Huawei cryptographic keys embedded in Cisco’s firmware

Things happen when they happen. And when developers use third-party or open source libraries in their own product, they may not be aware of potential security issues. Testing firmware for vulnerabilities is time consuming, yet absolutely necessary for compliance with established security standards and legal requirements. That’s why we developed IoT Inspector: to automate security analyses of firmware and to assure a security baseline at scale.

We are constantly improving IoT Inspector’s analysis capabilities. To test new features and capabilities we analyze firmware images from various vendors regularly. One of the more recent analysis results caught us by surprise…

Who is Gary, and why are his keys embedded in Cisco’s firmware?

The starting point was a firmware image for a Cisco SG250 Smart Switch device, which was downloaded from the Cisco download portal and uploaded to IoT Inspector. The analysis results were strange. The firmware contained a few certificates and a corresponding private key. The location of the files in question ( /root/.ssh/ ) is usually intended for SSH keys, not certificates.

The certificates themselves were issued by a Gary from the organization Futurewei Technologies, which is a US-based subsidiary of Huawei Technologies. Just to make sure, we double-checked the IoT Inspector results. They were reliable, a manual analysis confirmed the automated results. So, how does a certificate from a Huawei employee end up in a Cisco firmware image?