Huawei Firmware Backdoor Vulnerabilities

by Josh Biggs in Tech on 1st September 2019

The Chinese telecommunications software company Huawei has become a household name in recent months. Many countries considered or implemented bans against Huawei equipment, and the US refused to allow chips and software to be sold to the company (though that sanction seems to be relaxing).

However, the telecom company has been making the news for another reason in recent weeks: poor security. Research has discovered that Huawei networking solutions have numerous security flaws, creating the potential for backdoor access or hacks. Any data running over these systems, therefore, runs the increased risk of being intercepted.

As Huawei is the largest telecom supplier globally and the second largest mobile phone manufacturer, this represents a serious threat to organizations’ website security. Websites and their sensitive data may be accessed over Huawei components and visited by Huawei phones. Even if the website is designed well, insecure and untrustworthy networking infrastructure may make it vulnerable to attack. As a result, vulnerable networking components, like those examined in the research on Huawei, may represent a serious threat to organizations’ network and website security.


The State of Huawei Security

Concerns about the security of Huawei products are nothing new. In 2012, the US government issued a ban on Huawei networking equipment for US companies, and in 2018 and 2019 there was an uproar over banning Huawei gear from both traditional and 5G networks, driven by concerns about intellectual property theft by Huawei and the company's close ties with the Chinese government.

The uproar about Huawei has led to a great deal of scrutiny towards the company. One report, generated by Finite State, paints a less than rosy picture of the current security state of Huawei products. The company performed an in-depth analysis of Huawei products and classified their findings into four categories:


  1. Backdoor Access Vulnerabilities: 55% of devices studied had a built-in default username/password, hard-coded SSH credentials, or a built-in set of authorized keys that could be used by anyone with knowledge of them to log into the device remotely.
  2. Pattern of Security Flaws: The average tested device had 102 vulnerabilities in its firmware. The worst device had 1,419 vulnerabilities, and all tested devices had a combined 8,826 CVSS level 10 severity (the maximum possible) vulnerabilities.
  3. Highly Insecure Software Development Practices: Among other issues, Huawei engineers would disable default software security protections and rename insecure software functions as their safe variants so that code looked safer than it was. In one case, the security of a software update was worse than the previous version.
  4. Quantitatively Higher Risk than Other Similar Devices: On average, Huawei devices had 2-8x as many 0-day vulnerabilities as similar products from competitors.
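As an added defender-side example (not part of the original article, and not Finite State's own tooling), the following Python script walks an extracted firmware root directory and flags the two backdoor patterns named in item 1: pre-installed SSH authorized keys and accounts shipped with a usable password hash. The firmware tree it builds is a constructed sample, with placeholder hash and key values, not data from a real image.

```python
"""Scan an extracted firmware root for baked-in remote-login credentials."""
import tempfile
from pathlib import Path

# Second field values that mean "no usable password": locked, empty, or
# "x" (password lives in /etc/shadow, so the passwd entry itself is inert).
LOCKED = {"*", "!", "!!", "x", ""}


def scan_firmware_root(root):
    """Return (kind, relative_path, detail) tuples for each finding."""
    root = Path(root)
    findings = []
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        text = path.read_text(errors="replace")
        if path.name in ("authorized_keys", "authorized_keys2"):
            # Any non-comment line is a key that lets its holder log in.
            keys = [ln for ln in text.splitlines()
                    if ln.strip() and not ln.lstrip().startswith("#")]
            if keys:
                findings.append(("ssh_authorized_key", rel, f"{len(keys)} key(s)"))
        elif path.name in ("shadow", "passwd", "shadow-", "passwd-"):
            for line in text.splitlines():
                fields = line.split(":")
                if len(fields) < 2:
                    continue
                user, pw = fields[0], fields[1]
                # A hash that is not locked means the account can be logged into
                # by anyone who knows (or cracks) the vendor's default password.
                if pw not in LOCKED and not pw.startswith(("!", "*")):
                    findings.append(("password_hash", rel, user))
    return findings


def build_sample_root():
    """Build a throwaway firmware tree (constructed sample, not a real image)."""
    root = Path(tempfile.mkdtemp())
    (root / "etc").mkdir()
    (root / "root" / ".ssh").mkdir(parents=True)
    (root / "etc" / "shadow").write_text(
        "root:$6$constructedsalt$constructedhash:18000:0:99999:7:::\n"
        "daemon:*:18000:0:99999:7:::\n"
        "support:!:18000:0:99999:7:::\n")
    (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
    (root / "root" / ".ssh" / "authorized_keys").write_text(
        "# vendor key (constructed placeholder, not a real key)\n"
        "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDconstructed vendor@example\n")
    return root
```

Point the scanner at the root of a filesystem unpacked from a firmware image; only the root account with a live hash and the single authorized key are reported, while the locked daemon and support accounts are ignored.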

The results of Finite State’s analysis demonstrate that Huawei’s products are extremely insecure. The use of default, hard-coded credentials is bad enough, but the deliberate deactivation of security controls and use of insecure functions (masquerading as the secure option that has been available for over a decade) demonstrates that no effort is being made by developers to even try to create secure products.


Impacts of Huawei Firmware Vulnerabilities

Insecurities in Huawei networking products are bad enough for the products themselves, but they also can impact the security of the systems attached to them. At a minimum, routers are the medium over which all traffic to, from, and within an organization’s network travels. This means that an attacker who manages to exploit vulnerabilities in Huawei systems has visibility into and potentially the ability to control the traffic passing over the network.

One way in which these Huawei weaknesses can be exploited is to launch a Denial of Service (DoS) attack against an organization's network. If Huawei systems are used inside the network, an attacker can reprogram them to drop all traffic to a particular computer, rendering it completely unusable.

Another application of an exploited networking component would be as a platform for launching attacks against vulnerable webservers and other systems. If an organization does not have the appropriate protections in place for their machines, their website security could be attacked by compromised networking components.


Securing Your Systems

For many organizations, their Internet presence is a critical part of their brand. A website acts as the main point of contact between the customer and the organization, and it’s important that it’s available, functional, and secure at all times. As a result, many organizations put significant effort into protecting their webservers from attacks originating from outside the company network.

But what if the attack comes from inside the network? Finite State's research on the networking solutions offered by Huawei brings into question the security of any system relying on these components. While an organization may have strong perimeter defenses, an attacker who manages to gain access to the routers on the network, using hard-coded login credentials or one of the numerous zero-day vulnerabilities in the devices, may be able to bypass these protections and attack the internal systems directly.

For this reason, it is vital for organizations to deploy specialized network security protections to ensure their website security. A modern web application firewall (WAF) or runtime application self-protection (RASP) solution can provide specialized protection to the organization's web applications and is much more likely to detect and block this type of unusual attack than more generalized security solutions. An organization wanting to provide the proper level of protection to its network, websites, and customers needs to deploy the security solution best suited to blocking common attack vectors.

