Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
China Technology

Vodafone Denies Bloomberg Report on Security Flaws in Huawei Equipment (axios.com) 154

Vodafone denied a Bloomberg report on Tuesday that stated it had found "backdoors" hidden in Huawei equipment supplied to its Italian business dating back years, per BBC . From a report: What they're saying: Vodafone said the "backdoors" in the report were actually a common industry protocol: "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet. Bloomberg is incorrect in saying that this 'could have given Huawei unauthorised access to the carrier's fixed-line network in Italy.' In addition, we have no evidence of any unauthorised access. This was nothing more than a failure to remove a diagnostic function after development."
This discussion has been archived. No new comments can be posted.

Vodafone Denies Bloomberg Report on Security Flaws in Huawei Equipment

Comments Filter:
  • by AmiMoJo ( 196126 ) on Tuesday April 30, 2019 @11:14AM (#58516812) Homepage Journal

    The vulnerability was a telnet shell, only accessible from inside the network, and the reason they wanted it turned off was to stop the customers controlling the equipment they were renting, not because of Chinese spying.

    • I expect the truth is in the middle.

      Having Telnet Port open after 1998 (20 years ago) is bad. At this point the ability to packet sniff was common, and enough people were getting access to these systems to make it a security risk. Having a Telnet Shell even on your internal network, is either gross incompetence, or a nice little back door, for the people who wants to monitor information, without having to directly connect to your device.

      • Having Telnet Port open after 1998 (20 years ago) is bad.

        Almost. Like TLS, SSH used RSA for server keys at the time, and the U.S. patent on RSA subsisted until September 2000. So 18 1/2 years ago might be more honest.

        • Re:RSA patent (Score:4, Interesting)

          by mysidia ( 191772 ) on Tuesday April 30, 2019 @03:35PM (#58518240)

          Some embedded equipment doesn't have the resources to run crypto algorithms or the SSH daemon, Or
          due to export regulations -- a choice was made to not provide SSH Support.

          Or, the SSH daemon was buggy and Telnet was more reliable.

          Some such equipment can still be found in production all over the world, And there is a way to secure it without replacing the equipment (expensive) that does not require disabling Telnet, either.

          The solution is called segmented management network. A private IP network is created solely for accessing the Telnet ports.

          The administrator uses SSH to access a secure device which only administrators are allowed to access that is directly connected to the same private IP subnet as the equipment to be managed.

          The device ports on this management subnet are on an an Isolated VLAN in Private VLAN group, and the management concentrators are on Promiscuous VLAN in that Private VLAN group --- the result is the user of the administrator box and only a user of the administrator box can access devices by Telnet.

      • by Anonymous Coward

        Its a tty serial connection. you have to physically be at the device to access it and this is common on most network equipment, again it's for diagnostics.

        • by tk77 ( 1774336 )

          Its a tty serial connection. you have to physically be at the device to access it and this is common on most network equipment, again it's for diagnostics.

          Do you have a source for this? I looked a few of the articles where Vodafone denies the report and all they mention is that the issue was that Telnet was available and not accessible from the internet. This leads me to assume it was just enabled on a LAN or Admin LAN interface.

          Serial connections don't generally need telnet. You connect using terminal software (minicom, screen, putty, cu, etc.. ). Telnet is generally used over a network.

          • Re: (Score:2, Interesting)

            by Anonymous Coward

            Most network gear I've used, has options for serial, telnet, ssh, and more. It's about options, and not locking a customer into anything.

            Telnet security is relative. For example, if you plug something directly into your computer, network port to network port, telnet is hardly insecure with plain text data/passwords. Is something in the cable spying? Transmitting it over the air?!

            There are other reasons to have telnet too. I use it on some network gear, but with users with lower permissions. EG, to get

          • by mysidia ( 191772 )

            Serial connections don't generally need telnet. You connect using terminal software

            Sometimes serial Access Concentrators of various types are used --- for example, the installer uses a rollover cable to connect
            the serial AUX port from a router to the serial console port of another device (The "other" device may be an additional router, modem, or
            something such as an IP voice gateway), then you enable a configuration such as

            line aux 0
            login
            transport input telnet
            speed 9600
            flowcontrol hardware
            access-class

        • by AJWM ( 19027 )

          Telnet is not a tty serial connection.

          You can do telnet over a serial connection (eg, using SLIP), but they're different things. It's also not uncommon (or wasn't in the past) to have some kind of ethernet-to-serial box so you could do those "tty only" diagnostics remotely (but that's not what they're talking about).

