Huawei cryptographic keys embedded in Cisco’s firmware (iot-inspector.com)
184 points by risent on July 4, 2019 | hide | past | favorite | 35 comments


So, in summary:

1. Cisco used Open Source software (OpenDaylight), without sanitizing publicly available (GitHub) certificates and private keys.

2. The screenshot in the source article mentions the subject of the certificate. Yet, the text refers to it as the signing party.

3. Somebody used a business name and an email address that is associated with Huawei to generate a certificate.

Observations:

- Regarding (1): If any finger pointing or suggesting should be done here, it should not be at anyone but Cisco.

- Regarding (2): Either the original source article contains incorrect information, or these certificates were self-signed, which makes any information supplied in the certificate arbitrary and meaningless.

- Regarding (2): If the information is incorrect, and the certificate was signed by an accredited party, the person who put this on GitHub sure made a stupid mistake, rendering this private key essentially useless (to anyone, Huawei and Cisco included).

- Regarding (3): just because somebody uses (either real or fake) business information to generate a certificate does not indicate that said business had any involvement whatsoever. Not unless the certificate is signed by a party that guarantees the vetting of that info.

Final thought: The title with "Huawei cryptographic keys" appears to be very misleading at best, simply incorrect more likely. I do not see the link between Huawei and these keys, other than somebody using arbitrary information to generate a (self-signed) certificate from a private key.


Yeah, the editorial titling was definitely clickbaity. That's why I always come to the comments first on HN if an article sounds sensationalistic.


From what I read, it sounds like Cisco put a file from public GitHub into the IoT firmware's /root/.ssh directory.

Something is very wrong with that firmware generating process.

Why would anyone do that? Even accidentally?


There is a nice talk on youtube (sorry, tried to find a link and couldn't in less than 30 seconds) that discusses Cisco's firmware build... "process". Rest assured, "very wrong" is a nice description; allegedly, we're talking things like "random engineer builds firmware image from local checkout using personal build scripts and uncommitted code, and if it appears to work then it gets shipped to customers, either at large or on a case-by-case basis". Honestly, the presence of additional random files is completely unsurprising.


Creating a private key for test purposes and putting it in a test folder of an open source project is a quite reasonable thing to do. I am guessing the email address is there because the tool used to create the certificate asked for it.


Shoddy journalism, or compliance with an ongoing political narrative.


This is a blog post by the software company that discovered the issue.

It's simply a marketing team leveraging the current threat environment to raise the profile of their product.


Tired: Cisco routers have U.S. backdoors!

Fired: Huawei routers have Chinese backdoors!

Inspired: Cisco routers have Huawei backdoors!

Reality is often stranger than fiction...


No backdoor this time, but a private (!) key.

No idea what the private key is used for, but doesn't look like you can use it to log into the device.


Private key would be used to decrypt traffic, most likely. (if we're speculating about malicious use possibilities)


No, reality is usually boring. It came from an open source GitHub repo. It was an oversight.

Dial down the conspiracy-factor brother.


If the dial of conspiracy was turned to low for the last few years, it's quickly moving into the hot position.


Often is not the same as usually.


The key was in a test folder of an open source project. Shouldn't get into a production build but doesn't really matter if it did. This is just sloppy work by Cisco.


* embedded in an OSS package used by Cisco's firmware


If a Cisco crypto key was found in a Huawei switch, the media response would be very different.


Yep, and you'd likely see Bloomberg running it as a feature special.


I understood this reference


Please enlighten me


Bloomberg ran a story [1] about a supply chain attack against Apple, Amazon, and others. It made big headlines, but evidence never emerged. It is now generally believed that the story was false.

No one has found these chips and shown them, and the likes of Apple and Amazon have issued very direct denials (that would be very clear securities fraud if they were false). Much more direct than statements by corporations usually are.

[1] https://www.bloomberg.com/news/articles/2018-10-04/the-big-h...


As bad as American government and security services are, they are not as bad as their Chinese counterparts.


What "media response" are you seeing, and where? From the article:

> Given the ongoing political controversy around Huawei, we did not want to speculate any further [..] According to Cisco, no attack vectors have been identified

What's wrong with that, and how would it be "different" if it was the other way around?


I'm pretty sure the other way around it would be a foregone conclusion that Huawei stole IP from Cisco.


Likely, but that didn't happen. And "the other way around" could also mean what Chinese media would write about Cisco private keys found in Huawei gear.


So those were just files hanging around in the image, not used by anything.


To play devil's advocate: this is what Cisco says, not the result of an independent analysis :-)


yeah, super exciting.


seeing this more and more... open source projects pulled in as dependencies without auditing, and causing a security issue.

I predict this is going to become more and more of an issue over the next couple of years, and provoke some drastic changes to the way we do open-source software. What those changes are, I don't know...


> years, and provoke some drastic changes to the way we do open-source software.

I object to this phrasing because it makes it sound like the FOSS software is at fault. The problem is that companies are pulling random code off the internet and sticking it in products without auditing or understanding it, so the only solution needed is for companies to actually pay attention to what they're using/shipping (possibly by holding them liable when people are paying for their products, but that could have side effects). In particular, pretty much every FOSS license I've ever seen explicitly says that the software is offered without any claim that it's good/usable/safe, and you can't limit that limitation of liability without seriously screwing up the whole FOSS ecosystem.


I totally understand and agree with that. But we don't live in a perfect world where people do the things they're supposed to do. And there are lots of developers out there who will pull in a malign FOSS library, then blame everyone else when it does exactly what the code said it would do.

Just like every other avenue of life, we're going to have to dumb down what we do so that idiots don't hurt themselves.


While that observation might be true (I doubt it will change Open Source, nor is it a new problem), what's the security issue in this particular case?

Cisco adding an already compromised (it's on GitHub) private key to their firmware, which sure isn't a smart thing to do. But the only security issue I could see here is that somebody could use it to create a "secure" outbound connection from a Cisco device, that just isn't secure at all (because anyone has access to the private key).
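The two checks this thread keeps circling back to (does a shipped certificate's subject mean anything, i.e. is it self-signed, and does a private key found in the image actually belong to anything) can be automated over an extracted firmware root. This is an added example for illustration, not code from the article, the commenters, Cisco or OpenDaylight; it assumes the openssl CLI is on PATH and that the firmware filesystem has already been unpacked into a directory.

```shell
#!/bin/sh
# Added example: audit an extracted firmware root for PEM private keys and
# X.509 certificates using the openssl CLI (assumed to be on PATH).

# Report whether a certificate is self-signed. For a self-signed certificate the
# subject fields (organisation, e-mail address, ...) are whatever the key holder
# typed in, so they say nothing about who actually owns or uses the key.
cert_kind() {
  subj=$(openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//')
  iss=$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer= *//')
  if [ "$subj" = "$iss" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1; then
    echo "self-signed"
  else
    echo "signed-by: $iss"
  fi
}

# SHA-256 of the PEM SubjectPublicKeyInfo, computed from a cert or from a private
# key. Equal fingerprints mean the key and the cert belong together.
cert_pubkey_fp() { openssl x509 -in "$1" -noout -pubkey | openssl sha256 | awk '{print $NF}'; }
key_pubkey_fp()  { openssl pkey -in "$1" -pubout -passin pass: 2>/dev/null | openssl sha256 | awk '{print $NF}'; }

# Every PEM private key inside a firmware image is a finding on its own: the key
# is public the moment the image ships. For each one, look for a certificate in
# the same image that uses the same public key and say how that cert is signed.
audit_firmware_root() {
  root=$1
  grep -rl -e '-----BEGIN .*PRIVATE KEY-----' "$root" 2>/dev/null | while read -r key; do
    fp=$(key_pubkey_fp "$key")
    match=$(grep -rl -e '-----BEGIN CERTIFICATE-----' "$root" 2>/dev/null | while read -r cert; do
      if [ "$(cert_pubkey_fp "$cert")" = "$fp" ]; then
        echo "$cert ($(cert_kind "$cert"))"
      fi
    done)
    echo "PRIVATE KEY: $key -> ${match:-no matching certificate in image}"
  done
}

# Usage: ./audit.sh /path/to/extracted/firmware/root
if [ -n "${1:-}" ]; then
  audit_firmware_root "$1"
fi
```

A key that matches no certificate (the /root/.ssh case discussed above) still needs explaining, since SSH keys carry no certificate at all; a key whose only match is a self-signed cert tells you nothing about the organisation named in that cert.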


yes, in this instance it turned out to be "not an actual issue".

But no-one at Cisco seemed to be aware of it until alerted, and it was discovered by a product team looking specifically for IoT security vulnerabilities. It's clear that Cisco aren't auditing their third-party dependencies thoroughly. It could easily have been a vulnerability. They got lucky.

And yeah, it's not a new problem, but there does seem to be growing awareness of it, which is both good (because a solution will be found), and bad (because the bad people will be more aware of the opportunity).


> "The firmware contained a few certificates and a corresponding private key."

A cunning plot by Huawei to distribute private keys in Cisco firmware?


Title reeks of clickbait -- especially since this is innocuous and clearly just an oversight in packaging


> Who is gary.wu1(at)huawei.com, and why are his keys embedded in Cisco’s firmware?

.. and, lastly, why do we care about protecting his e-mail address from harvesters with (at) if he's so loose with it himself that he lets it end up in random firmware?



