1. Cisco used Open Source software (OpenDaylight), without sanitizing publicly available (GitHub) certificates and private keys.
2. The screenshot in the source article mentions the subject of the certificate. Yet, the text refers to it as the signing party.
3. Somebody used a business name and an email address that is associated with Huawei to generate a certificate.
Observations:
- Regarding (1): If any finger pointing or suggesting should be done here, it should not be at anyone but Cisco.
- Regarding (2): Either the original source article contains incorrect information, or these certificates were self-signed, which makes any information supplied in the certificate arbitrary and meaningless.
- Regarding (2): If the information is incorrect, and the certificate was signed by an accredited party, the person who put this on GitHub sure made a stupid mistake, rendering this private key essentially useless (to anyone, Huawei and Cisco included).
- Regarding (3): just because somebody uses (either real or fake) business information to generate a certificate does not indicate that said business had any involvement whatsoever. Not unless the certificate is signed by a party that guarantees the vetting of that info.
Final thought: The title with "Huawei cryptographic keys" appears to be very misleading at best, simply incorrect more likely. I do not see the link between Huawei and these keys, other than somebody using arbitrary information to generate a (self-signed) certificate from a private key.
Something is very wrong with that firmware generating process.
Why would anyone do that? Even accidentally?
It's simply a marketing team leveraging the current threat environment to raise the profile of their product.
Fired: Huawei routers have Chinese backdoors!
Inspired: Cisco routers have Huawei backdoors!
Reality is often stranger than fiction...
No idea what the private key is used for, but doesn't look like you can use it to log into the device.
Dial down the conspiracy-factor brother.
> Given the ongoing political controversy around Huawei, we did not want to speculate any further [..] According to Cisco, no attack vectors have been identified
What's wrong with that, and how would it be "different" if it was the other way around?
I predict this is going to become more and more of an issue over the next couple of years, and provoke some drastic changes to the way we do open-source software. What those changes are, I don't know...
I object to this phrasing because it makes it sound like the FOSS software is at fault. The problem is that companies are pulling random code off the internet and sticking it in products without auditing or understanding it, so the only solution needed is for companies to actually pay attention to what they're using/shipping (possibly by holding them liable when people are paying for their products, but that could have side effects). In particular, pretty much every FOSS license I've ever seen explicitly says that the software is offered without any claim that it's good/usable/safe, and you can't limit that limitation of liability without seriously screwing up the whole FOSS ecosystem.
Just like every other avenue of life, we're going to have to dumb down what we do so that idiots don't hurt themselves.
Cisco added an already compromised (it's on GitHub) private key to their firmware, which sure isn't a smart thing to do. But the only security issue I could see here is that somebody could use it to create a "secure" outbound connection from a Cisco device that just isn't secure at all (because anyone has access to the private key).
But no-one at Cisco seemed to be aware of it until alerted, and it was discovered by a product team looking specifically for IoT security vulnerabilities. It's clear that Cisco aren't auditing their third-party dependencies thoroughly. It could easily have been a vulnerability. They got lucky.
And yeah, it's not a new problem, but there does seem to be growing awareness of it, which is both good (because a solution will be found), and bad (because the bad people will be more aware of the opportunity).
A cunning plot by Huawei to distribute private keys in Cisco firmware?
.. and, lastly, why do we care about protecting his e-mail address from harvesters with (at) if he is so loose with it himself that he lets it end up in random firmware?