October 2, 2015

Positive Technologies Experts Detect Critical Vulnerability in Huawei LTE Modems

Huawei thanked the Positive Technologies experts Timur Yunusov and Kirill Nesterov and the information security specialist Alexey Osipov, who detected a harmful vulnerability in Huawei 4G USB modems (E3272s) and helped to fix it.


Following the research, the Chinese telecommunications equipment company issued a software update for the device.

According to the Huawei PSIRT bulletin, a potential intruder can block the device by sending a malicious packet. The Positive Technologies researchers claim that the vulnerability may lead to a DoS attack and remote arbitrary code execution via an XSS attack or stack overflow.

In late 2014, Positive Technologies specialists carried out large-scale research into vulnerabilities in 4G USB modems, which covered six different series of devices (including Huawei E3272s) with 30 different types of firmware.

By exploiting the detected flaws, an intruder can gain rights on a remote modem, take control of the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal. Moreover, attacks on SIM cards via binary SMS messages allow an attacker to intercept and decrypt a subscriber's traffic, track his or her location, and block the SIM card. Timur Yunusov covered attacks on 4G network equipment in his speech at PHDays V in May 2015. You can watch his presentation, "Bootkit via SMS: 4G Access Level Security Assessment", on Positive Technologies' page on YouTube.

This is not the first research on the security of telecommunications equipment and mobile networks conducted by Positive Technologies experts. In January 2015, Evgeny Stroev issued a report on severe SNMP vulnerabilities in network equipment produced by Huawei and H3C. Those vulnerabilities allowed an attacker to penetrate the corporate network of any company, including the technological network of a mobile carrier.

Research carried out by Dmitry Kurbatov, Sergey Puzankov, and Pavel Novikov in February 2015 revealed that a good few 2G and 3G mobile networks can be accessed via the internet because of open GTP ports and other open data transfer protocols (FTP, Telnet, HTTP). An attacker can connect to the node of a mobile network operator by exploiting vulnerabilities (for example, default passwords) in these interfaces.