          TFS says telnet, above poster says tty. So which was it?

      • Re: (Score:1, Interesting)

        by Anonymous Coward

        Having a Telnet Shell even on your internal network, is either gross incompetence, or a nice little back door, for the people who wants to monitor information, without having to directly connect to your device.

        I wouldn't say that is true as a blanket statement.
        Often the case perhaps, and likely once put in the hands of the incompetent sure.

        But the two facts of A) it can be done securely, and B) this wasn't on their "internal network", are one of the few use cases that can be legit.

        As one example I have a serial multiplexing terminal here, 16 serial ports on one end, and ethernet on the other where each serial port has a TCP port linked to it.
        As I have two servers that need to talk to the device, each has a dedica

      • by AmiMoJo ( 196126 )

        It's probably there for engineers visiting on site or remoting in to the user's computer to do some more advanced diagnostics with. It's not that uncommon with home routers.

        Password will be the same as for the web interface so it's really no less secure than the other way you control the thing. Of course the web interface doesn't use HTTPS either. Password is typically random and decent, printed on a sticker on the bottom of the router. Main danger is that they keygen it from the MAC address instead of rand

      • by mysidia ( 191772 )

        Having a Telnet Shell even on your internal network, is either gross incompetence, or a nice little back door

        This is not necessarily either. A very tightly-controlled internal network is exactly the situation under which the Telnet protocol is still safe to use for system management.

        If the Telnet port is exposed but requires valid credentials to work and the administrator does not actually use the Telnet port, then there is no security exposure or attack surface (Other than the possibility of a badly

      • Something being "bad" and being "malicious" are so much different that they should not be used in the same context. Also "Telnet is bad" is a very generalised position and was not shared by (for example) Cisco, at the last time I bought a Cisco device, which should be around 2006 or 2007. Besides port 23 being open by default in all IOS releases we received back then, I even remember one or two NAS images that had primary 8000+ series ports enabled by default.
        So I share the view in general if you mean "usi
    • A Telnet shell even inside a network is a bad vulnerability. The other part is that after it was requested to be “removed” by Vodaphone, they found it had merely been hidden and could still be launched. Sure that could be chalked up to negligence and laziness rather than malevolence.
      • by kevinbr ( 689680 )

        A Telnet shell even inside a network is a bad vulnerability. The other part is that after it was requested to be “removed” by Vodaphone, they found it had merely been hidden and could still be launched. Sure that could be chalked up to negligence and laziness rather than malevolence.

        I have worked with Vodafone in the past as well as Huawei as used by Vodaphone. Bloomberg sidestep a lot of stuff like: Vodaphone have a tightly controlled global security group who sign off on all projects, people like us who define security and audit closely Huawei in terms of what they do, and very very tight ways to get into a production network via a single gateway that is audited as well as auditing all firewall rules etc etc etc ...... If a router had telnet? So what? It would have never been able to

        • I guess what happened was that Telnet was found; it was requested to be removed. The Huawei engineers didn’t think they could do that easily or quickly without understanding the impact so they hid it and disabled the service while figuring how to remove it without major disruptions. Their problem was they didn’t communicate the full plan to Vodafone. “Yes we will remove it; but we need more time to assess how best to do that. For now we will disable it.”
          • by kevinbr ( 689680 )

            Most routers and servers support telnet. Having worked over three years on a long running Huawei/Vodafone project and having visited Huawei headquarters three times, my experience is that Huawei will work with you and never tried to hide stuff. Huawei telnet can be configured as off on their routers. OK cool. I cannot imagine Vodaphone demanding that the actual telnet code was removed. It certainly was never demanded in my project and was a higher level of security than normal ( payments) and certainly grou

    • by bn-7bc ( 909819 )
      Telnet in 2019 sigh, ok lan access only but still, ssh is not exactly new, and even windows has an ssh client now, so why telnet?
    • by gweihir ( 88907 ) on Tuesday April 30, 2019 @02:49PM (#58517992)

      Lies, larger lies, and this one here is pretty much a "Big Lie" by Bloomberg. Either they are terminally incompetent or they just have stopped caring about the truth completely. An open telnet port is not hidden or secret in any way. It is immediately obvious with a simple, basic port-scan or listing the open ports or running processes on the machine itself. It usually has a non-routed IP on such equipment, which makes it unreachable remotely even if accidentally connected to the Internet. But it is per default only reachable on the "LAN" port(s), not the WAN port(s). Even ElCheapo home-routers have this type of protection.

