Tuesday, March 28, 2017

Positive Technologies Experts Detect Critical Vulnerability in Huawei LTE Modems

Huawei thanked the Positive Technologies experts Timur Yunusov and Kirill Nesterov and the information security specialist Alexey Osipov, who detected a critical vulnerability in Huawei 4G USB modems (E3272s) and helped to fix it.

Following the research, the Chinese telecommunications equipment company issued a software update for the device.

According to the Huawei PSIRT bulletin, a potential intruder can block the device by sending a malicious packet. The Positive Technologies researchers state that the vulnerability may lead to a DoS attack and to remote arbitrary code execution via an XSS attack or a stack overflow.

In late 2014, Positive Technologies specialists carried out large-scale research on vulnerabilities in 4G USB modems, covering six different series of devices (including the Huawei E3272s) with 30 different firmware versions.

By exploiting the detected flaws, an intruder can gain privileges on a remote modem, take control of the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal. Moreover, attacks on SIM cards via binary SMS messages allow an attacker to intercept and decrypt a subscriber's traffic, track his or her location, and block the SIM card. Timur Yunusov covered attacks on 4G network equipment in his talk at PHDays V in May 2015. You can watch his presentation "Bootkit via SMS: 4G Access Level Security Assessment" on the Positive Technologies page on YouTube.

This is not the first research on the security of telecommunications equipment and mobile networks conducted by Positive Technologies experts. In January 2015, Evgeny Stroev issued a report on severe SNMP vulnerabilities in network equipment produced by Huawei and H3C. Those vulnerabilities made it possible to penetrate the corporate network of any company, including the technological network of a mobile carrier.

Research carried out by Dmitry Kurbatov, Sergey Puzankov, and Pavel Novikov in February 2015 revealed that many 2G and 3G mobile networks can be accessed via the internet because of open GTP ports and other exposed data transfer protocols (FTP, Telnet, HTTP). An attacker can connect to a mobile network operator's node by exploiting vulnerabilities (for example, default passwords) in these interfaces.