& cplSiteName &

Def Con Hacks Huawei

Ray Le Maistre
7/30/2012

9:45 AM -- This is just the sort of ammunition that the House of Representatives' Intelligence Committee was looking to load into its east-facing guns. (See More Chinese Whispers.)

Staff from Recurity Labs exposed a number of security flaws in routers made by Huawei Technologies Co. Ltd. during the annual Def Con event for hackers in Las Vegas (July 26-29), reports AFP.

The assessment of the routers' security flaws was pretty damning, not least because there are reportedly no security advisories from Huawei about the alleged flaws. And while the equipment tested by the hackers didn't include any of the carrier-grade equipment deployed in operator networks, this case will no doubt be referenced in reports about the security threats posed by network equipment developed by Chinese vendors.

— Ray Le Maistre, International Managing Editor, Light Reading

(6)  | 
Comment  | 
Print  | 
Related Stories
Newest First  |  Oldest First  |  Threaded View        ADD A COMMENT
Soupafly
Soupafly
12/5/2012 | 5:25:30 PM
re: Def Con Hacks Huawei


@ Brooke7; Agreed.


Frankly, this is a storm in a teacup. Even if they found security issues, its hardly surprising or news. Every single vendor has multiples of said - in past, present & future Software builds.


Does anyone really think that what I call CAPT (cumulative advance persistent threats) exist in a vacuum? Nope. Some are linked to 0 day exploits and assorted un-patched vulnerabilities. This is an inevitable consequence of a digital world.


This is in no way a Huawei only problem.


Having said that, Huawei may have some process tweaks to do.


Its also fair to say that the AFP article is written in a sensationalist style which doesnt help anyone;


E.g: "Kopf referred to the routers studied by Recurity as having technology reminiscent of the 1990s and said that once attackers slipped in they could potentially run amok in networks."


a) What does technology reminiscent of the 1990's mean? (This is like reading a Dan Brown Novel. Nice frothy headlines, no substance or detail.)


b) "Attackers slipped in + run amok" Again emotive language thats better suited to a fiction novel than piece of substantive journalism. Any attack once it bypasses the security & authentication process can be harmful. Thats why its called an attack!


Because I like detail & specifics in life, lets be very clear; Is the Recurity team referring to a specific technical process, proceedure or command that allows the user to bypass the authentication and administration process on the router firmware & once deployed it's use allows/facilitates a privilege elevation exploit to be used to increase the attack surface and/or vulnerability window?


 If the above statement is true, then I would also expect to see a write up that would include Model, Firmware rel no. and additional technical detail with limited (selected) Proof-of-Concept/Exploit code.


The above is how a credible report would read and be presented. Not this sugar coated puff piece from AFP.


 

paolo.franzoi
paolo.franzoi
12/5/2012 | 5:25:30 PM
re: Def Con Hacks Huawei


To mollify a particular poster, I changed the title.


But the reality is that security is a tradeoff.  I had a friend put it this way....


They still rob banks right?  If physical security is a completely solvable problem, nobody would be able to after the 1000s of years of trying to protect it.  So, things go in scale from the cost and safety of a key lock like a dead bolt up to the extreme of Fort Knox.  


You have to think of electronic security in the same way.  It is a tradeoff of security versus cost and usability.  All products and networks are vulnerable.  It is a matter of degree and cost to penetrate them.


I would agree that there is a PR problem more than a real problem.  I would think to help on that front adopting what people perceive as standard practice of publishing security issues would be prudent.  Of course, the unpublished ones are the worst.  But in the end, one still needs to think of any single product or series of products as simply building a higher wall.


seven

Pete Baldwin
Pete Baldwin
12/5/2012 | 5:25:30 PM
re: Def Con Hacks Huawei


Well, from an engineering standpoint, this isn't surprising; every router probably has lots of flaws. It could be harmful from a PR standpoint, though.


Reading the AFP story... what's interesting are the lack of disclosure (vs. other vendors that have all kinds of security alerts out there), and more so, the comment that Huawei's technology (the security technology, presumably) seems way behind the times.

Soupafly
Soupafly
12/5/2012 | 5:25:28 PM
re: Def Con Hacks Huawei
Just to update my post below. Here is a more credible link that provides additional detail & definition on the report;

http://www.computerworld.com/s...

Intriguing piece of FUD or important feedback from security experts. You decide.
melao2
melao2
12/5/2012 | 5:25:23 PM
re: Def Con Hacks Huawei


I wonder who in the industry would take this seriously.


Those problems, as was pointed out here, maybe were already solved in newer software releases. Anyway, it should exist in most of the routers, specially in the lower end such as the AR18 and AR29.

Soupafly
Soupafly
12/5/2012 | 5:25:14 PM
re: Def Con Hacks Huawei


Just to clarify my earlier posts.


This is more significant than I first though. These routers are the key parts of Huawei's new enterprise strategy, from a Campus & WAN networking perspective.


Given that they are brand new & have only just been released, if the reports are true, it seems they have a weak security bubble.


The further reading that's required is important & a must if your thinking of using or deploying any Huawei enterprise kit. The computerworld link is a good start.


Are they the only one's impacted. No. However, given the lack of information on the platforms it would be wise to proceed with caution. Caveat emptor!

More Blogs from AsiaBlog
Staff humiliation strategy goes viral in China
Are you watching, Europe?
Security concerns scupper China Mobile investment in Taiwanese operator
Major carrier plans a near 50% hike in annual spending, with LTE TDD getting a healthy chunk
The Chinese vendors hike their intellectual property investments and ask everyone to play nice with patents
Featured Video
Upcoming Live Events
November 14, 2019, Maritim Hotel, Berlin
December 3-5, 2019, Vienna, Austria
December 3, 2019, New York, New York
March 16-18, 2020, Embassy Suites, Denver, Colorado
May 18-20, 2020, Irving Convention Center, Dallas, TX
All Upcoming Live Events