HP asks researcher not to reveal router bugs at ToorCon

Share this article:

A researcher who was planning this weekend to disclose major vulnerabilities in Huawei and H3C routers has decided to scrap the presentation.

The researcher, Kurt Grutzmacher, was scheduled to deliver the talk Saturday at the ToorCon security show in San Deigo, but agreed to can it after being contacted this week by HP, the parent company of China-based H3C and a partner of Huawei.

On Aug. 6, Grutzmacher revealed the flaws to US-CERT, which was to coordinate with the affected vendors, he said in a Thursday blog post. US-CERT's disclosure policy dictates that the researcher must then wait 45 days before going public with the vulnerability details.

A month later, he checked on the progress and learned that the companies needed more time. Grutzmacher told them they could have until ToorCon. Then, this week, he received a "very cordial and apologetic voicemail and email" from HP's software security response team, asking requesting that he not present.

"The vulnerabilities are apparently too big for them to be ready," he wrote.

Even though he said he planned to offer mitigation recommendations to the audience, Grutzmacher agreed to kill the talk.

"While this was understood, they still felt the information was too much of a risk and again requested I delay the talk until they could be ready," he wrote. "I'm guessing someone [at HP] woke up on Tuesday morning and went, 'Oh hell, is Toorcon this Saturday?'"

Grutzmacher said customers of H3C and Huawei network gear remain at risk, though they should already have taken measures to limit threats in light of a DefCon talk given over the summer by German researcher Felix Lindner, who also detailed vulnerabilities in Huawei routers.

"If you value your network and its data then you should already have taken steps to protect it," Grutzmacher wrote. "These protections will most likely keep you safe from me as well."

Due to its ties to the Chinese government, Huawei has been the subject of increased scrutiny in recent years. Last week, a Congressional report recommended that the U.S. government stop purchasing telecom gear from Huawei, but a White House review has reportedly turned up no evidence that Huawei poses a cyber espionage threat to the United States.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

EPIC files complaint with FTC against Maricopa

The nonprofit organization alleges that the Maricopa County Community College District violated the FTC's "Safeguards Rule."

RSA fraud report examines August phishing trends

Phishing is down 22 percent from July to August, but U.S. banks experienced an increase in phishing volume.

Kevin Mitnick to sell zero-day exploits

Kevin Mitnick's new venture will develop and procure zero-day exploits, then sell them for $100,000 or more.