Slew of WiMAX Routers Open to Hijacking, Spying and Botnet Enslavement

A vulnerability in several WiMAX routers, distributed by WiMAX ISPs to subscribers, allows an attacker to change the password of the admin user and gain access to the device, wreaking a range of havoc from there.

According to SEC Consult, once an attacker is in, he or she can gain access to the device, access the network behind it and launch further attacks. Bad actors can also add devices to a Mirai-like botnet, alter the DNS servers to carry out banking or ad fraud, or simply spy on the user.

The vulnerability affects devices from GreenPacket, Huawei, MADA, ZTE, ZyXEL and others—and together, anywhere from 50,000 to 100,000 of them are open to the internet, according to SEC Consult, which has notified the vendors.

“Based on the information we got from internet-wide scan data, we know that a lot of devices expose a web server on the WAN interface,” SEC researchers said, in an analysis. “This is caused by a misconfiguration, or more likely carelessness by the ISPs that provide WiMAX gateways to customers. Web interfaces are usually a good place to hunt for vulnerabilities.”

Although the issue was introduced somewhere along the supply chain, the fact that these devices have so many OEM components from different sources makes it particularly difficult to track down the source of the flaw, SEC noted. But it may be a moot point anyway: WiMAX is a 4G wireless standard, and is somewhat of an outdated technology, having lost the war for mobile carriers’ hearts and minds to LTE. It is, however, still used for enterprise and campus wireless LAN installations.

The affected products are older, likely manufactured in the early 2010s. In Huawei’s case, all of the affected products have been end-of-service since 2014, meaning that there will be no more updates. Zyxel, meanwhile, has provided a statement with a workaround on its website.

“It’s unlikely that any of the affected devices will receive updates, so the only solution is to replace them,” SEC noted. “ISPs should limit the attack surface on CPEs as much as possible. This is not just limited to the web interface and SSH/Telnet but also to the TR-069 Connection Request Server.”

Ben Herzberg, security group research manager for the Incapsula product line at Imperva, said via email that hackers will be able to exploit the issue quite easily, given the information released.

“From previous exploits (like the TalkTalk routers, etc.), we’ve seen that attackers are actually quite quick about it,” he said. “And they should be, as that is how they make money (for example: by renting the hacked devices as DDoS-4-Hire botnets). The only real solution is to upgrade (configuring out the web access should also work, but for safe-measures, if I had such a vulnerable router, I’d replace it).”
