Can you trust Huawei... or any other networks supplier for that matter?

Chinese telecoms giant Huawei may well be the world's most controversial technology company. It's also probably one of the most well-known names on the US government's "entity list", where it was placed in May this year. A placement on the effective trade blacklist – although it has since been given a reprieve until August – …

  1. Tromos

    Quelle surprise

    Man from Radware recommends manufacturers who use Radware services.

    1. J. R. Hartley

      Re: Quelle surprise

      The real reason the government hates Huawei is that they don't have the necessary backdoors for snooping by the CIA/GCHQ/MOSSAD.

      1. sanmigueelbeer

        Re: Quelle surprise

        is that they don't have the necessary backdoors for snooping

        You're close to "the ball": The Chinese Security agencies don't want to share the backdoors with the west. This bit, the west can "tolerate", however, the biggest grievance is the price of their kit.

        Huawei’s prices “were not market-based,” said an equipment industry executive who has worked for years in North America. “They made no sense.”

        Roger Entner, an analyst at Recon Analytics, estimated Huawei and its compatriot, ZTE, charged 30% to 50% less than rivals.

        1. Kabukiwookie

          Re: Quelle surprise

          You mean they were competing on price? OMG those bloody commies, that's not how you wring the most amount out of people with the least amount of effort.

          You create a cartel, split up the market then generally charge the same price, like any real libertardian capitalist that thinks the 'market' will fix itself and self regulation works for the consumer. Competition? We don't need no stinkin' competition.

  2. Pascal Monett Silver badge

    "he doesn't think it is possible to rank them"

    Nonsense, let me give you some criteria :

    - amount of bugs discovered in software

    - mean time to patch bugs

    - overall efficiency of products

    - friendliness toward the NSA/China/Russia/Other

    - level of security implemented in software

    - level of security implemented in hardware

    There you go. It may take a bit of preparation, but I'm sure you can assign a number to those criteria and thus obtain a ranking.

    1. VonDutch

      Re: "he doesn't think it is possible to rank them"

      You forgot cost...

      All too often left with insufficient or impractical kit because there's an accountant along the procurement route.

      1. Anonymous South African Coward Bronze badge

        Re: "he doesn't think it is possible to rank them"

        All things Beancountery's the natural enemy of the BOFH/sysadmin/etc.

    2. P. Lee

      Re: "he doesn't think it is possible to rank them"

      I read one of the analysis papers on Huawei.

      Lots of bad flaws, but as far as I could tell, most were in the admin interface. That's bad, but if you're an enterprise, your admin interfaces are all firewall-protected, right? So, mitigations are in place.

      Talk to me about the exploitable flaws in the routing and switching engines. The other stuff is negotiable.

      As for competing on price and using "slave labour". Check out Cisco's prices for RAM. No fancy IP involved there. Profiteering I think.

      So Trump promotes US business. That's his job. No one else needs to agree with him.

  3. Anonymous South African Coward Bronze badge

    Probably the most rigorous public testing of Huawei's equipment is carried out by the UK's Huawei Cyber Security Evaluation Centre, a Banbury-based operation known as "the Cell" run by signals intelligence agency GCHQ. As the name suggests, it only tests Huawei kit, not that of its rivals, so it's not possible to draw comparisons.

    Really, they should test kit from other peddlers as well... As a security expert you will need to do such a thing in order to compare the various aspects of all kits when measured/compared against each other.

    1. Baldrickk

      That's not really what it's set up for though - it's really there to look for evidence of Chinese government spying, the security bugs being reported are just additional goodness to come out of the process.

    2. chuBb.

      Other manufacturers are not as pervasive throughout the UK (well BT/Openreach) telecoms infrastructure

      BT's current infrastructure has a LOT of Huawei in it (often wondered if 21CN was a percentage of Chinese kit in network not 21st century network....)

      Plus given that the kit is also widely used in countries we have an interest in spying on (it's cheap and China will sell to just about any regime) it makes sense to concentrate on knowing your enemy; the others are all a moot point due to either being owned by entities in 5i countries or having sanctioned backdoors at NSA/GCHQ's request.

