
Huawei Hits Back at Hack Attack

Huawei Technologies Co. Ltd. has hit back at claims that its router products and security strategies and policies are not up to scratch, following a presentation at the recent DEF CON event in Las Vegas that highlighted a number of flaws. (See Def Con Hacks Huawei.)

However, the network security specialists that tested the vendor's access routers and provided a rather damning appraisal still say Huawei's processes lag behind industry norms.

The background
The DEF CON presentation was made by Felix "FX" Lindner from Berlin-based Recurity Labs GmbH. Lindner and his team tested two Huawei access routers -- the AR Series 18, which is pitched at small and home office users, and the AR Series 28, designed to support multiple VPN applications such as VoIP. (The testers wanted bigger boxes, but couldn't source any -- yet.)

His slides can be viewed here and pored over by those who are router code and hacking literate. But basically, the Recurity Labs team identified bugs and flaws that it described as "'90s style."

Also of concern to Lindner, though, is the apparent lack of security releases, advisories and contact information provided by Huawei. In particular, he noted in his presentation that neither securityfocus.com nor OSVDB (Open Source Vulnerability Database) listed product security contacts and that the Huawei website did not provide such information either.

The response
Huawei contacted Light Reading, providing us with the following statement:

    While we are still investigating and verifying the issues, we’d like to let you know Huawei’s position on product security. Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management. Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time. In the interests of customer security, Huawei also calls on the industry to promptly report all product security risks to the solutions provider so that the vendor’s CERT team can work with the relevant parties to develop a solution and roll-out schedule.


Lindner remains unimpressed. "They want the security issues reported to the solution provider," meaning the reseller, he notes in an email to Light Reading. That "is not industry practice. The vendor must be contactable directly."

Lindner also noted that Huawei contacted him to say that NSIRT (Network Security Incident Response Team) is responsible for such matters. "However, it's nowhere listed as such and other vendors have a separate PSIRT (Product Security Incident Response Team)," noted the security expert.

A link to information about that team is available at the foot of some Huawei website pages, but not all: Neither the company's home page nor its Support section (for enterprise or carrier products) currently displays the hyperlink. By contrast, on the Cisco Systems Inc. (Nasdaq: CSCO) website it was hard to find a page without a link to its security advisories and associated information (the Investor Relations page was the only exception we could find).

"So while they [Huawei] have something in place, it's not visible enough," notes Lindner. "Also, we still don't know if and where they publish security advisories for their own products."

Huawei isn't taking this lying down, though, sending this statement in response to questions about security information and practices:

    Huawei enhance [sic] and comprehensively implement [sic] its E2E global cyber security assurance system as one of the key corporate development strategies. Inside Huawei, we have the Global Cyber Security Committee (GCSC), [which] as the top-level cyber security management body of Huawei, is responsible for ratifying the strategy of cyber security assurance. In addressing the requirements of cyber security, we have built into all of our standard processes, baselines, policies and standards the best practice that is required and we will continue to adopt an open and transparent approach enabling all stakeholders to fully review Huawei's capabilities.


Why this matters
In isolation this seems like little more than a storm in a small IP-edge-box-shaped teacup (and you don't see many of those around).

But here's why this does matter. Huawei is an enormous company with growing influence. It is turning its attention to the enterprise market much more now and so its products and operations should match industry best practices if it's to be taken seriously by customers and partners. (See Huawei Makes Its Enterprise Pitch, Interop Wrap: Huawei's Enterprising Campaign, Huawei's Enterprise Vision Gets Cloudy and Huawei Aims for $100B Annual Revenues.)

The fact that the Recurity Labs team decided to check out some Huawei gear reflects that. The German lab also gave a presentation comparing Apple and Google client platforms at the Black Hat Europe 2012 event in the Netherlands earlier this year -- this is a zeitgeist lab!

That's not all. Security concerns are growing in general as more and more devices are connected to the public Internet and cloud services become more popular. And in Huawei's case, security is a particularly sensitive matter, given the questions being asked (particularly in the U.S.) about the potential security implications of deploying IT and network equipment from China. (See More Chinese Whispers.)

— Ray Le Maistre, International Managing Editor, Light Reading

Michelle Donegan 12/5/2012 | 5:25:08 PM
re: Huawei Hits Back at Hack Attack

It's good to know exactly which routers were used for the test. I'd like to know how similar equipment from other vendors holds up to this scrutiny.

pdonegan67 12/5/2012 | 5:25:03 PM
re: Huawei Hits Back at Hack Attack

Earlier this year, the mighty Symantec acknowledged for the first time that a 2006 attack on its own systems did indeed result in the exposure of the code for some of its legacy products, something which had previously been denied. F5, another security specialist, was awarded a mock 'Epic Fail' award at last week's Black Hat event in Las Vegas for a product vulnerability.

Vulnerabilities do absolutely need exposing as a critical step towards rapidly addressing them - as do more general weaknesses in a vendor's security processes and procedures. This isn't a "new normal" either - it was ever thus.

