GitHub password dump, UK watchdog report expose holes in Huawei’s cybersecurity

The GitHub public post (redacted) that shows Huawei’s LDAP credentials for a Splunk app. (Image credit: Victor Gevers)

Two recent examples of poor cybersecurity practices could weigh heavily on Huawei, as the Chinese tech giant tries to cast itself as a reliable purveyor of international telecom infrastructure to gain ground in the race to 5G.

On March 9, Dutch cybersecurity researcher Victor Gevers revealed that he had found what appear to be Huawei enterprise network credentials posted publicly on the software development platform GitHub. Credentials of this type typically grant access to potentially sensitive company data, and these may have been sitting online since late last year.

Less than a month later, on March 28, the oversight board of the Huawei Cyber Security Evaluation Centre (HCSEC) said in its annual report that Huawei’s cybersecurity suffers from “underlying defects” in software development, “bringing significantly increased risk to UK operators.” HCSEC is a Huawei-owned facility in the UK that examines the company’s products and source code; its work is overseen by a board chaired by the UK’s National Cyber Security Centre.

The US government alleges that Huawei poses a national security threat because of its ties to the Chinese government. Any question regarding the company’s ability to competently handle cybersecurity issues could further complicate Huawei’s efforts to win the trust of key governments and potential partners overseas—something it is increasingly trying to accomplish.

“The issue identified applies only on an isolated, virtual test environment. No Huawei or customer networks or data has or will be affected by this issue,” a spokeswoman for Huawei told TechNode in response to queries about the GitHub leak.

Regarding the HCSEC report, a spokesman for Huawei countered some of its claims in an emailed statement, saying the document had attested that “Huawei’s equipment has no backdoors.”

The same statement highlighted that, in November, the company’s board of directors had set aside $2 billion for a “transformation program” to enhance Huawei’s software engineering capabilities.

Still, the HCSEC report noted that, more than three months since it was announced, the transformation plan remained short on details, describing it as “a proposed initial budget for as yet unspecified activities,” and added that it hadn’t found any evidence to inspire confidence in Huawei’s capacity to successfully carry out the transformation program.

Network access

In the GitHub case, both the post and related account were deleted soon after Gevers publicized his findings on Twitter.

GitHub repositories can only be removed by the author or the site’s moderators. The open-source software development platform only removes content if it infringes on copyright or trademark, or if it “poses a security risk.”

The code posted on GitHub contained the password of an administrator account that a Splunk app used to connect to a Lightweight Directory Access Protocol (LDAP) directory.

LDAP is an open directory standard that provides an interface to access and structure data. The database can contain anything, such as contact lists, but it is commonly used to manage passwords, said Nils Weisensee, founder of Frontier Intelligence, a Shanghai-based cybersecurity consultancy.

The Splunk platform is a big data analytics and visualization tool that companies can use to tailor apps to their purposes. The front-end of a Splunk app is a user-friendly web-style interface that visualizes data analyzed in the back-end, which connects directly to applications and devices to collect, index, analyze, and correlate big data.

The code could not be examined directly by TechNode.

Splunk is commonly used in IoT, business analytics, and security. It has a wide range of applications, including using AI to analyze the data that a company collects, Weisensee explained.

The code on GitHub indicates that the credentials were for Huawei’s enterprise network, not a separate test domain. Huawei.com, the company’s enterprise domain, is named for the domain controller, the server that authenticates users and controls access to network resources; the account shown has administrator privileges in that directory, the level of access that can read and change the accounts and passwords the directory manages.

According to standard security practices, if the app were a test, the directory would have identified a separate test network, Gevers said. “You do this because accidents like this can happen. You don’t want anyone to access the enterprise network, because you lose all control,” he added.

“Either they were sloppy and testing in their enterprise network or their enterprise credentials were found online,” he said.
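The two points made above, that a bind password should never sit in a repository and that an app configuration should point at a test directory rather than the enterprise one, can be checked automatically before a commit ever reaches GitHub. The following is an added example written for this article, not code from Huawei, Splunk, Gevers or TechNode. It assumes the app keeps its LDAP settings in a Splunk-style authentication.conf (INI stanzas with host, bindDN and bindDNpassword keys) and that the production directory domain is known to the check (corp.example.com here); the sample configuration is constructed, and the admin-account check is a name heuristic, not a directory lookup.

```python
"""Pre-commit check for LDAP bind credentials leaking through a Splunk app's
authentication.conf. Added example, not code from Huawei, Splunk, Gevers or
TechNode; the stanza names, domains and password below are constructed."""
import configparser
import re
import sys
from dataclasses import dataclass
from typing import List, Set

# Assumed: the domains of the real enterprise directory. Anything that binds
# there from a checked-in config is a production credential, test app or not.
PRODUCTION_DOMAINS = {"corp.example.com"}

# Constructed sample: one stanza wired to the enterprise directory with a raw
# admin password, one wired to a lab directory with a Splunk-obfuscated one.
SAMPLE_CONF = """\
[authentication]
authType = LDAP
authSettings = corpldap

[corpldap]
host = dc01.corp.example.com
port = 636
SSLEnabled = 1
bindDN = CN=Administrator,CN=Users,DC=corp,DC=example,DC=com
bindDNpassword = Summer2018!
userBaseDN = OU=Users,DC=corp,DC=example,DC=com

[labldap]
host = ldap.lab.example.test
port = 389
bindDN = CN=svc-splunk,OU=Service Accounts,DC=lab,DC=example,DC=test
bindDNpassword = $7$c2VjcmV0c2VjcmV0c2VjcmV0
"""

# Heuristic only: bind accounts whose name says "admin" deserve a second look.
ADMIN_NAME_RE = re.compile(r"(?i)\b(?:CN|OU)=(?:Administrator|Admins?|Domain Admins)\b")


@dataclass(frozen=True)
class Finding:
    stanza: str
    severity: str
    reason: str


def domain_from_dn(dn: str) -> str:
    """Join the DC= components of a distinguished name into a DNS-style domain."""
    return ".".join(p.strip().lower() for p in re.findall(r"(?i)DC=([^,]+)", dn))


def in_domains(name: str, domains: Set[str]) -> bool:
    """True if name is one of the domains or a host/subdomain beneath one."""
    name = name.lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def scan_conf(text: str, production_domains: Set[str] = PRODUCTION_DOMAINS) -> List[Finding]:
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str          # Splunk keys are case-sensitive (bindDN, not binddn)
    cp.read_string(text)
    findings: List[Finding] = []
    for stanza in cp.sections():
        s = cp[stanza]
        if "bindDN" not in s:
            continue              # not an LDAP strategy stanza
        pw = s.get("bindDNpassword")
        if pw is not None:
            # Splunk rewrites this key into a $1$/$7$ form on restart; any other
            # value is the raw password. The $7$ form is only obfuscated with
            # splunk.secret, so it is still a secret that must not be committed.
            if pw.startswith("$"):
                findings.append(Finding(stanza, "medium", "OBFUSCATED_PASSWORD"))
            else:
                findings.append(Finding(stanza, "high", "PLAINTEXT_PASSWORD"))
        if in_domains(domain_from_dn(s["bindDN"]), production_domains) or \
                in_domains(s.get("host", ""), production_domains):
            findings.append(Finding(stanza, "high", "PRODUCTION_DIRECTORY"))
        if ADMIN_NAME_RE.search(s["bindDN"]):
            findings.append(Finding(stanza, "high", "ADMIN_BIND_ACCOUNT"))
    return findings


def main(argv: List[str]) -> int:
    """Scan the given files (or the constructed sample); exit 1 on any high finding."""
    texts = [open(p, encoding="utf-8").read() for p in argv[1:]] or [SAMPLE_CONF]
    worst = 0
    for text in texts:
        for f in scan_conf(text):
            print(f"{f.severity:6} {f.stanza}: {f.reason}")
            if f.severity == "high":
                worst = 1
    return worst


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Wired in as a pre-commit hook, a non-zero exit blocks the commit, which is the cheapest point at which to catch the mistake; once the file is pushed to a public repository it has to be treated as compromised and the password rotated, regardless of how quickly the post is deleted.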

Taken together, the GitHub incident and the HCSEC report shed further light on how security breaches can and do take place, pointing to a lack of understanding of basic cybersecurity principles, even by tech leaders like Huawei.

“These incidents are not inspiring for a company that claims to be secure,” Gevers told TechNode, referring to the GitHub post.

Gevers, the co-founder of the Dutch NGO GDI Foundation, has been the source behind many recent revelations about security lapses involving well-known Chinese companies like Huawei, Alibaba, and SenseNets, as well as a cache of data on 1.8 million Chinese women that included information about their “breedready” status.

The GDI Foundation says that because its aim is to get security flaws fixed through responsible disclosure, not to give attackers paths into sensitive information, it neither attempted to log onto Huawei’s Splunk app nor publicly revealed the credentials.

Since neither Gevers nor, as far as TechNode could determine, anyone else tried to use the credentials, there is no way of knowing exactly what they unlocked.

Screenshots from Gevers show that the file was created on Sep. 1, 2018. It is likely that they were posted around that time on GitHub, said Gevers, meaning that by the time he discovered them they could have been available online for as long as four months. “Those files were there for a long time,” increasing the security risk posed to Huawei, Gevers said.

On March 7, two days before Gevers’s revelations, Huawei sued the US government. In a press conference held at Huawei’s Shenzhen headquarters, the company’s rotating chairman, Guo Ping, claimed that the US government had hacked into the company’s servers and “stolen emails and source code.”

Guo was alluding to a 2014 New York Times investigation that revealed that the US’s National Security Agency was spying on the conversations of Huawei’s top executives and accessing proprietary information about its network equipment.

Lack of understanding

Gevers’s main concern is not backdoors or malicious attacks, but the fact that people employed in positions that touch on security—not only at Huawei—may not be properly versed in cybersecurity principles.

In its report, the HCSEC oversight board said Huawei’s systems exhibit “extensive non-adherence to basic secure coding practices, including Huawei’s own internal standard,” severely increasing cybersecurity risk. Vulnerabilities may go unnoticed because Huawei suppresses warnings from static analysis tools, which check source code against programming rules before the software is run, and because it does not properly manage or update the software components it uses.
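What suppressing a static-analysis finding looks like in practice, as an added example that is not from the HCSEC report or from Huawei’s code base: Bandit, a static analyser for Python, reports subprocess calls made with shell=True (its check B602), and a `# nosec` comment on the line silences that report. The first function below silences the warning and keeps the command-injection bug; the second removes the bug, so there is nothing left to suppress. The command is `echo` so the injected input is harmless to run, and the name rule is an assumed allowlist.

```python
"""Silencing a static-analysis finding versus fixing it. Added example, not
from the HCSEC report or Huawei; 'echo' stands in for whatever command the
real program would run, so the injected input is harmless to execute."""
import re
import subprocess


def announce_suppressed(name: str) -> str:
    """Bandit flags shell=True (B602); the '# nosec' silences the finding while
    leaving the bug: `name` is spliced into a shell command line, so an input
    such as 'alice; echo INJECTED' runs a second command."""
    cmd = f"echo {name}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout  # nosec B602


# Assumed allowlist: what a host or user name may look like in this program.
# The first character must be alphanumeric, which also blocks option
# injection such as '-n'.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9.-]{0,62}")


def announce_hardened(name: str) -> str:
    """No shell, and the argument is validated, so the analyser has nothing to
    report and there is nothing to suppress. The list form passes `name` to
    echo as a single argv entry whatever characters it contains."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError(f"refusing suspicious name: {name!r}")
    return subprocess.run(["echo", name], capture_output=True, text=True).stdout


def count_suppressed_findings(source: str) -> int:
    """Audit helper: how many lines of a source file carry a '# nosec' marker.
    A rising count is the smell the report describes: warnings made to go
    away rather than bugs made to go away."""
    return sum(1 for line in source.splitlines() if re.search(r"#\s*nosec\b", line))


if __name__ == "__main__":
    print(announce_suppressed("alice; echo INJECTED"))   # two lines: alice, INJECTED
    print(announce_hardened("alice"))                    # one line: alice
```

Running the analyser in a pipeline that fails on new findings, and reviewing every `nosec`-style marker as if it were the finding itself, turns the suppression count from an invisible liability into something a reviewer can see.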

Moreover, the HCSEC report found that Huawei relies on an old version of a well-known third-party operating system for the key function of processing incoming data flows in real time. This creates a single point of failure, the report stated: a flaw in that component can compromise the entire system.

According to Weisensee, out-of-date software is a common problem in China. “There is a lot of outdated software in China—pirated software—that is not properly patched,” he explained.

Weisensee pointed out that for companies of Huawei’s size, it is difficult to ensure perfect security. A combination of factors exposes them to high security risks, he said. Most security breaches are due to human error, and Chinese tech giants like Huawei work with many complex databases, departments, and high employee turnover, which makes it easy for things to slip through the cracks.

In Weisensee’s view, it is too big a logical leap to assume that Huawei purposefully left the LDAP credentials on GitHub. “If someone wants to leak access to data, they will do it in a more obvious way.”

Gevers added, “Someone used the Git repository without actually knowing how it works. It’s like having the key to your front door sticking [out from] under the doormat.”