“For the 20th anniversary of Def Con the gift is China,” Recurity Labs chief Felix “FX” Lindner said as he opened his presentation.
“Nobody needs a back door; this is plausible deniability,” he quipped as he detailed weaknesses in three small Huawei routers that could be exploited using basic hacking techniques. “You get what you pay for. Sorry.”
Huawei routers, equipment that connects networks to the Internet, are widely used in Asia, Africa and the Middle East, and the company has been striving to gain ground in US and European markets, according to Germany-based Recurity.
Lindner and his teammate Gregor Kopf were particularly troubled that Huawei has not issued any security advisories about its routers to warn users to take precautions.
“These machines have serious security issues,” Kopf told AFP. “In my eyes, the greatest danger is that you don’t know how vulnerable it is; you’re left in the dark.”
Kopf referred to the routers studied by Recurity as having technology reminiscent of the 1990s and said that once attackers slipped in they could potentially run amok in networks.
“It looks pretty bad,” Kopf said. “To be fair, we only looked at three routers. But based on this sample, chances are other equipment they offer is very vulnerable.”
Recurity did not examine “big boxes,” large routers Huawei makes for businesses and telecom networks.
Huawei, founded by a former People’s Liberation Army engineer, has established itself as a major force in the global telecoms industry where its technology is widely used to build mobile phone networks.
Huawei is battling an image problem in the broader technology market due to its perceived close ties with the Chinese military and government.
It was recently blocked from bidding for contracts on Australia’s ambitious national broadband project, reportedly due to concerns about cyber-security.
The company has in the past also run afoul of US regulators and lawmakers because of worries over its links with the Chinese military and Beijing — fears that Huawei has dismissed.
“It doesn’t really matter how much intention is behind the quality that we see,” said Lindner. “If you can take over people’s routers you can get into their stuff. People need to verify what they are dealing with before they buy.”