Did Huawei Hide Backdoors in Telco Kit? Or Is This More Bloomberg BS?
Today’s revelation that Huawei put backdoors into telecom equipment is perfectly shocking. But is the story all that it seems?
Yes, it’s Bloomberg again, trying to sound authoritative about security. But, some say, failing spectacularly.
Remember last year’s hilarious “spy chip” story? In today’s SB Blogwatch, we don’t forget.
Your humble blogwatcher curated these bloggy bits for your entertainment. Not to mention: halfgiraffe’s offcuts.
Useful Idiots are Useful
What’s the craic? Bloomberg Businessweek’s Daniele Lepido, Tommaso Ebhardt, Tom Giles, Thomas Seal, Frank Connelly and Patricia Suzara tag-team to try, “Hidden Backdoors in Huawei Equipment”:
Europe’s biggest phone company identified hidden backdoors … that could have given Huawei unauthorized access to the carrier’s fixed-line network. … Vodafone asked Huawei to remove backdoors … and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained.
…
While backdoors can be common in some network equipment and software because developers create them to manage the gear, they can be exploited by attackers. … Vodafone said it found vulnerabilities with the routers in Italy in 2011 and worked with Huawei to resolve the issues that year. [It] also identified vulnerabilities with the Huawei-supplied broadband network gateways in Italy in 2012 and said those were resolved the same year. [And] vulnerabilities in several Huawei products related to optical service nodes … and said the issues were resolved.
…
“There’s no specific way to tell that [a vulnerability] is a backdoor and most … would be designed to look like a mistake,” said Stefano Zanero, an associate professor of computer security at Politecnico di Milano University. … “The vulnerabilities described … have all the characteristics of backdoors: deniability, access and a tendency to be placed again in subsequent versions of the code.”
Yikes, that sounds doubleplusungood. Rebecca Falconer reminds us—“Why it matters”:
The U.S. has warned allies using Huawei equipment in 5G networks puts states at risk. In February, Secretary of State Mike Pompeo went as far as saying the U.S. wouldn’t be able to work with nations using the Chinese technology:
“We can’t forget these systems were designed by — with the express work alongside the Chinese PLA, their military in China. They are creating a real risk for these countries and their systems, the security of their people.”
But were they really “backdoors”? One Charlie Osborne lugs in “Huawei denies existence of ‘backdoors’”:
Vodafone has confirmed that vulnerabilities were found. … Described as “hidden backdoors” by Bloomberg, [they] could have been utilized to give the Chinese networking giant unauthorized access to Vodafone infrastructure, the publication reported.
…
[But] a Huawei spokesperson denied that the issues found in Vodafone’s equipment could be described as “backdoors,” given the implication that the security weaknesses were intentionally implanted. … “The accepted definition of ‘backdoors’ is deliberately built-in vulnerabilities that can be exploited — these were not such. They were mistakes which were put right.”
Still, y’know, China. Amirite? Zak Doffman says it risks “Unauthorized Access To Network”:
The debate around Huawei’s inclusion in 5G networks around the world has weaved its way through many months, with claim and counter-claim being made. … Huawei is a ‘national champion’ technology company … in China, exporting networking equipment around the world, including to countries against which China is engaged in aggressive espionage activity.
…
FBI Director Christopher Wray said … “China seems determined to steal its way up the economic ladder, at our expense. … They’re strategic in their approach—they actually have a formal plan, set out in five-year increments, to achieve dominance in critical areas. … We have economic espionage investigations that almost invariably lead back to China in nearly all of our 56 field offices. … It’s illegal. It’s a threat to our economic security. And by extension, it’s a threat to our national security.”
…
What on earth are we thinking? … Staring at the truth of the situation we have created through years of looking the other way on Xinjiang and closed procurements and soft loans and state subsidies.
…
This isn’t a Vodafone issue, this is a Huawei issue. Vodafone did the right thing.
Wait. Pause. Joxean Koret—@matalaz—ponders the truth:
All software has vulnerabilities. To call a bug a backdoor you must have proof: Publish bug analysis, CVEs, binaries and/or sources or it is a fairytale and/or ****ing propaganda.
…
Publish details of the vulnerabilities and the reason why they are considered backdoors so we security professionals can independently verify it. It smells like blatant propaganda with no real basis.
…
Also, wasn’t Huawei one of the companies that NSA was hacking into to put backdoors in the source code? … Yes, it was. … The irony!
Oh. Right. Daniel Armak grades Bloomberg’s report a D:
A backdoor is a deliberate remote-access vulnerability that the creator intended to use for illegitimate access.
The same code, but unintentional, is a … vulnerability, but not a backdoor. Same security implications, but a big difference [with respect to] culpability, appropriate punishment, and expectations of future behavior.
…
Many routers have had remote access vulnerabilities, but there’s a clear reason to write about 2012-era vulns about Huawei and not some other manufacturer.
Really though? This Anonymous Coward offers a whatabout:
Some manufacturers, like Cisco, have several hundred CVEs against them for hard coded credentials. Why aren’t the governments of the world clamouring to rid their networks of Cisco?
…
Cisco has a long history of accidentally shipping equipment with undisclosed ports/accounts left enabled. Then that whole thing with the NSA intercepting routers in the mail. Loving the manufactured outrage here.
…
Funny how we don’t get to see the same damaging and dishonestly implicating headlines about Cisco equipment, which has been revealed to have multiple actual, real back doors in the last few years. … The whole premise of western … media is to spin everything to make the East look … evil, but as soon as we look past the flimsy facade, it’s in fact the American equipment which is exactly as … subverted as their media’s claims about the competitors’ equipment.
…
You don’t want to buy Huawei? Fine. It is not your business what everyone else is buying.
Food for thought experiment. Here’s steve19:
Hard to know from the article … if the ‘backdoor’ was a vulnerability, an unwanted feature, or an actual backdoor. Imagine a Chinese headline: … “US firm Intel backdoors every CPU.”
Meanwhile, John Gruber repeatedly reminds us to consider the source:
Bloomberg, of course, is the publication that published “The Big Hack” in October — a sensational story alleging that data centers of Apple, Amazon, and dozens of other companies were compromised by China’s intelligence services.
The story presented no confirmable evidence at all, was vehemently denied by all companies involved, has not been confirmed by a single other publication (despite much effort) … and has been largely discredited by one of Bloomberg’s own sources.
By all appearances “The Big Hack” was complete bull****. Yet Bloomberg has issued no correction or retraction, and seemingly hopes we’ll all just forget about it.
I say we do not just forget about it. Bloomberg’s institutional credibility is severely damaged, and everything they publish should be treated with skepticism until they retract the story or provide evidence that it was true.
And Finally:
William “halfgiraffe” Garratt’s offcuts
Trigger warnings: fruit fondling, baboons, freak scarf accidents.
You have been reading SB Blogwatch by Richi Jennings. Richi curates the best bloggy bits, finest forums, and weirdest websites… so you don’t have to. Hatemail may be directed to @RiCHi or [email protected]. Ask your doctor before reading. Your mileage may vary. E&OE.
Image source: Cliff Johnson (cc:by-sa)
