Huawei reading my Office365 email?

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Huawei reading my Office365 email?

richeeseman

6 posts

Wannabe Geek

#208799 28-Feb-2017 11:21

I have recently moved into rural broadband area, so received a new Huawei B315s modem from Wireless Nation. With an external aerial we get reasonable performance (30/10), but about 2 weeks after installing we all started getting some odd messages:

> "Please reset your gmail passwords" - appeared to all users using either a private gmail domain (richard@xxx.co.nz) or abc@gmail.com. Applies to all devices - IOS, windows 10, android. The dialogue box is a valid email client dialogue.

> Security alerts: "outlook.office365.com - information you exchange with this site cannot be viewed...however there is a problem with the site's security certificate". The security certificate associated with this dialogue is called mobile.wifi and is registered by Huawei in China.... - snapshot of the error here:

> a similar alert occurred on our autodiscover record as well.

Not being a security speicalist I did some digging and wonder if the modem is implementing a proxy in the network, and so effectively performing a man in the middle attack, routing my email via their servers?

So I change the network - implemented my Fritzbox as the main router and DNS server, using the Huawei just as a gateway, but on the same LAN segment (I could not easily setup a DMZ as I use the Fritz for VoIP). Unfortunately the same recurred - and when the error hits the PC slows down to almost stationery. I reject the certificate and in many cases this causes the modem to go into a spate of intermitent internet disconnections.....

So to my question:

Firstly has anyone else come across this?

Secondly am I correct in my understanding - and if so are Vodafone / Spark / Wireless Nation aware of this? Is there a secure solution?

Thanks

Richard

yitz

2077 posts

Uber Geek

#1727597 28-Feb-2017 11:53

Do you come across certificate issues browsing to secure sites in general?, e.g. internet banking or even just Google?

Sometimes it is just trying to redirect you to the modem interface when your broadband connection is down, that is a feature that some modems have, but agree the way it is implemented is a bit dodgy.

richeeseman

6 posts

Wannabe Geek

#1727599 28-Feb-2017 11:57

I have only come across the certificate error with email and once when using terminal services - the server certificate was hijacked in the same way. Internet was up and working fine at the time. I have not done much SSL browsing apart from this so will keep an eye out for that.

Dynamic

3867 posts

Uber Geek

ID Verified

Trusted

Lifetime subscriber

#1727613 28-Feb-2017 12:17

yitz: Do you come across certificate issues browsing to secure sites in general?, e.g. internet banking or even just Google? Sometimes it is just trying to redirect you to the modem interface when your broadband connection is down, that is a feature that some modems have, but agree the way it is implemented is a bit dodgy.

Smart question. Yes I would go to your internet banking login page and check the certificate in the browser to ensure it is the bank's certificate and not a Huawei certificate and report back.

Lenovo, another Chinese company, have been caught out with installing dodgy SSL certificates and intercepting traffic. Googling Lenovo SSL should give you sufficient information if you were interested in looking briefly at this.

“Don't believe anything you read on the net. Except this. Well, including this, I suppose.” Douglas Adams

Referral links to services I use, really like, and may be rewarded if you sign up:
PocketSmith for budgeting and personal finance management. A great Kiwi company.

richeeseman

6 posts

Wannabe Geek

#1727826 28-Feb-2017 17:27

I checked the certificate on a few sites - and when the SSL error is not displaying, they seem correct. I will need to wait for another occurrence of the SSL error to recheck then. This highlights that it is intermittent - which seems strange.

Thanks.

yitz

2077 posts

Uber Geek

#1727849 28-Feb-2017 17:59

Could it simply be that your broadband is dropping out?

You should log a fault / get them to check this (they should be able to tell you from their end). While you are at it let them know about the issues you are having with certificates too.

chevrolux

4962 posts

Uber Geek
Inactive user

#1727862 28-Feb-2017 18:23

yitz: Could it simply be that your broadband is dropping out? You should log a fault / get them to check this (they should be able to tell you from their end). While you are at it let them know about the issues you are having with certificates too.

I would wonder if its just an internal DNS resolver redirecting queries when it can't reach an external server - like a Fritzbox does for example.

richeeseman

6 posts

Wannabe Geek

#1727865 28-Feb-2017 18:32

I wondered about DNS - so have set the Fritz to provide DNS and resolved that to Wireless Nation DNS 1 and 2. We have no noticeable outages at the time this occurs - and what is curious is that the SSL is not targeted internally at all but specifically at a certificate that does exist and is registered to Huawei. When doing a tracert to the specific DNS targeted they resolve correctly and follow an expected path.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

fearandloathing

503 posts

Ultimate Geek

ID Verified

Lifetime subscriber

#1727965 28-Feb-2017 21:35

You typically see the certificate change like that, during content inspection. So not necessarily unwarranted, but normally unwanted as you lose the ability to inspect the actually cert. If there are no content inspection settings, Try setting DNS to Google DNS 8.8.8.8 , 8.8.4.4

Regs

4066 posts

Uber Geek

Trusted

Snowflake

#1727996 28-Feb-2017 22:11

you see this on hotel systems, public internet access, any other wifi that has a redirect to some sot of "I accept", "Get connected" or other start page. Usually once you OK the page then you're home free.

I'm going to guess that this was a one-off, a redirect as part of the initial setup of the wireless modem. With skinny and the same modem, first stop was a page to log in and activate the router.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

Taubin

557 posts

Ultimate Geek

ID Verified

Subscriber

#1728271 1-Mar-2017 13:01

richeeseman:

> "Please reset your gmail passwords" - appeared to all users using either a private gmail domain (richard@xxx.co.nz) or abc@gmail.com.

This was a mistake on Google's account a short bit ago and possibly not related to the certificate issues.

https://news.google.com/news/story?ncl=d3-NGpI54_i7pkMIjk_1MIm-nElOM

It would be good to check them still

ZL2TOY/ZL1DMP