HP asks researcher not to reveal router bugs at ToorCon
A researcher who was planning this weekend to disclose major vulnerabilities in Huawei and H3C routers has decided to scrap the presentation.
The researcher, Kurt Grutzmacher, was scheduled to deliver the talk Saturday at the ToorCon security show in San Deigo, but agreed to can it after being contacted this week by HP, the parent company of China-based H3C and a partner of Huawei.
On Aug. 6, Grutzmacher revealed the flaws to US-CERT, which was to coordinate with the affected vendors, he said in a Thursday blog post. US-CERT's disclosure policy dictates that the researcher must then wait 45 days before going public with the vulnerability details.
A month later, he checked on the progress and learned that the companies needed more time. Grutzmacher told them they could have until ToorCon. Then, this week, he received a "very cordial and apologetic voicemail and email" from HP's software security response team, asking requesting that he not present.
"The vulnerabilities are apparently too big for them to be ready," he wrote.
Even though he said he planned to offer mitigation recommendations to the audience, Grutzmacher agreed to kill the talk.
"While this was understood, they still felt the information was too much of a risk and again requested I delay the talk until they could be ready," he wrote. "I'm guessing someone [at HP] woke up on Tuesday morning and went, 'Oh hell, is Toorcon this Saturday?'"
Grutzmacher said customers of H3C and Huawei network gear remain at risk, though they should already have taken measures to limit threats in light of a DefCon talk given over the summer by German researcher Felix Lindner, who also detailed vulnerabilities in Huawei routers.
"If you value your network and its data then you should already have taken steps to protect it," Grutzmacher wrote. "These protections will most likely keep you safe from me as well."
Due to its ties to the Chinese government, Huawei has been the subject of increased scrutiny in recent years. Last week, a Congressional report recommended that the U.S. government stop purchasing telecom gear from Huawei, but a White House review has reportedly turned up no evidence that Huawei poses a cyber espionage threat to the United States.