Article by Chris Wysopal
When I read the New York Time BITS article “The Dangers of Allowing an Adversary Access to a Network” by John Markoff, I thought the fear of trojaned vendor products is misplaced. The much bigger problem is vulnerable products. To cyber security experts, a serious vulnerability is indistinguishable from a backdoor as both allow an adversary to take control of a system or device. Yet the U.S. House Committee seems preoccupied with backdoors in Huawei technology while ignoring the gaping vulnerabilities.
On Thursday October 11 I sat in an audience at the “Hack in the Box” security conference in Kuala Lumpur alongside three representatives from Huawei. We were all there to listen to German security expert Felix “FX” Lindner describe all of the devastating vulnerabilities he discovered from his analysis of Huawei network routers. FX didn’t find any backdoors but what he did find in vulnerabilities will keep me from deploying the devices anywhere near my IT organization.
Actually that isn’t entirely true. FX did find hardcoded local bootloader passwords. These would require physical access and are the types of hardcoded passwords commonly found in networking gear and appliances. Yes a vulnerability but not likely nefarious. Here are the passwords for 6 of Huawei’s routers:
Platform Password
AR18 WhiteLily2970013
AR28 WhiteLily2970013
AR46 supperman
NE20 8070bsp
NE40/80 www@huawei
Decisions on IT purchases or boycotts should be made on facts. Organizations should test technology for vulnerabilities and backdoors, which I would argue are just intentional vulnerabilities. If it passes the test, make the purchase. If it doesn’t, find a supplier that does. If you are afraid of backdoors it would be best to learn from Hanlon’s razor: “Never attribute to malice that which is adequately explained by stupidity.”
Cross-posted from Veracode