Huawei website ████ ██████ security flaws ██████ customer info and biz operations at risk: ███████ patched

Huawei has gagged infosec researchers from discussing now-patched critical vulnerabilities in the Chinese giant's web systems that could have been exploited to steal customer information and derail the manufacturer's operations. A security research team at Italian outfit Swascan told The Register on Monday that, within the …

  1. Sanctimonious Prick
    Mushroom

    Clickbait?

    This has nothing to do with the actual security concerns over Huawei 5G mobile phone rollout and networking equipment.

    The fucking yanks will use this headline as _absolute_proof_ Huawei are spying on everyone! And stealing from them (them being the USA).

    Argggghjh! FFS!

    1. Throatwarbler Mangrove Silver badge
      WTF?

      Re: Clickbait?

      So . . . what is it you do for Huawei again?

      Also, username still checks out.

    2. Azerty

      Re: Clickbait?

      Flaws in websites seem to be quite common, and they were patched, so it's more like that fear-peddling page-filler pretending that now finally the reason to be at war with them is found.

      1. Throatwarbler Mangrove Silver badge
        Facepalm

        Re: Clickbait?

        I know, right? Huawei is literally the only vendor whose vulnerabilities are reported upon by The Register! So unfair! Fake News! No collusion! No obstruction!

        1. This post has been deleted by its author

      2. Anonymous Coward

        Corbynista...communist regime is communist...

        Voting Corbyn much? Any threat, even threats that really mean me harm are fine as long as they are not American or British.

  2. Blockchain commentard

    Why did Huawei even allow Swascan to release the info if everything is effectively gagged? That's like saying I went for a drive last Sunday. But I can't tell you where I went or in what car.

    1. Nick Kew

      All publicity is good publicity

      Could there be just a hint of clickbait and spin here from ... erm ... who?

      Mission accomplished: we've all now heard of Swascan.

      (cynicism triggered by a report in the form of a most interesting and profitable venture, but no-one to know what it is).

      1. Neil Barnes Silver badge

        Re: All publicity is good publicity

        +1 for the south sea bubble reference.

  3. Will Godfrey Silver badge
    Meh

    E for Effort

    Could do better.

    I can understand them wanting to keep the details under wraps for now, but they could have allowed a bit more info I think, and maybe a date when full details would be released. They shouldn't need to be whiter-than-white (compared with everyone else), but that's the reality of their current situation.

    1. Anonymous Coward

      Are they listening?

      Yeah, they could roll some tanks over Swascam for being so uppity...then claim it never happened! All hail our glorious tech leaders!

      1. Sir Runcible Spoon

        Re: Are they listening?

        That isn't at all helpful.

  4. mikus

    Any worse than Cisco?

    Enough said - watch the rashes of PSIRT releases every Wednesday from Cisco? Seems authentication bypasses across products and remote exploits are a normal thing, whether US or Chinese. Not surprising when India runs and China makes everything for Cisco.

    1. Fred Flintstone Gold badge

      Re: Any worse than Cisco?

      I think we must be careful to meet every message about Huawei with comments about Cisco.

      Yes, Cisco has its own problems and I would not trust them either, but bringing that up every time is whataboutism that doesn't help the discussion.

      I would much rather that some more pressure is brought to bear on Huawei to make them understand why disclosure (post fix) is A Good Thing™ and if they can't do it just yet (for instance, because they suspect there's still a decent volume of unpatched gear out there) they should consider setting a deadline - also because that could encourage the laggards to get on with updating.

      They've had a good boost from the US government to move into a controlled disclosure model that makes them more trusted than US gear, but it appears they're still on a learning curve. Talking about the competition is only going to provide excuses for the executive team not to go all the way.

      1. John Jennings

        Re: Any worse than Cisco?

        It wasn't their gear - it was their website.

        Come on, (almost) everyone has bugs in those and you rarely hear of companies giving the full details on the issues.

        There is nothing to see, here, really.

