Pierre Kim, an independent security researcher, claims that LTE routers made by Quanta have 20 major security flaws, ranging from backdoor accounts to remote code execution bugs.
Kim tested devices running the latest firmware and found the bugs in the Quanta 4G WiFi Router QDH, Quanta 4G WiFi Router UNE, Quanta 4G WiFi Router MOBILY (QDH-Mobily - CPE342X), and Quanta 4G WiFi Router Yoomee versions.
Other Quanta Customer-Premises Equipment variations that run the same vulnerable version may also be affected. The routers may be found in England, France, China and Arabic-speaking countries.
Kim found hardcoded SSH keys inside the firmware, which allowed him to decipher SSH traffic coming to the router. Then there were backdoors: one for the Samba service, as well as for the Telnet and SSH servers. He later found that if the user turned the default Telnet daemon off, another backdoor could be started on the router using a Telnet daemon. This backdoor can be activated by sending a simple UDP packet on a specific port.
Then there were problems with the router's Wi-Fi Protected Setup, which used a hardcoded PIN for setting up local Wi-Fi networks. If the user wanted to generate a random WPS PIN, it would be created using a simple algorithm that was easy to reverse engineer, allowing attackers to guess PIN patterns.
There were remote code execution flaws and denial of service problems. The Firmware Over The Air (FOTA) updates used expired SSL certificates and another set of weak, default, hard-coded credentials to contact FOTA servers.
The router's Web admin panel was insecure and allowed attackers to retrieve sensitive information about the device's setup. The firmware's flaws include arbitrary file browsing and file reading through the HTTP daemon, a hardcoded password for a No-IP account, and a weakness in the router's default WiFi password mechanism that allows attackers to easily brute-force it and sniff network traffic.
Quanta was told about the issues in December and did nothing. Kim does not seem to think they care that much.
"Given the vulnerabilities found, even if the vendor changes its mind and decides to patch the router, I don't think it is even possible as it needs major rewrites in several main components," he wrote.