Vodafone Denies Bloomberg Report on Security Flaws in Huawei Equipment (axios.com)
Vodafone denied a Bloomberg report on Tuesday that stated it had found "backdoors" hidden in Huawei equipment supplied to its Italian business dating back years, per BBC. From a report: What they're saying: Vodafone said the "backdoors" in the report were actually a common industry protocol: "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet. Bloomberg is incorrect in saying that this 'could have given Huawei unauthorised access to the carrier's fixed-line network in Italy.' In addition, we have no evidence of any unauthorised access. This was nothing more than a failure to remove a diagnostic function after development."
And the truth comes out (Score:5, Informative)
The vulnerability was a telnet shell, only accessible from inside the network, and the reason they wanted it turned off was to stop the customers controlling the equipment they were renting, not because of Chinese spying.
Re: (Score:1)
I expect the truth is in the middle.
Having a Telnet port open after 1998 (20 years ago) is bad. At this point the ability to packet sniff was common, and enough people were getting access to these systems to make it a security risk. Having a Telnet shell even on your internal network is either gross incompetence or a nice little back door for the people who want to monitor information without having to directly connect to your device.
RSA patent (Score:2)
Having Telnet Port open after 1998 (20 years ago) is bad.
Almost. Like TLS, SSH used RSA for server keys at the time, and the U.S. patent on RSA subsisted until September 2000. So 18 1/2 years ago might be more honest.
Re:RSA patent (Score:4, Interesting)
Some embedded equipment doesn't have the resources to run crypto algorithms or the SSH daemon, or, due to export regulations, a choice was made to not provide SSH support.
Or, the SSH daemon was buggy and Telnet was more reliable.
Some such equipment can still be found in production all over the world, and there is a way to secure it without replacing the equipment (expensive) that does not require disabling Telnet, either.
The solution is called segmented management network. A private IP network is created solely for accessing the Telnet ports.
The administrator uses SSH to access a secure device which only administrators are allowed to access that is directly connected to the same private IP subnet as the equipment to be managed.
The device ports on this management subnet are on an isolated VLAN in a private VLAN group, and the management concentrators are on the promiscuous VLAN in that private VLAN group. The result is that the user of the administrator box, and only a user of the administrator box, can access devices by Telnet.
Re: (Score:1)
It's a tty serial connection. You have to physically be at the device to access it, and this is common on most network equipment; again, it's for diagnostics.
Re: (Score:2)
It's a tty serial connection. You have to physically be at the device to access it, and this is common on most network equipment; again, it's for diagnostics.
Do you have a source for this? I looked at a few of the articles where Vodafone denies the report and all they mention is that the issue was that Telnet was available and not accessible from the internet. This leads me to assume it was just enabled on a LAN or admin LAN interface.
Serial connections don't generally need telnet. You connect using terminal software (minicom, screen, putty, cu, etc.). Telnet is generally used over a network.
Re: (Score:2, Interesting)
Most network gear I've used has options for serial, telnet, ssh, and more. It's about options, and not locking a customer into anything.
Telnet security is relative. For example, if you plug something directly into your computer, network port to network port, telnet is hardly insecure with plain text data/passwords. Is something in the cable spying? Transmitting it over the air?!
There are other reasons to have telnet too. I use it on some network gear, but with users with lower permissions. EG, to get
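The plaintext-password point in the comment above, worked through as an added example (this is not code from the original thread or from any vendor): a small Python reconstruction of what a passive sniffer on the same segment recovers from a Telnet login. The session bytes are constructed here to look like a typical telnetd exchange (option negotiation, `login:` and `Password:` prompts, server-side echo of the username, no echo of the password); the hostname, user name and password are invented.

```python
"""Recover a login/password pair from a captured Telnet session.

Added example: models what a passive sniffer on the same network segment
sees when someone logs in over Telnet. The capture below is constructed.
"""
import re

IAC, SE, SB = 0xFF, 0xF0, 0xFA
WILL, WONT, DO, DONT = 0xFB, 0xFC, 0xFD, 0xFE

PROMPT_USER = re.compile(rb"(login|username)\s*:\s*$", re.IGNORECASE)
PROMPT_PASS = re.compile(rb"password\s*:\s*$", re.IGNORECASE)


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Drop IAC command sequences (RFC 854) and return the application bytes.
    IAC IAC is an escaped literal 0xFF; WILL/WONT/DO/DONT carry one option byte;
    SB ... IAC SE is a sub-negotiation block; any other command is two bytes."""
    out = bytearray()
    i, n = 0, len(data)
    while i < n:
        b = data[i]
        if b != IAC:
            out.append(b)
            i += 1
        elif i + 1 >= n:
            break                      # truncated IAC at end of capture
        elif data[i + 1] == IAC:
            out.append(IAC)
            i += 2
        elif data[i + 1] in (WILL, WONT, DO, DONT):
            i += 3
        elif data[i + 1] == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = n if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)


def extract_credentials(segments):
    """segments: (direction, raw_bytes) pairs in capture order, direction 'c2s'
    (client to server) or 's2c'. Returns [(username, password), ...].
    The server's prompts say which field the client is typing; the client's
    keystrokes (with backspace/DEL honoured) are the answer up to CR."""
    creds, pending_user = [], None
    field, typed, server_tail = None, bytearray(), b""
    for direction, raw in segments:
        data = strip_telnet_negotiation(raw)
        if direction == "s2c":
            server_tail = (server_tail + data)[-64:]
            if PROMPT_USER.search(server_tail):
                field, typed = "user", bytearray()
            elif PROMPT_PASS.search(server_tail):
                field, typed = "pass", bytearray()
            continue
        if field is None:
            continue                   # client bytes outside a prompt (e.g. shell commands)
        for b in data:
            if b in (0x08, 0x7F):      # BS / DEL: remove the last typed character
                if typed:
                    typed.pop()
            elif b in (0x0D, 0x0A):    # CR (Telnet sends CR NUL or CR LF) ends the field
                value = typed.decode("latin-1")
                if field == "user":
                    pending_user = value
                else:
                    creds.append((pending_user, value))
                field = None
                break
            elif b != 0x00:
                typed.append(b)
    return creds


# Constructed capture of one login. Option codes: 0x18 TTYPE, 0x01 ECHO, 0x03 SGA.
CAPTURE = [
    ("s2c", b"\xff\xfd\x18\xff\xfb\x01\xff\xfb\x03"),      # DO TTYPE, WILL ECHO, WILL SGA
    ("c2s", b"\xff\xfc\x18\xff\xfd\x01\xff\xfd\x03"),      # WONT TTYPE, DO ECHO, DO SGA
    ("s2c", b"\r\ncpe-gw login: "),
    ("c2s", b"a"), ("s2c", b"a"), ("c2s", b"d"), ("s2c", b"d"),  # username is echoed
    ("c2s", b"m"), ("s2c", b"m"), ("c2s", b"i"), ("s2c", b"i"),
    ("c2s", b"n"), ("s2c", b"n"), ("c2s", b"\r\x00"),
    ("s2c", b"\r\nPassword: "),                            # password is not echoed
    ("c2s", b"h"), ("c2s", b"u"), ("c2s", b"n"), ("c2s", b"t"),
    ("c2s", b"e"), ("c2s", b"r"), ("c2s", b"3"), ("c2s", b"\x7f"), ("c2s", b"2"),
    ("c2s", b"\r\x00"),
    ("s2c", b"\r\nLast login: Tue Apr 30 on pts/0\r\n$ "),
]

if __name__ == "__main__":
    for user, password in extract_credentials(CAPTURE):
        print(f"recovered credentials: {user!r} / {password!r}")
```

The same logic applied to a real pcap only needs the TCP stream split into the two directions (e.g. with tshark's follow-stream output); nothing about the protocol has to be broken, which is the whole point of the "plain text" objection. Over a direct cable there is no third party to do this, which is the distinction the comment above draws.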
Re: (Score:2)
Serial connections don't generally need telnet. You connect using terminal software
Sometimes serial access concentrators of various types are used. For example, the installer uses a rollover cable to connect the serial AUX port from a router to the serial console port of another device (the "other" device may be an additional router, modem, or something such as an IP voice gateway), then you enable a configuration such as
line aux 0
login
transport input telnet
speed 9600
flowcontrol hardware
access-class
Re: (Score:2)
Telnet is not a tty serial connection.
You can do telnet over a serial connection (eg, using SLIP), but they're different things. It's also not uncommon (or wasn't in the past) to have some kind of ethernet-to-serial box so you could do those "tty only" diagnostics remotely (but that's not what they're talking about).
TFS says telnet, above poster says tty. So which was it?
Re: (Score:1, Interesting)
Having a Telnet shell even on your internal network is either gross incompetence or a nice little back door for the people who want to monitor information without having to directly connect to your device.
I wouldn't say that is true as a blanket statement.
Often the case perhaps, and likely once put in the hands of the incompetent sure.
But the two facts of A) it can be done securely, and B) this wasn't on their "internal network", are one of the few use cases that can be legit.
As one example I have a serial multiplexing terminal here, 16 serial ports on one end, and ethernet on the other where each serial port has a TCP port linked to it.
As I have two servers that need to talk to the device, each has a dedica
Re: (Score:2)
It's probably there for engineers visiting on site or remoting in to the user's computer to do some more advanced diagnostics with. It's not that uncommon with home routers.
Password will be the same as for the web interface so it's really no less secure than the other way you control the thing. Of course the web interface doesn't use HTTPS either. Password is typically random and decent, printed on a sticker on the bottom of the router. Main danger is that they keygen it from the MAC address instead of rand
Re: (Score:2)
Having a Telnet Shell even on your internal network, is either gross incompetence, or a nice little back door
This is not necessarily either. A very tightly-controlled internal network is exactly the situation under which the Telnet protocol is still safe to use for system management.
If the Telnet port is exposed but requires valid credentials to work and the administrator does not actually use the Telnet port, then there is no security exposure or attack surface (Other than the possibility of a badly
Re: And the truth comes out (Score:1)
Re: (Score:2)
So I share the view in general if you mean "usi
Re: (Score:2)
Re: (Score:3)
Re: (Score:1)
A Telnet shell even inside a network is a bad vulnerability. The other part is that after it was requested to be “removed” by Vodafone, they found it had merely been hidden and could still be launched. Sure, that could be chalked up to negligence and laziness rather than malevolence.
I have worked with Vodafone in the past as well as Huawei as used by Vodafone. Bloomberg sidesteps a lot of stuff like: Vodafone has a tightly controlled global security group who sign off on all projects, people like us who define security and closely audit Huawei in terms of what they do, and very very tight ways to get into a production network via a single gateway that is audited, as well as auditing all firewall rules etc. ...... If a router had telnet? So what? It would have never been able to
Re: (Score:2)
Re: (Score:3)
Most routers and servers support telnet. Having worked over three years on a long-running Huawei/Vodafone project and having visited Huawei headquarters three times, my experience is that Huawei will work with you and never tried to hide stuff. Huawei telnet can be configured as off on their routers. OK cool. I cannot imagine Vodafone demanding that the actual telnet code was removed. It certainly was never demanded in my project and was a higher level of security than normal (payments) and certainly grou
Re: (Score:1)
Re:And the truth comes out (Score:5, Informative)
Lies, larger lies, and this one here is pretty much a "Big Lie" by Bloomberg. Either they are terminally incompetent or they just have stopped caring about the truth completely. An open telnet port is not hidden or secret in any way. It is immediately obvious with a simple, basic port-scan or listing the open ports or running processes on the machine itself. It usually has a non-routed IP on such equipment, which makes it unreachable remotely even if accidentally connected to the Internet. But it is per default only reachable on the "LAN" port(s), not the WAN port(s). Even ElCheapo home-routers have this type of protection.
I have some doubts as to them wanting the users to not access this as the cause for the change request. Data-center equipment often has physical serial ports on the machine itself that do not require a log-in user name and password (unlike the telnet port). These serve as emergency access and they are one reason why you lock your rack. Of course, it could be that the users did not have physical access, in which case the claim could be accurate.
Anyways, this is a complete non-story about a minor, routine configuration change.
Re: (Score:2)
It is not that simple. All Cisco switches have telnet too. Nowadays, SSH is used to manage switches (I guess you could use their horrible web/GUI thingy to manage it too). Regardless, it is not just for diagnostics, it is how you manage the switch/router.
The same people (Score:5, Interesting)
Didn't Bloomberg fabricate the story about Amazon's servers being compromised at the hardware level? Everyone denied the claims and no proof was ever produced.
Re:The same people (Score:5, Interesting)
Re:The same people (Score:5, Insightful)
Re: (Score:3)
Having a Telnet port is like having your business doors unlocked, with a huge neon sign saying come in we are open.
Even the White Hat Ethical Hackers would probably get into the system with a Telnet Port open.
Re: (Score:2)
Depends, Windows has only just started shipping an ssh client in the latest versions - prior to that all you got was telnet.
Re: (Score:3)
Re: (Score:2)
Telnet CLIENT wouldn't be an issue, it would be a telnet SERVER that would be a problem.
Re: (Score:2)
Re: (Score:2)
That being said, leaving Telnet enabled by default (or using Telnet at all, instead of SSH) is still pretty lousy.
No. Disabling it by default would be lousy. Not disclosing it would be lousy. Having a password of 12345 would be lousy. But having this accessible in the first place is somewhat equivalent to being able to get to an admin page of a router that you just plugged in the first time.
It's up to the user to secure it once they are done with the setup.
Dear Asshole... (Score:1)
Funny how neither Apple nor Amazon took any legal action, you absolute fucktard.
Re: (Score:1, Troll)
Didn't Bloomberg fabricate the story about Amazon's servers being compromised at the hardware level? Everyone denied the claims and no proof was ever produced.
That will not stop Republican pundits from citing both stories as proof of Huawei spying for China.
Re:The same people (Score:5, Insightful)
Republican pundits
Michael Bloomberg is a Democrat (again).
Re: (Score:2)
Republican pundits
Michael Bloomberg is a Democrat (again).
But he's doing the government's bidding in propagating these fabrications. Who knows who's paying for this or applying other forms of pressure?
Re: (Score:2)
doing the government's bidding
Or his own. In addition to being a news/publishing outfit, Bloomberg is also in the data and applications business. He may perceive Huawei as a competitor or a hindrance to future plans to disseminate information and control markets.
Re: (Score:2)
Yep, I'll bet Bloomberg personally wrote this story, the nerve of him.
Re: (Score:2)
After the last one, he certainly is responsible for allowing another hit piece to go out.
Re: (Score:2)
In GP's defense, he's only been calling himself a democrat for, like 20 minutes. He claimed to be a republican or independent from 2001 - 2018. I don't, however, think it is useful to bring up his party loyalties because he doesn't seem to have any.
Re: (Score:3)
Republican pundits
Michael Bloomberg is a Democrat (again).
And Trump used to be a New York democrat, now he is the anointed god emperor of the American right wing, ... things change
Re: (Score:2)
And Hillary started out as a Republican
Re: (Score:2)
And Hillary started out as a Republican
And the entire Southern flank of the Democrats became Republicans in the 60s and 70s. In politics turncoating is a favourite sport.
Re: (Score:2)
It does seem more common in American politics, perhaps due to the lack of political parties.
Re: (Score:2)
Didn't Bloomberg fabricate the story about Amazon's servers being compromised at the hardware level? Everyone denied the claims and no proof was ever produced.
That will not stop Republican pundits from citing both stories as proof of Huawei spying for China.
The earlier Bloomberg story has nothing to do with Huawei.
Re: (Score:2)
Re: (Score:2)
And yet the situation is nearly identical. 1. Bloomberg makes fantastic libelous claim against. 2. Bloomberg's source publicly denies Bloomberg's claims. 3. Bloomberg doubles down on story while offering no evidence and no sources are able to be found that can independently verify the claims. 4. still makes a fucking profit.
Yes but the post to which I was replying suggested that both stories would be used against Huawei, when the first Bloomberg piece was about a completely different manufacturer. I also don't think there is an upside for Bloomberg here. The damage they are doing to their reputation is far worse than whatever meager clicks these stories will have generated.
Re: (Score:3)
Extraordinary claims require extraordinary proof. Go ahead and tell a silicon fab you want a quantity of five chips. Even if they do take your order those chips are going to cost a million dollars each. But now I'm getting ahead of myself. Someone has to design it in the first place. Then the problem of compromising the hardware at the assembly line. It's a string of bullshit to hook rubes.
Re: (Score:2)
Go ahead and tell a silicon fab you want a quantity of five chips. Even if they do take your order those chips are going to cost a million dollars each.
And a state level actor says, "Ok. Shut up and take my money."
That's not to say that extraordinary evidence isn't required. It is. Just saying that there are plenty of entities with the resources to accomplish what Bloomberg claimed.
Re: (Score:2)
That is unclear. It was certainly not used in any mass-compromise. It may just have been something done in a lab to see whether it is possible. The tech angle was credible, but you are right, no deployed instances of this were ever found.
This here is different. An open telnet maintenance port is not "hidden" or "secret" in any way. It is also universally internal-facing (precisely because it is an easy configuration error to make) and has an IP address that is not globally routed (again, because it is a com
Freedom of the Press... (Score:5, Insightful)
is important. But it isn't Freedom for the Press to say anything they want without research and referable sources.
I miss the glory days of my youth where I thought of journalists as being trustworthy people to believe. Who, What, When, Where, Why, How is what I know now to be a fantasy... but it was a good fantasy for a kid. Questions to be asked of sources and verified with another source never happen anymore. It is just "what did some rando say on twitter that I can repeat and add 372 of my own characters to?"
Re: (Score:3)
Re: (Score:2)
Re: (Score:2)
I miss the glory days of my youth where I thought of journalists as being trustworthy people to believe.
Journalists never were this mythical force for truth and exposing the corrupt. Look back at even the earliest newspapers and you will find so many opinion pieces or flat out false stories it would make your head spin. Political news was and still is the worst; each candidate was usually backed by some major paper whose entire purpose was to paint the opponent out to be Satan (oftentimes cartoons depicted candidates with horns and pitchforks).
Hollywood has perpetrated this myth that journalists are out
Re: (Score:1)
In the old days, there were "editorials" and "opinion" sections of the newspaper. They were VERY clearly labelled as such, and were chock full of opinion.
In those days, there were *some* pains taken to make actual, real news verifiable. It's a little like how older commercials, like those in the 30s or 50s, were completely different from those of today. They'd just stand up and blather on about how good a product is, whereas commercials today are immensely more sophisticated than their older brethren.
Even
Re: (Score:2)
But it isn't Freedom for the Press to say anything they want without research and referable sources.
Yes it is. Libel is an after-the-fact tort, and can't be used for prior restraint [wikipedia.org].
Bloomberg has a right to continue to publish unsubstantiated garbage.
Re: (Score:2)
Given that they could take a bag of detergent from Iraq and launch a major war that cost taxpayers a trillion dollars, what else couldn't they spin up given a sufficient profit-sharing prospect?
Re: (Score:1)
On the other hand Bloomberg could just be a left leaning National Enquirer.
Telnet not accessible? (Score:5, Insightful)
"The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet."
Uhm, why not? It's certainly possible the protocol was only enabled on interior ports or something, but telnet still works just fine over the Internet. Insecure as hell, yes, but it works. And a protocol and a backdoor are not the same thing. A protocol is a technical specification for communication. A backdoor is an undocumented channel of communication, particularly one granting high levels of access. It doesn't matter whether the protocol was telnet, ssh, a REST API or any other means of communication. If it provided an undocumented way into the system, it was a backdoor.
Re: (Score:3)
It's certainly possible the protocol was only enabled on interior ports or something, but telnet still works just fine over the Internet. Insecure as hell, yes, but it works.
Of course telnet works over the internet. How else can one watch Star Wars done in ASCII art?
telnet towel.blinkenlights.nl
(although since "telnet" probably isn't included with your computer, you might have better luck with
nc -v towel.blinkenlights.nl 23
)
Re: (Score:2)
If the equipment itself was not accessible to the internet, then Telnet was not accessible. A well designed network will control who can connect to internal gear like this, no matter what protocols were open on it.
Re: (Score:2)
Uh, because by default these are only open to internal interfaces, _precisely_ to make their use more secure? Which is something that is _standard_. Also, even if it is open to the Internet (which usually requires a configuration change), you still need an username and password to do anything.
Seriously, this is a complete non-story.
Re: (Score:3, Insightful)
Seriously though, leaving a telnet port open is something that shouldn't have happened. They shouldn't have even been using telnet, SSH maybe. When the final product was shipped though all non-essential services should have been turned off or blocked, as that is a fundamental part of security.
Yes, it may have only allowed access on a local network, but it only takes one person on your network to get hacked befo
Re: (Score:2)
You make too much sense to be on the Internet. Best response here! +1
Re: (Score:1)
Most network equipment still supports telnet, in many cases telnet is also the default and has to be explicitly turned off.
Windows did not ship with an SSH client until very recently, it has always shipped with a telnet client which used to be installed by default.
You are massively overstating the actual risk of telnet...
Just having access to a local network doesn't automatically compromise telnet, you have to actually intercept the traffic of someone using it - which might never happen, even if telnet is t
Re: (Score:2)
Cool, so you're ok with me installing software that controls your car and it having an open telnet port? I mean there is no harm and I assure you I will choose a very complex password for the admin account, "wink".
That's about the presence of a remote management service under the control of someone else, so no, I'm not ok with someone leaving a remote management service for which they control the authentication. Whether that service uses ssh, telnet, https or some proprietary protocol is not relevant.
If https and/or ssh is supported, and telnet is idle, why is it even on there then? To make the attack vector bigger?
It marginally increases the attack surface, it doesn't create a new gaping hole - hence my previous comment "You are massively overstating the actual risk of telnet...", compared to your previous comment "Yes, it may have
Hate Mongering (Score:1)
The degree of hate is strong in this post. The new Slashdot Overlords have certainly allowed the Slashdot brand to be devalued.
Impossible! (Score:1)
Typical Bloomberg (Score:1)
First the Supermicro story, which no one except Bloomberg agrees with, now this. They must have had massive cuts in the editing department.
Impossible! (Score:1)
Two stories in the same page contradicting each other.
Slashdot, you are doomed to die!
So Bloomberg is incompetent or lying? (Score:2)
Well, probably both. Their relationship with the truth is pretty distant in any case.
A telnet port left open from maintenance is a common occurrence. It is an easy to make misconfiguration. It is so common, in fact, that it gets tested for routinely in acceptance tests. It is then found reliably (because it is not "hidden" or "secret" in any way, but blatantly obvious) and fixed and that is it.
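Both this comment and the "And the truth comes out" thread above make the same point: a leftover Telnet service is not hidden, it is found by a basic port scan or by listing listening sockets, which is why it turns up in acceptance tests. As an added example (not code from the original thread or from any vendor), here is a Python acceptance check that probes target addresses for a service that speaks Telnet option negotiation and parses `ss -ltn` output to flag port-23 listeners bound to all interfaces. Hosts, ports and the `ss` output are constructed; a stand-in listener on 127.0.0.1 plays the device's diagnostic port so the script runs offline.

```python
"""Acceptance check for leftover Telnet services.

Added example, not vendor code: (1) probe an address for a service that speaks
Telnet option negotiation, (2) parse `ss -ltn` output taken on the box itself to
see which interfaces a port-23 listener is bound to. A stand-in listener on
127.0.0.1 plays the device so the script runs offline; the ss output is constructed.
"""
import socket
import threading

IAC, WILL, DO, ECHO, SGA, TTYPE = 0xFF, 0xFB, 0xFD, 0x01, 0x03, 0x18


def probe_telnet(host, port=23, timeout=2.0):
    """Connect and read what the service volunteers. A real telnetd starts with
    IAC option negotiation before any banner, which is a usable fingerprint
    even when no login prompt arrives within the timeout."""
    result = {"host": host, "port": port, "reachable": False, "telnet": False, "banner": ""}
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            result["reachable"] = True
            s.settimeout(timeout)
            data = b""
            try:
                while len(data) < 512:
                    chunk = s.recv(256)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass                           # service is waiting for input; keep what we got
            result["telnet"] = IAC in data
            printable = bytes(b for b in data if 0x20 <= b < 0x7F)
            result["banner"] = printable.decode("ascii").strip()
    except OSError:
        pass                                   # refused, filtered or unreachable
    return result


def telnet_listeners(ss_output):
    """Parse `ss -ltn` style lines. Returns (bind_address, exposure) for every
    port-23 listener; a wildcard bind (0.0.0.0 / [::] / *) answers on every
    interface, WAN port included, unless a filter elsewhere blocks it."""
    findings = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "LISTEN":
            continue
        addr, _, port = parts[3].rpartition(":")
        if port != "23":
            continue
        wildcard = addr in ("0.0.0.0", "[::]", "*")
        findings.append((addr, "all-interfaces" if wildcard else "single-address"))
    return findings


def acceptance_check(targets, ss_output=""):
    """targets: (label, host, port) triples to probe from this vantage point.
    Returns one verdict line per target plus one per on-box port-23 listener."""
    report = []
    for label, host, port in targets:
        r = probe_telnet(host, port)
        if r["reachable"]:
            kind = "telnet" if r["telnet"] else "unidentified"
            report.append(f"FAIL {label}: {kind} service at {host}:{port} banner={r['banner']!r}")
        else:
            report.append(f"ok   {label}: {host}:{port} not reachable")
    for addr, exposure in telnet_listeners(ss_output):
        report.append(f"WARN on-box listener {addr}:23 is bound {exposure}")
    return report


def start_fake_telnet(banner=b"\r\nlogin: "):
    """Constructed stand-in for a device's diagnostic Telnet port: sends the
    negotiation a telnetd would, then the prompt, then closes. Returns (host, port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(bytes([IAC, WILL, ECHO, IAC, WILL, SGA, IAC, DO, TTYPE]) + banner)

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()


def unused_local_port():
    """Pick a loopback port with nothing listening on it (for the negative case)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


# Constructed `ss -ltn` output: telnet bound to every interface, SSH likewise, HTTP on the LAN address only.
SAMPLE_SS = """State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       5       0.0.0.0:23           0.0.0.0:*
LISTEN  0       128     192.168.1.1:80       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
"""

if __name__ == "__main__":
    host, port = start_fake_telnet()
    for line in acceptance_check([("lan-side", host, port)], SAMPLE_SS):
        print(line)
```

Run the probe from both a LAN-side and a WAN-side vantage point: "not reachable" from the WAN side together with "FAIL" from the LAN side is exactly the configuration Vodafone's statement describes, while a wildcard bind in the `ss` output means only a filter rule stands between the service and whatever the WAN port is plugged into.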
As a sysadmin (Score:2)
Trust, but verify. (Score:1)
I'm glad they think it's an innocuous bit of diag code, but nevertheless it's there, and with only a little bit of code it's in a position to create havoc in the system, or just listen. Vodafone doesn't say that their -testing- proved it's entirely innocuous and can be disregarded. Until it's independently verified as safe, by a reputable org/business/somedangbody, I'll remain concerned. I'm nowhere near a Luddite, but as I get older, and see the direction this whole thing's going, I'm loathing the whole intertu
How does Bloomberg have any credibility (Score:1)
Failure to remove a diagnostic function (Score:2)
This was nothing more than a failure to remove a diagnostic function after development.
Not the first time I've heard that excuse. At worst it's malicious. At best it's just plain stupid.
Re: (Score:1)
For a minute I thought you were talking about Bloomberg. Just pull a list of IoT devices that have had a Telnet port open since 2000 and see how many US equipment manufacturers are there. Hint: the list includes Cisco..
Trust No One in this. (Score:2)
And you folks are going to accept what some person at Vodafone said?
Did the Vodafone statement come from Vodafone's lawyers?
Is the Vodafone statement a full disclosure of all vulnerabilities found, or just one of many?
Suppose someone ran an article that your bank had been using equipment that was found to have had a vulnerability some time in the past.
Suppose that your bank's corporate spokesperson then said "Oh, no, everything is fine. You are all safe here with us."
Are you going to think the ban
Second disputed report by Bloomberg (Score:2)
This is an incredibly important story reported by Bloomberg with serious implications. Unfortunately, Vodafone's denial only reminds me that Bloomberg also had a disputed report earlier about malfeasance at TrendMicro. In that case, the report was similarly as important with just as momentous ramifications. It all makes me start to wonder ...
phrasing a story. (Score:2)
The way this story is brought, from the headline it looks as if Vodafone is stupid for denying actual facts.
But reading the story, it looks very much like Vodafone knows what they are talking about and Bloomberg is the one who is fabricating stories.
Propaganda (Score:2)
Well, this makes it obvious: don't trust American press organs, as they just patriotically reprint what their contacts in the Intelligence community tell them; this is straight up propaganda
Re: (Score:2)
No, he's not. He's a businessman. And he's smart enough to realize that most people will just lap up the b.s. he dishes out to further his own interests without doing further research.