  5. Notas Badoff

    "... any CVE numbers for the flaws, ... have all been omitted"

    Um, *were* there any CVE numbers? That is, what if Huawei is not only hiding the newly discovered flaws in their network, but hiding the fact that the same flaws may exist in *other* networks?

    This sounds like a winning strategy, to be able to say *our* network is (now) more secure than other networks. Haha!

    1. Anonymous Coward

      Re: "... any CVE numbers for the flaws, ... have all been omitted"

      Getting a CVE assigned is voluntary, so Huawei can easily omit those by not applying for them.

      1. teknopaul

        Re: "... any CVE numbers for the flaws, ... have all been omitted"

        Yeah but this sounds like some infosec bod finding flaws in their _website_, not their products. You wouldn't get a CVE because some bod reports an XSS in your website. The vulnerability is not common.

        You would fix it and ask bod not to report it till it's fixed.

        Bit Clickbaity if you ask me.

  6. JohnFen

    Stop signing those NDAs

    I really wish security researchers would stop signing NDAs with companies they've discovered vulnerabilities with. That practice reduces the effectiveness of the research.

    1. Azerty

      Re: Stop signing those NDAs

      It depends, in this case the "research" appears to be commercial. These are pen testers being effectively paid to do their job, not academic researchers. This relates to the website, it appears, not to any of their products.

      1. JohnFen

        Re: Stop signing those NDAs

        If they were hired by Huawei to do the pentesting, then I agree, that's different. But if that were the case, then I wonder why they're making any statement at all. Surely any disclosure would be made by Huawei itself, and the pentesters would not be free to talk directly to anybody else about it at all.

        If Huawei didn't hire them, the only reason to sign an NDA is so they can claim reward money from Huawei. That's the practice that I'm actually condemning in my comment. Those sorts of "rewards" are effectively just hush money.

        If they weren't even getting money out of Huawei, then there is literally no reason at all to sign an NDA, and if they did so in that circumstance, then they deserve to have heaps of scorn piled on them.

        1. John Jennings

          Re: Stop signing those NDAs

          Pen testing bounty hunting is commonplace now.

          You might not like it, but it doesn't really harm you - directly or indirectly. It appears to be proprietary websites that were vulnerable, and Huawei (and Google, and others) pay when this is brought to their attention. The site gets fixed, and the bounty hunter is allowed to say they found bugs etc - for their credibility - after the issue has been understood and resolved.

          Better that than just selling the vuln to a competitor or a hacking team to do real mischief.

          1. JohnFen

            Re: Stop signing those NDAs

            "you might not like it, but it doesn't really harm you - directly or indirectly. "

            I'm not saying that it harms me, I'm saying that it doesn't help in the effort of increasing everyone's security.

            "for their credibility"

            If someone is telling the world that they found a security problem, but isn't saying what the problem is, that doesn't help their credibility, it harms it.

            "Better that than just selling the vuln to a competitor or a hacking team to do real mischief."

            Of course -- that's just plain criminal. But that isn't the alternative.

        2. jmch Silver badge

          Re: Stop signing those NDAs

          "If Huawei didn't hire them, the only reason to sign an NDA is so they can claim reward money from Huawei. That's the practice that I'm actually condemning in my comment. Those sorts of "rewards" are effectively just hush money."

          I understand and share your reservations about hush money, and yet what's the alternative? Sure there are some security researchers who report vulnerabilities out of the goodness of their hearts or because they can get a paper / gold star out of it, but there aren't that many of them - not enough to assess a large enough percentage of sites / devices etc.

          Commercial bug-hunters are essentially bounty hunters, they do it for the money and the only ones willing to pay are the companies whose products' security vulnerabilities have been found. In this scenario the bug-bounty plus NDA is probably the least-worst tradeoff.

      2. LeahroyNake

        Re: Stop signing those NDAs

        If it is a website vulnerability then fair enough, they should have just said that in the first place.

        Depends on how it relates to the Huawei account that asks for various permissions to enable for example the step counter / fit app and other apps that are pre installed.

        If it can push apps to a mobile in the same way Google Play can then it's a serious issue. I doubt and hope it's not that bad but... Plan for the worst if there is no info forthcoming etc.

