HP asks researcher to not reveal router bugs

By on
HP asks researcher to not reveal router bugs

A researcher who was planning this weekend to disclose major vulnerabilities in Huawei and H3C routers has decided to scrap the presentation.

The researcher, Kurt Grutzmacher, was scheduled to deliver the talk Saturday at the ToorCon security show in San Deigo, but agreed to can it after being contacted this week by HP, the parent company of China-based H3C and a partner of Huawei.

On Aug. 6, Grutzmacher revealed the flaws to US-CERT, which was to coordinate with the affected vendors, he said in a Thursday blog post. US-CERT's disclosure policy dictates that the researcher must then wait 45 days before going public with the vulnerability details.

A month later, he checked on the progress and learned that the companies needed more time. Grutzmacher told them they could have until ToorCon. Then, this week, he received a "very cordial and apologetic voicemail and email" from HP's software security response team, asking requesting that he not present.

"The vulnerabilities are apparently too big for them to be ready," he wrote.

Even though he said he planned to offer mitigation recommendations to the audience, Grutzmacher agreed to kill the talk.

"While this was understood, they still felt the information was too much of a risk and again requested I delay the talk until they could be ready," he wrote. "I'm guessing someone [at HP] woke up on Tuesday morning and went, 'Oh hell, is ToorCon this Saturday?'"

Grutzmacher said customers of H3C and Huawei network gear remain at risk, though they should already have taken measures to limit threats in light of a DefCon talk given over the summer by German researcher Felix Lindner, who also detailed vulnerabilities in Huawei routers.

"If you value your network and its data then you should already have taken steps to protect it," Grutzmacher wrote. "These protections will most likely keep you safe from me as well."

Due to its ties to the Chinese government, Huawei has been the subject of increased scrutiny in recent years. Last week, a Congressional report recommended that the U.S. government stop purchasing telecom gear from Huawei, but a White House review has reportedly turned up no evidence that Huawei poses a cyber espionage threat to the United States.

This article originally appeared at scmagazineus.com

Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:

Most Read Articles

You must be a registered member of CRN to post a comment.
| Register

Poll

The channel is a juicy hacking target - are you improving security?
YES - recent attacks on MSPs spurred us to action
YES - we're ALWAYS improving our security stance
YES - we've noticed new forms of attack
NO - we're confident our past efforts are enough, but are always vigilant
NO - we don't see the need for change at this time
View poll archive

Log In

Username / Email:
Password:
  |  Forgot your password?