Slashdot Mirror


Security Expert: Huawei Routers Riddled With Vulnerabilities

sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors." Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'

126 comments

  1. This doesn't surprise me... by Anonymous Coward · · Score: 1

    I've always hated Huawei because their products seem inferior. This just reinforces that. I'm not surprised at all.

    1. Re:This doesn't surprise me... by Xest · · Score: 1

      I'll be honest, despite them being such a massive firm, and having heard about them many hundreds of times on Slashdot, I've never actually seen a piece of Huawei kit here in the UK.

      Are they just not particularly prominent in the UK market? or are they one of those firms who let others rebrand their kit?

      The reason I ask is because I don't want to inadvertently use their kit - if it's been rebranded to something else I want to avoid it. If it doesn't get rebranded then I guess I'm okay, because encountering Huawei kit seems to be an uncommon thing here in the UK anyway, though if they do have a decent presence in our market, I'd be intrigued to know where (e.g. do certain ISPs provide Huawei routers?, or do certain industry sectors use their other networking kit more than others?).

    2. Re:This doesn't surprise me... by Anonymous Coward · · Score: 5, Interesting

      They do usually rebrand their stuff. Some "lower-end" mobile phones, probably ones that carry the operator's brand name and not the manufacturer's, are likely to be made by Huawei or similar companies (ZTE, as another example).

      Another reason Huawei is so cheap is because they don't "innovate" like (most?) Western companies do. They kinda consider R&D to be a profit center and will not move an inch to develop something that is not _known_ to be profitable. I have first-hand experience with this. I work for Huawei. There!, I said it.

      Most customer meetings we have involve going to ask for requirements that they can be sent back up the chain to HQ (R&D) to get started on the development. Seriously. Our Chinese bosses (can't call them managers) and counterparts (some of the "local" staff have a Chinese "mirror") are constantly asking to find the customer's Strategy for a particular product/service and what the business model is going to be....even from technical staff at the customer.

      I recently read this article http://www.brookings.edu/research/articles/2012/07/10-china-multinationals-shambaugh and it paints a pretty accurate picture of my everyday life working here.

      As much as they "sell" the idea of being a communist country, they are still very much a feudal culture with a close-minded and I'm-never-ever-wrong-because-I'm-the-boss mentality. And it'll catch up to them...soon

      When people mention something about the Chinese taking over the world, I worry too. Just for very different reasons.

      (Posted as AC ((from work)) for obvious reasons)

    3. Re:This doesn't surprise me... by Anonymous Coward · · Score: 3, Interesting

      Oh, and the R&D guys that I've met, look like they're fresh out of the University (or ...idk) and no one has bothered to create any formal programming practices or the like...which is why I totally believe the comment about security coding practices being from 15 years ago.

    4. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      Yeah right. Like Cisco products have less backdoors than Microsoft's products...

    5. Re:This doesn't surprise me... by Bondz · · Score: 1

      They make a lot of telephony equipment, software based switches that run ISDN circuits. Do you have an o2 mobile phone? http://www.computerweekly.com/news/2240150185/Huawei-wins-contract-for-O2-network

    6. Re:This doesn't surprise me... by SpooForBrains · · Score: 1

      Huawei make the 3 "MiFi", the original generation at least and probably the rest too. They also make 3G dongles.

      --
      "The dew has clearly fallen with a particularly sickening thud this morning"
    7. Re:This doesn't surprise me... by Antarius · · Score: 2

      It sure makes me take back all the things I thought when the Australian Government Banned Huawei from tendering for the National Broadband Network

    8. Re:This doesn't surprise me... by AlecC · · Score: 1

      My Vodafone dongle and 3 MiFi are both relabelled Huawei products. I think there are a lot of them around, but rebranded by the phone companies.

      --
      Consciousness is an illusion caused by an excess of self consciousness.
    9. Re:This doesn't surprise me... by galaad2 · · Score: 1

      Many Vodafone-branded devices across the entire Europe are actually Huawei devices, especially those USB 3G+ HSDPA/HSUPA wireless modems that look like fattened USB drives.
      If you have one, look on its back and it's almost guaranteed to see the label that says it's made by Huawei.
      Also, the installation package for Vodafone Mobile Connect (their connectivity management software) has most of its drivers made by Huawei.

      --
      root@127.0.0.1
    10. Re:This doesn't surprise me... by faedle · · Score: 3, Interesting

      It is catching up to them.

      I work for a telecom company that has a significant investment in Huawei gear. Their equipment often has serious bugs, and upper management is starting to notice that the ability of the service and support teams to "do their jobs" is being hurt by Huawei's bugs, and we're seriously entertaining bids from other vendors.

      The sad part is that their equipment is SO much cheaper than anything else on the market.. I don't know if we could afford to even convert a fraction of our gear to some other vendor. The economics of the business is such that we couldn't afford to provide the service at the prices we charge without using the cheapest option available.

    11. Re:This doesn't surprise me... by JDG1980 · · Score: 4, Interesting

      From the article you linked:

      Chinese business culture values interpersonal over institutional relationships, and business decisions are often oriented towards short-term profit. There is also a lack of transparency and oversight, which has been linked to a high degree of corruption.

      Right, because stuff like that would never happen in the United States...

    12. Re:This doesn't surprise me... by Anonymous Coward · · Score: 1
      Hey, Joe, did you notice the bit at the top of the page about how Huawei gear allows snooping on users' traffic?

