Incident: Security Holes in Huawei Routers Allow Control and Snooping

Published Date: 2012-07-30

Postmortem Analysis
Timeline:
1. The software failure incident involving security holes in Huawei routers happened around July 2012. [Article 13621]

System:
1. Huawei routers, specifically the Huawei AR18 and AR 29 series [13621].

Responsible Organization:
1. The software failure incident in this case was caused by the vulnerabilities in the routers made by China-based Huawei, specifically due to the use of "1990s-style code" in the firmware of some Huawei VRP routers [13621].

Impacted Organization:
1. Internet service providers (ISPs) using Huawei routers were impacted by the software failure incident [13621].
2. Millions of customers of the ISPs using the vulnerable routers were also impacted as their communications could be spied on [13621].

Software Causes:
1. The software causes of the failure incident were security vulnerabilities in the firmware of Huawei VRP routers, specifically the Huawei AR18 and AR 29 series, due to the use of "1990s-style code" [13621].

Non-software Causes:
1. Lack of rigorous security strategies and policies in place to protect the network security of customers [13621].

Impacts:
1. The software failure incident in Huawei routers uncovered by the German security researcher Felix Lindner exposed security vulnerabilities that could allow attackers to take control of the devices and intercept all traffic running through the routers [13621].
2. The incident raised concerns not only for the Internet service providers (ISPs) using the vulnerable routers but also for millions of their customers who may have been unaware that their communications could be spied on [13621].
3. The vulnerability in the routers could potentially lead to attackers being able to log in as administrators, change passwords, reconfigure systems, and conduct man-in-the-middle attacks to monitor and alter people's traffic [13621].
4. The incident highlighted the importance of robust security strategies and policies to protect network security, as well as the need for prompt reporting of product security risks to address vulnerabilities and develop solutions [13621].

Preventions:
1. Regular security audits and code reviews of the firmware in Huawei routers could have potentially identified and addressed the vulnerabilities before they could be exploited [13621].
2. Implementing secure coding practices and modernizing the codebase to eliminate "1990s-style code" could have prevented the exploitation of known vulnerabilities [13621].
3. Strengthening authentication mechanisms in the routers to prevent unauthorized access and changes to the system configuration could have mitigated the risk of attackers taking control of the devices [13621].
4. Enhancing encryption protocols and ensuring proper authentication in systems relying on encryption could have made it more difficult for attackers to spoof legitimate websites and intercept communications [13621].

Fixes:
1. Updating the firmware of the affected Huawei VRP routers to address the security holes and vulnerabilities identified by the German security researcher [13621].
2. Implementing rigorous security strategies and policies by Huawei to protect the network security of their customers, in line with industry standards and best practices in security risk and incident management [13621].
3. Promptly reporting all product security risks to the solutions provider to enable the vendor's CERT team to work on developing solutions and roll-out schedules to address identified security gaps and vulnerabilities [13621].

References:
1. German security researcher Felix Lindner, also known as "FX" [13621]
2. U.S.-based Huawei spokeswoman [13621]
3. Dan Kaminsky, security expert and chief scientist at DKH [13621]

Software Taxonomy of Faults

Category: Recurring
Option: one_organization, multiple_organization
Rationale:
(a) The software failure incident related to Huawei routers having security vulnerabilities has happened again within the same organization. The article mentions that a German security researcher uncovered security holes in routers made by Huawei, specifically the Huawei AR18 and AR 29 series, due to the use of "1990s-style code" in the firmware [13621].
(b) The software failure incident related to security vulnerabilities in Huawei routers could potentially impact multiple organizations that use these routers. The article highlights that Huawei routers are used by many Internet service providers in Asia, Africa, and the Middle East, and due to their affordability, they are increasingly being used in other parts of the world as well [13621].

Category: Phase (Design/Operation)
Option: design, operation
Rationale:
(a) The software failure incident related to the design phase is evident in the article as it discusses security vulnerabilities in routers made by Huawei due to the use of "1990s-style code" in the firmware of some Huawei VRP routers [13621]. This outdated code introduced during the development phase contributed to the security holes that could allow attackers to take control of the devices and intercept all the traffic running through the routers.
(b) The software failure incident related to the operation phase is also highlighted in the article when it mentions that attackers could log in as administrators, change admin passwords, and reconfigure the systems, allowing for interception of traffic. This misuse of the system by attackers is a result of vulnerabilities introduced during the design and development phases [13621].

Category: Boundary (Internal/External)
Option: within_system, outside_system
Rationale:
(a) within_system: The software failure incident related to the Huawei routers' security vulnerabilities was primarily due to the use of "1990s-style code" in the firmware of the routers, specifically the Huawei AR18 and AR 29 series [13621]. This outdated code within the system contributed to the vulnerabilities that could be exploited by attackers to take control of the devices and intercept traffic running through the routers.
(b) outside_system: The article mentions concerns about potential back doors in Huawei routers per the Chinese government's request, indicating a possible external influence on the system's security [13621]. Additionally, the statement from a U.S.-based Huawei representative emphasizes the company's commitment to security strategies and policies to protect network security, suggesting a response to external security risks and incidents.

