
Securing HG612 modems in Bridge Mode

Posts: 17
Registered: 31-07-2015


I thought I'd feed back some thoughts on securing Huawei HG612 routers in bridge mode. Due to the fact it's in bridge mode, security isn't as big a concern as if it's in routing mode, due to the fact there is no IP address in the data path; the only IP address will be on LAN2, which can be seen as a dedicated Out Of Band management interface, and that will be a private address which - providing you don't carelessly NAT it through your firewall / gateway / routing point - should never be able to access the Internet. This post assumes the router has been unlocked and you have full access to the GUI and command line. 

One seemingly problematic sticking point is that changing the admin password within the GUI doesn't change the admin password for telnet access. I searched the web and they said you couldn't do it; here's how :)

First of all, ensure you're running in bridge mode; I'm not going to cover securing routed mode because that's a whole different kettle of fish. It will need strong firewall rules to protect it, and you have the challenge of BTAgent and potential other unknown back doors. It's such an old product that I wouldn't trust the code to be at all secure, even with good firewall rules. Far better to use it purely as a modem and buy a new, up to date router / firewall to place behind it. Also, this post isn't intended to be a "click this" Janet & John instruction book - it's more what to do, rather than how to do it.

Next, change the admin password to something secure, and optionally set a user password. This is actually key to locking down the telnet password; if you create a new account of "Bob" and give it your password of choice, you'll find the next bit easier.

As I said, changing the admin password doesn't change the telnet password. What you'll need to do is download the modified config to your PC, change the extension to .txt and then edit it. Now if you created a user account, just search for Bob - and after that, you'll see a string of garbage in double quotes - that's your hashed password. Copy the whole of that string to clipboard. Now go back to the top of the text file and search for admin - there are a couple of entries, but the one you want is followed by something like "telnet password" and again, there will be a string of garbage - this is the hash of "admin". Paste your hash in place of the admin hash and you're sorted :) Now save the file and remove the .txt extension, go back to your router and upload it.

One word of caution; it seems when you upload a config file, it screws up your bespoke DHCP and routing setup - the DHCP scope will revert to the full subnet (if you had previously set something smaller) and static routes just don't seem to work, though they look ok. You might be thinking "why would you have static routes on a bridged modem?" Well, I've connected my LAN2 interface to a DMZ on my firewall, so I can manage it from my LAN but without bypassing my firewall (I have rules that allow me to http & telnet to the modem, but don't allow the modem to initiate connections anywhere), so I have a route pointing to my LAN via the DMZ interface. If you also do this, my suggestion would be to now disable the DHCP server and delete all routes; then re-enable and set up DHCP server as you want it and re-add the static routes. (Note, without deleting the routes, it was odd - I could connect when plugged straight into LAN2, but although the static route looked fine, it just didn't work; rebooting made no difference, I had to delete the route and start again).

Now, you should be able to telnet in using your chosen password, and not the default :D


Next, go to advanced / CWMP and disable TR069 - this is the remote config protocol. As there is no IP address in the data path, it shouldn't matter, but you never know... I don't like the idea of TR069 / ACS.


If anyone has any specific questions, I'll try to flesh it out, and if anyone has other ideas for securing it (in bridge mode), please feel free to add.
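
The DMZ management rules described in the post (LAN may reach the modem over http and telnet, the modem may not initiate connections anywhere), written as an nftables ruleset. This is an added example and not part of the original post; it assumes a Linux firewall running nftables, and the interface names, LAN subnet and modem address are placeholders to replace with your own.

```nftables
# Added example: every name and address below is an assumption for illustration.
define LAN_IF   = "lan0"            # assumed: firewall interface facing the internal LAN
define DMZ_IF   = "dmz0"            # assumed: DMZ interface cabled to the modem's LAN2 port
define LAN_NET  = 192.168.10.0/24   # assumed: internal LAN subnet
define MODEM_IP = 192.168.1.1       # assumed: private management address set on LAN2

table inet modem_mgmt {
    chain forward {
        # policy accept: this chain only decides traffic to or from the modem's
        # DMZ; everything else is left to the firewall's existing rules.
        type filter hook forward priority 0; policy accept;

        # Packets belonging to sessions that were already permitted
        # (i.e. opened from the LAN side) pass in both directions.
        ct state established,related accept

        # Anything else arriving from the modem's DMZ is a connection the
        # modem started itself: log it and drop it. This also stops the
        # management address from ever being forwarded towards the Internet.
        iifname $DMZ_IF log prefix "modem-initiated: " drop

        # LAN hosts may open the web GUI (80) and telnet (23) on the modem.
        iifname $LAN_IF oifname $DMZ_IF ip saddr $LAN_NET ip daddr $MODEM_IP tcp dport { 80, 23 } accept

        # No other traffic is forwarded into the modem's DMZ.
        oifname $DMZ_IF drop
    }
}
```

The log rule gives you a record if the modem ever tries to reach out on its management interface, for example towards a TR069 / ACS server.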