Security Expert: Huawei Routers Riddled With Vulnerabilities 126
sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors."
Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'
Well... (Score:5, Insightful)
Re:Well... (Score:3, Insightful)
When something is being sold for a much lower price then competing products, there is a reason for it.
Yeah, they cloned the designs. Which is naughty, but doesn't mean they don't work exactly the same as the original version.
Re:Well... (Score:2, Insightful)
Yep. That's what Linux is so crappy compared to Windows. Oh, wait...
Re:Well... (Score:4, Insightful)
Does it make a difference if the device is wide open because nobody closed all the doors (east) or because someone opened a backdoor (west)?
In practice, it almost certainly does: Vulnerabilities are exploitable by anybody who knows about them and cares to do so. That is a fairly long list of the world's spook shops, spammers, questionably socialized teenagers, and so forth. Law enforcement backdoors(unless they are also badly implemented and vulnerable) are exploitable by the law enforcement of your given jurisdiction. Not wildly comforting; but it is a shorter list...
You would hardly call me a friend of CALEA and its analogs; but surveillance-under-color-of-law does have the advantage, from a security perspective, of essentially making the local feds users, rather than attackers, of the system. If they already get what they want, they have no incentive to weaken the security mechanisms in order to get what they want(and, indeed, if they want exclusivity, they have an interest in keeping their competitors out). It doesn't help the little people on the end of the wire all that much, of course.
Re:Well... (Score:4, Insightful)
Well, they could just as likely be inadvertent vulnerabilities due to Huawei not diligently copying the newest firmware code from Cisco.
Re:summary is racist (Score:5, Insightful)
First, I don't think you are working from a good definition of "racist." If someone insinuated that Cisco had a backdoor deal with the NSA, I doubt people would be screaming "racist" or even do anything more than shrug and frown. It's sound strategy, and the Chinese government is very good at infosec and cyberwar - the reason why people are up in arms isn't because the Chinese are a different race, it's that the Chinese government has been caught repeatedly engaging in corporate espionage as well as old fashioned espionage, where the US generally only bothers with the latter.
Second, almost anyone who has a real infrastructure to protect knows that Huawei works arm-in-arm (or hand-in-pocket, more likely) with the 7th Bureau of the 3rd People's Liberation Army, the Chinese military infosec unit responsible for network penetration. The 7B3PLA has investments all through China's technology sector, to the point where individual chips on routers made elsewhere need to be vetted, as they might be compromised from the factory, and counterfeit devices are a real issue.
Again, not a race issue. China is a global power, and it's acting like one with a solid strategy. It's likewise a solid strategy to avoid cheap off-brand network equipment for your infrastructure. TANSTAAFL, you get what you pay for.
This IS an instance where.... (Score:4, Insightful)
You get what you pay for.... Honestly if they are cheaper than d-Link, something must be wrong.
It's just like buying your servers from Happy Fun server company. What did you expect you were getting for $49.95?
Re:Tank Man is not surprised (Score:4, Insightful)
Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank [wikipedia.org] than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.
It would be nice to think that by working for American companies you wouldn't be also be behind the controls of the tanks, but unfortunately that's not the case.