The vulnerabilities — a session hijack, a heap overflow and a stack overflow — were found in the firmware of Huawei AR18 and AR29 series routers and could be exploited to take control of the devices over the Internet, said Felix Lindner, the head of security firm Recurity Labs and one of the two researchers who found the flaws.
Huawei is one of the fastest growing providers of networking and telecommunication equipment in the world. Huawei equipment powers half of the world’s Internet infrastructure, Lindner said.
The researcher, who also analyzed the security of Cisco networking equipment in the past, described the security of the Huawei devices he analyzed as “the worst ever” and said that they’re bound to contain more vulnerabilities.
During the Defcon talk, which Lindner gave together with Recurity Labs security consultant Gregor Kopf, the researchers pointed out that there are over 10,000 calls in the firmware’s code to sprintf, a function that’s known to be insecure.
“This stuff is distrusting,” said security researcher Dan Kaminsky, who is best known for discovering a major vulnerability in the world’s DNS (Domain Name System) infrastructure in 2008 and who worked for Cisco in the past. “If I were to teach someone from scratch how to write binary exploits, these routers would be what I’d demonstrate on.”
“What FX [Lindner’s moniker in security circles] has shown is that the 15 years of secure coding practices that we’ve learned about — the things to do or not do — have not been absorbed by the engineers at Huawei,” Kaminsky said.
According to the Huawei website, the AR series routers are used by enterprises and AR18 in particular is marketed as product intended for small and home offices.
The Recurity Labs researchers specified during the talk that they didn’t test any “big boxes” like the Huawei NE series routers — which are intended for telecom data communication networks — because they couldn’t obtain them.
Lindner and Kopf also criticized Huawei for its lack of transparency when it comes to security issues. The company doesn’t have a security contact for reporting vulnerabilities, doesn’t put out security advisories and doesn’t say what bugs have been fixed in its firmware updates, the researchers said.
“If I don’t know who to contact, I can’t tell you about your bugs and this happens,” Lindner said, referring to the public disclosure of vulnerabilities.
The researcher hopes that this will be a wake-up call for Huawei customers. The only way to force a company to build more secure products is to make the customers ask for it, like it happened in the past with Microsoft, Cisco or Apple, he said.