Huawei routers are full of holes, according to a German security expert. Built by a Chinese firm, Huawei routers are currently being used by many Internet service providers in the United States and other parts of the world because of their affordable price. The vulnerabilities discovered by a German researcher would allow hackers to take control of the devices and eavesdrop on user’s traffic.
Felix Lindner, head of security firm Recurity Labs, said that Huawei routers are easy targets for cyber attacks due to their usage of an older set of codes formulated in the 90s. The weaknesses–a heap overflow, stack overflow, and a session hijack–were all discovered by hackers during the last Defcon convention last Sunday. Obsolete coding of the firmware of both Huawei AR18 and AR29 routers can be exploited over the Internet. According to Lindner and his colleague Gregor Kopf, the two routers have more than 10,000 calls in the firmware’s code to sprintf, a term to denote a certain function known in the security world to be insecure. An attacker can easily get access to the systems, change admin passwords, reconfigure the systems, or log in as administrator, making it easier to intercept all traffic running through the routers.
The researchers said they have not tested the bigger routers from Huawei like the NE series used for telecom data communication networks because they cannot secure one. Huawei equipment is being used by about half of the world’s internet infrastructure.
The result of the research is a valuable feedback not just for Internet Service Providers using these insecure routers, but also for millions of people around the world who do not realize their internet activities can be spied on.
According to Huawei website, the AR series routers are marketed for home and office use. The worst part is the company itself does not have a firm protection for their customers like a security contact to report any vulnerabilities. The company does not also put out security advisories or any information what their firmware updates fix in their products.