      I have some doubts as to them wanting the users to not access this as the cause for the change request. Data-center equipment often has physical serial ports on the machine itself that does not require a log-in user name and password (unlike the telnet port). These serve as emergency access and they are one reason why you lock your rack. Of course, it could be that the users did not have physical access, in which case the claim could be accurate.

      Anyways, this is a complete non-story about a minor, routine configuration change.

    • It is not that simple. All Cisco switches have telnet too. Nowadays, SSH is used to manage switches (I guess you could use their horrible web/GUI thingy to manage it too). Regardless, it is not just for diagnostics, it is how you manage the switch/router.

  • The same people (Score:5, Interesting)

    by ArchieBunker ( 132337 ) on Tuesday April 30, 2019 @11:17AM (#58516824)

    Didn't Bloomberg fabricate the story about Amazons servers being compromised at the hardware level? Everyone denied the claims and no proof was ever produced.

    • by Major Blud ( 789630 ) on Tuesday April 30, 2019 @11:20AM (#58516840) Homepage
      Yep, Amazon and Apple: https://www.bloomberg.com/news... [bloomberg.com] They still haven't shown any proof or issued a retraction. It almost feels like Bloomberg is deliberately trolling now with this latest story.
      • by Major Blud ( 789630 ) on Tuesday April 30, 2019 @11:27AM (#58516904) Homepage
        That being said, leaving Telnet enabled by default (or using Telnet at all, instead of SSH) is still pretty lousy.
        • Having a Telnet port is like having your business doors unlocked, with a huge neon sign saying come in we are open.
          Even the White Hat Ethical Hackers would probably get into the system with a Telnet Port open.

        • by Bert64 ( 520050 )

          Depends, Windows has only just started shipping an ssh client in the latest versions - prior to that all you got was telnet.

          • The Telnet client wasn't enabled by default in the past few iterations of Windows (going back to Windows 7 I think). Anybody with the know-how would have had Putty anyways.
            • Telnet CLIENT wouldn't be an issue, it would be a telnet SERVER that would be a problem.

              • Yeah, but you wouldn't be able to connect to the Huawei equipment in question without first enabling the Windows Telnet CLIENT (or installing Putty, which anybody wanting to do so would probably already have anyway).
        • That being said, leaving Telnet enabled by default (or using Telnet at all, instead of SSH) is still pretty lousy.

          No. Disabling it by default would be lousy. Not disclosing it would be lousy. Having a password of 12345 would be lousy. But having this accessible in the first place is somewhat equivalent to being able to get to an admin page of a router that you just plugged in the first time.

          It's up to the user to secure it once they are done with the setup.

      • by Anonymous Coward

        Funny how neither Apple nor Amazon took any legal action, you absolute fucktard.

    • Re: (Score:1, Troll)

      by Freischutz ( 4776131 )

      Didn't Bloomberg fabricate the story about Amazons servers being compromised at the hardware level? Everyone denied the claims and no proof was ever produced.

      That will not stop Republican pundits from citing both stories as proof of Huawei spying for China.

      • by PPH ( 736903 ) on Tuesday April 30, 2019 @11:42AM (#58516984)

        Republican pundits

        Michael Bloomberg is a Democrat (again).

        • Republican pundits

          Michael Bloomberg is a Democrat (again).

          But he's doing the government's bidding in propagating these fabrications. Who knows who's paying for this or applying other forms of pressure?

          • by PPH ( 736903 )

            doing the government's bidding

            Or his own. In addition to being a news/publishing outfit, Bloomberg is also in the data and applications business. He may perceive Huawei as a competitor or a hindrance to future plans to disseminate information and control markets.

          • by gtall ( 79522 )

            Yep, I'll bet Bloomberg personally wrote this story, the nerve of him.

        • In GP's defense, he's only been calling himself a democrat for, like 20 minutes. He claimed to be a republican or independent from 2001 - 2018. I don't, however, think it is useful to bring up his party loyalties because he doesn't seem to have any.

        • Republican pundits

          Michael Bloomberg is a Democrat (again).

          And Trump used to be a New York democrat, now he is the anointed god emperor of the American right wing, ... things change

          • by dryeo ( 100693 )

            And Hillary started out as a Republican

            • And Hillary started out as a Republican

              And the entire Southern flank of the Democrats became Republicans in the 60s and 70s. In politics turncoating is a favourite sport.

              • by dryeo ( 100693 )

                It does seem more common in American politics, perhaps due to the lack of political parties.

