Security Expert: Huawei Routers Riddled With Vulnerabilities
sabri writes "Cnet reports that German security expert Felix Lindner has unearthed several vulnerabilities in Huawei's carrier grade routers. These vulnerabilities could potentially enable attackers, or the Chinese government, to snoop on users' traffic and/or perform a man-in-the-middle attack. While these routers are mostly in use in Asia, Africa and the Middle East, they are increasingly being used in other parts of the world as well, because of their dirt-cheap pricing. Disclaimer: I work for one of their competitors."
Via the H, you can check out the presentation slides. Yesterday Huawei issued a statement 'We are aware of the media reports on security vulnerabilities in some small Huawei routers and are verifying these claims...'
You get what you pay for. Who would trust this craptastic bargain basement shit anyway? When something is being sold for a much lower price than competing products, there is a reason for it.
Nice try, Chinese government.
Cisco, Juniper, HP, Nortel, Ericsson are all proprietary black boxes as well. Perhaps they all have vulnerabilities like this? We will never know but perhaps our governments do?
Unfortunately, it's a niche and there are no open source carrier grade router platforms :(
Actually, a back door is deliberately created to allow specific people to come into the system - like a known account name with a known password. Just because you know the back door is there doesn't mean you can use it if you don't know the user and password.
A vulnerability tends to be as a result of poor design or a software bug - and not usually placed deliberately.
That's a clear distinction...
Windows 10 is great - I used it to download Linux.
Huawei is heavily recruiting software developers in the Silicon Valley right now. They contacted me. I did not seriously consider it. In this picture, I identify more with the man in front of the tank than I do with the guys driving the tanks. To spend my life working for Huawei would figuratively put me behind the controls of the tanks.
First, I don't think you are working from a good definition of "racist." If someone insinuated that Cisco had a backdoor deal with the NSA, I doubt people would be screaming "racist" or even do anything more than shrug and frown. It's sound strategy, and the Chinese government is very good at infosec and cyberwar - the reason why people are up in arms isn't because the Chinese are a different race, it's that the Chinese government has been caught repeatedly engaging in corporate espionage as well as old fashioned espionage, where the US generally only bothers with the latter.
Second, almost anyone who has a real infrastructure to protect knows that Huawei works arm-in-arm (or hand-in-pocket, more likely) with the 7th Bureau of the 3rd People's Liberation Army, the Chinese military infosec unit responsible for network penetration. The 7B3PLA has investments all through China's technology sector, to the point where individual chips on routers made elsewhere need to be vetted, as they might be compromised from the factory, and counterfeit devices are a real issue.
Again, not a race issue. China is a global power, and it's acting like one with a solid strategy. It's likewise a solid strategy to avoid cheap off-brand network equipment for your infrastructure. TANSTAAFL, you get what you pay for.
I wouldn't call this racist. Racist would be saying that this event is evidence that Chinese people are inherently secretive/exploitative/dubious in nature. If someone says that, then I'd be on your side. However, the line you quoted is no different from 99% of the first post comments here on stories about the US government doing something /. doesn't like. Unless you and the mods who have modded you up are prepared to reject all of those past comments as racist (or having some other population-based prejudice) as well, then your claim has no basis.
your thin skin doesn't make me a troll
And hundreds of vulnerabilities in Cisco IOS were somehow different, of course.
But of course, their vulnerabilities were not related to 'Chinese government' and wouldn't make 'news for retards'.
Sigh.
They do usually rebrand their stuff. Some "lower-end" mobile phones, probably ones that carry the operator's brand name and not the manufacturer's, are likely to be made by Huawei or similar companies (ZTE, as another example).
Another reason Huawei is so cheap is because they don't "innovate" like (most?) Western companies do. They kinda consider R&D to be a profit center and will not move an inch to develop something that is not _known_ to be profitable. I have first-hand experience with this. I work for Huawei. There! I said it.
Most customer meetings we have involve going to ask for requirements that they can be sent back up the chain to HQ (R&D) to get started on the development. Seriously. Our Chinese bosses (can't call them managers) and counterparts (some of the "local" staff have a Chinese "mirror") are constantly asking to find the customer's Strategy for a particular product/service and what the business model is going to be....even from technical staff at the customer.
I recently read this article http://www.brookings.edu/research/articles/2012/07/10-china-multinationals-shambaugh and it paints a pretty accurate picture of my everyday life working here.
As much as they "sell" the idea of being a communist country, they are still very much a feudal culture with a close-minded and I'm-never-ever-wrong-because-I'm-the-boss mentality. And it'll catch up to them...soon
When people mention something about the Chinese taking over the world, I worry too. Just for very different reasons.
(Posted as AC ((from work)) for obvious reasons)
You get what you pay for... Honestly, if they are cheaper than D-Link, something must be wrong.
