Never Attribute to Malice, But Always Verify

Thursday, November 15, 2012

Fergal Glynn


Article by Chris Wysopal

When I read the New York Times Bits article “The Dangers of Allowing an Adversary Access to a Network” by John Markoff, I thought the fear of trojaned vendor products is misplaced. The much bigger problem is vulnerable products. To cyber security experts, a serious vulnerability is indistinguishable from a backdoor: both allow an adversary to take control of a system or device, and the defender ends up compromised either way. Yet the U.S. House Intelligence Committee seems preoccupied with backdoors in Huawei technology while ignoring the gaping vulnerabilities.

On Thursday, October 11, I sat in an audience at the “Hack in the Box” security conference in Kuala Lumpur alongside three representatives from Huawei. We were all there to listen to German security expert Felix “FX” Lindner describe the devastating vulnerabilities he discovered in his analysis of Huawei network routers. FX didn’t find any backdoors, but the vulnerabilities he did find will keep me from deploying the devices anywhere near my IT organization.

Actually, that isn’t entirely true. FX did find hardcoded local bootloader passwords. These require physical (console) access to use and are the type of hardcoded password commonly found in networking gear and appliances. Yes, a vulnerability, but not likely nefarious. Here are the passwords for six of Huawei’s router platforms:

Platform    Password
AR18        WhiteLily2970013
AR28        WhiteLily2970013
AR46        supperman
NE20        8070bsp
NE40/80     www@huawei

Decisions on IT purchases or boycotts should be made on facts. Organizations should test technology for vulnerabilities and backdoors, which I would argue are just intentional vulnerabilities. If it passes the test, make the purchase. If it doesn’t, find a supplier whose product does. If you are afraid of backdoors, it would be best to learn from Hanlon’s razor: “Never attribute to malice that which is adequately explained by stupidity.”
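One concrete way to do the “always verify” step for the hardcoded bootloader passwords listed above: scan a firmware image for the known strings and for anything stored behind a password-like label. This is an added example written for this post; it is not code from the post, from Veracode or from FX’s Huawei research. The firmware image in the block is a constructed byte string, not a real Huawei image, and the `bootpasswd=` label and the `password=`/`passwd:` patterns it looks for are assumptions for the demo; the only real data is the password table quoted in the post.

```python
"""Scan a firmware image for the hardcoded bootloader passwords quoted in the post.

Added example for this post; not code from the post, from Veracode or from
FX's Huawei research. SAMPLE_IMAGE is a constructed byte string, not a real
Huawei image; the password table is the one printed in the post.
"""
import re
from typing import Dict, List

# Hardcoded bootloader passwords per platform, as listed in the post.
KNOWN_BOOTLOADER_PASSWORDS: Dict[str, str] = {
    "AR18": "WhiteLily2970013",
    "AR28": "WhiteLily2970013",
    "AR46": "supperman",
    "NE20": "8070bsp",
    "NE40/80": "www@huawei",
}

# Heuristic for credentials the table does not list: a 'password=' / 'passwd:'
# style label followed by a printable token. The label names are assumed for
# the demo, not taken from any Huawei image.
_PASSWORD_ASSIGNMENT_RE = re.compile(
    rb"(?i)pass(?:word|wd)?\s*[:=]\s*([\x21-\x7e]{4,})"
)


def extract_strings(blob: bytes, min_len: int = 6) -> List[str]:
    """Printable-ASCII runs of at least min_len bytes, like `strings -n 6`."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(blob)]


def find_known_passwords(blob: bytes) -> Dict[str, List[int]]:
    """Return {platform: [byte offsets]} for each listed password present in blob.

    Platforms that share a password (AR18 and AR28) are both reported, since
    the image alone cannot tell them apart.
    """
    hits: Dict[str, List[int]] = {}
    for platform, password in KNOWN_BOOTLOADER_PASSWORDS.items():
        needle = password.encode("ascii")
        offsets: List[int] = []
        start = 0
        while (idx := blob.find(needle, start)) != -1:
            offsets.append(idx)
            start = idx + 1
        if offsets:
            hits[platform] = offsets
    return hits


def find_password_assignments(blob: bytes) -> List[str]:
    """Values that follow a password-like label anywhere in the image."""
    return [m.group(1).decode("ascii") for m in _PASSWORD_ASSIGNMENT_RE.finditer(blob)]


# Constructed sample image: a version banner, one known password stored behind
# an (assumed) label, some filler bytes, and a second known password stored bare.
SAMPLE_IMAGE: bytes = (
    b"\x00" * 16
    + b"VRP (R) Software, Version 5.30\x00"
    + b"bootpasswd=WhiteLily2970013\x00"
    + b"\xff" * 8
    + b"unrelated config string\x00"
    + b"8070bsp\x00"
)


def scan_report(blob: bytes) -> Dict[str, object]:
    """Run both checks over one image and bundle the results."""
    return {
        "known": find_known_passwords(blob),
        "assignments": find_password_assignments(blob),
    }


if __name__ == "__main__":
    report = scan_report(SAMPLE_IMAGE)
    for platform, offsets in report["known"].items():
        print(f"{platform}: known bootloader password present at offsets {offsets}")
    for value in report["assignments"]:
        print(f"password-like assignment found: {value}")
```

Run it against an unpacked image, not the raw download: vendor firmware is usually compressed, so a strings scan of the packed file can miss a password that really is there. A hit confirms the credential is present; a miss proves nothing, which is exactly why the testing should be done on the device as well as on the image.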

Cross-posted from Veracode
