A researcher who was planning to disclose major vulnerabilities in Huawei and H3C routers at a security show this weekend has decided to scrap the presentation.
Researcher Kurt Grutzmacher was scheduled to deliver the talk on Saturday at the ToorCon 14 security show in San Diego, but agreed to abandon it after being contacted by HP, the parent company of China-based H3C and a partner of Huawei.
Grutzmacher revealed the flaws to the US Computer Emergency Readiness Team (US-CERT) in August, and it said it would coordinate with the affected vendors, he said in a blog post. US-CERT's disclosure policy dictates that the researcher must then wait 45 days before going public with the vulnerability details.
A month later, Grutzmacher checked on the progress and learned that the companies needed more time. Grutzmacher told them they could have until ToorCon. This week he received a "very cordial and apologetic voicemail and email" from HP's software security response team, requesting that he not present at the show.
“The vulnerabilities are apparently too big for them to be ready,” he wrote. Even though he said he planned to offer mitigation recommendations to the audience, Grutzmacher agreed not to do the talk.
“While this was understood, they still felt the information was too much of a risk and again requested I delay the talk until they could be ready,” he wrote. “I'm guessing someone [at HP] woke up on Tuesday morning and went, 'Oh hell, is ToorCon this Saturday?'”
Grutzmacher said customers of H3C and Huawei network gear remain at risk, though they should already have taken measures to limit threats in light of a DefCon talk given over the summer by German researcher Felix Lindner, who also detailed vulnerabilities in Huawei routers.
“If you value your network and its data then you should already have taken steps to protect it,” Grutzmacher wrote. “These protections will most likely keep you safe from me as well.”