Huawei fixes serious LTE USB stick security flaw

A plug-and-play exploit could have posed a serious threat

Security researchers have discovered a code execution vulnerability in one of Huawei’s LTE USB dongles.

Part of Huawei’s mobile broadband dongle range, the Huawei LTE USB Stick E3372 can be plugged into a computer to enable users to browse the Internet using an LTE network.

However, cybersecurity company Trustwave discovered a rather easy-to-exploit vulnerability in the device. In a blog post, Trustwave’s Security Research Manager, Martin Rakhmanov, explains that the vulnerability exists because one of the installed files is missing appropriate access control settings.

“All a malicious user needs to do is to replace the file with their own desired code and wait for a legitimate user to start using the cellular data service via Huawei device,” writes Rakhmanov.

Knocking on the wrong door

According to Trustwave, the affected file is automatically executed when a user plugs in the dongle. It’s designed to fire up the default web browser and point it to the dongle’s device management interface.

However, Huawei hasn’t set proper permissions on the file. This enables any authenticated user on the computer to overwrite the file.

Rakhmanov explains that all a malicious user needs to do is to replace the contents of the file with their own malicious code. Now when a user plugs in the dongle, it’ll automatically execute the malicious code.
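A defender can check for this class of weakness on any automatically executed file. The following is an added example, not code from Trustwave or Huawei; it assumes POSIX-style permission bits (the article does not name the operating system), and the function name `overwrite_risks` is hypothetical. It goes slightly beyond the case described by also checking parent directories, since write access to a directory allows the file to be replaced even when the file itself is protected.

```python
import os
import stat
import sys

def overwrite_risks(path, root="/"):
    """List reasons a user other than the owner could overwrite or swap `path`.

    Ancestor directories are checked up to and including `root`.
    """
    path, root = os.path.realpath(path), os.path.realpath(root)
    reasons = []
    mode = os.stat(path).st_mode
    if mode & stat.S_IWOTH:
        reasons.append(f"{path}: file is world-writable")
    elif mode & stat.S_IWGRP:
        reasons.append(f"{path}: file is group-writable")
    parent = os.path.dirname(path)
    while True:
        dmode = os.stat(parent).st_mode
        # Write access to a directory allows delete-and-recreate of its
        # entries unless the sticky bit limits deletion to the owner.
        if dmode & stat.S_IWOTH and not dmode & stat.S_ISVTX:
            reasons.append(f"{parent}: directory is world-writable, no sticky bit")
        if parent == root or os.path.dirname(parent) == parent:
            break
        parent = os.path.dirname(parent)
    return reasons

if __name__ == "__main__":
    # Usage: pass the path of each auto-run file to audit as an argument.
    findings = [r for p in sys.argv[1:] for r in overwrite_risks(p)]
    print("\n".join(findings) or "no overwrite risk found")
    sys.exit(1 if findings else 0)
```

A non-zero exit status means at least one finding, so the script can gate a post-install or post-patch check.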

Trustwave told The Register that it’s been trying to bring the issue to Huawei’s attention for the past several months without making any headway. It turns out that they’ve been reporting the issue to the wrong address.

In any case, once it was informed through the proper channels, Huawei quickly released a patch to fix the permissions on the file.

Via The Register

With almost two decades of writing and reporting on Linux, Mayank Sharma would like everyone to think he’s TechRadar Pro’s expert on the topic. Of course, he’s just as interested in other computing topics, particularly cybersecurity, cloud, containers, and coding.