Service), and an unauthenticated firmware update.
The device is usually provided by telecommunication companies like Vodafone and Orange to 3G clients as an Internet modem in countries like Austria, Argentina, Brazil, Croatia, Denmark, Germany, Mexico, Portugal, Romania, Sweden, Tunisia, and a few others more.
It can also be bought online for prices ranging from $60 to $200 (€53 to €177), depending on the make, model, and the place you buy it from.
According to Kim's research, the B260A router stored the administrator name and password encoded in base64 inside a cookie which was easily accessible.
Despite the "faulty" password storage policy, attackers could have triggered XSS attacks which would then remotely reboot the device and even grab WiFi and PPPOE passwords without the attacker needing to authenticate.
If this were all there was to it, we would have understood, since most routers this old were not designed with the best security practices in place. But there was more.
Security researchers: CSRF everywhere (EVERYWHERE)!!!!
Kim also found numerous CSRF vulnerabilities, one of which allowed him to change upstream DNS servers without needing to authenticate on the router. In Pierre Kim's own words, "Apparently, there are CSRF everywhere (EVERYWHERE)."
There was also a DoS vulnerability which he found when trying to connect via telnet on the HTTP port (80) instead of the regular one (22), and another bug which allowed him to overwrite the router's firmware without proper credentials.
Kim's research had him study only the B260A model, but according to his blog post, 13 other models bearing a similar architecture could be affected as well.
The vulnerabilities described above were found in August 2014, were reported to Huawei in August 2015, and the company confirmed them but said that the affected products were in the End Of Service stage and would not be patched. If they did, they would have probably needed to rewrite the entire software.
