…and here’s what happens when you don’t learn about defense 🙂
It turns out two types of routers that Chinese networking-gear megacorp Huawei puts out have a load of major security holes. Granted, the researchers didn’t analyze Huawei’s bigger iron — the stuff that powers half the world’s Internet infrastructure. But that Huawei would make the mistakes they did suggests they don’t have the know-how to build the big stuff any better.
Buying forbidden stuff: A while back there was a question about how to buy forbidden stuff safely. Even if you can put in the order anonymously, the physical transfer of goods is much harder to anonymize.
(For the record, I’m not much of a fan of either illegal guns or drugs — the former waste your money, the latter waste your money and make you really vulnerable.
Yet there are other things you might want that require similar security precautions in the purchase. So let’s say this is about some dystopian future where bug sweeping gear is forbidden and you’re out to buy a Rohde & Schwarz spec-a with calibrated antennas.)
Step number one is to minimize risk. “Amateurs accept risk, professionals reduce it,” if you recall the shoplifters. So assume the deal is bad, and the adversary is all over the transfer-site. If there’s no trustworthy but small-fry intermediary to take on that part of the risk, it’s all about spotting the adversary’s presence before they can close the trap.
That’s why the traditional procedure for risky transfers involves hiding the goods somewhere and walking away, then telling the recipient where to pick them up. The sender has no risk, the recipient doesn’t have to worry about the sender killing/etc them at the last minute.
But a bad seller isn’t necessarily someone who springs the trap when you come to pick up the goods. They may let you leave with the gear in peace, knowing the tracking device in it or very subtle sabotage-job they did to it will serve their interests just as well.
Therefore, the second bit is to iterate. Some percentage of sellers out there are bad. Of that percentage, you can hope to spot some fraction of them. That leaves some number of bad sellers you won’t identify ahead of time. By spreading out your purchases over several sellers — buying the same thing twice or more if you can afford it — the bad sellers you miss won’t totally screw you.
How to tell which ones are bad? That’s the last bit: close the loop. Introduce feedback into the system by testing the sellers, procedures, and the gear (ideally immediately, before any embedded nasties get a chance to tell the adversary about your own infrastructure).
This doesn’t just protect you in the short run. Checking everything lets you figure out what you did right and what you did wrong, reducing the percentage of fails on your end next time you need something.
“Security researchers disclosed critical vulnerabilities in routers from Chinese networking and telecommunications equipment manufacturer Huawei at the Defcon hackers conference on Sunday.
The vulnerabilities — a session hijack, a heap overflow and a stack overflow — were found in the firmware of Huawei AR18 and AR29 series routers and could be exploited to take control of the devices over the Internet, said Felix Lindner, the head of security firm Recurity Labs and one of the two researchers who found the flaws.
Huawei is one of the fastest growing providers of networking and telecommunication equipment in the world. Huawei equipment powers half of the world’s Internet infrastructure, Lindner said.
The researcher, who also analyzed the security of Cisco networking equipment in the past, described the security of the Huawei devices he analyzed as “the worst ever” and said that they’re bound to contain more vulnerabilities.[…]
“What FX [Lindner’s moniker in security circles] has shown is that the 15 years of secure coding practices that we’ve learned about — the things to do or not do — have not been absorbed by the engineers at Huawei,” Kaminsky said.
According to the Huawei website, the AR series routers are used by enterprises and AR18 in particular is marketed as a product intended for small and home offices.
The Recurity Labs researchers specified during the talk that they didn’t test any “big boxes” like the Huawei NE series routers — which are intended for telecom data communication networks — because they couldn’t obtain them.”