It's just like buying your servers from Happy Fun server company. What did you expect you were getting for $49.95?
Do not look at laser with remaining good eye.
Oh, and the R&D guys that I've met, look like they're fresh out of the University (or ...idk) and no one has bothered to create any formal programming practices or the like...which is why I totally believe the comment about security coding practices being from 15 years ago.
My gargantuan 3G USB dongle mandated with my subscription from Telfort in the Netherlands is from Huawei. But I never use it, and instead have placed the SIM inside my Nokia N9 (which also tethers nicely). Still, I am claiming the Huawei tax here in the Netherlands.
You can't be ahead of the curve, if you're stuck in a loop.
When you subscribe to Verizon FiOS, Verizon gives you a free ActionTec wifi router with custom firmware. No doubt it has similar backdoors.
It sure makes me take back all the things I thought when the Australian Government Banned Huawei from tendering for the National Broadband Network
When did Chinese become a race?
I'd guess at least 10,000 years ago. The Chinese certainly think they are a "race". Google "ethnic Chinese" and argue with the 2 million hits.
Anyway, racism or just flamebait, it's an accusation without a shred of proof. Yes, we know that the Chinese govt isn't above a bit of techno-espionage, but still PROVE IT FIRST.
I'm not sure they really care about any traffic from Africa or the Middle East, maybe the rest of Asia, but I'd imagine they'd already have good info through other means.
Au contraire, China does care about Africa and the Middle East. Very much so. One word:
Resources.
The ME still has lots of the black stuff. That's still very important. China uses a lot of black stuff, wants more, wants a long term supply (just like everyone else). Increasing one's ability to sniff out the various issues surrounding oil and politics in the ME is important to any major country, China included.
Africa is becoming a new area of opportunity for China. After the West has fucked over the continent for several centuries, the Chinese see a chance to 'help' while continuing to extract resources. The fact that they are more willing to overlook certain ethical constraints puts them at a definite advantage. For more info, return to your search engine of choice - lots of stuff out there.
Faster! Faster! Faster would be better!
It is catching up to them.
I work for a telecom company that has a significant investment in Huawei gear. Their equipment often has serious bugs, and upper management is starting to notice that the ability of the service and support teams to "do their jobs" is being hurt by Huawei's bugs, and we're seriously entertaining bids from other vendors.
The sad part is that their equipment is SO much cheaper than anything else on the market. I don't know if we could afford to even convert a fraction of our gear to some other vendor. The economics of the business is such that we couldn't afford to provide the service at the prices we charge without using the cheapest option available.
From the article you linked:
Right, because stuff like that would never happen in the United States...
It's different because Cisco publicly announces their security advisories and publishes security bug information. Full disclosures:
http://www.cisco.com/en/US/products/products_security_advisories_listing.html
Other companies (such as Juniper) are a bit less public, but seem to offer more information than Huawei to their customers too:
http://s-tools1.juniper.net/support/security/report_vulnerability.html
I'm Canadian and your post absolutely SCREAMS Wind Mobile (you don't have to answer if you don't want to).
I think Globalive uses Huawei gear in most or all of the other countries they have a presence in as well...
From hell's heart I fstab at /dev/hdc
Right. Well, I guess to Americans, "racism" means using the "N word" or the "J word". Prejudice against foreigners is just good sense.
You are aware that China isn't a race, it's a country. And as a buyer of Chinese goods America buys many, so your racist comment is without merit, if anything it would be referred to as Nationalism (Nationalistic is often used to describe Chinese, here is result number 3 for 'how are foreigners treated in china'). Prejudice and ethnocentric view points are hardly unique to Americans. Prejudice of foreigners is alive and well outside of America and there are many more non-Americans than Americans. One can look nearly anywhere to see it from France to Korea. While America has its issues, it's referred to as the melting pot with good reason. This still applies because she admits over 1 million people a year with permanent resident status. This doesn't include illegal immigration. Asia, specifically China, Korea, Japan are tolerant of foreigners but the word xenophobic comes into play especially when you look at their demographics...
The summary leaps from a statement that a vulnerability has been found to implying that a foreign power is using it for espionage. Without bothering to establish that ANY espionage has taken place at all, let alone who might have done it.
I'm not sure what rock you live under, but these devices do have back doors built into them. All of them do, even CISCO gear does, which these devices bear strong resemblance to. Screw foreign powers, wouldn't any owner be concerned with unauthorized use of their property? Let me guess, you give it a pass based on ethnicity? Wouldn't want to be racist after all! /sarcasm. You're in front of a computer connected to the internet with several search engines ready to provide information at your request. All that's required is a little effort on your part to educate yourself.
But feel free to "Kill them all and let God sort them out".
You mean like the Cultural Revolution?
One gets tired from going around doing nothing.