      Guess what kind of gear we use here at Huawei.

      Please step into my office.

      Your boss

    13. Re:This doesn't surprise me... by pnutjam · · Score: 1

      This is one of those chicken and egg problems, you have priced yourself low, driving others out of the business and now realize you are too low, along comes better service. Either from you, or someone else.

    14. Re:This doesn't surprise me... by airdweller · · Score: 1

      It does happen in the US too, but on a much smaller scale.

    15. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      Actually, I believe that was Novatel...and then Huawei came out with a similar product...*cough* copy *cough*

    16. Re:This doesn't surprise me... by Rudeboy777 · · Score: 2

      I'm Canadian and your post absolutely SCREAMS Wind Mobile (you don't have to answer if you don't want to).

      I think Globalive uses Huawei gear in most or all of the other countries they have a presence in as well...

      --

      From hell's heart I fstab at /dev/hdc

    17. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      Let me tell you that your computer information is checked once in a while for your "manager"; they receive information on your activities often, including your mails of course. (Some Chinese staff do not know how to keep secrets.)

    18. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      They have different levels of R&D; some of them do not even do R&D at all, instead they gather faults of equipment that nobody else could solve, not even in local TAC or GTAC!

    19. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      If you run another antivirus on your corporate PC you may find some evidence..

    20. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      From the article you linked:

      Chinese business culture values interpersonal over institutional relationships, and business decisions are often oriented towards short-term profit. There is also a lack of transparency and oversight, which has been linked to a high degree of corruption.

      Right, because stuff like that would never happen in the United States...

      You should go occupy a street and send someone a message......

    21. Re:This doesn't surprise me... by MROD · · Score: 1

      If you have had installed BT's Fibre To The Cabinet broadband service, either directly from BT or via one of the resellers, then it's most likely that the modem will be a Huawei. Also, the comms equipment installed in the street cabinets will be manufactured by them.

      As far as I'm aware, the company has no (own brand) retail products in the UK.

      --

      Agrajag: "Oh no, not again!"
    22. Re:This doesn't surprise me... by thegarbz · · Score: 1

      I'll be honest, despite them being such a massive firm, and having heard about them many hundreds of times on Slashdot, I've never actually seen a piece of Huawei kit here in the UK.

      I would have a look in the back cover of any 3G USB modem. In 6 different companies through a multitude of carriers I have never seen a carrier branded 3G stick that wasn't manufactured by Huawei.

    23. Re:This doesn't surprise me... by petermgreen · · Score: 1

      I'll be honest, despite them being such a massive firm, and having heard about them many hundreds of times on Slashdot, I've never actually seen a piece of Huawei kit here in the UK.

      Afaict most mobile broadband sticks sold in the UK are made by them.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    24. Re:This doesn't surprise me... by petermgreen · · Score: 1

      I've bought non-rebranded (don't recall if they have Huawei's brand printed on them or if they are just plain white with no brand marking) Huawei mobile broadband sticks in the UK (I wanted them unlocked so I could freely switch carriers and I also wanted an external antenna which meant I needed specific models, many of the newer ones lack the external antenna connector). It was from a computer gear supplier though not retail.

      --
      note: i'm known as plugwash most places but i screwd up registering that here somehow in the past and now can't register
    25. Re:This doesn't surprise me... by Anonymous Coward · · Score: 0

      I know for certain that Level 3 Networks has been putting Huawei routers into place. I'm a customer of theirs and have seen the routers in operation while touring their network centers. It made me uneasy then and it makes me even more so now. Unless they officially replace them, I'm thinking we'll be taking our business elsewhere.

  2. Well... by AngryDeuce · · Score: 4, Insightful

    You get what you pay for. Who would trust this craptastic bargain basement shit anyway? When something is being sold for a much lower price then competing products, there is a reason for it.

    1. Re:Well... by 1u3hr · · Score: 2, Insightful

      When something is being sold for a much lower price then competing products, there is a reason for it.

      Yeah, they cloned the designs. Which is naughty, but doesn't mean they don't work exactly the same as the original version.

    2. Re:Well... by obarthelemy · · Score: 1, Insightful

      Yep. That's what Linux is so crappy compared to Windows. Oh, wait...

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    3. Re:Well... by AngryDeuce · · Score: 1

      I highly doubt the motivations behind the low price of Linux as compared to the low price of these Chinese shit-tier routers are one and the same, which I'm betting you damn well know yourself, but if you want to play the 'feigned ignorance' game, you go for it buddy.

      Would you buy electronics out of the back of a van? It could be legit, amirite?

    4. Re:Well... by AngryDeuce · · Score: 4, Funny

      Yeah, exactly the same, except for all the deliberately inserted vulnerabilities. What a bargain!

    5. Re:Well... by Anonymous Coward · · Score: 0

      Does it make a difference if the device is wide open because nobody closed all the doors (east) or because someone opened a backdoor (west)? The most sensible requirement is that a router should be able to run OpenWRT. The hardware works, it just needs better software. If that's available, who cares that the vendor-supplied software is shit?

    6. Re:Well... by h4rr4r · · Score: 1

      I strongly disagree. I can name many 6 figure software products that are worse than a free option in every way. I can name hardware that is similar.

    7. Re:Well... by khallow · · Score: 1

      Unless, of course, the hardware itself has built in vulnerabilities. Then better software isn't good enough.

    8. Re:Well... by Anonymous Coward · · Score: 0

      Go on then, name them.

