The Facts: Two researchers from Recurity Labs – Felix Lindner (also known as “FX”) and Gregor Kopf – presented a talk at DEFCON titled: Hacking [Redacted] Routers. (see https://www.defcon.org/html/defcon-20/dc-20-speakers.html#FX). Their work examined the Huawei AR18 and AR28 routers. Exploitable vulnerabilities were discovered. Questions to the quality of the code were raised. A general concern in Huawei’s lack of normal communication channels so that a security researcher can report a vulnerability were highlighted.
Their updated presentation is posted here: http://www.phenoelit.org/stuff/Huawei_DEFCON_XX.pdf (please download & review the findings)
Their methodology and approach to finding vulnerabilities is not new. The approach has effectively work to influence other router vendors, with their findings useful to building more resilient code (based on my personal experience working @ a couple of vendors for whom FX has done previous investigations). Service Providers and Equipment Vendors should have ways to work with this segment of the industry – commissioning vulnerability research and then responding to their findings. The fact that Huawei does not is a concern for everyone in the industry (more in the next blog).
The “Real” Direct Risk: The real direct risk has been overlooked since the FX & Gregor’s DEFCON talk. Namely the Huawei AR18 and AR28 routers are exploitable. These exploits pose two major threats. First, companies that use these routers are vulnerable to having these routers violated and then used as a launch pad for further penetration (think the first step in a Advanced Persistent Threat – APT attack). Second, violated routers are extremely valuable to cyber-criminals who use them as part of their SPAM, Phishing, DDOS for hire, and other criminal operations. These groups constantly scan the Internet looking for routers that could be easily hacked. It is logical for these miscreants to add the Huawei AR18 and AR28 routers to their scans.
Recommended Action to the Direct Risk:
- Contact your Huawei reseller or Huawei directly if your organization has Huawei AR18 and AR28 routers in their network. Ask for the security advisory with the work arounds, risk assessment (preferably with the CVSS base score), and status when the updates will be distributed. Huawei Network Security Incident Response Team (Huawei NSIRT ) can be contacted through the information provided at FIRST – http://www.first.org/members/teams/huawei_nsirt.
- Monitor for increase scans on routers, switches, and other network devices. This can be done with access-list on routers sending “deny” hits to syslog then processing all of the syslog to get a reading of “the volume of scanning interest.” Monitoring scans is a best common practice for network security. For examples, check out Shadowserver’s reports: http://www.shadowserver.org/wiki/pmwiki.php/Stats/ScanCharts and Dshield’s system – http://www.dshield.org/. Medium to large networks who do not have the time to set up their own “scan log processing” can use Dshield’s services. They will anonymize details, process the logs, and display the details in a portal.
The Real In-Direst Risk: The facts presented by FX and Gregor on the quality of the code added to Huawei’s response can lead people to believe similar problems exist in other Huawei products. Lazy coding is never an isolated incident. The engineering environment that allows for poor code quality will span different product teams. If there are problems in AR18 and AR28 routers, then there might be problems in all of the other routers. This ambiguity is normally mitigated with aggressive communications between the vendor (Huawei in this case) and the network operator. Security advisories, special briefings, and updates are used to communicate action, concern, and commitment – that are all required to maintain confidence. Huawei is not doing any of this, increasing the concerns and destroying confidence.
The service provider and network operator have limited options to regain confidence. Most cannot afford to pull out Huawei gear from their network. So they can try the following:
- Contact the local Huawei account manager – ask for the updated Security Advisory.
- Request a briefing on Huawei’s vulnerability disclosure processes. For reference, other major vendors provide these briefings. Cisco, Microsoft, Juniper, Oracle, and others all provide updates to their customers. There will always be vulnerabilities – the question is what will be done to mitigate the threat and restore confidence.
- Commission Testing of Huawei equipment. This can range from having engineers in the network’s lab to do their own testing to paying for teams to “break into” the router. If/when vulnerabilities are found; they should be reported to Huawei or a local CSIRT Team.
Bottom Line – This should not be a big issue! FX and Gregor should have done their work, contacted the security team at Huawei, Huawei would then validate the findings and prepare their response plan. When FX and Gregor presented at DEFCON, Huawei would have then posted their security advisory. In fact, FX and Gregor would most likely have provided the pointer to the security advisory in their presentation. None of this happened. In fact, FX reached out to the operational security community of network operators to try to contact Huawei at the last minute before the DEFCON talk. What was amazing was that service providers with Huawei gear in their network did not know the product security contact.