Hackers reveal critical vulnerabilities in Huawei routers at Defcon
Hackers criticize Huawei for insecure coding practices and lack of security transparency
IDG News Service - Security researchers disclosed critical vulnerabilities in routers from Chinese networking and telecommunications equipment manufacturer Huawei at the Defcon hackers conference on Sunday.
The vulnerabilities -- a session hijack, a heap overflow and a stack overflow -- were found in the firmware of Huawei AR18 and AR29 series routers and could be exploited to take control of the devices over the Internet, said Felix Lindner, the head of security firm Recurity Labs and one of the two researchers who found the flaws.
Huawei is one of the fastest growing providers of networking and telecommunication equipment in the world. Huawei equipment powers half of the world's Internet infrastructure, Lindner said.
The researcher, who also analyzed the security of Cisco networking equipment in the past, described the security of the Huawei devices he analyzed as "the worst ever" and said that they're bound to contain more vulnerabilities.
During the Defcon talk, which Lindner gave together with Recurity Labs security consultant Gregor Kopf, the researchers pointed out that there are over 10,000 calls in the firmware's code to sprintf, a function that's known to be insecure.
"This stuff is distrusting," said security researcher Dan Kaminsky, who is best known for discovering a major vulnerability in the world's DNS (Domain Name System) infrastructure in 2008 and who worked for Cisco in the past. "If I were to teach someone from scratch how to write binary exploits, these routers would be what I'd demonstrate on."
"What FX [Lindner's moniker in security circles] has shown is that the 15 years of secure coding practices that we've learned about -- the things to do or not do -- have not been absorbed by the engineers at Huawei," Kaminsky said.
According to the Huawei website, the AR series routers are used by enterprises and AR18 in particular is marketed as product intended for small and home offices.
The Recurity Labs researchers specified during the talk that they didn't test any "big boxes" like the Huawei NE series routers -- which are intended for telecom data communication networks -- because they couldn't obtain them.
Lindner and Kopf also criticized Huawei for its lack of transparency when it comes to security issues. The company doesn't have a security contact for reporting vulnerabilities, doesn't put out security advisories and doesn't say what bugs have been fixed in its firmware updates, the researchers said.
"If I don't know who to contact, I can't tell you about your bugs and this happens," Lindner said, referring to the public disclosure of vulnerabilities.
The researcher hopes that this will be a wake-up call for Huawei customers. The only way to force a company to build more secure products is to make the customers ask for it, like it happened in the past with Microsoft, Cisco or Apple, he said.
Huawei did not return a request for comment.
- Path Selection Infographic Path Selection Infographic
- Hyperconvergence Infographic A wide range of observers agree that data centers are now entering an era of "hyperconvergence" that will raise network traffic levels faster...
- Preparing Your Infrastructure for the Hyperconvergence Era From cloud computing and virtualization to mobility and unified communications, an array of innovative technologies is transforming today's data centers.
- How WAN Optimization Helps Enterprises Reduce Costs If you wanted to break down innovation into a tidy equation, it might go something like this: Technology + Connectivity = Productivity. Productivity...
- Redefine Your IT Operations: Remote Office IT Has Never Been Simpler Join us to see why PC Pro named Dell PowerEdge VRTX the "2013 Server of the Year." PowerEdge VRTX may be just what...
- Cloud Knowledge Vault Learn how your organization can benefit from the scalability, flexibility, and performance that the cloud offers through the short videos and other resources... All Hardware White Papers | Webcasts
Our new weekly Consumerization of IT newsletter covers a wide range of trends including BYOD, smartphones, tablets, MDM, cloud, social and what it all means for IT. Subscribe now and stay up to date!