Officials at Huawei Technologies say that they’re looking into claims by security researchers made at DEF CON last week that there are a handful of serious security vulnerabilities in some of the company’s routers. Saying it employs “rigorous security strategies and policies” Huawei is trying to verify the flaws discovered by researchers Felix “FX” Lindner and Gregor Kopf.
The response from Huawei, a Chinese telecom and hardware provider, comes several days after the researchers gave a presentation at DEF CON that detailed a series of vulnerabilities in the company’s routers. Lindner and Kopf said that they looked at a couple of the smaller routers that Huawei makes, some of the AR series routers. Among the flaws they discovered and disclosed at DEF CON are stack and heap buffer overflows.
“All of them allow to take over the router, the session hijack requires an active session obviously,” Lindner said in an email.
The researchers said that in addition to the vulnerabilities they discovered, they also had a really difficult time trying to get in contact with anyone on a security team at Huawei to discuss the problems. It only took Lindner and Kopf about a week to find the vulnerabilities, but trying to get a response from the vendor was another story. They couldn’t find a public security contact or any security advisories to look at for reference.
“Responsible disclosure is a thing where you want to sit on the receiving end, as soon as possible,” they said in their presentation.
Officials at Huawei, a massive conglomerate with operations around the world and a diverse product line, said that they’re now trying to verify the claims made by Lindner and Kopf.
“We are aware of the media reports on security vulnerabilities in some small Huawei routers, and are verifying these claims. Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management. Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time. In the interests of customer security, Huawei also calls on the industry to promptly report all product security risks to the solutions provider so that the vendor’s CERT team can work with the relevant parties to develop a solution and roll-out schedule,” the company said in a statement.
Lindner, who works at Recurity Labs aling with Kopf, said that he wouldn’t be surprised to see more vulnerabilities disclosed in Huawei products soon. Some of the flaws they found were reminiscent of bugs common in the 1990s, he said.
“The flaws are bad but fixable. What is more serious is the overall code quality of the operating system. There are likely to be quite some more issues and we have not found any security advisories published by Huawei,” he said.
