The Chinese telecommunications equipment maker advised users to discard the affected devices, some of which are still on sale
Huawei has confirmed it does not plan to release patches for vulnerabilities uncovered in a number of its WiMax routers, some of which are still on sale in a number of countries.
Huawei said the models in question are no longer supported by the company and will not receive patches. Security researcher Pierre Kim, who disclosed the flaws in an advisory published on Tuesday, tested the models’ latest firmware, which dates from 2013.
“Huawei… confirmed that the products mentioned in the report have reached End of Service,” the company stated. “Huawei suggests that users replace old Huawei routers with later products.”
The company said its product lifecycle management programme is “in accordance with industry practices”.
Such devices provide an Internet connection by using WiMax wireless technology to link the user’s premises to the service provider.
Kim, a South Korea-based security specialist, initially tested the Huawei BM626e router/access point, but Huawei confirmed that the security bugs he found are also in a list of similar devices that use the same firmware.
The devices in question are sold by access providers in countries including Cote d’Ivoire, Iran, Iraq, Libya, the Philippines, Bahrain and the Ukraine, Kim said in his advisory.
Affected models include the BM635, BM632, BM631a, BM632w and BM652, Huawei confirmed.
Because the devices are provided and configured by access providers, users have no way to apply a workaround, Kim said.
The vulnerabilities include unauthenticated disclosure of device configuration information, admin session hijacking, and the ability to perform administration tasks, including modifying device configuration, without valid credentials.
Kim initially discovered the flaws in July and worked with Huawei to confirm the bugs before making them public.
In November Kim identified severe security flaws in more than a dozen Huawei 3G routers, also now out of support.
Routers are a particular target for hackers since their firmware is rarely updated by users, and they tend to continue in use until they fail or become obsolete.
Attackers may take over the devices and link them to botnets used in launching denial-of-service attacks, according to security researchers. The danger extends to other connected devices, collectively known as the “Internet of Things”, which are becoming increasingly common and which are often poorly protected.
In October researchers disclosed that “vigilante” malware had been discovered that infects routers and other connected devices, but only acts to improve their security.
Also in October, researchers said they found Internet-connected security cameras were being taken over en masse and used to launch attacks.