    9. Re:Well... by fuzzyfuzzyfungus · · Score: 3, Insightful

      Does it make a difference if the device is wide open because nobody closed all the doors (east) or because someone opened a backdoor (west)?

      In practice, it almost certainly does: Vulnerabilities are exploitable by anybody who knows about them and cares to do so. That is a fairly long list of the world's spook shops, spammers, questionably socialized teenagers, and so forth. Law enforcement backdoors (unless they are also badly implemented and vulnerable) are exploitable by the law enforcement of your given jurisdiction. Not wildly comforting; but it is a shorter list...

      You would hardly call me a friend of CALEA and its analogs; but surveillance-under-color-of-law does have the advantage, from a security perspective, of essentially making the local feds users, rather than attackers, of the system. If they already get what they want, they have no incentive to weaken the security mechanisms in order to get what they want (and, indeed, if they want exclusivity, they have an interest in keeping their competitors out). It doesn't help the little people on the end of the wire all that much, of course.

    10. Re:Well... by h4rr4r · · Score: 1

      Let's just say the call center world is full of them. CXM, Click, the list goes on and on. Generally the more it costs the less users, this means little testing gets done.

    11. Re:Well... by poity · · Score: 3, Insightful

      Well, they could just as likely be inadvertent vulnerabilities due to Huawei not diligently copying the newest firmware code from Cisco.

      --
      your thin skin doesn't make me a troll
    12. Re:Well... by UnknowingFool · · Score: 1

      They think they cloned the designs at some level. They may not have gotten all the details right. Remember capacitor plague? That was a case of industrial theft of an electrolytic formula; however, the formula was incomplete. It wasn't until about 2000 hours into operation that problems would occur.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    13. Re:Well... by Anonymous Coward · · Score: 0

      CXM, Click, the list goes on and on.

      Yet your list stopped at two examples. I'm not necessarily disagreeing with you, but I highly doubt Huawei is releasing these bargain basement routers because they want to give back to the world. If you want to believe that, that's your prerogative, but frankly, I don't fucking trust them. The motivations behind, say, the Raspberry Pi people and Huawei, are likely very different. Call that racist or Anti-Chinese if you want, but with all the industrial espionage and hacking originating from there, I would think that would be a consideration to anyone that's reasonably competent.

    14. Re:Well... by Anonymous Coward · · Score: 0

      Who would trust this craptastic bargain basement shit anyway?

      A government office for example. Here you have people making IT decisions who don't have a fucking clue.
      Work for the government for a few months and you'll soon realize why our country is so fucked up.

    15. Re:Well... by CuriousGeorge113 · · Score: 1

      Tell that to finance. Or a school board. Or any media "investigative reporter" looking for a ratings bump during sweeps week.

      In any public sector, low price almost always wins, because it's safe. Not necessarily for the organization, but definitely for the IT or CIO's job. If shit hits the fan, they can almost always pass the blame and keep their job. Except when it comes to money and (perceived) overspending and waste.

      --
      No man is an island, But if you take a bunch of dead guys and tie them together, they make a pretty good raft.
    16. Re:Well... by Anonymous Coward · · Score: 0

      What did you expect? You didn't really think Cisco was going to allow them to keep stealing their source time and time again?

    17. Re:Well... by Anonymous Coward · · Score: 0

      Those are not the kind of backdoors I meant. I had things like WPS-PIN in mind, which is designed to be broken. Remember how you could disable WPS in Linksys routers and they would accept WPS requests anyway? That kind of backdoor.

    18. Re:Well... by AngryDeuce · · Score: 1

      Whether due to incompetence or malice, it still screams Caveat Emptor, and most people should know better. Even before this particular story broke, how many /.'ers were considering buying network hardware from this company? Probably not many. Most reasonable people can see a deal that is too good to be true.

    19. Re:Well... by h4rr4r · · Score: 1

      That is not what I am saying at all.
      What I am saying is some cheap things are better than some expensive things.

      My list is two, because that is enough to be more than $500k worth of shit.

    20. Re:Well... by Anonymous Coward · · Score: 0

      Not diligently copying?

      Wouldn't that cause some Cisco vulnerabilities to be missed?

    21. Re:Well... by mcgrew · · Score: 1

      You get what you pay for.

      ...says the lemon salesman at the used car lot. No, that's backwards. A bottle of Aleve costs three times as much as the generic and it's the same drug. You're paying for pain relief and led to believe that Aleve is superior to the generic, when it may have come from the same factory.

      You pay for what you get. You only get what you pay for if you're lucky. Item A costing more than item B is no guarantee that item A is superior to item B, and in fact the cheaper alternative may in fact be the better choice.

      Determining whether or not you're getting what you paid for is difficult. In this case, it's pretty obvious that these cheap routers are in fact bad.

      Oh, one more little correction that I hope you will appreciate: When something is being sold for a much lower price then [sic] competing products, there is a reason for it.

      Than

    22. Re:Well... by JDG1980 · · Score: 1

      You get what you pay for. Who would trust this craptastic bargain basement shit anyway? When something is being sold for a much lower price then competing products, there is a reason for it.

