Routers manufactured by Quanta are riddled with critical vulnerabilities–backdoors, a hardcoded SSH key, and remote code execution flaws, to name a few–that won’t be patched because the company considers the product end of life.
Researcher Pierre Kim found the flaws and reasons that the flaws are due to incompetence, or at worst, calls them “a deliberate act of security sabotage from the vendor.”
The issues affect devices sold and used in several unnamed countries, including Quanta’s LTE QDH router, UNE router, Yoomee router, and MOBILY routers. Kim said the routers’ help files are written Arabic, Chinese, French and English, but wasn’t able to determine where the devices are sold.
Kim disclosed the issues in a blog post on Github Monday.
The hardcoded SSH server key, which can be used to decipher SSH traffic to the router, is just the tip of the iceberg. Two backdoor accounts also exist that could enable an attacker to bypass HTTP authentication. The password for one account is “admin,” while the password for another, which grants privileges of the root user, is “1234.” Four backdoor accounts in Samba, which is also configured to run by default, also exist. Like the other backdoor accounts, the password for each is “1234.”
By default, the WiFi password is limited to eight characters, A-Z, which could make it easy to be brute forced. Furthermore, the router’s Wi-Fi Protected Setup suffers from a hardcoded credential, a PIN that never changes, Kim claims.
Two remote code execution vulnerabilities, both in APIs associated with the router’s web interface exist, and could allow an attacker to execute commands as root, Kim warns.
Kim suggests anyone using the router should stop. Even if the Quanta decides to fix the vulnerabilities he found, he believes the company will have a long, steep road ahead of it.
“Given the vulnerabilities found, even if the vendor changes its mind and decides to patch the router, I don’t think it is even possible as it needs major rewrites in several main components,” Kim wrote.
Kim, who discovered the vulnerabilities in December, had quite the back and forth with the company over the last month.
Initially Quanta failed to ask in-depth information about the vulnerabilities and instead simply told him they’d take his findings into consideration for their next product. When pressed, the company acknowledged that it still considers the device as “working well,” even though it doesn’t plan to patch or change the firmware, or provide users with workarounds for the issues.
Kim has documented the mostly hopeless security around routers before. He dug up a slew of similarly damning flaws in routers made by Huawei last fall, including XSS, CSRF, and denial of service bugs. Last summer he detailed flaws in almost 20 different kinds of routers made by TotoLink, including some RCE vulnerabilities that existed in the products since 2009.