Huawei Technologies Co. Ltd. has hit back at claims that its router products and security strategies and policies are not up to scratch, following a presentation at the recent DEF CON event in Las Vegas that highlighted a number of flaws. (See Def Con Hacks Huawei.)
However, the network security specialists that tested the vendor's access routers and provided a rather damning appraisal still say Huawei's processes lag behind industry norms.
The background
The DEF CON presentation was made by Felix "FX" Lindner from Berlin-based Recurity Labs GmbH. Lindner and his team tested two Huawei access routers -- the AR Series 18, which is pitched at small and home office users, and the AR Series 28, designed to support multiple VPN applications such as VoIP. (The testers wanted bigger boxes, but couldn't source any -- yet.)
His slides can be viewed here and pored over by those who are router code and hacking literate. But basically, the Recurity Labs team identified bugs and flaws that it described as "'90s style."
Also of concern to Lindner, though, is the apparent lack of security releases, advisories and contact information provided by Huawei. In particular, he noted in his presentation that neither securityfocus.com nor OSVDB (Open Source Vulnerability Database) listed product security contacts and that the Huawei website did not provide such information either.
The response
Huawei contacted Light Reading, providing us with the following statement:
While we are still investigating and verifying the issues, we’d like to let you know Huawei’s position on product security. Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management. Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time. In the interests of customer security, Huawei also calls on the industry to promptly report all product security risks to the solutions provider so that the vendor’s CERT team can work with the relevant parties to develop a solution and roll-out schedule.
Lindner remains unimpressed. "They want the security issues reported to the solution provider," meaning the reseller, he notes in an email to Light Reading. That "is not industry practice. The vendor must be contactable directly."
Lindner also noted that Huawei contacted him to say that NSIRT (Network Security Incident Response Team) is responsible for such matters. "However, it's nowhere listed as such and other vendors have a separate PSIRT (Product Security Incident Response Team)," noted the security expert.
A link to information about that team is available at the foot of some Huawei website pages, but not all: Neither the company's home page nor its Support section (for enterprise or carrier products) currently displays the hyperlink. By contrast, on the Cisco Systems Inc. (Nasdaq: CSCO) website it was hard to find a page without a link to its security advisories and associated information (the Investor Relations page was the only exception we could find).
"So while they [Huawei] have something in place, it's not visible enough," notes Lindner. "Also, we still don't know if and where they publish security advisories for their own products."
Huawei isn't taking this lying down, though, sending this statement in response to questions about security information and practices:
Huawei enhance [sic] and comprehensively implement [sic] its E2E global cyber security assurance system as one of the key corporate development strategies. Inside Huawei, we have the Global Cyber Security Committee (GCSC), [which] as the top-level cyber security management body of Huawei, is responsible for ratifying the strategy of cyber security assurance. In addressing the requirements of cyber security, we have built into all of our standard processes, baselines, policies and standards the best practice that is required and we will continue to adopt an open and transparent approach enabling all stakeholders to fully review Huawei's capabilities.
Why this matters
In isolation this seems like little more than a storm in a small IP-edge-box-shaped teacup (and you don't see many of those around).
But here's why this does matter. Huawei is an enormous company with growing influence. It is turning its attention to the enterprise market much more now and so its products and operations should match industry best practices if it's to be taken seriously by customers and partners. (See Huawei Makes Its Enterprise Pitch, Interop Wrap: Huawei's Enterprising Campaign, Huawei's Enterprise Vision Gets Cloudy and Huawei Aims for $100B Annual Revenues.)
The fact that the Recurity Labs team decided to check out some Huawei gear reflects that. The German lab also gave a presentation comparing Apple and Google client platforms at the Black Hat Europe 2012 event in the Netherlands earlier this year -- this is a zeitgeist lab!
That's not all. Security concerns are growing in general as more and more devices are connected to the public Internet and cloud services become more popular. And in Huawei's case, those concerns are especially acute, given the questions being asked (particularly in the U.S.) about the potential security implications of deploying IT and network equipment from China. (See More Chinese Whispers.)
— Ray Le Maistre, International Managing Editor, Light Reading