      • Didn't Bloomberg fabricate the story about Amazons servers being compromised at the hardware level? Everyone denied the claims and no proof was ever produced.

        That will not stop Republican pundits from citing both stories as proof of Huawei spying for China.

        The earlier Bloomberg story has nothing to do with Huawei.

        • by Holi ( 250190 )
          And yet the situation is nearly identical. 1. Bloomberg makes fantastic libelous claim against. 2. Bloomberg's source publicly denies Bloomberg's claims. 3. Bloomberg doubles down on story while offering no evidence and no sources are able to be found that can independently verify the claims. 4. still makes a fucking profit.
          • And yet the situation is nearly identical. 1. Bloomberg makes fantastic libelous claim against. 2. Bloomberg's source publicly denies Bloomberg's claims. 3. Bloomberg doubles down on story while offering no evidence and no sources are able to be found that can independently verify the claims. 4. still makes a fucking profit.

            Yes but the post to which I was replying suggested that both stories would be used against Huawei, when the first Bloomberg piece was about a completely different manufacturer. I also don't think there is an upside for Bloomberg here. The damage they are doing to their reputation is far worse than whatever meager clicks these stories will have generated.

    • by gweihir ( 88907 )

      That is unclear. It was certainly not used in any mass-compromise. It may just have been something done in a lab to see whether it is possible. The tech angle was credible, but you are right, no deployed instances of this were ever found.

      This here is different. An open telnet maintenance port is not "hidden" or "secret" in any way. It is also universally internal-facing (precisely because it is an easy configuration error to make) and has an IP address that is not globally routed (again, because it is a com

  • by hiroshimarrow ( 5489734 ) on Tuesday April 30, 2019 @11:18AM (#58516832)

    is important. But it isn't Freedom for the Press to say anything they want without research and referable sources.

    I miss the glory days of my youth where I of journalists as being trustworthy people to believe. Who, What, When, Where, Why, How is what I know now to be a fantasy... but it was good fantasy for kid. Questions to be asked of sources and verified with another source never happens anymore. It is just "what did some rando say on twitter that I can repeat and add 372 of my own characters to?"

    • Comment removed based on user account deletion
      • I think the biggest consequence is for the owner, as his name gets associated with the lack of credibility. OTOH, after he tried to tell people how much soda to drink, he may be ignored by default anyways.
    • by bob4u2c ( 73467 )

      I miss the glory days of my youth where I of journalists as being trustworthy people to believe.

      Journalists never were this mythical force for truth and exposing the corrupt. Look back at even the earliest newspapers and you will find so many opinion pieces or flat out false stories it would make your head spin. Political news was and still is the worst, each candidate was usually backed by some major paper thats entire purpose was to paint the opponent out to be Satan (often times cartoons depicted candidates with horns and pitchforks).

      Hollywood has perpetrated this myth that journalists are out

      • by Anonymous Coward

        In the old days, there were "editorials" and "option" sections of the newspaper. They were VERY clearly labelled as so, and were chocked just full of option.

        In those days, there were *some* pains to make actual, real news verifiable. It's a little like how older commercials, like those in the 30s, or 50s were completely different than those of today. They'd just stand up and blather on about how good a product is, where as commercials today are immensely more sophisticated than their older brethren.

        Even

    • But it isn't Freedom for the Press to say anything they want without research and referable sources.

      Yes it is. Libel is an after-the-fact tort, and can't be used for prior restraint [wikipedia.org].

      Bloomberg has a right to continue to publish unsubstantiated garbage.

    • Given that they could take a bag of detergent from Iraq and launch a major war that cost taxpayer a trillion dollar, what else they couldn't spin up given a sufficient profit sharing prospect?

    • I'm trying to decide if this is malicious or just idiocy. I've had waaaay too many "IT Pros" in industry who don't have a god damn clue what FTP, Telnet, SSH, or SCH are. I could see a reporter hearing about Telnet being on by default and then finding out that it can be a security risk. With a little bit of poorly misunderstood math (2+2=Lemon) getting that these routers are maliciously set up for spying.

      On the other hand Bloomberg could just be a left leaning National Enquirer.
  • by B'Trey ( 111263 ) on Tuesday April 30, 2019 @11:19AM (#58516838)

    "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet."

    Uhm, why not? It's certainly possible the protocol was only enabled on interior ports or something, but telnet still works just fine over the Internet. Insecure as hell, yes, but it works. And a protocol and a backdoor are not the same thing. A protocol is a technical specification for communication. A backdoor is an undocumented channel of communication, particularly one granting high levels of access. It doesn't matter whether the protocol was telnet, ssh, a REST API or any other means of communication. If it provided an undocumented way into the system, it was a backdoor.

