Huawei Seeks To 'Verify' Allegations About Router Security Problems


Chinese networking vendor Huawei launched an investigation into reports that at least two of its routers, in the company's AR18 and AR29 series, have major security vulnerabilities in their firmware that make the devices subject to takeover through either a heap overflow or a stack overflow.

The purported vulnerabilities were discussed Sunday at the Defcon conference in Las Vegas during a presentation by Felix Lindner, the head of security firm Recurity Labs, and his colleague, security consultant Gregor Kopf. According to both men, there are literally thousands of calls within the firmware to a function called "sprintf," which is known to have security challenges.

In response, Huawei issued a statement indicating that the company is in the process of verifying the claims. "Huawei adopts rigorous security strategies and policies to protect the network security of our customers, and abides by industry standards and best practices in security risk and incident management," read the statement. "Huawei has established a robust response system to address product security gaps and vulnerabilities, working with our customers to immediately develop contingency plans for all identified security risks, and to resolve any incidents in the shortest possible time."


The statement also calls upon the technology industry to promptly report all product security risks so that the vendor's CERT team can address whatever security issues may emerge.

Lindner and Kopf also reported that they had an extremely difficult time reaching the Huawei security team to discuss their findings. They also said that, based on the relative quality of the Huawei code, it's quite likely that additional issues will be found in the near future.

Over the past few years, Huawei has emerged as a major competitor to Cisco. This news is likely to take some of the wind out of the sales of the Chinese networking vendor, according to several solution providers who focus on networking and security.
