SpeedPort LTE II router


Reviewed in May 2024 by i46 s.r.o | Conclusion of the Fast Check: ⚠️

Important. This router was manufactured by Huawei (under the product name “Huawei B390s-2”) and has been sold by telecom operators in Germany since at least 2013. Unless a major feature impacting the security of the router is deployed on it after the CRA's enactment, it will not be required to comply with the CRA.

This Fast Check is for information purposes only.

i46’s analysis finds that this router has too many open ports and does not meet all the requirements of the Cyber Resilience Act. During the analysis of the router, i46 found that three core requirements of the CRA were not met:

  • Annex I, paragraph (b): “be made available on the market with a secure by default configuration, unless otherwise agreed between manufacturer and business user in relation to a tailor made product with digital elements, including the possibility to reset the product to its original state”;

  • Annex I, paragraph (d): “ensure protection from unauthorised access by appropriate control mechanisms, including but not limited to authentication, identity or access management systems, and report on possible unauthorised access;”

  • Annex I, paragraph (j): “be designed, developed and produced to limit attack surfaces, including external interfaces;”

 

Below, i46 details a few core features of the router, and provides their compliance findings for each of them.

Compliance Table

| Feature | Findings | Compliance with the CRA |
|---|---|---|
| Unique Password | Yes | 🟢 Yes |
| Strong password enforcement | No | 🔴 No |
| Minimal surface (physical) | The device includes RJ-45 ports, power and reset ports | 🟢 Yes |
| Minimal surface (software) | Port 80 (http) is open | 🟢 Yes: This port is required for device management. |
| Minimal surface (software) | Port 23 (Telnet) is open with a sort of filter | 🔴 No: This port is not required for the functioning of the router. (Severity: Unknown) |
| Minimal surface (software) | Port 631 (printing) is open | 🔴 No: This port should be closed by default. |
| Minimal surface (software) | Port 1280 is open | 🔴 No: It is not clear why this port should be opened by default. (Severity: High) |
| Minimal surface (software) | Port 8081 is open with a sort of filter | 🔴 No: It is not clear why this port should be opened by default. (Severity: Unknown) |
| Minimal surface (software) | Port 37215 (UPnP as http) is open | 🔴 No: UPnP service should be optional and closed by default. CVE-2017-17215 is associated with 37215. This could allow attackers to take control of the device. (Severity: Very High) |

As shown in the above table, the SpeedPort LTE II fails i46’s Fast Check.

While the device does not need to comply with the Cyber Resilience Act, because it was manufactured before the Act’s enactment, it bears highlighting that the weaknesses identified during the Fast Check mean that businesses and people wishing to use this router should proceed with caution.
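An added example, not part of i46's Fast Check or tooling: a short Python check that an owner can run from the LAN side to see which of the ports listed in the table above still answer on their own unit, treating port 80 as the only allowed port, as the table does. The default address 192.168.1.1 and all function names are assumptions; a connect attempt that times out is reported as "filtered".

```python
import socket
import sys

# Ports and services as listed in the compliance table on this page.
REPORTED_PORTS = {23: "Telnet", 80: "HTTP management", 631: "printing",
                  1280: "unspecified", 8081: "unspecified", 37215: "UPnP as HTTP"}
# Baseline from the same table: only port 80 is judged necessary.
ALLOWED_PORTS = {80}


def probe(host, port, timeout=2.0):
    """Classify one TCP port with a full connect: open, closed, filtered or error."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # RST received: nothing is listening
    except socket.timeout:
        return "filtered"    # no reply in time: traffic is being dropped
    except OSError:
        return "error"       # host unreachable, bad address, etc.


def violations(states, allowed=ALLOWED_PORTS):
    """Return ports outside the baseline that are not cleanly closed."""
    return sorted(port for port, state in states.items()
                  if port not in allowed and state in ("open", "filtered"))


def audit(host, ports=REPORTED_PORTS, timeout=2.0):
    """Probe every reported port and return {port: state}."""
    return {port: probe(host, port, timeout) for port in sorted(ports)}


if __name__ == "__main__":
    # 192.168.1.1 is an assumed LAN address; pass the router's real one as argv[1].
    host = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.1"
    states = audit(host)
    for port, state in states.items():
        print(f"{port:>5}/tcp  {state:<8}  {REPORTED_PORTS[port]}")
    bad = violations(states)
    print("outside baseline:", bad if bad else "none")
    sys.exit(1 if bad else 0)
```

The script exits non-zero when any port other than 80 is open or filtered, so it can be rerun after a configuration change to confirm the result.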

Who is i46?

i46 s.r.o, a Czech Republic-based company, is a specialist in cybersecurity compliance for IoT manufacturers. Their team of experts meticulously analyzes various devices within their laboratory, forming the foundation for these initial assessments.

The Fast Check service is provided by Cyber Resilience Act.eu and i46 s.r.o., as a way to empower the community. It is important to remember that the CRA Fast Check analysis is provided “as is” and shouldn’t be considered a replacement for a comprehensive cybersecurity assessment.

If you encounter any errors in this analysis, please don’t hesitate to reach out to us at info@i46.cz.
