Huawei’s Pride Goeth Before Its Fall

Here’s the head of Huawei’s enterprise business last year, telling the Financial Times that the whole security thing is overblown:

Mr Xu said Huawei represented no threat to national security anywhere.

“There has never been a single network security breach case that has ever happened with Huawei.”

Whoops. Here’s a recent ComputerWorld report on the penetration testing of Huawei’s routers:

Security researchers disclosed critical vulnerabilities in routers from Chinese networking and telecommunications equipment manufacturer Huawei at the Defcon hackers conference on Sunday.

The vulnerabilities — a session hijack, a heap overflow and a stack overflow — were found in the firmware of Huawei AR18 and AR29 series routers and could be exploited to take control of the devices over the Internet, said Felix Lindner, the head of security firm Recurity Labs and one of the two researchers who found the flaws.

The researcher, who also analyzed the security of Cisco networking equipment in the past, described the security of the Huawei devices he analyzed as “the worst ever” and said that they’re bound to contain more vulnerabilities.

“This stuff is distrusting,” said security researcher Dan Kaminsky, who is best known for discovering a major vulnerability in the world’s DNS (Domain Name System) infrastructure in 2008 and who worked for Cisco in the past. “If I were to teach someone from scratch how to write binary exploits, these routers would be what I’d demonstrate on.”

“What FX [Lindner’s moniker in security circles] has shown is that the 15 years of secure coding practices that we’ve learned about — the things to do or not do — have not been absorbed by the engineers at Huawei,” Kaminsky said.

The Recurity Labs researchers specified during the talk that they didn’t test any “big boxes” like the Huawei NE series routers — which are intended for telecom data communication networks — because they couldn’t obtain them.

Lindner and Kopf also criticized Huawei for its lack of transparency when it comes to security issues. The company doesn’t have a security contact for reporting vulnerabilities, doesn’t put out security advisories and doesn’t say what bugs have been fixed in its firmware updates, the researchers said.

Maybe Huawei, which is also suffering from an intelligence committee investigation it requested publicly, should follow former Defense Secretary Gates’s advice about talking to the press. After the White House gave out a lot of questionable information in early press briefings about the bin Laden raid, Gates is reported in David Sanger’s new book to have suggested “a new press strategy” to the national security staff: “Shut the F*** Up.”

UPDATE: Huawei has now responded to the DefCon report:

“We are aware of the media reports on security vulnerabilities in some small Huawei routers, and are verifying these claims. Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management. Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time. In the interests of customer security, Huawei also calls on the industry to promptly report all product security risks to the solutions provider so that the vendor’s CERT team can work with the relevant parties to develop a solution and roll-out schedule,” the company said in a statement.