
US warns of Huawei WiFi modem XSS security threat

22 Jul 2014
US CERT finds flaw in Huawei tech

The US Computer Emergency Response Team (CERT) has issued a warning alerting businesses of a flaw in Huawei's popular E355 wireless broadband modem that could be leveraged by hackers to mount cross-site scripting attacks.

The CERT team issued the warning on Monday, revealing that the flaw could leave people connecting to the internet or a cellular network using the modem vulnerable to cyber strikes.

"Huawei E355 wireless broadband modems include a web interface for administration and additional services. The web interface allows users to receive SMS messages using the connected cellular network," explained the advisory.

"The web interface is vulnerable to a stored cross-site scripting vulnerability. The vulnerability can be exploited if a victim views SMS messages that contain JavaScript using the web interface. A malicious attacker may be able to execute arbitrary script in the context of the victim's browser."
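The stored XSS described in the advisory arises when SMS text received from the cellular network is placed into the admin page's HTML as-is. The following is an added example (not Huawei's firmware code) showing that rendering pattern beside the output-encoded form a modem web UI should use; the message objects and function names are constructed for illustration.

```javascript
// Added example (not Huawei firmware code): rendering received SMS text in a
// modem's web interface. The inbox below is constructed sample data.

const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Encode every character that can open or close markup so the message body
// is displayed as text and never parsed as tags or attributes.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable pattern: sender and body are concatenated straight into markup,
// so a message that contains script runs in the browser of whoever views it.
function renderSmsUnsafe(msg) {
  return `<li><b>${msg.from}</b>: ${msg.body}</li>`;
}

// Hardened pattern: both fields arrive from the network and are untrusted,
// so both are escaped before they reach the page.
function renderSmsSafe(msg) {
  return `<li><b>${escapeHtml(msg.from)}</b>: ${escapeHtml(msg.body)}</li>`;
}

// Builds the inbox list with the supplied per-message renderer.
function renderInbox(msgs, render) {
  return `<ul>${msgs.map(render).join('')}</ul>`;
}

// Defender-side check on generated HTML: a raw <script> tag must never
// appear outside the template's own fixed markup.
function hasScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inbox: one benign message, one carrying script.
const SAMPLE_INBOX = [
  { from: '+441234567890', body: 'Your balance is 5 GBP' },
  { from: '<b>spoofed</b>', body: '<script>alert("xss")</script>' },
];
```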

Huawei released an advisory on the issue in June and confirmed it is working on a fix. "Huawei has analysed and investigated the vulnerability and informed involved customers. Huawei has prepared a fixing plan and started the development and test of fixed versions. Huawei will update the Security Notice if any progress is made," read the advisory.

FireEye director of technology strategy Jason Steer told V3 hackers could use the flaw for a variety of purposes. "Is it bad? Yes, XSS is a high-severity software flaw, because of its prevalence and its ability to be used by attackers to trick users into giving away sensitive information such as session cookies," he said.

"By allowing hostile JavaScript to be executed in a user's browser they can do a number of things. The most popular things are performing account takeovers to steal money, goods and website defacement. If you could get an admin account then you can start changing settings and having other impacts as well."

It is currently unclear if hackers are actively exploiting the flaw but Steer said he would be surprised if it was not.

"I think it's likely hackers are targeting it. I could think of a number of scenarios where having access to the hotspot configuration might be helpful, especially if I wanted to create a public hotspot and start to eavesdrop on other users looking for free WiFi to go online," he said.

The CERT team recommended people using the Huawei modem temporarily disable scripting in their web browser to avoid falling victim to attack while Huawei works on its fix. "We are currently unaware of a practical solution to this problem. In the meantime, please consider disabling scripting in your web browser," it said.

ESET senior research fellow David Harley mirrored CERT's sentiment and told V3 that, if left unchecked, the flaw definitely has the potential to cause harm.

"If a malicious script was reflected back to the victim's browser and executed, it might be serious: XSS attacks have wide scope in principle. If I was using the vulnerable modem, I'd certainly make sure I had scripting disabled or use an add-on that whitelists scripts," he said.

Huawei is one of many telecoms technology providers to have flaws found in its products in recent weeks. Cisco patched a security flaw affecting multiple versions of its Small Office/Home Office (SoHo) routers on Friday.

Alastair Stevenson

Alastair has worked as a reporter covering security and mobile issues at V3 since March 2012. Before entering the field of journalism Alastair had worked in numerous industries as both a freelance copy writer and artist.