What is new is that with the viral proliferation of computing and IP end points throughout our lives, together with the increase in the number of attackers and the level of sophistication and criminality with which they behave, the potential costs of failing to address product vulnerabilities are now so much greater for businesses, governments, carriers and consumers.

Given the heightened risks, vendors should avoid "casting the first stone" relative to one another, even where they have good grounds to think they have a lead on security relative to competitors - for now. The best response the industry can provide is a common front, a never-ending process of optimizing security best practices, a recognition that security is a perpetual journey rather than any one destination.

macster 12/5/2012 | 5:25:02 PM
re: Huawei Hits Back at Hack Attack

LOL, check out this week's Economist.

pdonegan67 12/5/2012 | 5:25:02 PM
re: Huawei Hits Back at Hack Attack

I assume you are referring to the article about the possible vulnerability of Skype. And yes LOL (or not...)

macster 12/5/2012 | 5:24:58 PM
re: Huawei Hits Back at Hack Attack

Sorry, wasn't clear. It's the upcoming one with the main title "Who's afraid of Huawei?" Great cover pic :)

Soupafly 12/5/2012 | 5:24:53 PM
re: Huawei Hits Back at Hack Attack

I read the economist article. It's a reasonable read and tries to be balanced in tone & content.


In terms of the Recurity Labs report, I think it's interesting because:

a) The routers they tested are not Huawei. They are OEM'd & re-sold under a MRA from what was H3C and is now HP. Huawei staff helped develop the software, back in the day, & are committed to supporting it, but that's it AFAIK.

b) The new range of Huawei routers has very few final production units in circulation. They are mostly "sample only" availability. Unless you have a meaningful triple/quad digit order, you can forget about getting hold of any.

c) The comment "you get what you pay for" is very harsh! Huawei are very expensive!

The boxes themselves and the software are reverse-engineered. Given the very low development costs (which is where the real $$ are spent) & the weak global support organisation, the Huawei kit should be 70-80% cheaper than market-leading alternatives to be credible & worthy of consideration. That comment goes to Juniper, Brocade, etc., and not just Cisco.

Of course this is all anecdotal information and just a personal view. So if you disagree with every word I have typed, that's fine too. I won't feel bad or lose any sleep over that.

@ PatrickD; Did you consult with your colleagues at Dark Reading? I would be very interested to get their take on this story. Some of the team over there have relevant experience in this type of hacking story.

For once I am a little surprised by your post. It's relatively accurate up until the point where you call for industry unity. That is a myth. Juniper have pursued a "red/blue" positioning strategy with customers from a security perspective for years! I was in some of those sales meetings and it worked in some cases.

pdonegan67 12/5/2012 | 5:24:52 PM
re: Huawei Hits Back at Hack Attack

I take your point. And I agree, if anyone is well placed to benefit from finger-pointing in the security stakes, then Juniper certainly is. But I'd also argue that there aren't many vendors who are as well placed as Juniper to go "casting the first stone".

There's always a balance to be reached between competition and collaboration among vendors. My point is that in most cases there is a lot more to be gained from raising everyone's game where security is concerned. As far as possible, finger-pointing shouldn't get in the way of that.

Soupafly 12/5/2012 | 5:24:45 PM
re: Huawei Hits Back at Hack Attack

@ PatD. You're absolutely right in your statements; however, in some respects this is a unique and atypical situation for the industry to be in. Collaboration & cooperation have only ever occurred between the United States & its allies. That would typically include the NATO countries and Israel.

China, Russia, India, Brazil, Iran, etc., have not (historically) been included in that initiative. The views & merits on them joining it will fluctuate depending on which politician you talk to, election time & expediency. Is it time for them to join those discussions? The answer to that question would depend on variables that are way beyond this board & post.

Huawei (and ZTE for that matter) have shown limited willingness to be active participants in the global security movement - up until relatively recently. Yes, they have people on the standards committees, but what I am referring to extends way beyond that. At the moment they do not appear to have been invited to the very top table, in terms of threat intelligence sharing, global traffic trends and anomalies, etc., etc. Creating cyber centres and hiring political cronies (as they have done in the UK, US & Australia) is the Chinese way. It's too limited in scope to yield sustainable results.

Why are they locked out? Well, if you believe the media hubris, it's all down to the consistent level of threat deemed to be emanating from China & its networks.

That is a consistent statement. The Chinese have shown zero respect for international laws, IPR ownership and have displayed a wilful disregard for any existing economic interests or strategic assets. That is one of the reasons they have been able to close the industrial & economic gap so quickly.

However, they are not the only players at the party, and may not even be the most active or dangerous. Just the most high-profile and convenient - right now.

As for the Recurity presentation PDF, it's a fascinating read. If you understand this area, the tech, the software and the coding languages, it's a rare in-depth peek behind the curtain at the Wizard.

For example, VxWorks. It's widely used across a massive user base of devices. I know that Mitel Networks, a specialist VoIP player, uses it. Why? It's an idiosyncratic language that's relatively obscure. That made it more secure to them. To be fair, they are not alone in that viewpoint, and it depends on which layer of the software build & stack you're referring to.