      That's not always the case; sometimes certain companies really do offer better price/performance ratio than others. One example I've seen is in the area of woodworking tools. Companies like Delta and Powermatic used to make stationary power tools in the USA; these were built like tanks, priced high but great quality. Then in the mid-1990s they got greedy and started outsourcing production to Taiwan and mainland China, but the prices remained the same. Today even the company names are owned by multinational conglomerates, but they still price as if they were doing things the old way. (There is one exception: Delta's top-end table saw is made in America.) Sometime after this happened, a new company called Grizzly started in the power tool business. They also produced their tools in Taiwan/China, but unlike the legacy players, they passed the cost savings on to customers. (It also helped that they sell exclusively online, rather than through dealers.) From everything I've heard and seen, Grizzly tools really do offer better price/performance than the traditional brands. They generally get good ratings and good recommendations on boards and forums. (And the CEO actually participates in at least one woodworking forum and sometimes personally intervenes if customers are having problems.) Many of the designs are copied from existing designs (the power tool field is far less patent-encumbered than IT, and many designs haven't changed in decades anyway). And the quality seems to be on par with what the other companies are putting out from the same or similar factories.

    23. Re:Well... by zlives · · Score: 1

      why copy when they can hire laid off cisco programmers for cheap...

    24. Re:Well... by coastwalker · · Score: 1

      There are well established security testing methods such as FIPS certification. It costs money to implement defenses and it costs money to do the testing. That is often what you are paying for in more expensive products. You will also probably get hardware that works over a wider temperature range and a product that has been through accelerated life testing and meets the published specification on every single unit made. Take your pick, you can buy products cheaply that usually do the job without problems or you can pay more and get product that is guaranteed to do what it is specified to do and won't have any wrinkles like potential security vulnerabilities. There are markets for both kinds of product, you need to pick the one that fits your use case.

      --
      Facts are history now plebs have politics for religion on social media.
    25. Re:Well... by obarthelemy · · Score: 1

      You're confusing distribution channels, products, hardware, software...

      Regarding the "more expensive is always better": no it isn't. There are oodles of examples where paying more is just being a sucker, not getting more quality/features/service. Yep, I'm thinking of Hi-Fi ethernet cables; of the no-name champagne that was ranked higher than almost all brands in a blind test, of linux vs windows.

      To stay in the "router" market, don't forget Cisco treated their customers to a forced update that forced them to manage their routers via cisco's servers, and sign over rights to their traffic info. I'd rather have a few bugs in my firmware and no spying+cloud dependency, thank you. Especially at 1/10th the price.

      --
      The Cloud - because you don't care if your apps and data are up in the air.
    26. Re:Well... by Jade_Wayfarer · · Score: 1

      For some strange reason your sig is now playing in my head on the motive of "Uptown girl". Ah, slow work day...

      --
      Absence of proof != proof of absence.
  3. summary is racist by 1u3hr · · Score: 0, Flamebait

    could potentially enable attackers, or the Chinese government, to snoop on users' traffic

    If they exist they would allow ANYBODY to snoop on users' traffic. What is this, SlashFox? How about "could potentially enable attackers, or PRESIDENT BARACK HUSSEIN OBAMA to snoop on users' traffic!." or "could potentially enable attackers, or homosexuals, to snoop on users' traffic".

    1. Re:summary is racist by Anonymous Coward · · Score: 3, Funny

      Nice try, Chinese government.

    2. Re:summary is racist by JohnnyMindcrime · · Score: 1

      Agreed. Someone in Slashdot needs to read up on the differences between "vulnerability" and "back door".

      --
      Windows 10 is great - I used it to download Linux.
    3. Re:summary is racist by h4rr4r · · Score: 0

      When did Chinese become a race?
      I would suggest it is instead biased against the Chinese as a nation not as a people.

    4. Re:summary is racist by Anonymous Coward · · Score: 0

      Agreed. Someone in Slashdot needs to read up on the differences between "vulnerability" and "back door".

      You're kidding right? A "vulnerability" is sometimes a well-hidden "back door". That's how I build them.

    5. Re:summary is racist by JohnnyMindcrime · · Score: 3, Informative

      Actually, a back door is deliberately created to allow specific people to come into the system - like a known account name with a known password. Just because you know the back door is there doesn't mean you can use it if you don't know the user and password.

      A vulnerability tends to be as a result of poor design or a software bug - and not usually placed deliberately.

      That's a clear distinction...

      --
      Windows 10 is great - I used it to download Linux.
    6. Re:summary is racist by Sponge+Bath · · Score: 1

      Jim Sting: Mister Potato Head! Mister Potato Head! Back doors are not secrets!
      Malvin: Yeah, but Jim, you're giving away all our best tricks!

    7. Re:summary is racist by fa2k · · Score: 1, Funny

      Well it's nothing compared to the slides. When research is presented in such a xenophobic, childish way, it makes it hard to take it seriously (and this cyber* stuff is potentially very serious). Slashdot, being a news organisation and not a hackers should be held to a higher standard, though.

    8. Re:summary is racist by Anonymous Coward · · Score: 0

      However, what looks like an unintended security flaw is also the best backdoor, obviously. Because sooner or later someone is going to find it.

    9. Re:summary is racist by SoupIsGood+Food · · Score: 5, Insightful

      First, I don't think you are working from a good definition of "racist." If someone insinuated that Cisco had a backdoor deal with the NSA, I doubt people would be screaming "racist" or even do anything more than shrug and frown. It's sound strategy, and the Chinese government is very good at infosec and cyberwar - the reason why people are up in arms isn't because the Chinese are a different race, it's that the Chinese government has been caught repeatedly engaging in corporate espionage as well as old fashioned espionage, where the US generally only bothers with the latter.

