Flaws in Huawei WiMax routers won't be fixed, researcher says

Pierre Kim published a list of the affected models, which are still used in countries including Ivory Coast, Iran, Iraq, Libya, the Philippines, Bahrain and Ukraine.

Kim notified Huawei of the problem on Oct. 28. He wrote that Huawei said the routers are no longer serviced by the company and would not be patched.

The routers include the EchoLife BM626 WiMax CPE and associated models running the same firmware including the BM626e, BM635, BM632, BM631a, BM632w and the BM652.

Router vulnerabilities that aren't patched pose continuing risks for users who still use them. The devices are typically something that consumers replace because of a failure, rather than on account of security vulnerabilities.

Kim tested the last firmware version available for the routers, which was released in 2013. He found problems including unauthenticated information disclosure, a cookie hijacking risk and cross-site request forgery flaws.

Kim said via email that it is difficult to estimate the number of vulnerable routers that are still in use. Since the routers are provided and configured by an ISP, there are no workarounds that can be applied by users.

"The only solution is to discard the unsupported models," he said.

Huawei officials couldn't be immediately reached for comment.

Last month, Kim found severe software vulnerabilities in more than a dozen of Huawei's 3G routers that are now out of support.