Huawei's half-arsed router patching left kit open to botnets: Chinese giant was warned years ago – then bungled it

Huawei bungled its response to warnings from an ISP's code review team about a security vulnerability common across its home routers – patching only two models rather than all of its products that used the same flawed firmware. Years later, those unpatched Huawei gateways, still vulnerable and still in use by broadband …

  1. _LC_ Bronze badge

    How to secure routers 101

    If you activate UPnP, that’s a vulnerability on pretty much every router. The fix is to disable it, which they teach you on every site about 'making your router more secure'.

    1. stiine Silver badge

      Re: How to secure routers 101

      The moral of the story is that if Huawei report a bug being fixed in Model X, you can simply attack the very same bug in Model Y, and repeat ad infinitum.

    2. Lee D Silver badge

      Re: How to secure routers 101

      Literally one line of code in a simple utility that all major distros carry, I found out the other day.

      Run a Linux computer, install if necessary, and run upnpc.

      It literally lets you open any port on the external interface you like and forward to an internal port. There's a restriction on "nothing less than 1024 unless you're root" but that's the Linux OS enforcing that, not the UPnP router or the network. You can literally forward any port to any internal port/IP combination from inside the network with one unauthenticated command.

      Very handy to open up my girlfriend's Raspberry Pi TV I made her to the world, complete security nightmare for anyone expecting to secure their network.

      1. Peter2 Silver badge

        Re: How to secure routers 101

        Very handy to open up my girlfriend's Raspberry Pi TV I made her to the world, complete security nightmare for anyone expecting to secure their network.

        Only if you're running a consumer grade modem firewall combination? Every business firewall I've ever seen had UPnP as an option to enable/disable, with disabled being the default.

    3. GnuTzu Silver badge

      Re: How to secure routers 101

      The tragedy of things like UPnP is that its purpose is defeated if it's off by default. And, that means that the only people who won't be vulnerable will be those who are smart enough to disable it (and other things like it, such as weak WiFi settings). And, although the intent was to make things easier for untrained consumers, the unintentional (one would hope) effect is to create a massive swath of vulnerable back doors just waiting to be harvested. Still, one is tempted to entertain the thought of conspiracy theories. After all, there were those who warned that this kind of problem was inevitable, and we expect that the only reason that this ended up being created anyway was just a matter of the way the market works--being the enabler rather than the responsible guardian--again, one would hope.

    4. doublelayer Silver badge

      Re: How to secure routers 101

      That's well and good, but the most I've seen from a consumer level device is a page on the interface, usually buried at least two levels in, with the following contents:

      UPNP:

      Enabled

      Click here to disable

      That requires nontechnical users to know what UPNP is, know that it should be disabled, and manually navigate to it and disable it. Keeping in mind that many consumers don't set up their own networking equipment but allow the ISP to do that for them when they're connecting the line anyway, and you have a recipe for your advice to go nowhere because no matter how many of us properly secure our routers, there will be thousands more who haven't. What should really be the case is UPNP off by default and a clearer explanation of what UPNP is and the risks involved. Devices that need UPNP can give a short explanation when they find it turned off, and a properly motivated consumer can log in and turn it back on after reading the security warnings.

    5. LDS Silver badge

      Re: How to secure routers 101

      Usually, after they disable UPnP, they follow some post/video found somehow that shows them how to forward *any* port to a given machine, so any software which required UPnP keeps on working... what is worse?

      For most people networking is some kind of "dark art" - and most people don't want to have a computer always on somewhere in the house, and a Pi is not always enough especially now some people get broadband speeds that are beyond the Pi NIC capabilities.

      1. A.P. Veening Silver badge

        Re: How to secure routers 101

        "Pi is not always enough especially now some people get broadband speeds that are beyond the Pi NIC capabilities."

        You don't need to put all your internet traffic through the Pi, just the DNS requests (very small part of the upload) to your Pi-Hole and for that it is more than quick enough.
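Added example (an editor's illustration, not code from Lee D or any other commenter): the exchange Lee D describes above goes through the router's UPnP IGD WANIPConnection:1 service, which answers GetGenericPortMappingEntry one table index at a time and returns UPnP error 713 (SpecifiedArrayIndexInvalid) once the index runs off the end. That is the same call `upnpc -l` makes to list mappings, and it is the check a defender wants to run periodically: read back the whole table and flag any forward that was not set on purpose. The transport is a callable so the module runs offline against a constructed router; a real deployment would POST each request to the gateway's control URL with a SOAPAction header, which is assumed rather than shown. The sample mappings, addresses and allowlist are constructed.

```python
"""Read back a UPnP IGD port-mapping table and flag forwards nobody asked for."""
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Callable, List, Optional, Set, Tuple

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
CTRL_NS = "urn:schemas-upnp-org:control-1-0"
SERVICE = "urn:schemas-upnp-org:service:WANIPConnection:1"
ACTION = "GetGenericPortMappingEntry"
# Internal ports a home LAN almost never intends to expose to the WAN.
SENSITIVE_PORTS = {22, 23, 445, 3389, 5900}


@dataclass
class Mapping:
    external_port: int
    protocol: str
    internal_client: str
    internal_port: int
    description: str
    lease_seconds: int  # 0 means the mapping never expires
    enabled: bool


def build_request(index: int) -> str:
    """Client side: the SOAP body asking for table entry `index`."""
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{ACTION} xmlns:u="{SERVICE}">'
            f'<NewPortMappingIndex>{index}</NewPortMappingIndex>'
            f'</u:{ACTION}></s:Body></s:Envelope>')


def parse_response(xml_text: str) -> Optional[Mapping]:
    """Return the Mapping in a response, or None on the 713 end-of-table fault."""
    body = ET.fromstring(xml_text).find(f"{{{SOAP_NS}}}Body")
    if body is None:
        raise ValueError("no SOAP body")
    fault = body.find(f"{{{SOAP_NS}}}Fault")
    if fault is not None:
        code = fault.findtext(f".//{{{CTRL_NS}}}errorCode", "").strip()
        if code == "713":
            return None
        raise ValueError(f"UPnP error {code or 'unknown'}")
    resp = body.find(f"{{{SERVICE}}}{ACTION}Response")
    if resp is None:
        raise ValueError(f"not a {ACTION} response")

    def text(tag: str) -> str:  # response arguments are unqualified child elements
        return (resp.findtext(tag) or "").strip()

    return Mapping(int(text("NewExternalPort")), text("NewProtocol").upper(),
                   text("NewInternalClient"), int(text("NewInternalPort")),
                   text("NewPortMappingDescription"),
                   int(text("NewLeaseDuration") or 0), text("NewEnabled") == "1")


def enumerate_mappings(send: Callable[[str], str], limit: int = 1000) -> List[Mapping]:
    """Walk indices 0.. until the router reports 713 (or `limit` is hit)."""
    table: List[Mapping] = []
    for index in range(limit):
        mapping = parse_response(send(build_request(index)))
        if mapping is None:
            break
        table.append(mapping)
    return table


def audit(table: List[Mapping],
          allowlist: Set[Tuple[str, int, str]]) -> List[Tuple[Mapping, List[str]]]:
    """Flag every mapping not explicitly allowed, with the reasons to review it."""
    findings = []
    for m in table:
        if (m.protocol, m.external_port, m.internal_client) in allowlist:
            continue
        reasons = ["not in allowlist"]
        if m.internal_port in SENSITIVE_PORTS:
            reasons.append(f"exposes sensitive port {m.internal_port}")
        if m.lease_seconds == 0:
            reasons.append("permanent lease")
        findings.append((m, reasons))
    return findings


# --- Constructed router for offline use; not a capture from any real device ---
def _make_response(m: Mapping) -> str:
    return (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body>'
            f'<u:{ACTION}Response xmlns:u="{SERVICE}"><NewRemoteHost></NewRemoteHost>'
            f'<NewExternalPort>{m.external_port}</NewExternalPort>'
            f'<NewProtocol>{m.protocol}</NewProtocol>'
            f'<NewInternalPort>{m.internal_port}</NewInternalPort>'
            f'<NewInternalClient>{m.internal_client}</NewInternalClient>'
            f'<NewEnabled>{int(m.enabled)}</NewEnabled>'
            f'<NewPortMappingDescription>{m.description}</NewPortMappingDescription>'
            f'<NewLeaseDuration>{m.lease_seconds}</NewLeaseDuration>'
            f'</u:{ACTION}Response></s:Body></s:Envelope>')


FAULT_713 = (f'<?xml version="1.0"?><s:Envelope xmlns:s="{SOAP_NS}"><s:Body><s:Fault>'
             '<faultcode>s:Client</faultcode><faultstring>UPnPError</faultstring>'
             f'<detail><UPnPError xmlns="{CTRL_NS}"><errorCode>713</errorCode>'
             '<errorDescription>SpecifiedArrayIndexInvalid</errorDescription>'
             '</UPnPError></detail></s:Fault></s:Body></s:Envelope>')

SAMPLE_TABLE = [  # constructed sample mappings: one deliberate, two surprises
    Mapping(32400, "TCP", "192.168.1.20", 32400, "media-server", 0, True),
    Mapping(3389, "TCP", "192.168.1.50", 3389, "", 0, True),
    Mapping(6881, "UDP", "192.168.1.33", 6881, "torrent-client", 3600, True),
]
ALLOWLIST = {("TCP", 32400, "192.168.1.20")}  # the one forward the owner set on purpose


def fake_router(table: List[Mapping]) -> Callable[[str], str]:
    """Answer requests from a fixed table, with 713 once the index runs off the end."""
    def send(request_xml: str) -> str:
        idx = int(ET.fromstring(request_xml).findtext(
            f".//{{{SERVICE}}}{ACTION}/NewPortMappingIndex"))
        return _make_response(table[idx]) if idx < len(table) else FAULT_713
    return send


if __name__ == "__main__":
    for m, reasons in audit(enumerate_mappings(fake_router(SAMPLE_TABLE)), ALLOWLIST):
        print(f"{m.protocol} {m.external_port} -> {m.internal_client}:{m.internal_port}"
              f" ({m.description or 'no description'}): {', '.join(reasons)}")
```

Run as-is it reports the two constructed surprises: an RDP forward with no description and a permanent lease, and a UDP forward that is simply not on the allowlist. Swapping `fake_router` for a function that POSTs to the gateway's control URL turns this into the scheduled check that catches a mapping added by anything on the LAN, which is the only way to notice what an unauthenticated `upnpc` run did while UPnP was still on.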

  2. alain williams Silver badge

    Just crap software

    Another example of crap software talked about y/day. I doubt that Huawei is worse than many vendors who ship other closed source on their kit. Huawei sells hardware, the software that makes it work is just an inconvenience and so will put as little effort (== cost) into it as it can get away with.

    BTW: some will claim that this is an example of Chinese government back door in Huawei kit; possible but I doubt it.

    1. doublelayer Silver badge

      Re: Just crap software

      This is almost certainly not a deliberate back door. It is way too basic, and there probably is little interest in back dooring consumer devices. However, while this incident doesn't say anything about whether Huawei is willing to introduce major security flaws in its products for China's government, it shows that they don't care much about their customers' security (not good), they lack the organization required to figure out something this simple so it would be easy for a small group to introduce a vulnerability and not have it discovered by the rest of the company (really not helping them), and they may not have the best security practices for other equipment they produce (which doesn't make them worse than other manufacturers but they have been claiming it a lot after their recent bans). I'm not impressed.

      1. Anonymous Coward

        Re: Just crap software

        Seems an ideal backdoor...even after being found people think it's a mistake...not a backdoor...the best backdoors are put down as mistakes...it limits reputational damage when they're found.

    2. stiine Silver badge

      Re: Just crap software

      Did you just describe Cisco code as crap software?

  3. Lee D Silver badge

    They pushed out an update to their Huawei HiLink software (which runs on a smartphone to connect to mobile 4G and Wifi routers) last night too.

    Not a great start. But then, I disabled UPnP on my 4G Wifi router as one of the first things out of the box, and even put it behind a real router when it's at home (so even complete compromise of the device gives them access to... nothing... because it's all WAN-side of the real-router and treated as totally untrusted).

  4. Missing Semicolon

    Bad software practices

    We think they have a customisable firmware set that they deploy across products. No, they just copy and paste the code to a fresh project for each product. They simply have no idea how each model's code is related. Fixing a bug across 'n' products needs 'n' teams!

  5. Anonymous Coward

    "The Chinese company did not address why it had patched the same code vulnerability in some products back in 2014 but not fixed the same pre-existing flaw in other routers until it was pointed out to the firm years later."

    If this really needs to be explained, I'll go for it: because Huawei, like every other consumer company, doesn't give a damn about security. The consumer is not aware of this and won't pay for it. So, end of the day, it will only be a "fix if framed" matter. If not framed for model X, why bother?

    And, did I mention the usual "Huawei takes security very seriously" BS? Cracks me up every time.

    1. Anonymous Coward

      But, Huawei is not a consumer company. You might associate them with phones, but most of the UK core network backbone runs on its kit.

      1. _LC_ Bronze badge

        Cisco?

        Because in the professional world they do it better, like Cisco:

        https://twitter.com/RedTeamPT/status/1110843396657238016

        Yes girls, the alternatives are even worse.

        1. stiine Silver badge

          Re: Cisco?

          It's a good thing that Huawei never copied Cisco code, isn't it.

      2. LDS Silver badge

        "Huawei is not a consumer company."

        Actually, it's both a consumer and enterprise company now.

  6. Marty McFly

    Not what they want....

    Patching the vulnerability would not be in a Chinese company's best national interest. And to put the tinfoil hat on really tight, I could venture this is really 'as designed' and not a code defect at all.

  7. fidodogbreath Silver badge

    Consumer routers are a trash fire

    Most consumer routers use ancient versions of open-source software libraries -- even newer models with supposedly updated firmware.

    I gave up and replaced my consumer networking crap with a Ubiquiti router and Unifi access points. UBNT fixes exploits promptly, and (at least under home loading conditions) the gear is rock-solid. I can't remember the last time I had to reboot my router or APs for any reason other than to install an update.

    My low-end commercial-grade system cost about the same as a "high-end" consumer router. Configuring commercial gear does require more networking knowledge than, say, setting up a Linksys device; but that's not likely to be a problem for most people here.

    As any UBNT user will tell you, their software updates can be "of variable quality." Fortunately, there's a large online community of canaries who seem to enjoy installing every update on release day and posting about problems. Thus, it's easy to determine whether to install a release or wait for the next one.

  8. Aodhhan

    Funny

    Oh sure, just disable, disconnect, and remove.

    Except.... if you're using legacy applications and one-off home grown systems requiring it.

    Then there are some industry apps which are so specialized they don't have competition... so they say FU to security requirements.

    Oh, and let's not forget Apple's video need for it.

    on and on.

    It's great you just learned the IP stack, but wait to damn everyone after you have about 10 years of commercial experience first.

    Sitting in mom's basement on your laptop, reading security magazines and attending a conference here and there doesn't teach you everything.

    The fact you came up with an 'obvious solution' in less than 3 minutes should clue you into something.

  9. Kevin McMurtrie Silver badge

    Security risk

    Study after study says that there's no official backdoor that the Chinese government could use. There doesn't need to be anything official. All that's needed is a known unpatched exploit.

    Unfortunately, banning Huawei doesn't leave us with anything better. All home networking devices, especially security cameras, are garbage. They're a pile of stolen source code and bits of ancient Linux hacked together by the lowest bidder, and then re-branded and re-skinned for sale. The seller has no idea where the firmware came from or who should fix flaws.

    If you want secure networks, you need to mandate maintenance of security.

  10. Rajesh Kanungo

    Little story on UPnP

    Way back when I was at Sun and we were fighting MSFT (you know who won). I went to a UPnP conference in Redmond and I asked an unnamed architect about security. He said that there was absolutely no security (at that time) and it would actually make things worse. I was surprised at his candor but MSFT does hire some really smart people. Moral of the story: it is all about business. There were better protocols, better solutions. MSFT did what worked for them. The rest of the industry bought into the dream and are now picking up the pieces.

  11. Anonymous Coward

    And we're back...

    Spec the hardware a bit higher and help the open source distros install.

    Or just stick a label on the damned things saying "not supported once the replacement model comes out"

  12. Anonymous South African Coward Silver badge

    Interestingly.

    Am using Smoothwall on my home network. One of the options I have is to enable UPnP. I keep it disabled, because I have the final say of what is going out and what's coming in.

    Tough if $software doesn't work - it just doesn't get used, and we look for an alternative that works.

Biting the hand that feeds IT © 1998–2019