October 15, 2012

Never Attribute to Malice, but Always Verify

When I read the New York Times Bits article “The Dangers of Allowing an Adversary Access to a Network” by John Markoff, I thought the fear of trojaned vendor products was misplaced. The much bigger problem is vulnerable products. To cyber security experts, a serious vulnerability is indistinguishable from a backdoor, as both allow an adversary to take control of a system or device. Yet the U.S. House Committee seems preoccupied with backdoors in Huawei technology while ignoring the gaping vulnerabilities.

On Thursday, October 11, I sat in an audience at the “Hack in the Box” security conference in Kuala Lumpur alongside three representatives from Huawei. We were all there to listen to German security expert Felix “FX” Lindner describe all of the devastating vulnerabilities he discovered in his analysis of Huawei network routers. FX didn’t find any backdoors, but the vulnerabilities he did find will keep me from deploying the devices anywhere near my IT organization.

Actually, that isn't entirely true. FX did find hardcoded local bootloader passwords. These would require physical access and are the types of hardcoded passwords commonly found in networking gear and appliances. Yes, a vulnerability, but not likely nefarious. Here are the passwords for 6 of Huawei's routers:

Platform   Password
AR18       WhiteLily2970013
AR28       WhiteLily2970013
AR46       supperman
NE20       8070bsp
NE40/80    [email protected]

Decisions on IT purchases or boycotts should be made on facts. Organizations should test technology for vulnerabilities and backdoors, which I would argue are just intentional vulnerabilities. If it passes the test, make the purchase. If it doesn’t, find a supplier whose product does. If you are afraid of backdoors, it would be best to learn from Hanlon’s razor: “Never attribute to malice that which is adequately explained by stupidity.”
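One concrete form of the "test before you buy" check, covering both the hardcoded bootloader passwords listed above and the acceptance rule in this paragraph, as an added example that is not part of the original post and not Veracode's or any vendor's tooling: a small Python script that pulls printable strings out of an unpacked firmware image (the same idea as the `strings` utility) and flags the known bootloader passwords from the table plus anything that looks like a credential assignment. The sample image bytes are constructed for the demonstration; the NE40/80 password is elided on the page and is left out of the watchlist, and the script assumes it is handed plain, already-decompressed firmware bytes.

```python
import re
from dataclasses import dataclass
from typing import Dict, List

# Watchlist of hardcoded bootloader passwords from the table in the post,
# keyed by password so one string yields one finding even when several
# platforms share it. The NE40/80 value is elided on the page and is omitted.
KNOWN_BOOTLOADER_PASSWORDS: Dict[str, List[str]] = {
    "WhiteLily2970013": ["AR18", "AR28"],
    "supperman": ["AR46"],
    "8070bsp": ["NE20"],
}

# Runs of six or more printable ASCII bytes, like the `strings` utility.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{6,}")

# Generic heuristic for credential-looking assignments, e.g. "passwd=...".
CREDENTIAL_ASSIGNMENT = re.compile(r"(?i)(passw(or)?d|pwd|secret)\s*[=:]")


@dataclass
class Finding:
    offset: int   # byte offset of the string inside the image
    text: str     # the printable string that triggered the finding
    reason: str   # why it was flagged


def scan_firmware(image: bytes) -> List[Finding]:
    """Return every string in an unpacked firmware image that matches the
    watchlist or looks like a credential assignment."""
    findings: List[Finding] = []
    for match in PRINTABLE_RUN.finditer(image):
        text = match.group().decode("ascii")  # the regex guarantees pure ASCII
        for password, platforms in KNOWN_BOOTLOADER_PASSWORDS.items():
            if password in text:
                findings.append(Finding(
                    match.start(), text,
                    "known hardcoded bootloader password (%s)" % ", ".join(platforms)))
        if CREDENTIAL_ASSIGNMENT.search(text):
            findings.append(Finding(match.start(), text, "credential-like assignment"))
    return findings


def passes_acceptance(image: bytes) -> bool:
    """The post's rule: make the purchase only if the test comes back clean."""
    return not scan_firmware(image)


# Constructed sample image (not real firmware): a fake header, a bootloader
# prompt, a watchlisted password, a credential assignment, a harmless
# copyright string and a second watchlisted password.
SAMPLE_IMAGE = (
    b"\x7fELF" + b"\x00" * 12
    + b"bootrom login: " + b"\x00" * 4
    + b"WhiteLily2970013" + b"\x00" * 8
    + b"admin_passwd=changeme" + b"\x00" * 4
    + b"Copyright (c) 2012 Example Vendor" + b"\x00" * 4
    + b"8070bsp" + b"\x00"
)

if __name__ == "__main__":
    for f in scan_firmware(SAMPLE_IMAGE):
        print("0x%06x  %-24s %s" % (f.offset, f.text, f.reason))
    print("acceptance:", "PASS" if passes_acceptance(SAMPLE_IMAGE) else "FAIL")
```

On the constructed image the scan reports the AR18/AR28 password, the `admin_passwd=` assignment and the NE20 password, so `passes_acceptance` returns False; an image containing only the copyright string passes. A string scan is only the cheapest layer of such a test, since a password stored hashed or obfuscated will not show up, but it catches exactly the class of plaintext hardcoded credentials the post describes.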

Chris Wysopal, co-founder and CTO of Veracode, is recognized as an expert and a well-known speaker in the information security field. He has given keynotes at computer security events and has testified on Capitol Hill on the subjects of government computer security and how vulnerabilities are discovered in software. His opinions on Internet security are highly sought after and most major print and media outlets have featured stories on Mr. Wysopal and his work. At Veracode, Mr. Wysopal is responsible for the security analysis capabilities of Veracode technology.
