
Quanta Routers Plagued by Many Unpatched Flaws

A researcher has identified numerous serious vulnerabilities in routers built by Quanta Computer, a Taiwan-based hardware company that is said to be the largest original design manufacturer (ODM) of notebook computers in the world.


Researcher Pierre Kim published an advisory this week describing more than 20 vulnerabilities he identified in LTE QDH routers made by Quanta. The expert noted that the actual number of flaws is higher and the advisory details only the most significant issues.

The vulnerabilities found by Kim were identified in the latest available firmware version, 01.00.05_1210, which also appears to ship on several other devices, including QDH, UNE, Mobily and YooMee 4G routers used in several countries around the world.

The researcher discovered a hardcoded SSH server key that can be used to decrypt SSH traffic going to the router. He also identified a couple of default root and admin accounts that can be used to bypass HTTP authentication and gain access to the router via telnetd and SSHd services that are running by default. Backdoors have also been found in the Samba local storage sharing feature, and in the /bin/appmgr program.
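A hardcoded SSH host key is easiest to spot from the outside by its symptom: the same host key appears on every device running that firmware. The following added example (not from the advisory or from Quanta) parses ssh-keyscan style output for a fleet of routers, computes OpenSSH-format SHA256 fingerprints, and flags any host key shared by more than one device; the hosts and key material are constructed for the demonstration.

```python
import base64
import hashlib
from collections import defaultdict


def ed25519_blob(pubkey32: bytes) -> str:
    """Encode an ssh-ed25519 public key as the base64 blob ssh-keyscan prints."""
    body = b"\x00\x00\x00\x0bssh-ed25519" + len(pubkey32).to_bytes(4, "big") + pubkey32
    return base64.b64encode(body).decode()


# Constructed sample fleet: two routers present the identical host key,
# modelling a key embedded in the firmware image rather than generated per device.
KEY_A = ed25519_blob(bytes(32))            # shared by 192.0.2.10 and 192.0.2.11
KEY_B = ed25519_blob(bytes(range(32)))     # unique to 192.0.2.12
SAMPLE_KEYSCAN = "\n".join([
    "# 192.0.2.10:22 SSH-2.0-dropbear",     # ssh-keyscan emits comment lines like this
    f"192.0.2.10 ssh-ed25519 {KEY_A}",
    f"192.0.2.11 ssh-ed25519 {KEY_A}",
    f"192.0.2.12 ssh-ed25519 {KEY_B}",
])


def fingerprint(b64_key: str) -> str:
    """OpenSSH-style fingerprint: SHA256 of the decoded key blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(b64_key)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(text: str):
    """Yield (host, keytype, base64key) tuples, skipping comments and malformed lines."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) >= 3:
            yield parts[0], parts[1], parts[2]


def shared_host_keys(text: str) -> dict:
    """Map (keytype, fingerprint) -> hosts for every host key seen on more than one device."""
    by_fp = defaultdict(list)
    for host, keytype, key in parse_keyscan(text):
        by_fp[(keytype, fingerprint(key))].append(host)
    return {fp: hosts for fp, hosts in by_fp.items() if len(hosts) > 1}


if __name__ == "__main__":
    for (keytype, fp), hosts in shared_host_keys(SAMPLE_KEYSCAN).items():
        print(f"shared {keytype} host key {fp} on: {', '.join(hosts)}")
```

Run it against real `ssh-keyscan -t ed25519,rsa <hosts>` output to audit a deployment; any fingerprint reported for more than one device should be treated as a key an attacker can also obtain from the firmware image.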

The /bin/appmgr program also includes a hardcoded PIN for the Wi-Fi Protected Setup (WPS) system. Furthermore, the router allows users to generate a temporary WPS PIN that can be easily brute-forced by an attacker. The default Wi-Fi password is also weak and can be quickly brute-forced, Kim said.

According to the expert, an attacker can obtain sensitive information, including credentials and configuration data, even without authentication by exploiting a vulnerability in the device’s web interface.

In addition, Kim reported identifying remote code execution, arbitrary file access, and denial-of-service (DoS) vulnerabilities in Quanta’s LTE QDH routers.

Quanta said its LTE QDH routers have reached end of life (EOL) and will not get a firmware update to patch the vulnerabilities found by Kim. The company said it will take the researcher’s findings into consideration for future product development.


The researcher is displeased that the manufacturer has not at least provided security workarounds, given that it has not encouraged customers to discard the outdated product.

“Given the vulnerabilities found, even if the vendor changes its mind and decides to patch the router, I don’t think it is even possible as it needs major rewrites in several main components (the ASM code shows very bad security practices in several binaries),” Kim explained.

“From my tests, it is possible to overwrite the firmware with a custom (backdoored) firmware. Generating a valid backdoored firmware is left as an exercise for the reader, but with all these included vulnerabilities in the default firmware, I don’t think it is worth making the effort,” he added.

This is not the first time Kim has found router vulnerabilities. Last year, the researcher reported discovering a remote code execution flaw in 127 ipTIME router models.

Related Reading: Wireless Routers Plagued by Unpatched Flaws

Related Reading: Asus Settles FTC Charges Over Router Security

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
