Hijack vulnerability found in Huawei's 4G USB modems

Researchers from security firm Positive Technologies have found a vulnerability in Huawei's 4G USB modem which allows hackers to hijack connected computers.

Researchers Timur Yunusov and Kirill Nesterov have said the vulnerabilities can be exploited through malicious packets sent to the device's gateway:

"The vulnerability may lead to a DOS attack and remote arbitrary code execution via an XSS attack or stack overflow,” it says in the PT Security blog post about the discovery.

“By exploiting detected flaws, an intruder can gain rights on a remote modem, take control over the computer connected to the vulnerable modem, and obtain access to the subscriber's account in the mobile operator's portal. Moreover, attacks on SIM cards via binary SMS messages allow an attacker to intercept and decrypt a subscriber's traffic, track his or her location, and block the SIM card,” it says.

The discovery came as part of a “large-scale research” involving six 4G USB modems, running 30 firmware variants.

The modem’s makers were alerted to the vulnerability and have, together with Positive Technologies’ researchers, created a fix.

“An attacker could send a malicious packet to the Common Gateway Interface (CGI) of target device and make it fail while setting port attribute, which cause a DoS attack,” Huawei confirmed.

Huawei thanked the Positive Technologies experts and the information security specialist Alexey Osipov, who detected a harmful vulnerability in Huawei 4G USB modems (E3272s) and helped to fix it.

The device, whose software is now fixed, can still be bought on Amazon for £78.