      Second, almost anyone who has a real infrastructure to protect knows that Huawei works arm-in-arm (or hand-in-pocket, more likely) with the 7th Bureau of the 3rd People's Liberation Army, the Chinese military infosec unit responsible for network penetration. The 7B3PLA has investments all through China's technology sector, to the point where individual chips on routers made elsewhere need to be vetted, as they might be compromised from the factory, and counterfeit devices are a real issue.

      Again, not a race issue. China is a global power, and it's acting like one with a solid strategy. It's likewise a solid strategy to avoid cheap off-brand network equipment for your infrastructure. TANSTAAFL, you get what you pay for.

    10. Re:summary is racist by Anonymous Coward · · Score: 0

      The proper term is xenuphobe, as described herein:
      http://en.wikipedia.org/wiki/Xenu (+ phobe to be precise).

    11. Re:summary is racist by Anonymous Coward · · Score: 0

      Since when is Slashdot a news organization?

    12. Re:summary is racist by Bill,+Shooter+of+Bul · · Score: 1

      Well, aside from your crazy definition of what racism is (I hate the Syrian government, therefore I must be racist?), it's also a stupid summary. The Chinese government already can do pretty much whatever the f*ck it wants to inside its own borders. I'm not sure they really care about any traffic from Africa or the Middle East, maybe the rest of Asia, but I'd imagine they'd already have good info through other means. If they were really trying to do bad stuff they wouldn't put vulnerabilities into an untrusted brand, they'd put them into Cisco or Juniper that would be used by higher valued targets.

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    13. Re:summary is racist by Bill,+Shooter+of+Bul · · Score: 1

      Furthermore, when did hating a government mean you hated the people it governed?

      --
      Well.. maybe. Or Maybe not. But Definitely not sort of.
    14. Re:summary is racist by poity · · Score: 2

      I wouldn't call this racist. Racist would be saying that this event is evidence that Chinese people are inherently secretive/exploitative/dubious in nature. If someone says that, then I'd be on your side. However, the line you quoted is no different from 99% of the first post comments here on stories about the US government doing something /. doesn't like. Unless you and the mods who have modded you up are prepared to reject all of those past comments as racist (or having some other population-based prejudice) as well, then your claim has no basis.

      --
      your thin skin doesn't make me a troll
    15. Re:summary is racist by poity · · Score: 1

      I'd like to also mention that those epic first post screeds are usually rated +5.

      --
      your thin skin doesn't make me a troll
    16. Re:summary is racist by defender.tx · · Score: 1

      I don't think that the summary is racist at all. Making a conjecture that a Chinese IT company, owned by an Ex-Chinese military officer, is purposefully leaving vulnerabilities in its products that the Chinese government can exploit is sensational, but not racist.

    17. Re:summary is racist by Anonymous Coward · · Score: 0

      Furthermore, when did hating a government mean you hated the people it governed?

      when the people support the government and any and all viewpoints are based that everyone else is inferior because they can steal, copy and not spend a dime on r&d while fueling the globalization market crisis.

      So, f@#$ off taliban commie nazi flag waver. :)

      And have a nice day.

    18. Re:summary is racist by Anonymous Coward · · Score: 0

      Not racist. Prejudiced, Xenophobic, or just lame.

    19. Re:summary is racist by Anonymous Coward · · Score: 0

      Isn't Huawei part owned by the Chinese government?

    20. Re:summary is racist by drkstr1 · · Score: 1

      Well said. Thanks.

      --
      Fanboy Status: Apache Flex, C#, Eclipse, KDE, Pirate Party, Ron Paul, Slackware, Windows 7
    21. Re:summary is racist by Anonymous Coward · · Score: 0

      The people making the backdoors aren't stupid. They hide their backdoors in plain sight, because nobody's looking, and if somebody happens to look anyway, it's always an oversight, a lapse, an oopsie. If somebody should find additional user accounts, you're busted. If someone finds a bug that allows you access to any system you sold, you apologize, fix that one and nobody's the wiser. That's how it's done.

    22. Re:summary is racist by Anonymous Coward · · Score: 0

      the Chinese government has been caught repeatedly engaging in corporate espionage as well as old fashioned espionage, where the US generally only bothers with the latter.

      How is that not modded funny?

    23. Re:summary is racist by 1u3hr · · Score: 2

      When did Chinese become a race?

      I'd guess at least 10,000 years ago. The Chinese certainly think they are a "race". Google "ethnic Chinese" and argue with the 2 million hits.

      Anyway, racism or just flamebait, it's an accusation without a shred of proof. Yes, we know that the Chinese govt isn't above a bit of techno-espionage, but still PROVE IT FIRST.

    24. Re:summary is racist by 1u3hr · · Score: 1

      "not a race issue"

      Right. Well, I guess to Americans, "racism" means using the "N word" or the "J word". Prejudice against foreigners is just good sense.

      The summary leaps from a statement that a vulnerability has been found to implying that a foreign power is using it for espionage. Without bothering to establish that ANY espionage has taken place at all, let alone who might have done it. But feel free to "Kill them all and let God sort them out".

    25. Re:summary is racist by 1u3hr · · Score: 1

      Well, fuck, I only got +3. I should have been more over the top.

    26. Re:summary is racist by ColdWetDog · · Score: 2

      I'm not sure they really care about any traffic from Africa or the Middle east, maybe the rest of Asia, but I'd imagine they'd already have good info through other means.