  7. Anonymous Coward
    Devil

    The Central Committee of the Communist Party of The People's Republic of China ...

    ... has approved this Huawei security vulnerability scan report.

  8. Anonymous Coward

    irresponsible non-disclosure

    The whole point of responsible disclosure is supposed to be that there's a compromise. The vulnerability isn't disclosed to the whole world until the vendor has had a reasonable opportunity to protect its customers, if possible. In exchange, the details get published openly once that's happened, both so that the world can judge the vendor and everyone (including other vendors who might have similar bugs!) can learn from it. When done this way, everyone benefits: the vendor gets to protect its customers, the customers get protection, the researchers get to publish and be publicly acknowledged, and everyone has an opportunity to learn. Whether or not this is your preferred system, it does have some merit.

    Signing an NDA is not responsible disclosure; it is, plainly, non-disclosure. Vendors who employ contractors in this manner need to stop calling this responsible disclosure, because it isn't, and the rest of us need to stop going along with the lie and allowing contractors to promote themselves in this manner. If this is what vendors think responsible disclosure is going to be, then full disclosure is the only answer. The party that welches on a compromise agreement can expect to lose the benefits thereof.

    1. NetBlackOps

      Re: irresponsible non-disclosure

      Precisely.

      To Huawei: "Responsible disclosure? I've heard of it. You don't get it, do you?" Methinks they may have a bit of a problem with certain elements of the security community, here on out.

    2. Simone

      Re: irresponsible non-disclosure

      RE: "The vulnerability isn't disclosed to the whole world until the vendor has had a reasonable opportunity to protect its customers" - good point

      There might not be an NDA. The article states "likely under an NDA" - LIKELY! The 'reasonable opportunity' might not be complete yet. What if the vulnerabilities are in some popular code library? What if there is a lot of code to check? It might not be responsible behaviour to release full details yet.

      So why release anything? Swascan get some pluses for finding the bugs, Huawei get some pluses for having fixed them. The world gets to know some people are trying to make software better.

      1. JohnFen

        Re: irresponsible non-disclosure

        "There might not be an NDA."

        If not, then that makes the behavior even sketchier.

        "What if the vulnerabilities are in some popular code library?"

        If so, then full disclosure is even more important.

  9. DMcDonnell

    Reconsider the relationship

    Time for Swascan to reconsider the relationship with Huawei. If you are not free to talk about the vulnerabilities then you just might be part of the problem.

    1. Anonymous Coward

      Re: Reconsider the relationship

      >Time for Swascan to reconsider the relationship with Huawei

      Why? If they want to get paid they will follow the rules like everyone else - Huawei always credit the source when they publish. It's hardly secretive and the bounties (up to 1 million RMB) and policy are better than many companies of its size.

      https://www.huawei.com/en/psirt

  10. Anonymous Coward

    That Chinese chap

    Really does look like Pooh Bear!

    1. Anonymous Coward
      Black Helicopters

      Re: That Chinese chap

      That noise isn't your Huawei phone buzzing.

  11. Anonymous Coward

    Huawei's NDA on disclosure. The #1 reason they have "less" security issues than other vendors.

  12. Anonymous Coward

    I really wish...

    ... there had been that kind of article on ElReg every time Oracle refused to tell me, their customer, any detail about a critical vulnerability they announced on the systems they sold me.

    So this article leaves me a little uneasy. I understand Huawei is under the spotlight and it's good clickbait, but well... A really astounding headline would be "HUAWEI DOES SOMETHING NO MAJOR US COMPANY IS DOING".

  13. adam payne

    Huawei is under the microscope but then go and NDA these people.

    Hmmmm...interesting...almost like you want to hush up some really stupid mistakes.

  14. Mike Brown

    Sounds like a good news story to me

    They had issues. They fixed those issues. Hurrah!

  15. Anonymous Coward
    Facepalm

    Bad optics...

    The required NDA makes it look like Huawei has something to hide, when the U.S. government is screaming to the high heavens that Huawei has something to hide.