    • It's certainly possible the protocol was only enabled on interior ports or something, but telnet still works just fine over the Internet. Insecure as hell, yes, but it works.

      Of course telnet works over the internet. How else can one watch Star Wars done in ASCII art?

      telnet towel.blinkenlights.nl

      (although since "telnet" probably isn't included with your computer, you might have better luck with

      nc -v towel.blinkenlights.nl 23
      )

    • If the equipment itself was not accessible to the internet, then Telnet was not accessible. A well designed network will control who can connect to internal gear like this, no matter what protocols were open on it.

    • by gweihir ( 88907 )

      Uh, because by default these are only open to internal interfaces, _precisely_ to make their use more secure? Which is something that is _standard_. Also, even if it is open to the Internet (which usually requires a configuration change), you still need an username and password to do anything.

      Seriously, this is a complete non-story.

  • The degree of hate is strong in this post. The new Slashdot Overlords have certainly allowed the Slashdot brand to be devalued.

  • Bloomberg spreading FUD and misinformation? How could that be? I can't believe such a well respected news source would stoop so low as to misreport something like this. Right. (Heavy Sarcasm intended, for those whose sarcasm detector is broken/malfunctioning!)
  • First the Supermicro story, which no one except Bloomberg agrees with, now this. They must have had massive cuts in the editing department.

  • Two stories in the same page contradicting each other.
    Slashdot, you are doomed to die!

  • Well, probably both. Their relationship with the truth is pretty distant in any case.

    A telnet port left open from maintenance is a common occurrence. It is an easy to make misconfiguration. It is so common, in fact, that it gets tested for routinely in acceptance tests. It is then found reliably (because it is not "hidden" or "secret" in any way, but blatantly obvious) and fixed and that is it.

  • I would consider an intentionally open telnet port to be a backdoor. Not only is it unnecessary and insecure. Its been known to be insecure for well over a decade. You use SSH. The original article stated that Huawei refused to disable the port when asked by Vodaphone. I don't see anything in this article or the BBC one it references that disputes that. However Vodaphone is saying that Huawei cooperated in general terms so maybe they did, maybe they didn't. The catch is that its hard to know if leaving teln
  • I'm glad they think it's an innocuous bit of diag code, but neverthess it's there, and with only a lilbit of code it's in a position to create havoc in the system, or just listen. Vodaphone doesn't say that their -testing- proved it's entirely innocuous and can be disregarded. Until it's independently verified as safe, by a reputable org/business/somedangbody, I'll remain concerned. I'm nowhere near a Luddite, but as I get older, and see the direction this whole thing's going, I'm loathing the whole intertu

  • How does Bloomberg have any credibility anymore? Didn't they report that Super Micro had chips embedded in their motherboards that phoned home to the Chinese spy agencies just last year?
  • This was nothing more than a failure to remove a diagnostic function after development.

    Not the first time I've heard that excuse. At worst it's malicious. At best it's just plain stupid.

    • by Anonymous Coward

      For a minute I thought you were talking about Bloomberg. Just pull a list of devices IoT devices that have Telnet port open since 2000 and see how many US equipment manufacturers are there. Hints: the list includes Cisco..

  • And you folks are going to accept what some person at Vodaphone said?
    Did the Vodaphone statement come from Vodaphone's lawyers?
    Is the Vodaphone statement a full disclosure of all vulnerabilities found, or just one of many?

    Suppose someone ran an article that your bank had been using equipment that was found to have had with a vulnerability some time in the past.
    Suppose that your bank's corporate spokesperson then said "Oh, no, everything is fine. You are all safe here with us."
    Are you going to think the ban

  • This is an incredibly important story reported by Bloomberg with serious implications. Unfortunately, Vodafone's denial only reminds me that Bloomberg also had a disputed report earlier about malfeasance at TrendMicro. In that case, the report was similarly as important with just as momentous ramifications. It all makes me start to wonder ...

  • The way this story is brought, from the headline it looks as if vodafone is stupid for denying actual facts.

    But reading the story, it looks very much like vodafone knows what they are talking about and bloomberg is the one who is fabricating stories.

  • Well, this makes it obvious: don't trust American press organs, as they just patriotically reprint what their contacts in the Intelligence community tell them; this is straight up propaganda

"If there isn't a population problem, why is the government putting cancer in the cigarettes?" -- the elder Steptoe, c. 1970

Working...