Frankly, this is a storm in a teacup. Even if they found security issues, its hardly surprising or news. Every single vendor has multiples of said - in past, present & future Software builds.
Does anyone really think that what I call CAPT (cumulative advance persistent threats) exist in a vacuum? Nope. Some are linked to 0 day exploits and assorted un-patched vulnerabilities. This is an inevitable consequence of a digital world.
This is in no way a Huawei only problem.
Having said that, Huawei may have some process tweaks to do.
Its also fair to say that the AFP article is written in a sensationalist style which doesnt help anyone;
E.g: "Kopf referred to the routers studied by Recurity as having technology reminiscent of the 1990s and said that once attackers slipped in they could potentially run amok in networks."
a) What does technology reminiscent of the 1990's mean? (This is like reading a Dan Brown Novel. Nice frothy headlines, no substance or detail.)
b) "Attackers slipped in + run amok" Again emotive language thats better suited to a fiction novel than piece of substantive journalism. Any attack once it bypasses the security & authentication process can be harmful. Thats why its called an attack!
Because I like detail & specifics in life, lets be very clear;Is the Recurity team referring to a specific technical process, proceedure or command that allows the user to bypass the authentication and administration process on the router firmware & once deployed it's use allows/facilitates a privilege elevation exploit to be used to increase the attack surface and/or vulnerability window?
If the above statement is true, then I would also expect to see a write up that would include Model, Firmware rel no. and additional technical detail with limited (selected) Proof-of-Concept/Exploit code.
The above is how a credible report would read and be presented. Not this sugar coated puff piece from AFP.
To mollify a particular poster, I changed the title.
But the reality is that security is a tradeoff. I had a friend put it this way....
They still rob banks right? If physical security is a completely solvable problem, nobody would be able to after the 1000s of years of trying to protect it. So, things go in scale from the cost and safety of a key lock like a dead bolt up to the extreme of Fort Knox.
You have to think of electronic security in the same way. It is a tradeoff of security versus cost and usability. All products and networks are vulnerable. It is a matter of degree and cost to penetrate them.
I would agree that there is a PR problem more than a real problem. I would think to help on that front adopting what people perceive as standard practice of publishing security issues would be prudent. Of course, the unpublished ones are the worst. But in the end, one still needs to think of any single product or series of products as simply building a higher wall.
Well, from an engineering standpoint, this isn't surprising; every router probably has lots of flaws. It could be harmful from a PR standpoint, though.
Reading the AFP story... what's interesting are the lack of disclosure (vs. other vendors that have all kinds of security alerts out there), and more so, the comment that Huawei's technology (the security technology, presumably) seems way behind the times.
I wonder who in the industry would take this seriously.
Those problems, as was pointed out here, maybe were already solved in newer software releases. Anyway, it should exist in most of the routers, specially in the lower end such as the AR18 and AR29.
This is more significant than I first though. These routers are the key parts of Huawei's new enterprise strategy, from a Campus & WAN networking perspective.
Given that they are brand new & have only just been released, if the reports are true, it seems they have a weak security bubble.
The further reading that's required is important & a must if your thinking of using or deploying any Huawei enterprise kit. The computerworld link is a good start.
Are they the only one's impacted. No. However, given the lack of information on the platforms it would be wise to proceed with caution. Caveat emptor!
@ Brooke7; Agreed.
Frankly, this is a storm in a teacup. Even if they found security issues, its hardly surprising or news. Every single vendor has multiples of said - in past, present & future Software builds.
Does anyone really think that what I call CAPT (cumulative advance persistent threats) exist in a vacuum? Nope. Some are linked to 0 day exploits and assorted un-patched vulnerabilities. This is an inevitable consequence of a digital world.
This is in no way a Huawei only problem.
Having said that, Huawei may have some process tweaks to do.
Its also fair to say that the AFP article is written in a sensationalist style which doesnt help anyone;
E.g: "Kopf referred to the routers studied by Recurity as having technology reminiscent of the 1990s and said that once attackers slipped in they could potentially run amok in networks."
a) What does technology reminiscent of the 1990's mean? (This is like reading a Dan Brown Novel. Nice frothy headlines, no substance or detail.)
b) "Attackers slipped in + run amok" Again emotive language thats better suited to a fiction novel than piece of substantive journalism. Any attack once it bypasses the security & authentication process can be harmful. Thats why its called an attack!
Because I like detail & specifics in life, lets be very clear; Is the Recurity team referring to a specific technical process, proceedure or command that allows the user to bypass the authentication and administration process on the router firmware & once deployed it's use allows/facilitates a privilege elevation exploit to be used to increase the attack surface and/or vulnerability window?
If the above statement is true, then I would also expect to see a write up that would include Model, Firmware rel no. and additional technical detail with limited (selected) Proof-of-Concept/Exploit code.
The above is how a credible report would read and be presented. Not this sugar coated puff piece from AFP.