      Au contraire, China does care about Africa and the Middle East. Very much so. One word:

      Resources.

      The ME still has lots of the black stuff. That's still very important. China uses a lot of black stuff, wants more, wants a long term supply (just like everyone else). Increasing one's ability to sniff out the various issues surrounding oil and politics in the ME is important to any major country, China included.

      Africa is becoming a new area of opportunity for China. After the West has fucked over the continent for several centuries, the Chinese see a chance to 'help' while continuing to extract resources. The fact that they are more willing to overlook certain ethical constraints puts them at a definite advantage. For more info, return to your search engine of choice - lots of stuff out there.

      --
      Faster! Faster! Faster would be better!
    27. Re:summary is racist by Anonymous Coward · · Score: 0

      Actually there are a few documented cases where the CIA was doing commercial espionage for the aircraft and automobile industries. Although you said 'generally', maybe the commercial espionage was accidental, as in, the CIA was capturing foreign communications anyway and they found some useful things in there they could forward to some US companies, for no cost.

    28. Re:summary is racist by sabri · · Score: 1

      If they exist they would allow ANYBODY to snoop on users' traffic. What is this, SlashFox? How about "could potentially enable attackers, or PRESIDENT BARACK HUSSEIN OBAMA to snoop on users' traffic!." or "could potentially enable attackers, or homosexuals, to snoop on users' traffic".

      As the story submitter I find your accusation of racism unfair. Chinese government access to Huawei equipment has been a concern for years, check for example this Wikipedia entry on Huawei.

      This has nothing to do with racism. This has to do with the company's background and practices. Have you read this article, about a data stealing employee?

      --
      I'm not a complete idiot... Some parts are missing.
    29. Re:summary is racist by raodin · · Score: 1

      Be fair, there really is a difference between distrusting all ethnically Chinese people and distrusting the Chinese government.

    30. Re:summary is racist by theArtificial · · Score: 2

      Right. Well, I guess to Americans, "racism" means using the "N word" or the "J word". Prejudice against foreigners is just good sense.

      You are aware that China isn't a race, it's a country. And as a buyer of Chinese goods America buys many, so your racist comment is without merit, if anything it would be referred to as Nationalism (Nationalistic is often used to describe Chinese, here is result number 3 for 'how are foreigners treated in china'). Prejudice and ethnocentric view points are hardly unique to Americans. Prejudice of foreigners is alive and well outside of America and there are many more non-Americans than Americans. One can look nearly anywhere to see it from France to Korea. While America has its issues, it's referred to as the melting pot with good reason. This still applies because she admits over 1 million people a year with permanent resident status. This doesn't include illegal immigration. Asia, specifically China, Korea, Japan are tolerant of foreigners but the word xenophobic comes into play especially when you look at their demographics...

      The summary leaps from a statement that a vulnerability has been found to implying that a foreign power is using it for espionage. Without bothering to establish that ANY espionage has taken place at all, let alone who might have done it.

      I'm not sure what rock you live under, but these devices do have back doors built into them. All of them do, even CISCO gear does, which these devices bear strong resemblance to. Screw foreign powers, wouldn't any owner be concerned with unauthorized use of their property? Let me guess, you give it a pass based on ethnicity? Wouldn't want to be racist after all! /sarcasm. You're in front of a computer connected to the internet with several search engines ready to provide information at your request. All that's required is a little effort on your part to educate yourself.

      But feel free to "Kill them all and let God sort them out".

      You mean like the Cultural Revolution?

      --
      Man blir trött av att gå och göra ingenting.
    31. Re:summary is racist by Anonymous Coward · · Score: 0

      The race is Han. China has other races, but none of them have any influence. The next largest ethnicity is a little more than 1% as numerous as the Han.

      For most purposes, the nation of China and the ethnicity Han can be considered synonymous.

  4. FTW by rmdingler · · Score: 0

    So these Chinese Olympians are the rule rather than the exception? Crazytown!

    --
    Happiness in intelligent people is the rarest thing I know.

    Ernest Hemingway

  5. Re:WHA !! CHINA COMPANY OWNS YOU ?? by Anonymous Coward · · Score: 0

    It be because it is.

  6. And how is this different from any other vendor? by pointyhat · · Score: 2

    Cisco, Juniper, HP, Nortel, Ericsson are all proprietary black boxes as well. Perhaps they all have vulnerabilities like this? We will never know but perhaps our governments do?

    Unfortunately, it's a niche and there are no open source carrier grade router platforms :(

  7. The CIA did it! by Anonymous Coward · · Score: 0

    The CIA did it in order to enable them to snoop on Chinese traffic!

  8. I do not see any bug/hacks of carrier grade router by Anonymous Coward · · Score: 1

    I used a NE40 for a couple of weeks to determine if it was worth buying instead of Juniper for our network. I decided against it but I have to admit for the price it did pretty much everything we would want it to do. The hardware build quality left a lot to be desired and it was only 32 bit CPU so the memory would never be able to be upgraded past 4 gigs so we passed.

    But to hack a few small SOHO routers and then make the claim carrier grade gear is also just as bad without ever touching or using it? I think that is pretty sad.
    Does one find a bug in some crappy apache module and then make the claim apache itself is also poor? No. So why here?

    I do use Huawei sonet gear though. Great bang for the buck, reliable, and just works.

