On October 11, 2012, Felix 'FX' Lindner presented a talk titled "Hacking Huawei VRP" at HITB SecConf 2012 in Malaysia. Upon obtaining the material, Huawei PSIRT immediately conducted an in-depth analysis and evaluation of the report.
This talk updates the report Felix 'FX' Lindner gave at DefCon 2012 in the US by adding an explanation that the Bootloader (BIOS) password of the routers can be reset with a 'hard-coded password'. Based on the analysis undertaken by Huawei PSIRT, Huawei concludes that this issue does not cause any substantial security risk.
To prevent misuse of the BIOS (bootloader) functions, a BIOS password was added to protect them. Customers can change this password themselves. For the case where a customer forgets the BIOS password, the product provides a password reset function. Huawei designed the BIOS so that the password can be reset only through the local physical serial (console) port, and only during device startup. Because the reset requires physical access to the device's console port at boot time, the design does not bypass the customer's authorization, and the security boundary remains the customer's physical control of the device; it therefore brings no substantial security risk to customers. Subsequent Huawei products have removed the BIOS password reset function in order to avoid external misunderstanding.
For the other issues in Felix 'FX' Lindner's report, Huawei has released an official response. Please refer to the following links:
Revision history: 2012-12-21 V1.0 INITIAL
Huawei is committed to protecting the interests of its users to the best of its ability, adheres to the principle of responsible disclosure, and handles product security issues through its vulnerability response mechanism. If you find a security vulnerability in a Huawei product, please report it to Huawei PSIRT at firstname.lastname@example.org.