A cursory search finds identical “backdoors” in D-Link, Cisco, and Sony devices, among others; poor security practice does not equate to malicious intent.
Huawei stands accused of implanting “hidden backdoors” into commercial telecom equipment and home internet routers sold to Vodafone Italia in 2009, according to a Bloomberg report published Tuesday. Naturally, Huawei is denying the accusations, while Vodafone told the BBC that “Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy’.”
This is familiar territory for Huawei, which has been fighting claims of corporate espionage for over a decade. In 2013, former CIA and NSA chief Michael Hayden accused Huawei of engaging in espionage on behalf of the Chinese government, while a Huawei spokesperson called it “tired nonsense we’ve been hearing for years” and “politically-inspired and racist corporate defamation.” In 2018, six US intelligence chiefs cautioned against buying Huawei or ZTE products, while the US carrier launch of the Mate 10 Pro was scuttled after pressure from Congress.
Ten years on, the “smoking gun” is an exposed Telnet interface
Bloomberg’s report hinges on a Telnet interface discovered by a third-party contractor hired by Vodafone Italia. The report describes “a two-month period during which Vodafone’s Italian unit discovered the telnet service, demanded its removal by Huawei and received assurances from the supplier that the problem was fixed,” but claims that Huawei then “refused to fully remove the backdoor, citing a manufacturing requirement.”
Telnet, for those unaware, is a protocol that provides access to a command-line interface on a remote device, typically used for configuration. Telnet dates back to 1969 and was not designed with security in mind: the base protocol has no encryption, so usernames, passwords, and every command in the session cross the network in cleartext, readable by anyone on the path. Telnet has largely fallen out of favor since the release of SSH in 1995. It does persist in some devices for local area network use, and inadvertent exposure of a Telnet interface beyond that local network has repeatedly been identified as a security vulnerability in other products.
Calling this a “smoking gun,” as Tim Culpan breathlessly put it in a companion editorial at Bloomberg, would mean that practically every other router vendor has a few bullet holes, as unsecured Telnet interfaces are a problem, writ large:
- In May 2018, Kaspersky Lab found that D-Link DIR-620 wireless routers have an exposed Telnet interface with hardcoded credentials, which D-Link refused to patch.
- Also in May 2018, a Brazilian ISP deployed nearly 5,000 routers without a Telnet password at all.
- In March 2017, 318 different models of Cisco switches were found to contain a vulnerability in the Cluster Management Protocol, a flaw in how the switches' Telnet service handled CMP-specific Telnet options, which allowed an unauthenticated outside user to take control of the device over Telnet. The vulnerability came to light when Cisco analyzed the Wikileaks “Vault 7” documents, a collection of material from the CIA.
- In December 2016, a vulnerability in “as many as 80 models” of Sony’s IPELA cameras allowed attackers to enable Telnet or SSH services. The cameras shipped with hardcoded credentials, and researchers noted that “The cameras aren’t designed to receive software updates so the zero-day exploits can’t be patched.”
- In September 2015, the SYNful Knock implant, a modified Cisco IOS image installed on routers whose administrator password had been discovered or left at a default, gave attackers a backdoor password for Telnet and console logins.
Update: After this article was published, Cisco disclosed the existence of a hardcoded SSH key pair in software used on Cisco Nexus 9000 series switches, allowing attackers connecting over IPv6 to gain root access via SSH, effectively constituting a backdoor.
There are a variety of other historical vulnerabilities involving hardcoded credentials that happen to include an enabled Telnet interface, as well as the Mirai botnet, which spread by logging into Internet of Things (IoT) devices over exposed Telnet interfaces using default credentials.
In terms of spycraft, the best backdoors are easily hidden and plausibly deniable. There is nothing remarkable about the nature of the vulnerability reported on by Bloomberg, and it is consistent with the findings of the UK’s Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board that Huawei struggles with “basic engineering competence and cybersecurity hygiene that lead to vulnerabilities that were capable of being exploited by a range of actors,” as ZDNet’s Steve Ranger reported.
That said, operators should put Telnet interfaces on ISP equipment behind firewalls, restricting them to management networks, rather than relying on vendors to explicitly disable them.
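As an added example (not code from the article or from any vendor named in it), the following Python audit shows the two checks a practitioner would actually run on equipment like this: identifying a Telnet service by its option negotiation rather than trusting the port number, and deciding whether that service is reachable from the WAN side or only from the LAN. The listener list, the banners, and the WAN address 203.0.113.7 and interface name eth0 are constructed for the example.

```python
"""Audit a device's listening services for Telnet exposed beyond the LAN.

Added example, not code from the article or any vendor. The listener
table below is constructed: it mimics what an operator would collect by
listing sockets on the device and grabbing the first bytes each service
sends after a TCP connect.
"""
import ipaddress
from dataclasses import dataclass

IAC = 0xFF
# Telnet option-negotiation commands that follow IAC (RFC 854):
# IAC WILL/WONT/DO/DONT <option>
NEGOTIATE = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}


def looks_like_telnet(banner: bytes) -> bool:
    """True if the banner opens with one or more Telnet negotiation
    triplets. This fingerprints Telnet regardless of port, so a service
    moved to 2323 or 10023 is still caught."""
    i = 0
    found = False
    while i + 2 < len(banner) and banner[i] == IAC:
        if banner[i + 1] not in NEGOTIATE:
            return False
        found = True
        i += 3  # skip IAC, command, option byte
    return found


@dataclass
class Listener:
    bind: str      # address the socket is bound to; "0.0.0.0" = every interface
    port: int
    banner: bytes  # first bytes the service sent after connect


# Constructed sample, not captured from a real device.
SAMPLE_LISTENERS = [
    # Telnet on the standard port, bound to every interface: WAN-reachable
    Listener("0.0.0.0", 23, b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27"),
    # Telnet moved to a non-standard port but bound only to the LAN address
    Listener("192.168.1.1", 2323, b"\xff\xfb\x01\xff\xfb\x03"),
    # SSH on every interface: not Telnet, not flagged by this audit
    Listener("0.0.0.0", 22, b"SSH-2.0-dropbear\r\n"),
    # HTTP on the WAN address: not Telnet
    Listener("203.0.113.7", 80, b"HTTP/1.1 400 Bad Request\r\n"),
]


def telnet_exposure(listeners, wan_addr):
    """Return [(port, 'WAN' | 'LAN')] for every listener that speaks Telnet.

    'WAN' means the socket is reachable on the public-facing address,
    either because it is bound to that address or to 0.0.0.0; 'LAN' means
    it is bound to some other (internal) address. The port number is not
    consulted for the verdict."""
    wan = ipaddress.ip_address(wan_addr)
    findings = []
    for l in listeners:
        if not looks_like_telnet(l.banner):
            continue
        bind = ipaddress.ip_address(l.bind)
        reachable_from_wan = bind.is_unspecified or bind == wan
        findings.append((l.port, "WAN" if reachable_from_wan else "LAN"))
    return findings


def wan_drop_rules(findings, wan_iface="eth0"):
    """Emit iptables rules that close each WAN-exposed Telnet port on the
    WAN interface, the operator-side fix the text recommends. The
    interface name is an assumption for the example."""
    return [
        f"iptables -A INPUT -i {wan_iface} -p tcp --dport {port} -j DROP"
        for port, where in findings
        if where == "WAN"
    ]


if __name__ == "__main__":
    found = telnet_exposure(SAMPLE_LISTENERS, "203.0.113.7")
    for port, where in found:
        print(f"Telnet on port {port}: reachable from {where}")
    for rule in wan_drop_rules(found):
        print(rule)
```

On the constructed sample the audit reports Telnet on port 23 as WAN-reachable and Telnet on port 2323 as LAN-only, and emits a single drop rule for port 23. The point of fingerprinting by IAC negotiation rather than by port is that vendors who "fix" an exposed Telnet service by moving it to another port, or by leaving it bound to 0.0.0.0 while documenting it as LAN-only, are still caught.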
So, what does it mean?
Bloomberg’s reporting is of no help to an already fraught situation filled with either spin or disinformation about Huawei, depending on your point of view. This is familiar territory for them, following their show-stopping report in October 2018 claiming the existence of hardware backdoors in products from Supermicro, without providing evidence.
In the wake of that report, Apple CEO Tim Cook called on Bloomberg to retract the story, while other companies named in the report as being in receipt of products with hardware backdoors were seen fleeing in the opposite direction so as to not be entangled in a maelstrom of misinformation. Patrick Kennedy at Serve the Home wrote a laudable point-by-point debunking of the claims.
This report will, regardless of its validity, doubtless be used as part of politically motivated bans of Huawei equipment ahead of global rollouts of 5G networks. Though there is ample reason to doubt Bloomberg’s reporting, that doubt is still not exculpatory for Huawei.