The security of routers made by Chinese firm Huawei Technologies has been called into question by two network-security experts at the Defcon hacking convention.
They said the Huawei routers have very few modern security protections and contain easy-to-find vulnerabilities.
The two researchers – Felix “FX” Lindner and Gregor Kopf, both of Recurity Labs – analysed two small-office routers made by Huawei and found a number of vulnerabilities. The ease with which the flaws were exploited shows that the company appears to have a security process reminiscent of the 1990s, complete with a lack of response to bug reports, Lindner stated in an email interview.
“It’s 1990s code and operating system design,” said Lindner, who heads up Recurity Labs. “The OS has absolutely no mitigations in place; to the contrary, it even has functionality to help you exploit it.”
“When you look at companies, one of the things you don’t want to do … you don’t want to have people doubting, will you copy their intellectual property,” Chambers told The Wall Street Journal. “You don’t want to have them doubting about is there security issues, etc.”
Huawei has opened up more about details on the company’s finances but has downplayed its ambitions against other networking vendors.
Still, the networking vendor needs to do better about the actual security of its products, said Lindner. The company’s routers lack modern security measures, such as the ability to limit the execution of certain portions of memory and randomising the addresses where programs are loaded, a feature known as address space layout randomization (ASLR), he said.
“The low cost of these devices comes at a price: security,” said Lindner.
The key vulnerability, a heap overflow in the router software, combined with the lack of security defenses, makes the routers easy to exploit.
The vulnerabilities “were pretty easy to find and we suspect more of them in the code base,” said Lindner.
The researchers were not able to determine the contact point for the company. Following the Defcon talk on 29 July, the networking vendor issued a statement indicating that vulnerability reports can be sent to their Network Security Incident Response Team (NSIRT), a fact that is not clear from the information online, said Lindner.
In a statement released to the Agence France-Presse, Huawei countered that its system for responding to vulnerabilities and security issues is active and ready.
“Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management,” the company told AFP.
Think you know security? Test yourself with our quiz!
Suspended prison sentence for Craig Wright for “flagrant breach” of court order, after his false…
Cash-strapped south American country agrees to sell or discontinue its national Bitcoin wallet after signing…
Google's change will allow advertisers to track customers' digital “fingerprints”, but UK data protection watchdog…
Welcome to Silicon In Focus Podcast: Tech in 2025! Join Steven Webb, UK Chief Technology…
European Commission publishes preliminary instructions to Apple on how to open up iOS to rivals,…
San Francisco jury finds Nima Momeni guilty of second-degree murder of Cash App founder Bob…