

Two versions of the AR18 and AR28 routers that possess a range of vulnerabilities, according to researchers

"Hacking [redacted] Routers" was the title of a lecture at Defcon by security expert Felix Lindner (also known as FX) and Gregor Kopf of the Berlin-based Recurity Labs. The "censored" routers were quickly established as being the AR18 and AR28 routers from the Chinese manufacturer Huawei. The two hackers have been looking at the firmware, default settings, and overall security of the routers and have concluded that just about everything you can do wrong, Huawei has done wrong.

This starts with services such as SSH, FTP and HTTP, which can be accessed from the outside network by default; FTP can even be used to access flash memory on the router. The problems also include bad session management, which can allow a small script to take over a session, and a concrete buffer overflow on the stack and the heap. And the problems don't end there. According to the security experts' analysis of the firmware, it contains over 10,000 calls to the inherently unsafe sprintf() C function.
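Why sprintf() counts as inherently unsafe, and what a bounded replacement looks like, as an added example that is not taken from the talk or from the router firmware: sprintf() has no parameter for the destination size, while vsnprintf() takes one and returns the length the full output would have needed, so truncation can be detected and refused. The names `format_checked` and `build_banner` and the banner scenario are hypothetical.

```c
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: format into dst, which holds dst_size bytes.
 * Returns 0 on success, -1 if the output does not fit or formatting fails.
 * On failure dst is set to the empty string, so a caller never continues
 * with a silently truncated value. */
int format_checked(char *dst, size_t dst_size, const char *fmt, ...)
{
    va_list ap;
    int needed;

    if (dst == NULL || dst_size == 0)
        return -1;

    va_start(ap, fmt);
    /* Writes at most dst_size - 1 characters plus the terminating NUL and
     * returns the length the complete output would have had. */
    needed = vsnprintf(dst, dst_size, fmt, ap);
    va_end(ap);

    if (needed < 0 || (size_t)needed >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    return 0;
}

/* Constructed scenario: a greeting built from a remotely supplied name.
 * With sprintf(out, "Welcome, %s", username) the name's length alone would
 * decide how far past the end of out the write runs. */
int build_banner(char *out, size_t out_size, const char *username)
{
    return format_checked(out, out_size, "Welcome, %s", username);
}

int main(void)
{
    char banner[32];
    char long_name[200];               /* constructed oversized input */
    int rc;

    memset(long_name, 'A', sizeof long_name - 1);
    long_name[sizeof long_name - 1] = '\0';

    rc = build_banner(banner, sizeof banner, "admin");
    printf("short name: rc=%d banner=\"%s\"\n", rc, banner);
    rc = build_banner(banner, sizeof banner, long_name);
    printf("long name:  rc=%d banner=\"%s\"\n", rc, banner);
    return 0;
}
```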

The two experts also criticised Huawei's organisation: there are no contact addresses for reporting security vulnerabilities, the company does not publish security advisories, and it doesn't identify the bugs fixed in firmware updates, all of which adds to the overall poor image. The routers studied, the AR18 and AR28, are low-end models for use in small offices and medium-sized firms. Lindner and Kopf stressed that they had no opportunity to examine the "big boxes" that the company makes for telecommunications carriers. For further information, the slides of the presentation are available to download.

(Lukas Grunwald / djwm)