Wi-Fi customers vulnerable
THOUSANDS of customers of one of the country’s biggest telecoms companies remain vulnerable to cyberattacks through their Wi-Fi routers because of that entity’s failure to take adequate action against the threat.
The device putting consumers at risk is the Huawei HG532 router used for Wi-Fi connections, chiefly in the home. Huawei itself has acknowledged the risk, warning on its website as far back as November 2017 (updated in July 2021) that the vulnerability exposes those using the particular router to attacks.
“Successful exploit(ation) could lead to the remote execution of arbitrary code,” the notice on the Huawei website warning about the vulnerability reads. Remote execution of arbitrary code describes a form of cyberattack in which the attacker runs code of their choosing on, and thereby takes control of, another person’s computing device. It takes place when malicious code is downloaded and run by the affected device.
The risk to Jamaican consumers using the particular router for Wi-Fi connections was highlighted by Lieutenant Colonel Godphey Sterling, head of the Jamaica Cyber Incident Response Team (JaCIRT), in a recent Jamaica Observer Business Forum. Sterling told journalists that the local telco, which he declined to name, is aware of the risks the Wi-Fi routers expose its customers to, but has done little to mitigate the situation.
“There is a particular service provider whose main line is Huawei devices, and this vulnerability has persisted since 2017,” Sterling said of the issue which affects blocks of Internet protocol (IP) addresses, most of which use the Huawei Wi-Fi routers.
“[The vulnerability] resolves back to a service provider who has no obligation to tell us who [the exposed IP addresses] belong to, so those people remain vulnerable as long as the service provider does not decide to work with them, because [JaCIRT] doesn’t know who is exposed. So we send to the service provider [to say], ‘These IP addresses are vulnerable, can you reach out or tell us so we can reach out.’ ”
In addition to reaching out to the telco in question, JaCIRT itself, on its website, published notices for consumers strongly recommending “viewing the advisory issued by Huawei addressing the vulnerability mentioned”, and called on the telco to “install the necessary patches based on the supported version if you or your organisation uses Huawei HG532”.
For now, JaCIRT is relegated to just reaching out to the telcos about the vulnerability but hopes that with new legislation being drafted to give it additional powers, it may be able to do more in the future.
“We have made progress with one of the service providers, and in a nine-month period we have seen a 60 per cent reduction in the vulnerability. And with the other service provider, we get their lawyers, and their vulnerabilities keep trending up,” Sterling pointed out.
Yet, he said he wouldn’t say the company is not doing anything to mitigate the issue, but rather that “they are not doing enough”.
“We will work with that service provider to literally fight an exploitation in the wild on a weekend, so they got props for that, but when they get a list of vulnerabilities, their lawyers come back and say, ‘Look, sorry, I can’t help,’ so it’s not consistent and it’s not enough. And the way in which the Internet is sold means you will go back to the top five ISPs [Internet service providers] in Jamaica, and they are not the ones that are vulnerable necessarily, and they have no legal obligation to say to the subscriber, ‘You are vulnerable’ or to say to us, ‘This is the subscriber,’ ” Sterling said.
To make matters worse for consumers, Sterling said that if one IP address is exploited, The Spamhaus Project, which tracks and identifies verified spam sources (including spammers, spam gangs and spam support services) for blocking, will not block the single IP address but the whole block of IP addresses from which the spam is originating.
“That can lead to the entire network being blocked – and while a lot of persons may not be vulnerable because the issue is coming from this network segment, they are just going to block it,” he added.
Still, it is not just the telcos that JaCIRT has issued a warning to about the vulnerability of their networks. The entity, which was created in 2015 in the aftermath of widespread cyberattacks in 2013, has proactively monitored the Internet for vulnerabilities affecting IP addresses in Jamaica.
“From the cybersecurity standpoint we issue what is called vulnerability notifications. If we find breaches that they are unaware of, we share these and we monitor the Internet-facing aspects of their operations that we are allowed to — because in Jamaica hacking is still illegal so we can’t really call ourselves ethical hackers and run into people’s network; we don’t do that. But once the issue is Internet-facing and we are allowed to monitor it, we do monitor it, and we share what we find. By so doing they are able to see the vulnerabilities, fix them, and therefore stave off attacks or breaches from those exploitations. You can’t catch everything and so what we do is to work with them when the eventuality does occur, to recover in the shortest possible time and to build back a more secure infrastructure,” Sterling explained.
“The fact is, we are attacked constantly, daily, by east, west, north and south, and we sometimes hear about attacks happening here but there are IP addresses here that, on a daily basis, are attacking IP addresses elsewhere, sometimes with hundreds of malicious connection attempts per hour.”
At the time of the discussion, Sterling said, one IP address in Jamaica that was pushing the Avalanche malware made 126 connections per hour for the entire day.
“Let me be honest with you, the JaCIRT will not get on social media and argue with people about what we can do. But this, similar to the vulnerabilities and the blocking of blocks of IP addresses, is going to create significant challenges going into the future because the top malware families that are pushing Avalanche — Gamarue, Darkbot, TrickBot, and Citadel — on a daily basis, hundreds of connections from the same IP addresses… there is no silver bullet which we can fire to say ‘Leave this company alone,’ ” he said.
“It’s different than where a vulnerability exists where we will hold the vulnerability because we don’t want people to exploit it, and we will try to find the owner of the IP address, but if you are doing something malicious and it’s not a cyber crime yet, we are going to publish it — and we have done that,” Sterling added.