Category: Nature (Human/Non-human)
Option: non-human_actions, human_actions
Rationale:
(a) The software failure incident in this case is primarily due to non-human actions, specifically vulnerabilities in the firmware of Huawei routers. The security researcher uncovered security holes in the routers due to the use of outdated "1990s-style code" in the firmware, which allowed attackers to exploit the systems and intercept all traffic running through the routers [13621].
(b) However, human actions also play a role in this incident as the researcher, Felix Lindner, identified and disclosed these vulnerabilities. Additionally, there are concerns raised about potential back doors in Huawei routers, which could be exploited by individuals with access to the network or assistance in running the network [13621].

Category: Dimension (Hardware/Software)
Option: hardware, software
Rationale:
(a) The software failure incident reported in the article is related to hardware vulnerabilities in routers made by Huawei. The German security researcher, Felix Lindner, identified security holes in Huawei routers due to the use of "1990s-style code" in the firmware of some Huawei VRP routers [13621]. These hardware vulnerabilities could allow attackers to take control of the devices and intercept all the traffic running through the routers.
(b) The software failure incident is also related to software vulnerabilities as the vulnerabilities were found in the firmware of the Huawei routers. The use of outdated code in the firmware of Huawei routers, specifically the AR18 and AR 29 series, was identified as a contributing factor to the security holes that could be exploited by attackers to gain access to the systems, change admin passwords, and reconfigure the routers [13621].

Category: Objective (Malicious/Non-malicious)
Option: malicious
Rationale:
(a) The software failure incident reported in the article is malicious in nature. The security researcher uncovered security holes in Huawei routers that could allow attackers to take control of the devices and intercept all the traffic running through the routers. The vulnerabilities could be exploited by attackers to log in as administrators, change passwords, and reconfigure the systems, potentially leading to spying on communications. Additionally, there are concerns about back doors in Huawei routers per the Chinese government's request, although the researcher mentioned that having Huawei personnel running the network could also pose a significant security risk [13621].

Category: Intent (Poor/Accidental Decisions)
Option: poor_decisions
Rationale:
(a) The software failure incident related to the Huawei routers was primarily due to poor decisions made in the design and implementation of the firmware. The vulnerabilities in the routers were attributed to the use of "1990s-style code" in the firmware of some Huawei VRP routers, which allowed attackers to exploit known vulnerabilities and take control of the devices [13621]. Additionally, there were concerns raised about potential backdoors in the routers, although the researcher highlighted that having numerous vulnerabilities in the routers themselves could serve as an effective attack vector without the need for explicit backdoors [13621]. These poor decisions in the design and security of the routers led to significant security risks for both the Internet service providers and their customers.

Category: Capability (Incompetence/Accidental)
Option: development_incompetence, unknown
Rationale:
(a) The software failure incident related to development incompetence is evident in the article as a German security researcher uncovered several security holes in routers made by Huawei due to the use of "1990s-style code" in the firmware of some Huawei VRP routers [13621]. This outdated code indicates a lack of professional competence in ensuring secure coding practices, leading to vulnerabilities that could allow attackers to take control of the devices and intercept traffic.
(b) The software failure incident related to accidental factors is not explicitly mentioned in the provided article.

Category: Duration
Option: temporary
Rationale:
The software failure incident reported in the article is temporary. The security holes in the Huawei routers, as identified by the German security researcher Felix Lindner, are vulnerabilities that could allow attackers to take control of the devices and snoop on people's traffic. These vulnerabilities are due to the use of "1990s-style code" in the firmware of some Huawei VRP routers, specifically the Huawei AR18 and AR 29 series [13621]. The incident is temporary because it is caused by specific vulnerabilities in the routers' firmware, which can be addressed and fixed through software updates and patches.

Category: Behaviour
Option: omission, value, other
Rationale:
(a) crash: The software failure incident in the article is not specifically described as a crash where the system loses state and does not perform any of its intended functions.
(b) omission: The vulnerability in the Huawei routers allowed attackers to take control of the devices and intercept all the traffic running through the routers, indicating an omission in performing the intended functions of securing the network [13621].
(c) timing: The software failure incident is not related to timing issues where the system performs its intended functions but at the wrong time.
(d) value: The vulnerability in the Huawei routers led to the system performing its intended functions incorrectly by allowing unauthorized access and control, leading to potential spying on communications [13621].
(e) byzantine: The software failure incident does not exhibit behaviors of inconsistency or erratic responses that would classify it as a byzantine failure.
(f) other: The software failure incident can be categorized as a security vulnerability that allowed unauthorized access and control over the Huawei routers, potentially compromising the security and privacy of the network users [13621].

IoT System Layer

Layer: Perception
Option: None
Rationale: None

Layer: Communication
Option: None
Rationale: None

Layer: Application
Option: None
Rationale: None

Other Details

Category: Consequence
Option: harm, property, theoretical_consequence
Rationale:
The consequence of the software failure incident discussed in the article is related to potential harm and property impact due to the vulnerabilities in Huawei routers. The security holes discovered in the routers could allow attackers to take control of the devices and intercept all the traffic running through them, potentially leading to harm by snooping on people's communications [13621]. Additionally, the ability for attackers to change admin passwords and reconfigure the systems could result in property impact, such as unauthorized access to sensitive data or manipulation of network traffic [13621].

Category: Domain
Option: information
Rationale:
(a) The software failure incident related to Huawei routers uncovered by the German security researcher impacted the production and distribution of information. The vulnerabilities in the routers could allow attackers to intercept and snoop on people's traffic, compromising the security and privacy of the information being transmitted through the affected systems [13621].
