
Security Expert: Huawei Routers Riddled With Vulnerabilities

Posted by Unknown Lamer
from the more-like-riddled-with-features dept.
sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors." Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'
  • by Anonymous Coward

    I've always hated Huawei because their products seem inferior. This just reinforces that. I'm not surprised at all.

    • by Xest (935314)

      I'll be honest, despite them being such a massive firm, and having heard about them many hundreds of times on Slashdot, I've never actually seen a piece of Huawei kit here in the UK.

      Are they just not particularly prominent in the UK market? Or are they one of those firms who let others rebrand their kit?

      The reason I ask is because I don't want to inadvertently use their kit - if it's been rebranded to something else I want to avoid it. If it doesn't get rebranded then I guess I'm okay, because encountering

      • by Anonymous Coward on Thursday August 02, 2012 @10:05AM (#40855547)

        They do usually rebrand their stuff. Some "lower-end" mobile phones, probably ones that carry the operator's brand name and not the manufacturer's, are likely to be made by Huawei or similar companies (ZTE, as another example).

        Another reason Huawei is so cheap is because they don't "innovate" like (most?) Western companies do. They kinda consider R&D to be a profit center and will not move an inch to develop something that is not _known_ to be profitable. I have first-hand experience with this. I work for Huawei. There!, I said it.

        Most customer meetings we have involve going to ask for requirements that they can be sent back up the chain to HQ (R&D) to get started on the development. Seriously. Our Chinese bosses (can't call them managers) and counterparts (some of the "local" staff have a Chinese "mirror") are constantly asking to find the customer's Strategy for a particular product/service and what the business model is going to be....even from technical staff at the customer.

        I recently read this article http://www.brookings.edu/research/articles/2012/07/10-china-multinationals-shambaugh and it paints a pretty accurate picture of my everyday life working here.

        As much as they "sell" the idea of being a communist country, they are still very much a feudal culture with a close-minded and I'm-never-ever-wrong-because-I'm-the-boss mentality. And it'll catch up to them...soon

        When people mention something about the Chinese taking over the world, I worry too. Just for very different reasons.

        (Posted as AC ((from work)) for obvious reasons)

        • Re: (Score:3, Interesting)

          by Anonymous Coward

          Oh, and the R&D guys that I've met, look like they're fresh out of the University (or ...idk) and no one has bothered to create any formal programming practices or the like...which is why I totally believe the comment about security coding practices being from 15 years ago.

        • by faedle (114018) on Thursday August 02, 2012 @11:51AM (#40856901) Homepage Journal

          It is catching up to them.

          I work for a telecom company that has a significant investment in Huawei gear. Their equipment often has serious bugs, and upper management is starting to notice that the ability of the service and support teams to "do their jobs" is being hurt by Huawei's bugs, and we're seriously entertaining bids from other vendors.

          The sad part is that their equipment is SO much cheaper than anything else on the market. I don't know if we could afford to even convert a fraction of our gear to some other vendor. The economics of the business is such that we couldn't afford to provide the service at the prices we charge without using the cheapest option available.

          • by pnutjam (523990)
            This is one of those chicken-and-egg problems: you have priced yourself low, driving others out of the business, and now realize you are too low. Along comes better service, either from you or someone else.
          • I'm Canadian and your post absolutely SCREAMS Wind Mobile (you don't have to answer if you don't want to).

            I think Globalive uses Huawei gear in most or all of the other countries they have a presence in as well...

        • by JDG1980 (2438906) on Thursday August 02, 2012 @12:03PM (#40857023)

          From the article you linked [brookings.edu]:

          Chinese business culture values interpersonal over institutional relationships, and business decisions are often oriented towards short-term profit. There is also a lack of transparency and oversight, which has been linked to a high degree of corruption.

          Right, because stuff like that would never happen in the United States...

        • by Anonymous Coward
          Hey, Joe, did you notice the bit at the top of the page about how Huawei gear allows snooping on users' traffic?

          Guess what kind of gear we use here at Huawei.

          Please step into my office.

          Your boss

      • by SpzToid (869795) on Thursday August 02, 2012 @10:12AM (#40855651)

        My gargantuan 3G USB dongle mandated with my subscription from Telfort in the Netherlands is from Huawei. But I never use it, and instead have placed the SIM inside my Nokia N9 (which also tethers nicely). Still, I am claiming the Huawei tax here in the Netherlands.

      • by Bondz (2699235)
        They make a lot of telephony equipment, software based switches that run ISDN circuits. Do you have an o2 mobile phone? http://www.computerweekly.com/news/2240150185/Huawei-wins-contract-for-O2-network [computerweekly.com]
      • Huawei make the 3 "MiFi", the original generation at least and probably the rest too. They also make 3G dongles.

      • by AlecC (512609)

        My Vodafone dongle and 3 MiFi are both relabelled Huawei products. I think there are a lot of them around, but rebranded by the phone companies.

      • by galaad2 (847861)

        Many Vodafone-branded devices across the entire Europe are actually Huawei devices, especially those USB 3G+ HSDPA/HSUPA wireless modems that look like fattened USB drives.
        If you have one, look on its back and it's almost guaranteed to see the label that says it's made by Huawei.
        Also, the installation package for Vodafone Mobile Connect (their connectivity management software) has most of its drivers made by Huawei.

      • by MROD (101561)
        If you have had BT's Fibre To The Cabinet broadband service installed, either directly from BT or via one of the resellers, then it's most likely that the modem will be a Huawei. Also, the comms equipment installed in the street cabinets will be manufactured by them.

        As far as I'm aware, the company has no (own brand) retail products in the UK.
        • I've bought non-rebranded (don't recall if they have Huawei's brand printed on them or if they are just plain white with no brand marking) Huawei mobile broadband sticks in the UK (I wanted them unlocked so I could freely switch carriers and I also wanted an external antenna which meant I needed specific models, many of the newer ones lack the external antenna connector). It was from a computer gear supplier though, not retail.

      • by thegarbz (1787294)

        I'll be honest, despite them being such a massive firm, and having heard about them many hundreds of times on Slashdot, I've never actually seen a piece of Huawei kit here in the UK.

        I would have a look in the back cover of any 3G USB modem. In 6 different companies through a multitude of carriers I have never seen a carrier branded 3G stick that wasn't manufactured by Huawei.

      • I'll be honest, despite them being such a massive firm, and having heard about them many hundreds of times on Slashdot, I've never actually seen a piece of Huawei kit here in the UK.

        Afaict most mobile broadband sticks sold in the UK are made by them.

    • by Antarius (542615)
      It sure makes me take back all the things I thought when the Australian Government Banned Huawei from tendering for the National Broadband Network [slashdot.org]
  • Well... (Score:5, Insightful)

    by AngryDeuce (2205124) on Thursday August 02, 2012 @09:00AM (#40854841)
    You get what you pay for. Who would trust this craptastic bargain basement shit anyway? When something is being sold for a much lower price than competing products, there is a reason for it.
    • Re: (Score:3, Insightful)

      by 1u3hr (530656)

      When something is being sold for a much lower price than competing products, there is a reason for it.

      Yeah, they cloned the designs. Which is naughty, but doesn't mean they don't work exactly the same as the original version.

      • Re:Well... (Score:5, Funny)

        by AngryDeuce (2205124) on Thursday August 02, 2012 @09:13AM (#40854963)
        Yeah, exactly the same, except for all the deliberately inserted vulnerabilities. What a bargain!
        • Re:Well... (Score:4, Insightful)

          by poity (465672) on Thursday August 02, 2012 @09:39AM (#40855227)

          Well, they could just as likely be inadvertent vulnerabilities due to Huawei not diligently copying the newest firmware code from Cisco.

          • Whether due to incompetence or malice, it still screams Caveat Emptor, and most people should know better. Even before this particular story broke, how many /.'ers were considering buying network hardware from this company? Probably not many. Most reasonable people can see a deal that is too good to be true.
          • by zlives (2009072)

            why copy when they can hire laid off cisco programmers for cheap...

      • They think they cloned the designs at some level. They may not have gotten all the details right. Remember capacitor plague [wikipedia.org]? That was a case of industrial theft of an electrolytic formula; however, the formula was incomplete. It wasn't until about 2000 hours into operation that problems would occur.
    • Re: (Score:2, Insightful)

      by obarthelemy (160321)

      Yep. That's why Linux is so crappy compared to Windows. Oh, wait...

      • I highly doubt the motivations behind the low price of Linux as compared to the low price of these Chinese shit-tier routers are one and the same, which I'm betting you damn well know yourself, but if you want to play the 'feigned ignorance' game, you go for it buddy.

        Would you buy electronics out of the back of a van? It could be legit, amirite?

        • You're confusing distribution channels, products, hardware, software...

          Regarding the "more expensive is always better": no it isn't. There are oodles of examples where paying more is just being a sucker, not getting more quality/features/service. Yep, I'm thinking of Hi-Fi ethernet cables; of the no-name champagne that was ranked higher than almost all brands in a blind test, of linux vs windows.

          To stay in the "router" market, don't forget Cisco treated their customers to a forced update that forced them to

          • For some strange reason your sig is now playing in my head on the motive of "Uptown girl". Ah, slow work day...
    • by h4rr4r (612664)

      I strongly disagree. I can name many 6 figure software products that are worse than a free option in every way. I can name hardware that is similar.

    • Tell that to finance. Or a school board. Or any media "investigative reporter" looking for a ratings bump during sweeps week.

      In any public sector, low price almost always wins, because it's safe. Not necessarily for the organization, but definitely for the IT or CIO's job. If shit hits the fan, they can almost always pass the blame and keep their job. Except when it comes to money and (perceived) overspending and waste.

    • by mcgrew (92797) *

      You get what you pay for.

      ...says the lemon salesman at the used car lot. No, that's backwards. A bottle of Aleve costs three times as much as the generic and it's the same drug. You're paying for pain relief and led to believe that Aleve is superior to the generic, when it may have come from the same factory.

      You pay for what you get. You only get what you pay for if you're lucky. Item A costing more than item B is no guarantee that item A is superior to item B, and in fact the cheaper alternative may in

      • There are well-established security testing methods such as FIPS certification. It costs money to implement defenses and it costs money to do the testing. That is often what you are paying for in more expensive products. You will also probably get hardware that works over a wider temperature range and a product that has been through accelerated life testing and meets the published specification on every single unit made. Take your pick, you can buy products cheaply that usually do the job without problems

    • by JDG1980 (2438906)

      You get what you pay for. Who would trust this craptastic bargain basement shit anyway? When something is being sold for a much lower price than competing products, there is a reason for it.

      That's not always the case; sometimes certain companies really do offer better price/performance ratio than others. One example I've seen is in the area of woodworking tools. Companies like Delta and Powermatic used to make stationary power tools in the USA; these were built like tanks, priced high but great quality. T

  • Cisco, Juniper, HP, Nortel, Ericsson are all proprietary black boxes as well. Perhaps they all have vulnerabilities like this? We will never know but perhaps our governments do?

    Unfortunately, it's a niche and there are no open source carrier grade router platforms :(

  • I used a NE40 for a couple of weeks to determine if it was worth buying instead of Juniper for our network. I decided against it but I have to admit for the price it did pretty much everything we would want it to do. The hardware build quality left a lot to be desired and it was only 32 bit CPU so the memory would never be able to be upgraded past 4 gigs so we passed.

    But to hack a few small SOHO routers and then make the claim carrier grade gear is also just as bad without ever touching or using it? I think t

  • by cryfreedomlove (929828) on Thursday August 02, 2012 @09:38AM (#40855213)
    Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank [wikipedia.org] than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.
    • by sociocapitalist (2471722) on Thursday August 02, 2012 @10:57AM (#40856219)

      Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank [wikipedia.org] than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

      It would be nice to think that by working for American companies you wouldn't also be behind the controls of the tanks, but unfortunately that's not the case.

      • Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank [wikipedia.org] than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

        It would be nice to think that by working for American companies you wouldn't also be behind the controls of the tanks, but unfortunately that's not the case.

        I'm against injustice, regardless of whether it is committed by Americans or Chinese or anyone else. You seem to be arguing that crushing children with tanks at Tiananmen Square was morally allowed because the USA government has been known to also have moral failures. That's an interesting world view on your part.

        • Hmm... and you seem to be arguing that by creating your product and paying your taxes you're actively not supporting your government, with all of Guantanamo, TSA and Predator drones "little mistakes"? So if you are so strongly inclined against use of government's overwhelming force (military and other) against common people, why do you allow these things to happen? Using your analogy, you are not behind the controls of the tank, but you are on the passenger seat, drinking coke and paying for gas for the sai
        • Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank [wikipedia.org] than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

          It would be nice to think that by working for American companies you wouldn't also be behind the controls of the tanks, but unfortunately that's not the case.

          I'm against injustice, regardless of whether it is committed by Americans or Chinese or anyone else. You seem to be arguing that crushing children with tanks at Tiananmen Square was morally allowed because the USA government has been known to also have moral failures. That's an interesting world view on your part.

          I can't even begin to imagine how you could come to such a conclusion based on what I said. In fact it's so far off from what I said, and what I think, that I have trouble figuring out what to say to you without being offensive.

          I'll rather try and clarify what I said in other terms. The original poster was saying that he wouldn't work for Huawei because to do so would, in effect, be moral support for the Chinese government who was / is responsible for human rights violations. So far I think you had the s

  • by X.25 (255792) on Thursday August 02, 2012 @10:00AM (#40855501)

    And hundreds of vulnerabilities in Cisco IOS were somehow different, of course.

    But of course, their vulnerabilities were not related to 'Chinese government' and wouldn't make 'news for retards'.

    Sigh.

  • by Lumpy (12016) on Thursday August 02, 2012 @10:07AM (#40855571) Homepage

    You get what you pay for.... Honestly if they are cheaper than d-Link, something must be wrong.

    It's just like buying your servers from Happy Fun server company. What did you expect you were getting for $49.95?

  • When you subscribe to Verizon FiOS, Verizon gives you a free ActionTec wifi router with custom firmware. No doubt it has similar backdoors.
  • And their competitors are not? [wikipedia.org] In fact, to hear one of their competitors talk about it, if Huawei hardware is riddled with holes, it's only because they copied all those holes (Along with everything else) from their competitor!

    Their competitor's hardware [scribd.com] is truly a masterpiece of engineering, and if you're an engineer you may find it to be beautiful. I always thought they should ditch the custom VM, provide some kernel modules and ioctls for the special hardware functionality and do all their programming

  • The title of this article seems a little deceptive to me. Not that I have a particular fondness for some Chinese router company, but I think this should have been titled "Competitor: Huawei Routers Riddled With Vulnerabilities".
  • Cnet reports that German security expert Felix Lindner has...

    Some expert. Now everyone knows who he is. Oh, wait, now I get it....

  • I think the safe (and honest) assumption should be that anything coming out of a shipping container that can rub two chips together is a possible attack vector of the PRC. They are the ultimate and most effective sleeper agents ever created.
  • Perhaps there is something to be said about routing & switching performed by open source software based systems...

  • Whether it's Huawei or some American company, as long as the source code is hidden there is no way to prove that a router does not have a trap door built in. My first thought for doing this would be through 'port knocking', which would be undetectable until actually used. No doubt, black hats have even more sneaky methods.

    • by NeveRBorN (86123)

      You should have worded your subject "You Can Only Really Know if Open Source Routers are Secure". For the sake of discussion, say I were to create the world's first 100% secure, completely unhackable router and not release its source code. It is secure, but you're assuming it isn't because you can't see that it is. At the same time you can't prove that it isn't. You could spend your entire life trying to find holes in it without ever knowing there was one. (You can't prove a negative)

      Now with that said,
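The 'port knocking' trap door raised in the post above leaves a footprint a defender can look for: one source hitting several closed ports in quick succession, followed by an accepted connection to a port that was not open for it before. The script below, added here as an example and not code from the original thread or from any router vendor, applies that heuristic to constructed iptables-style log lines. The log format, the FW_DROP/FW_ACCEPT prefixes, the addresses and the thresholds (three knocks within 30 seconds) are all assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample firewall log in an iptables-like layout (not captured from any real device).
# 203.0.113.7 knocks three closed ports and then gets an accepted connection on 2222;
# 198.51.100.20 produces normal traffic plus slow, isolated drops that should not be flagged.
SAMPLE_LOG = """\
2012-08-02T10:05:01 kernel: FW_ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.1 PROTO=TCP DPT=443
2012-08-02T10:05:02 kernel: FW_DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=7000
2012-08-02T10:05:03 kernel: FW_DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=8000
2012-08-02T10:05:04 kernel: FW_DROP IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=9000
2012-08-02T10:05:06 kernel: FW_ACCEPT IN=eth0 SRC=203.0.113.7 DST=192.0.2.1 PROTO=TCP DPT=2222
2012-08-02T10:06:00 kernel: FW_DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.1 PROTO=TCP DPT=23
2012-08-02T10:20:00 kernel: FW_DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.1 PROTO=TCP DPT=25
2012-08-02T10:40:00 kernel: FW_DROP IN=eth0 SRC=198.51.100.20 DST=192.0.2.1 PROTO=TCP DPT=110
2012-08-02T10:40:05 kernel: FW_ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.1 PROTO=TCP DPT=443
"""

# Assumed line layout: ISO timestamp, process tag, FW_<verdict>, then key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ FW_(?P<verdict>DROP|ACCEPT) .*?SRC=(?P<src>[\d.]+) .*?DPT=(?P<dpt>\d+)"
)


def parse_log(text):
    """Turn log text into time-ordered (timestamp, src, dport, verdict) tuples; skip lines that do not match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append((datetime.fromisoformat(m["ts"]), m["src"], int(m["dpt"]), m["verdict"]))
    events.sort(key=lambda e: e[0])
    return events


def find_knock_sequences(events, min_knocks=3, window_seconds=30):
    """
    Flag a source that is dropped on at least `min_knocks` distinct ports within
    `window_seconds` and is then accepted on a port that was not part of the burst.
    Each finding records the knock ports, the port that opened and both timestamps.
    """
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[1]].append(ev)
    window = timedelta(seconds=window_seconds)
    findings = []
    for src, evs in by_src.items():
        i = 0
        while i < len(evs):
            ts0, _, _, verdict0 = evs[i]
            if verdict0 != "DROP":
                i += 1
                continue
            knocks = []      # distinct dropped ports, in the order they were hit
            matched_at = None
            for j in range(i, len(evs)):
                ts, _, dpt, verdict = evs[j]
                if ts - ts0 > window:
                    break
                if verdict == "DROP":
                    if dpt not in knocks:
                        knocks.append(dpt)
                elif len(knocks) >= min_knocks and dpt not in knocks:
                    findings.append({"src": src, "knocks": list(knocks), "opened": dpt,
                                     "first_knock": ts0, "accepted_at": ts})
                    matched_at = j
                    break
            # After a hit, resume past the accept so one burst yields one finding.
            i = matched_at + 1 if matched_at is not None else i + 1
    return findings


def describe(finding):
    """Render a finding as a one-line alert string."""
    return (f"{finding['src']} knocked ports {finding['knocks']} between "
            f"{finding['first_knock'].isoformat()} and {finding['accepted_at'].isoformat()}, "
            f"then was accepted on port {finding['opened']}")


if __name__ == "__main__":
    for f in find_knock_sequences(parse_log(SAMPLE_LOG)):
        print(describe(f))
```

The thresholds are a starting point, not a tuned detector: a scanner that sweeps many ports will also trip the drop count, so in practice the accept-after-knocks condition and an allow-list of ports the source is normally permitted to reach do most of the work in keeping false positives down.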

  • So now I'm wondering about a purchase I've been considering: GSM modules from RF Solutions have Huawei PDFs, really cheap stuff, would make putting together a smart phone easy. I'm slightly concerned about the quality and security of the modules now...