  9. Tank Man is not surprised by cryfreedomlove · · Score: 3

    Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

    1. Re:Tank Man is not surprised by sociocapitalist · · Score: 3, Insightful

      Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

      It would be nice to think that by working for American companies you wouldn't also be behind the controls of the tanks, but unfortunately that's not the case.

      --
      blindly antisocialist = antisocial
    2. Re:Tank Man is not surprised by cryfreedomlove · · Score: 1

      Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

      It would be nice to think that by working for American companies you wouldn't also be behind the controls of the tanks, but unfortunately that's not the case.

      I'm against injustice, regardless of whether it is committed by Americans or Chinese or anyone else. You seem to be arguing that crushing children with tanks at Tiananmen Square was morally allowed because the USA government has been known to also have moral failures. That's an interesting world view on your part.

    3. Re:Tank Man is not surprised by Jade_Wayfarer · · Score: 1

      Hmm... and you seem to be arguing that by creating your product and paying your taxes you're actively not supporting your government, with all of Guantanamo, TSA and Predator drones "little mistakes"? So if you are so strongly inclined against use of government's overwhelming force (military and other) against common people, why do you allow these things to happen? Using your analogy, you are not behind the controls of the tank, but you are on the passenger seat, drinking coke and paying for gas for the said tank on every stop. Which is, of course, much better.

      And yes, I am, like you, paying for gas for government's oppressive machine in my country. But at least I'm not trying to pretend that I'm somehow better than everyone else.

      --
      Absence of proof != proof of absence.
    4. Re:Tank Man is not surprised by sociocapitalist · · Score: 2

      Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.

      It would be nice to think that by working for American companies you wouldn't also be behind the controls of the tanks, but unfortunately that's not the case.

      I'm against injustice, regardless of whether it is committed by Americans or Chinese or anyone else. You seem to be arguing that crushing children with tanks at Tiananmen Square was morally allowed because the USA government has been known to also have moral failures. That's an interesting world view on your part.

      I can't even begin to imagine how you could come to such a conclusion based on what I said. In fact it's so far off from what I said, and what I think, that I have trouble figuring out what to say to you without being offensive.

      I'll rather try and clarify what I said in other terms. The original poster was saying that he wouldn't work for Huawei because to do so would, in effect, be moral support for the Chinese government who was / is responsible for human rights violations. So far I think you had the same understanding. I then said, that it would be good to think that by working for American companies one would have the moral high ground in such an argument, but that the reality is that many American companies support not only the Chinese government but anyone who has money by selling them services, weapons, products to repress and control their population and so forth. In other words that working for an American company does not automatically mean that you are not supporting the Chinese or any other repressive regime.

      I hope that's more clear.

      --
      blindly antisocialist = antisocial
  10. read the slides by Anonymous Coward · · Score: 0

    'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'

    The only systems that were tested were low end because they were not able to get their hands on Huawei's high end products...

  11. Hahaha. "Security experts" these days... by X.25 · · Score: 3, Interesting

    And hundreds of vulnerabilities in Cisco IOS were somehow different, of course.

    But of course, their vulnerabilities were not related to 'Chinese government' and wouldn't make 'news for retards'.

    Sigh.

    1. Re:Hahaha. "Security experts" these days... by zlives · · Score: 2

      "Unless and until Huawei becomes a stand-alone widely held listed company with employees free to trade their shares and without a controlling shareholder, these suspicions and allegations will likely continue,"
      http://www.itnews.com.au/News/175946,analysis-who-really-owns-huawei.aspx

  12. man, they need to bring back those commercials... by Anonymous Coward · · Score: 0

    http://en.wikipedia.org/wiki/Xenu

    You got your thetans in my peanutbutter!

  13. Are you all dense???? by Anonymous Coward · · Score: 0

    HUAWEI is SPONSORED by the GOVERNMENT. It is NOT a corporate entity, it is an EXTENSION of the government.

    That said, hell, not a bad way to protect your citizens from corporate imperialism...

    Neil saw it right, grand-kids are going to inherit SNOWCRASH.

  14. This IS an instance where.... by Lumpy · · Score: 3, Insightful

    You get what you pay for.... Honestly if they are cheaper than d-Link, something must be wrong.

    It's just like buying your servers from Happy Fun server company. What did you expect you were getting for $49.95?

    --
    Do not look at laser with remaining good eye.
    1. Re:This IS an instance where.... by Anonymous Coward · · Score: 0

      Do not taunt Happy Fun server company!

  15. My own Huawei tax is paid-up. by SpzToid · · Score: 3, Informative

    My gargantuan 3G USB-dongle mandated with my subscription from Telfort in the Netherlands is from Huawei. But I never use it, and instead have placed the SIM inside my Nokia N9 (which also tethers nicely). Still, I am claiming the Huawei tax here in the Netherlands.

    --
    You can't be ahead of the curve, if you're stuck in a loop.
  16. Beware FiOS free routers by THE_WELL_HUNG_OYSTER · · Score: 2

    When you subscribe to Verizon FiOS, Verizon gives you a free ActionTec wifi router with custom firmware. No doubt it has similar backdoors.

  17. Oh Yeah? by Greyfox · · Score: 1

    And their competitors are not? In fact, to hear one of their competitors talk about it, if Huawei hardware is riddled with holes, it's only because they copied all those holes (Along with everything else) from their competitor!

