Huawei’s problems keep piling up as a security firm specializing in IoT devices found numerous vulnerabilities across the company’s entire product line.
Finite State said it scanned more than 1.5 million files embedded within nearly 10,000 firmware images supporting 558 products, looking for risks including hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and 0-day vulnerabilities.
“The results of the analysis show that Huawei devices quantitatively pose a high risk to their users. In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors,” the report said.
The primary finding was that 55 percent of the devices had at least one backdoor, primarily in the form of hard-coded default user accounts and passwords, along with several types of embedded cryptographic keys. In addition, Finite State found on average 102 known vulnerabilities associated with each firmware image, many rated critical or high, along with hundreds of potential zero-day issues.
One reason the vulnerabilities are present is Huawei’s development process. The study found the company’s engineers did not follow secure development practices, in some cases using 20-year-old software libraries instead of the more secure current versions.
“Overall, despite Huawei’s claims about prioritizing security, the security of their devices appears to lag behind the rest of the industry. Through analysis of firmware changes over time, this study shows that the security posture of these devices is not improving over time — and in at least one case we observed, it actually decreased,” the report stated.
Some of the other vulnerability findings:
- 29 percent of all devices tested had at least one default username and password stored in the firmware.
- 76 instances of firmware where the device was, by default, configured such that a root user with a hard-coded password could log in over the SSH protocol, providing for default backdoor access.
- Eight different firmware images were found to have pre-computed authorized_keys hard-coded into the firmware.
- 424 different firmware images contained hard-coded private SSH keys.
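The artifacts listed above can be checked for in a firmware image once its root filesystem has been extracted. The scanner below is an added example, not Finite State's tooling, and the sample filesystem it runs over is constructed: it maps each path to its contents and flags embedded private keys, pre-populated authorized_keys files, accounts with a password hash baked into passwd/shadow, and an sshd_config that permits root login.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of an extracted firmware root filesystem (path -> contents).
# All values are made up for illustration; none come from the report.
SAMPLE_FIRMWARE: Dict[str, str] = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/sh\nadmin:$1$abc$placeholderhash:0:0::/:/bin/sh\n",
    "/etc/shadow": "root:$6$abc$placeholderhash:18000:0:99999:7:::\ndaemon:*:18000:0:99999:7:::\n",
    "/etc/ssh/sshd_config": "Port 22\nPermitRootLogin yes\n",
    "/root/.ssh/authorized_keys": "ssh-rsa AAAAB3NzaC1yc2E_placeholder vendor@build\n",
    "/etc/ssh/ssh_host_rsa_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEplaceholder\n-----END RSA PRIVATE KEY-----\n",
    "/bin/busybox": "ELF...",
}

PEM_PRIVATE_KEY = re.compile(r"-----BEGIN (?:[A-Z ]+ )?PRIVATE KEY-----")
PERMIT_ROOT = re.compile(r"^\s*PermitRootLogin\s+(yes|without-password|prohibit-password)", re.M | re.I)

Finding = Tuple[str, str]  # (category, path or path:user)

def scan_firmware(files: Dict[str, str]) -> List[Finding]:
    """Flag backdoor-style artifacts in an extracted firmware tree."""
    findings: List[Finding] = []
    for path, data in files.items():
        name = path.rsplit("/", 1)[-1]
        # 1. Embedded private keys anywhere in the tree (SSH host keys, TLS keys, ...):
        #    every unit shipping the same key shares the same secret.
        if PEM_PRIVATE_KEY.search(data):
            findings.append(("embedded_private_key", path))
        # 2. Pre-computed authorized_keys: whoever holds the matching private key gets in.
        if name == "authorized_keys" and data.strip():
            findings.append(("hardcoded_authorized_keys", path))
        # 3. Accounts whose hash is baked into passwd/shadow (default credentials).
        if name in ("passwd", "shadow"):
            for line in data.splitlines():
                fields = line.split(":")
                if len(fields) < 2:
                    continue
                user, secret = fields[0], fields[1]
                if secret == "x" or secret.startswith(("!", "*")):
                    continue  # "x" defers to shadow; "!"/"*" means the account is locked
                cat = "empty_password" if secret == "" else "hardcoded_password_hash"
                findings.append((cat, f"{path}:{user}"))
        # 4. sshd permits root login; with a hash from (3) or a key from (2) this is
        #    the root-over-SSH default access the report describes.
        if name == "sshd_config" and PERMIT_ROOT.search(data):
            findings.append(("root_ssh_login_enabled", path))
    return findings

if __name__ == "__main__":
    for category, where in scan_firmware(SAMPLE_FIRMWARE):
        print(f"{category:28} {where}")
```

Real firmware trees also need the same checks applied to non-standard locations (vendor config blobs, NVRAM defaults, web-UI scripts), which is where a file-content search such as the PEM regex above earns its keep over filename matching alone.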