
Huawei cryptographic keys embedded in Cisco’s firmware - risent
https://www.iot-inspector.com/blog/2019/07/huawei-cryptographic-keys-embedded-in-ciscos-firmware/
======
elmo2you
So, in summary:

1. Cisco used Open Source software (OpenDaylight), without sanitizing
publicly available (GitHub) certificates and private keys.

2. The screenshot in the source article mentions the subject of the
certificate. Yet, the text refers to it as the signing party.

3. Somebody used a business name and an email address that is associated with
Huawei, to generate a certificate.

Observations:

- Regarding (1): If any finger pointing or suggesting should be done here, it
should not be at anyone but Cisco.

- Regarding (2): Either the original source article contains incorrect
information, or these certificates were self-signed, which makes any
information supplied in the certificate arbitrary and meaningless.

- Regarding (2): If the information is incorrect, and the certificate was
signed by an accredited party, the person who put this on GitHub sure made a
stupid mistake, rendering this private key essentially useless (to anyone,
Huawei and Cisco included).

- Regarding (3): just because somebody uses (either real or fake) business
information to generate a certificate, does not indicate that said business
had any involvement whatsoever. Not unless the certificate is signed by a
party that guarantees the vetting of that info.

Final thought: The title with "Huawei cryptographic keys" appears to be very
misleading at best, simply incorrect more likely. I do not see the link
between Huawei and these keys, other than somebody using arbitrary information
to generate a (self-signed) certificate from a private key.

~~~
srcmap
From what I read, it sounds like Cisco put a file from public GitHub into the
IoT firmware's /root/.ssh directory.

Something is very wrong with that firmware generating process.

Why would anyone do that? Even accidentally?

~~~
yjftsjthsd-h
There is a nice talk on YouTube (sorry, tried to find a link and couldn't in
less than 30 seconds) that discusses Cisco's firmware build... "process". Rest
assured, "very wrong" is a nice description; allegedly, we're talking things
like "random engineer builds firmware image from local checkout using personal
build scripts and uncommitted code, and if it appears to work then it gets
shipped to customers, either at large or on a case-by-case basis". Honestly,
the presence of additional random files is completely unsurprising.

------
segfaultbuserr
Tired: Cisco routers have U.S. backdoors!

Fired: Huawei routers have Chinese backdoors!

Inspired: Cisco routers have Huawei backdoors!

Reality is often stranger than fiction...

~~~
420codebro
No, reality is usually boring. It came from an open-source GitHub repo. It was
an oversight.

Dial down the conspiracy-factor brother.

~~~
tzakrajs
If the dial of conspiracy was turned to low for the last few years, it's
quickly moving into the hot position.

------
chvid
The key was in a test folder of an open source project. Shouldn't get into a
production build but doesn't really matter if it did. This is just sloppy work
by Cisco.
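The review step srcmap and chvid are pointing at (a key file sitting in /root/.ssh, or a fixture copied in from an upstream project's test folder) is the kind of thing a firmware scan catches before an image ships. The scanner below is an added example, not code from the article, Cisco or OpenDaylight; the sample tree, paths and PEM bodies are constructed placeholders, not real key material.

```python
import os
import re
import tempfile

# PEM labels worth reporting: a cleartext private key shipped in an image is the real risk.
SEVERITY = {
    "RSA PRIVATE KEY": "high", "EC PRIVATE KEY": "high",
    "OPENSSH PRIVATE KEY": "high", "PRIVATE KEY": "high",
    "ENCRYPTED PRIVATE KEY": "medium", "CERTIFICATE": "info",
}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----")
TEST_HINTS = ("/test/", "/tests/", "/testdata/", "/fixtures/")  # upstream fixture paths

def classify(rel_path, data):
    """Return (label, severity, context) tuples for the PEM blocks in one file."""
    notes = []
    if "/.ssh/" in rel_path:
        notes.append("in an .ssh directory")
    if any(h in rel_path for h in TEST_HINTS):
        notes.append("looks like an upstream test fixture")
    labels = PEM_RE.findall(data.decode("latin-1"))
    return [(lab, SEVERITY[lab], "; ".join(notes)) for lab in labels if lab in SEVERITY]

def scan_root(root):
    """Walk an extracted firmware root; map each flagged relative path to its findings."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                data = fh.read(65536)  # PEM headers sit near the top of the file
            rel = "/" + os.path.relpath(full, root).replace(os.sep, "/")
            if found := classify(rel, data):
                results[rel] = found
    return results

def build_sample_root():
    """Constructed sample tree standing in for an unpacked image (placeholder bodies)."""
    root = tempfile.mkdtemp()
    samples = {
        "root/.ssh/id_rsa": "RSA PRIVATE KEY",
        "opt/controller/test/resources/ctl.crt": "CERTIFICATE",
        "etc/ssl/private/srv.key": "ENCRYPTED PRIVATE KEY",
    }
    for rel, label in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("-----BEGIN %s-----\nPLACEHOLDER\n-----END %s-----\n" % (label, label))
    return root
```

Point `scan_root` at the directory an unpacking tool produced; anything rated "high" is a cleartext private key that should not be in the image regardless of whose name is on the matching certificate.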

------
nrki
* embedded in an OSS package used by Cisco's firmware

------
leptoniscool
If a Cisco crypto key was found in a Huawei switch, the media response would
be very different.

~~~
ETHisso2017
Yep, and you'd likely see Bloomberg running it as a feature special.

~~~
tastythrowaway
I understood this reference.

~~~
ValueNull
Please enlighten me.

~~~
rocqua
Bloomberg ran a story [1] about a supply chain attack against Apple, Amazon,
and others. It made big headlines, but evidence never emerged. It is now
generally believed that the story was false.

No one has found these chips and shown them, and the likes of Apple and Amazon
have issued very direct denials (that would be very clear securities fraud if
they were false). Much more direct than statements by corporations usually
are.

[1] https://www.bloomberg.com/news/articles/2018-10-04/the-big-hack-the-software-side-of-china-s-supply-chain-attack

------
vbezhenar
So those were just files hanging around in the image, not used by anything.

~~~
pergadad
To play devil's advocate: this is what Cisco says, not the result of an
independent analysis :-)

------
marcus_holmes
Seeing this more and more... open source projects pulled in as dependencies
without auditing, and causing a security issue.

I predict this is going to become more and more of an issue over the next
couple of years, and provoke some drastic changes to the way we do open-source
software. What those changes are, I don't know...

~~~
yjftsjthsd-h
> years, and provoke some drastic changes to the way we do open-source
> software.

I object to this phrasing because it makes it sound like the FOSS software is
at fault. The problem is that companies are pulling random code off the
internet and sticking it in products without auditing or understanding it, so
the only solution needed is for companies to actually pay attention to what
they're using/shipping (possibly by holding them liable when people are paying
for their products, but that could have side effects). In particular, pretty
much every FOSS license I've ever seen explicitly says that the software is
offered without any claim that it's good/usable/safe, and you can't limit that
limitation of liability without seriously screwing up the whole FOSS
ecosystem.

~~~
marcus_holmes
I totally understand and agree with that. But we don't live in a perfect world
where people do the things they're supposed to do. And there are lots of
developers out there who will pull in a malign FOSS library, then blame
everyone else when it does exactly what the code said it would do.

Just like every other avenue of life, we're going to have to dumb down what we
do so that idiots don't hurt themselves.

------
Merrill
>"The firmware contained a few certificates and a corresponding private key."

A cunning plot by Huawei to distribute private keys in Cisco firmware?

------
sova
Title reeks of clickbait -- especially since this is innocuous and clearly
just an oversight in packaging

------
kazinator
> _Who is gary.wu1(at)huawei.com, and why are his keys embedded in Cisco’s
> firmware?_

... and, lastly, why do we care about protecting his e-mail address from
harvesters with (at) if he is so loose with it himself that he lets it end up
in random firmware?

