Security Researcher: Huawei’s Gear is “Full of Holes”
Posted by Sam Reynolds — August 2nd, 2012



At DEFCON, the annual hacker get-together in Las Vegas, a German security research team demonstrated how Huawei’s commercial routers are ripe with serious unpatched security vulnerabilities.

Felix Lindner — who prefers the nom-de-hacker “FX” — demonstrated with colleagues from his security think tank Recurity Labs how Huawei’s AR18 and AR 29 series routers contain serious vulnerabilities that would allow a hacker to compromise the devices using attacks such as a session hijack, a heap overflow, or a stack overflow.

“FX”, a DEFCON veteran and longtime security analyst, says the security on these devices is “the worst ever” because of ”1990s-style code” found in the routers’ firmware. At his DEFCON talk, presented with fellow Recurity Labs security consultant Gregor Kopf, “FX” pointed out that there are 10,000 calls in the firmware’s code to sprintf, a function that’s long been considered insecure if used badly.

While Huawei’s AR 18 and AR 29 routers aren’t used in ISP backbones, they are typically found in small enterprise environments or home offices.

“This stuff is distrusting,” said security researcher Dan Kaminsky.

Mr. Kaminsky is known for discovering a critical cache poisioning vunerability in DNS servers in 2008.

“It’s a big deal for routers to get broken into,” Mr. Kaminsky told CNET. “If you can get into a router you can take it over, monitor and alter peoples’ traffic. You become a man-in-the-middle” attacker who can spoof legitimate Web sites.”

“What “FX” has shown is that the 15 years of secure coding practices that we’ve learned about — the things to do or not do — have not been absorbed by the engineers at Huawei,” Mr. Kaminsky continued.

It has been previously alleged that Huawei equipment contained backdoors that would allow Chinese intelligence — or groups acting at their behest — to monitor and datamine traffic running through it. As previously reported, in late March the Australian government blocked Huawei from bidding on contracts for the country’s new national broadband network citing security concerns.

Huawei provides Telus and Bell with LTE towers.

Regarding the allegations that Huawei’s equipment acts as something of a trojan horse for Chinese intelligence, FX said: “They don’t need to. You (just) need to have Huawei people running your network or help run your network… If you have so many vulnerabilities, they are the best form of (attack) vector.”