It does make you wonder if Chinese tech firms are living in a bubble of ignorance? Does the great firewall of China stop them reading sites about best practice?
Huawei has been accused of poor security practice by Russian researcher Nikita Tarakanov, who told Black Hat Europe last week that the vendor's 3G and 4G devices are vulnerable and its update server is a massive attack vector. The update server in the Netherlands that Tarakanov tested probably isn't the only one used by Huawei, …
As one who was one of the sparse few who repelled the PRC cyber attack against the US DoD in 2008, I have to ponder, is it lousy practice in place?
Or is it leaving a potential back door, with plausible deniability?
Not accusing, but honestly wondering.
You get what you pay for
Hmm, which device?
Sorry I'm tired, but which "/usr/local"? The one on the modem or the users computer? If it is the computer, doesn't that point to a problem with the computer's kernel? If it is the modem, then why wouldn't it have access?
It's hard to tell if Huawei is really that much of a "bad guy" here.
Re: Hmm, which device?
How is it an OS problem?
The installer will generally ask for administrative privileges so that it can install device drivers. Nothing unusual there. However, having gained administrative privileges, it has all the power to be able to `chmod /usr/local 777`.
Even if there was some restriction on the chmod syscall to prevent this, we're dealing with a piece of driver code that effectively runs inside the kernel space, so it has the power to just directly access devices anyway.
Re: Hmm, which device?
Erm, *read* access is one thing. *WRITE ACCESS* is double plus ungood.
First thing I do when I get these sticks is work out how to enable diag mode and disable the cdrom emulation.
They work so much better like that and more consistently regardless of OS I have found.
Does this affect the mi-fi too?
Everyone is worried that Huawei might be a vector for cyber attacks from the Chinese government and/or military. These "vulnerabilities" could then be very useful in being able to deny it was ever Huawei's own attack - they can claim that someone merely used them as a vector.
Time to ditch every piece of Huawei kit...
And what then?
Which other piece of kit, made in China, would you go with?
Looks like the 50c army has shown up for some comment down-voting between the lines.
Yep, it does
I bought a throwaway Huawei 4g USB stick on a trip down to Chile a couple years back, and it looks like the installer did actually make /usr/local 777. Thankfully it wasn't recursive, but it seems to have done it in order to create a directory called hw_mp_userdata which is also recursively 777.
Seriously though, WTF?
Re: Yep, it does
I thought linux was so amazingly secure this kind of thing could never happen? ;)
Ah yes, sudo.
If you run linux though, you should be downloading the source and/or reverse engineering and analyzing what the driver does before allowing it on your machine of course ;)
Re: Yep, it does
4G in Chile a couple of years back?
The closed tests for a handful of users of 4G started a couple of weeks ago in Chile, with the first trials in last November.
(in spanish: http://www.latercera.com/noticia/nacional/2013/03/680-512439-9-claro-inicio-marcha-blanca-de-red-4g-en-santiago-que-involucrara-a-100-usuarios.shtml)
Re: Yep, it does
> I thought linux was so amazingly secure this kind of thing could never happen? ;)
If you actually read the article, you'll see that it is MacOS X that gets compromised here.
Linux users would just use what comes with their OS (likely NetworkManager, wicd, or in my case, I just configure pppd and chat directly) -- thus Huawei's software isn't involved.
Russian calls Chinese company a danger to their users...
"Hi Kettle? Just calling to say you is black man. Soooo black, oo you is black, blacker than a crow's bumhole on a moonless night! Yes i know. Whatever, fuck you. Yes it is Pot calling. bye"
Re: oh rlly
In my experience:
Russians/ex-eastern-bloc denizens are generally aware of issues and are willing to fix 'em even if they have a minor tantrum and call the person who discovers the problem names for a while first.
The Chinese are more likely to simply put their fingers in their ears and go "nononononononono" when problems are pointed out, especially if the pointer comes from Johnny Westerner - there's a large element of "Bloody Foreigners, trying to tell us what to do!" involved and it's fairly widespread (Think of it as a backlash against western imperialism and perceptions of the West continuing to try and impose rules upon the locals and you won't go far wrong. Xenophobia isn't confined to the BNP)
There _are_ worse offenders than the Chinese for this kind of reaction. Citizens of some countries (eg Malaysia) will try and aggressively wave the racism card at the slightest provocation.
"Hi Kettle? Just calling to say you is black man. Soooo black, oo you is black, blacker than a crow's ASShole on a moonless night! Yes i know. Whatever, fuck you. Yes it is Pot calling. bye"
'fixed that for you.
Not even surprising
"the Huawei OS X update app (ouc.app) has unrestricted access to /usr/local.
"Can anyone verify that the Telekom LTE Stick from Huawei makes /usr/local world writable on OSX? WTF?", Esser posted."
The second paragraph is far worse than the first.
The Huawei update app has unrestricted access to /ussr/local? Well, it probably must run as root anyway to update drivers and so on for itself. No big deal.
The Huawei update app makes /usr/local world writable? This is VERY bad, this means any software running as any user whatsoever on your system can put stuff into /usr/local (most importantly, /usr/local/bin/, which is almost certainly in the path on OSX since it is on any normal UNIX system.)
Running IIS6 is a big joke too of course. Not too unusual though, I've seen several cases where I was real glad I was running Ubuntu, I'd get some piece of hardware and find the web site (for the Windows software) was just SO SO dodgy I couldn't believe it (of course, served off incredibly old setups like IIS on Windows 2000.)
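For anyone who wants to check their own box for the damage described in this thread (a 777 /usr/local, a recursively 777 hw_mp_userdata, or any world-writable directory on PATH), here is an added audit script; it is not from the article, the commenters or Huawei, and the hw_mp_userdata tree it builds for its demo is a constructed stand-in, not a real install.

```shell
#!/bin/sh
# Added example: audit a tree, or every directory on PATH, for world-writable
# entries such as an installer's `chmod 777 /usr/local` would leave behind.
# A world-writable PATH directory lets any local account drop a binary that
# other users (and root via sudo) will happily execute.

# List world-writable files and directories under the given roots, one per line.
# Sticky-bit directories (mode 1777, like /tmp) are excluded: others can write
# there but cannot replace or delete each other's entries.
list_world_writable() {
    for root in "$@"; do
        [ -e "$root" ] || continue
        find "$root" -perm -0002 ! -perm -1000 -print 2>/dev/null || true
    done
}

# Count the offenders under the given roots (0 means clean).
count_world_writable() {
    list_world_writable "$@" | wc -l | tr -d ' '
}

# The same count over every directory on PATH.
count_world_writable_on_path() {
    old_ifs=$IFS
    IFS=:
    set -- $PATH
    IFS=$old_ifs
    count_world_writable "$@"
}

# Remediation: strip only the "other write" bit, leaving owner/group bits and
# the sticky bit alone. Review the listing before running this on a live system.
strip_world_write() {
    list_world_writable "$@" | while IFS= read -r p; do
        chmod o-w "$p"
    done
}

# Constructed demo tree mimicking the commenter's finding: /usr/local itself
# fixed at 755, hw_mp_userdata recursively 777, plus a sticky /tmp that must
# not be flagged. Runs without root and never touches the real filesystem.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/usr/local/bin" "$d/usr/local/hw_mp_userdata/cache" "$d/tmp"
    chmod 755 "$d" "$d/usr" "$d/usr/local" "$d/usr/local/bin"
    chmod 777 "$d/usr/local/hw_mp_userdata" "$d/usr/local/hw_mp_userdata/cache"
    chmod 1777 "$d/tmp"
    printf '%s\n' "$d"
}
```

Run `count_world_writable /usr/local` or `count_world_writable_on_path` on a real machine; anything other than 0 deserves a look.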