A number of WiMax routers from big-name vendors, including Huawei, ZTE and ZyXEL, suffer from glaring security flaws that enable hackers to gain access, change passwords and to take over devices.
That's according to a security advisory from SEC Consult, which claims that routers from the three aforementioned suppliers, as well as one called MADA, all suffer from an old vulnerability.
SEC has advised the firms about the issue, and at least one - Huawei - has told consumers to stop using ancient routers for their own good.
"SEC Consult has found a vulnerability in several WiMAX routers, distributed by WiMAX ISPs to subscribers. The vulnerability allows an attacker to change the password of the admin user. An attacker can gain access to the device, access the network behind it and launch further attacks, add devices into a Mirai-like botnet or just simply spy on user," said the security firm.
"This vulnerability affects devices from GreenPacket, Huawei, MADA, ZTE, ZyXEL, and others. Some of the devices are accessible from the web," it added.
SEC Consult says that the vulnerability could lead to the user becoming part of the Mirai botnet, or just a sieve for personal information.
"Based on the information we got from an internet-wide scan data, we know that a lot of devices expose a web server on the WAN interface. This is caused by a misconfiguration, or more likely carelessness by the ISPs that provide WiMAX gateways to customers. Web interfaces are usually a good place to hunt for vulnerabilities," added the firm.
"The affected products are quite old, likely manufactured in the early 2010s. According to Huawei, all of their affected products are end-of-service since 2014, and will not receive any updates.
"We reported this vulnerability to CERT/CC who coordinated the vulnerability and released a vulnerability note (VU#350135)... They, unfortunately, did not get a response from ZyXEL. It's unlikely that any of the affected devices will receive updates, so the only solution is to replace them."
Ben Herzberg, security research group manager at Imperva Incapsula, agreed that binning the devices and buying new ones is probably the best solution to the problem, but added that this kind of problem can have many ramifications and that organisations ought to be prepared for them.
"The lack of basic security in a wide-spread number of devices connected to the internet has caused a lot of security issues over time.
"From large-scale denial of service attacks done from a horde of infected devices, launched against a wide array of targets, to usage for attempts to brute force accounts. This is without even mentioning the fact that the devices allows hackers to have an attack surface against the networks on which such devices are installed," he said.
"This can cause organisations and users several problems including, loss of privacy (By eavesdropping to traffic, accessing CCTV systems, etc), being used as part of malicious attacks (for example DDoS attacks), and gaining a foothold on a network, to further exploit it.
"Hackers can exploit this quite easily, given the information released, as they can take over the administrative accounts in the devices and take control of the routers."
Using photocatalysts to convert carbon dioxide into usable energy such as methane or ethane
Trained on curated data from Moorfields Eye Hospital, the neural network also shows clinicians how it reached its judgement
Yokohama National University demonstrate technology that could lead to a fault-tolerant universal quantum computer
Top-of-the-range Threadripper 2990WX now available from Scan, Ebuyer, Overclockers, Novatech and Amazon