    Their competitor's hardware is truly a masterpiece of engineering, and if you're an engineer you may find it to be beautiful. I always thought they should ditch the custom VM, provide some kernel modules and ioctls for the special hardware functionality and do all their programming in C or C++, though. It's kind of hard going back to something like PLEX after programming with pretty much any other language from 1960 on.

    The axe (heh heh) their competitor has to grind with Huawei may very well be a legitimate one. There always were some shenanigans going on. Unfortunately I really don't have a lot of power over what phone switches get used anywhere, so there's not much I can do about it. I do think this possibly-unfair competition has driven more feature development than we might have seen had Huawei not been playing their little game. So maybe in the end it's not all bad, even if it's not particularly good.

    --
    I'm trying to teach myself to set people on fire with my mind... Is it hot in here?

  18. Re:Get the slant on the wogs by couchslug · · Score: 1

    Americans want "cheap" and don't give a fuck.

    This country is getting what its public, ALL of us, deserve.

    Inaction is consent.

    --
    "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
  19. Deceptive title by kelemvor4 · · Score: 1

    The title of this article seems a little deceptive to me. Not that I have a particular fondness for some Chinese router company, but I think this should have been titled "Competitor: Huawei Routers Riddled With Vulnerabilities".

  20. Stereotypical by Anonymous Coward · · Score: 0

    Having interacted with Huawei folks over the years they are nice people and driven but holy shit are they sloppy.

    I don't know what environmental pressures coincide to make them think lax QA and programming standards are acceptable behavior. If they expect to be taken seriously they need to get their shit together.

  21. Since day one.. by Anonymous Coward · · Score: 0

    I've said it anonymously on /. since day one but Huawei is a state company whose sole purpose is to spy on citizens / companies / other states worldwide.

  22. Recurity by LeadSongDog · · Score: 1

    Cnet reports that German security expert Felix Lindner has...

    Some expert. Now everyone knows who he is. Oh, wait, now I get it....

    --
    Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
  23. It is different, if you work in the field. by Moskit · · Score: 2

    It's different because Cisco publicly announces their security advisories and publishes security bug information. Full disclosures:
    http://www.cisco.com/en/US/products/products_security_advisories_listing.html

    Other companies (such as Juniper) are a bit less public, but seem to offer more information than Huawei to their customers too:
    http://s-tools1.juniper.net/support/security/report_vulnerability.html

  24. Safe assumption by ThatsNotPudding · · Score: 1

    I think the safe (and honest) assumption should be that anything coming out of a shipping container that can rub two chips together is a possible attack vector of the PRC. They are the ultimate and most effective sleeper agents ever created.

  25. What about US CALEA by Anonymous Coward · · Score: 0
  26. Researcher by Anonymous Coward · · Score: 0

    Is it just me, or is the researcher in the article holding a "touch my monkey" pose?

  27. Research sponsored by cisco by Anonymous Coward · · Score: 0

    lol

  28. Open Source Software Defined Networking by TheSync · · Score: 1

    Perhaps there is something to be said about routing & switching performed by open source software based systems...

  29. Re:I do not see any bug/hacks of carrier grade rou by Anonymous Coward · · Score: 0

    Thank you for that enlightening review Mr. Wong. See you at the Huawei picnic later this month!

  30. Only Open Source routers have hope of being secure by J+Story · · Score: 1

    Whether it's Huawei or some American company, as long as the source code is hidden there is no way to prove that a router does not have a trap door built in. My first thought for doing this would be through 'port knocking', which would be undetectable until actually used. No doubt, black hats have even more sneaky methods.

  31. Huawei = Linux + C + Lua by Anonymous Coward · · Score: 0

    Huawei's stuff runs Linux. The software is written in C with a lot of the configurability written and controlled by Lua.

    If it's vulnerable at the OS level then that is cluelessness or deliberate.

    They are dirt cheap to work for, or rather they expect you to be. They approached us recently because we had tools they liked. They wanted us to custom port them to Linux for them. When we quoted them they came back to us with "our budget is X" where X was 1/7th of what we quoted them. We declined and told them to find another software vendor.

  32. Re:Only Open Source routers have hope of being sec by NeveRBorN · · Score: 1

    You should have worded your subject "You Can Only Really Know if Open Source Routers are Secure". For the sake of discussion, say I were to create the world's first 100% secure, completely unhackable router and not release its source code. It is secure, but you're assuming it isn't because you can't see that it is. At the same time you can't prove that it isn't. You could spend your entire life trying to find holes in it without ever knowing there was one. (You can't prove a negative)

    Now with that said, if I were to scour the source of every open source router, I may or may not find holes. Even if I didn't, does that mean that none exist? No. That just means that I was only able to validate the lack of holes within the confines of my own experience, short attention span, and ability to grasp the complexity. Sure, you have more eyes on things with Open Source solutions, but that doesn't make them immune to stupidity, lack of knowledge and complacency.

  33. gsm by jamesskaar · · Score: 1

    so now i'm wondering about a purchase i've been considering, gsm modules from rf solutions have huawei pdf's, really cheap stuff, would make putting together a smart phone easy. i'm slightly concerned about the quality and security of the modules now...

  34. Re:Only Open Source routers have hope of being sec by Anonymous Coward · · Score: 0

    Yes, the subject line sucked, but its length is limited. I was going to add "proven" or "able to demonstrate some confidence to be", etc., but what I had was literally as long as was allowed.

    I freely admit that being able to see source code does not guarantee that malicious programming will be spotted, but having the code at least gives people a fighting chance.