Have a nice weekend!
Your skills will still be needed Tuesday.
It's a bumper three-day weekend in the US and UK, so we won't keep you long. Here's a rapid summary of information security news from the past week beyond what El Reg has already covered. Baltimore ransomware misery deepens: The US city of Baltimore's government websites and online services remain offline, and its computer …
Baltimore city hall, the mayor's homes and her attorney were raided by the FBI & IRS in April this year as part of an investigation into what can be best described as creative accounting, and now much of the evidence and email correspondence has been scrambled by ransomware. Just seems a bit hinky.
I'm not taking their side, but has anyone seen any actual evidence of their embedded spying or backdoors? It's notable by its absence.
By way of definitions, I mean for example a hard coded URL or IP address traced to a suspicious server in China, and combined with Wireshark traffic logs of significant and suspicious outbound data that are something other than harmless checks about firmware updates.
You'd think that somebody would have documented some specific details by now. Firmware dumps, Wireshark logs.
Previously the stated concern was that backdoors were being made at the chipset level rather than the software level, which would be much harder to find or prove.
All seems total bollocks though, and until we see some solid evidence, I'll treat the claims as such. All the time we continue to find intentional-or-not backdoors in US products, such as Cisco hard-coded credentials, SSH keys etc., or Intel's various weird patents for ways that allow executing code beyond ring 0, which seem to only have uses as a backdoor.
Lots of backdoors which could have plausible deniability but are actually there and reported on, compared with not many Huawei bugs like that.
Give me a Huawei phone without Broadcom radio and with Kaspersky AV on any day over the US alternatives!
“I'm not taking their side, but has anyone seen any actual evidence of their embedded spying or backdoors? It's notable by its absence”
The only issues I’ve seen or read about for Huawei are typical across all vendors:
- consumer kit has had admin vulnerabilities. This is largely down to being developed cheaply and is a widespread issue across CPE devices that don't get patched, i.e. it's not Huawei-specific, and the manufacturers doing a good job on this are generally 5-10x more expensive
- the use of old libraries leading to security issues. Again, not vendor specific
- weak control channel security. This is usually a customer requirement (i.e. management tools need SNMPv2/HTTP/telnet although SNMPv3/HTTPS/SSH is supported by the equipment)
The closest Huawei gets to embedded spying in equipment, in publicly available documents, is having a US-developed hacking kit for older firewalls. Outside of equipment, Huawei staff have been accused of spying, but the cases are generally treated by expelling Huawei employees rather than making the details known.
I would suggest that you could put a Huawei product and products from two western competitors on a test network, with IDS monitoring attempts to access resources outside the network and Wireshark catching all communications, and you would see nothing suspicious even attempting to leave the network if it was set up correctly. And with minor configuration changes you could see very suspicious traffic (i.e. dump syslog traffic to a public IP in China). But neither of those would indicate one way or the other whether there were attempts at spying.
The reality is that all kit from all vendors could be a low level firmware update away from embedding vulnerabilities even after a code review. A simple example would be using known weak keys for TLS if firmware X was installed.
TL;DR: you are dependent on a third party not spying on you or you catching them before harm is done regardless of the vendor. And that threat continues to evolve over time as situations change.
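The test-network setup described in the comment above (IDS plus a packet capture, looking for anything trying to leave the lab that the vendor has not documented) and the earlier commenter's request for firmware dumps with hard-coded URLs or IPs both come down to the same triage step. The script below is an added example, not something posted by either commenter and not tied to any real product: it takes a constructed flow export (timestamp, source, destination, protocol, port, bytes out) from the device under test, flags destinations outside a hypothetical allowlist (the lab subnet plus the vendor's documented update service, stood in for by documentation address space) or with unusually high outbound volume, and pulls IPv4 literals and URLs out of a constructed firmware blob so each can be checked against the vendor's documentation. The subnets, the 1 MB threshold and all sample data are assumptions.

```python
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    dst: str
    proto: str
    dport: int
    bytes_out: int


# Constructed flow export from the test-network sensor (not real traffic).
# Columns: timestamp src dst proto dport bytes_out
SAMPLE_FLOWS = """\
2019-05-24T10:00:01 192.168.50.10 192.168.50.1 udp 53 120
2019-05-24T10:00:02 192.168.50.10 203.0.113.20 tcp 443 2048
2019-05-24T10:05:00 192.168.50.10 192.168.50.1 udp 53 118
2019-05-24T10:05:01 192.168.50.10 198.51.100.7 udp 514 9500000
2019-05-24T10:06:00 192.168.50.10 203.0.113.20 tcp 443 1900
"""

# Hypothetical allowlist: the lab subnet and the vendor's documented update
# service (203.0.113.0/24 is documentation space standing in for it here).
ALLOWED_NETS = [ipaddress.ip_network("192.168.50.0/24"),
                ipaddress.ip_network("203.0.113.0/24")]


def parse_flows(text):
    """Parse the whitespace-separated flow export; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, proto, dport, nbytes = parts
        flows.append(Flow(ts, src, dst, proto, int(dport), int(nbytes)))
    return flows


def is_allowed(dst, allowed_nets):
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in allowed_nets)


def triage(flows, allowed_nets, byte_threshold=1_000_000):
    """Return {destination: [reasons]} for destinations worth a closer look.

    A destination is flagged if it is outside the allowlist, or if the total
    bytes sent to it over the capture exceeds byte_threshold (syslog to a
    public IP, for instance, would trip both checks).
    """
    findings = defaultdict(list)
    volume = defaultdict(int)
    for f in flows:
        volume[f.dst] += f.bytes_out
        if not is_allowed(f.dst, allowed_nets):
            reason = f"not on allowlist ({f.proto}/{f.dport})"
            if reason not in findings[f.dst]:
                findings[f.dst].append(reason)
    for dst, total in volume.items():
        if total >= byte_threshold:
            findings[dst].append(f"{total} bytes out exceeds {byte_threshold}")
    return dict(findings)


# Firmware side: extract IPv4 literals and http(s) URLs from a binary blob.
_IPV4 = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
_URL = re.compile(rb"https?://[A-Za-z0-9.\-]+(?::\d+)?(?:/[\w./\-]*)?")


def find_hardcoded_endpoints(blob):
    """Return (sorted IPv4 strings, sorted URLs) found in a firmware image."""
    ips = sorted({m.decode() for m in _IPV4.findall(blob)
                  if all(int(o) <= 255 for o in m.split(b"."))})
    urls = sorted({m.decode() for m in _URL.findall(blob)})
    return ips, urls


# Constructed stand-in for a firmware dump (not from any real product).
SAMPLE_FIRMWARE = (b"\x7fELF\x00\x00garbage\x00https://updates.example.com/fw/check\x00"
                   b"\x00198.51.100.7\x00\x01\x02ver=1.2.3\x00")


if __name__ == "__main__":
    for dst, reasons in triage(parse_flows(SAMPLE_FLOWS), ALLOWED_NETS).items():
        print(dst, "->", "; ".join(reasons))
    print(find_hardcoded_endpoints(SAMPLE_FIRMWARE))
```

Run as-is it flags 198.51.100.7 twice (off-allowlist syslog on udp/514, and 9.5 MB sent to it) and finds the same address, plus the update URL, as literals in the blob. That is the evidence the first commenter asked for, but only for the firmware and the capture window you actually looked at: a clean run says nothing about what a later firmware update would do, which is the point the comment above makes.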
It's interesting reading this lot.
Most of the linked stories are about data leaks, security SNAFUs and the like. Private and corporate data being taken by miscreants or being available to incompetence or mistakes.
And yet the list is led by one on Huawei, a firm accused of letting PRC "spy" but not one shred of evidence. Why would the PRC (or any gubbermint) need to spy on us when all they have to do is follow the leaks?
(NOT a Huawei fan/user either BTW, but there is a better than average chance I'll own one of their phones or some of their networking kit in the foreseeable future)