Quanta LTE Router May Be Most Unsecure Router Ever Made

An anonymous reader writes: LTE routers made by Quanta Computer Incorporated, a Taiwanese hardware manufacturer, are plagued by over twenty major security flaws ranging from backdoor accounts to remote code execution bugs, from hardcoded SSH keys to undocumented diagnostics pages, and from weak WPS PINs to network eavesdropping functions. As the researcher explains: "A personal point of view: at best, the vulnerabilities are due to incompetence; at worst, it is a deliberate act of security sabotage from the vendor." The vendor has not fixed any of these issues even after almost four months.

Re:Definition of unsecure

[Thanshin]

Counterarguments:

A steel chain with steel painted wooden links is way more dangerous than a steel chain with a clearly visible paper link.

A router identified as having no access control is way safer than a router which is expected to be secure.

About time?

[TheReaperD]

Isn't about time for manufacturers to face civil and potentially criminal penalties, plus recalls, for shipping insecure and faulty electronic products like every other product industry? Until is is less expensive to ship a secure (understanding that nothing is perfectly secure) product than it is to pay fines, penalties and recalls, vendors will continue to ship faulty and insecure products. Right now they know that it will cost them little to nothing to deal with insecure and faulty products so they do so with impunity and we get stuck with the crappy products in the end with the only possible recourse being an expensive class-action lawsuit that will take years and net those affected very little in the end. The class-actions tend to be very hard to win as there's very little case precedent for the owners of insecure products. People don't want to be the ones first to risk millions in legal fees and lawyers to set the initial precedence.

Vulnerability Warriors meet EOL

[Virtucon]

From: https://pierrekim.github.io/bl...

Mar 15, 2016: Quanta confirms the product is EOL and the released firmware was approved by the operator. Quanta can't modify of change without the customer's approval. Quanta does not have plan to patch or change FW as the product is EOL. Quanta thanks Pierre Kim for the information and will consider the findings into our next product development in the near future.

So then the Vulnerability finder discloses, which is fine but the product is EOL. Don't buy it, don't use it. As a rule don't buy network routers from unknown or little known manufacturers. It may be cheap now but it'll cost you eventually.