Def Con Hacks Huawei
Staff from Recurity Labs exposed a number of security flaws in routers made by Huawei Technologies Co. Ltd. during the annual Def Con event for hackers in Las Vegas (July 26-29), reports AFP.
The assessment of the routers' security flaws was pretty damning, not least because there are reportedly no security advisories from Huawei about the alleged flaws. And while the equipment tested by the hackers didn't include any of the carrier-grade equipment deployed in operator networks, this case will no doubt be referenced in reports about the security threats posed by network equipment developed by Chinese vendors.
— Ray Le Maistre, International Managing Editor, Light Reading
@ Brooke7; Agreed.
Frankly, this is a storm in a teacup. Even if they found security issues, its hardly surprising or news. Every single vendor has multiples of said - in past, present & future Software builds.
Does anyone really think that what I call CAPT (cumulative advance persistent threats) exist in a vacuum? Nope. Some are linked to 0 day exploits and assorted un-patched vulnerabilities. This is an inevitable consequence of a digital world.
This is in no way a Huawei only problem.
Having said that, Huawei may have some process tweaks to do.
Its also fair to say that the AFP article is written in a sensationalist style which doesnt help anyone;
E.g: "Kopf referred to the routers studied by Recurity as having technology reminiscent of the 1990s and said that once attackers slipped in they could potentially run amok in networks."
a) What does technology reminiscent of the 1990's mean? (This is like reading a Dan Brown Novel. Nice frothy headlines, no substance or detail.)
b) "Attackers slipped in + run amok" Again emotive language thats better suited to a fiction novel than piece of substantive journalism. Any attack once it bypasses the security & authentication process can be harmful. Thats why its called an attack!
Because I like detail & specifics in life, lets be very clear; Is the Recurity team referring to a specific technical process, proceedure or command that allows the user to bypass the authentication and administration process on the router firmware & once deployed it's use allows/facilitates a privilege elevation exploit to be used to increase the attack surface and/or vulnerability window?
If the above statement is true, then I would also expect to see a write up that would include Model, Firmware rel no. and additional technical detail with limited (selected) Proof-of-Concept/Exploit code.
The above is how a credible report would read and be presented. Not this sugar coated puff piece from AFP.