      Don't confuse the "security" in the centre's title for the meaning that infers protection, add the air quotes and go for the spooky cold war meaning. They are looking to pwn the kit and understand its weaknesses, neuter or contain any threat and ultimately use that knowledge for our own advantage, be it tapping comms, or saving a few billion on core infrastructure; not protect enterprises or put a kite mark on the kit....

  4. Tomislav

    Not much left then...

    "Two key areas are how well a country protects its citizens' data and how much technology companies are mixed up with military and security agencies."

    ... if we rule out Cisco too.

    1. Jellied Eel Silver badge

      Re: Not much left then...

      I'd say those are not key areas. How well a country protects its citizens' data has nothing to do with typical vendor selection of tin. Mainly because that's a political issue rather than technical, ie any legislation like GDPR. You could also argue it'd rule out any US kit given Facebook, Google etc, and being mixed up with TLAs.

      It's also where security theatre and trust, or lack of trust becomes a big issue. Saying stuff has 'military grade' security can be used in marketing, but generally meaningless. Saying it meets EAL 7 may give more confidence given that's an ISO(15408). But then getting kit certified and granted an EAL rating is expensive, time consuming and may only be applicable to a specific model, or implementation.

      It's an area where the TLA's could do more to help, assuming they are trusted. So CESG does do evaluations, but could arguably do more. Problem is the usual one, funding, or lack thereof. The Huawei 'Cell' is a good example. It gives a thorough hairy eyeball to Huawei tin, but as it's a JV between CESG and Huawei, it doesn't examine other vendors. One solution could be to expand that model using some industry and government funding.

      But it's still going to face trust issues, especially when TLAs are suspected of having backdoors. Or even legislating for back doors, eg my usual example of US CALEA compliance. Mandatory for tin used in the US, and there's a trust element that any back doors will only ever be used by their intended audience. Again that's where the 'key area' is problematic given legislation in countries generally has a requirement for lawful intercept.

      Rest is part of doing business. Issue an RFP stating how tin will be used, standards it must comply with, service and support levels required etc and wait for responses. Then shortlist suppliers, possibly down to 1 and invite them to supply tin for your R&D site, where it'll be given a thorough going over by your test engineers.. Which BT did with Huawei and 21CN, so lots of compliance, interoperability and other testing. But that's expensive, time consuming and assumes you haven't RIF'd lots of engineers & flogged off your R&D site to property developers. And most non-BT's don't have that kind of luxury anyway, so often wait for an anchor customer like BT to adopt a vendor's kit before buying it yourself. Or you may be forced/better off buying that kit anyway because it needs to interoperate with Openreach.

      SDN's one example where the dream requires interoperability, along with exposing control plane functionality you'd normally want to keep hidden. Or there's stuff like optical networking and OTN ONI's for wholesale interconnects. If vendors' tin came with an NSA/GCHQ seal of approval, it may provide more confidence though.

      What doesn't help is simply saying 'This is not secure because China'. Test and tell us what is secure. Enough. At that point in time. In a given configuration.. So nice idea, but non-trivial..

  5. HmYiss

    Pick your fave fascist regime.

    Murica or China.. Simple as that. All else is illusion.

    1. Anonymous Coward

      @HmYiss - Re: Pick your fave fascist regime.

      If you want to make an educated guess, start by looking at the amount of bombs launched by the two against foreign countries and number of innocent civilians counted as "collateral damages".

  6. Azerty

    Just a rehash of all the accusations and insinuations why you cannot choose Huawei, and even if you could, it might be more convenient to bow to US demands. It's not balanced, taking GCHQ public declarations as the highest truth, free from any geopolitical influences. It doesn't even mention that of all of the accusations there has never been actual facts found of wrongdoing such as spying for the Chinese government.

    Maybe you should consider who has been the most aggressive at spying on the world. Is it the Chinese gov? I don't think so. I think those revelations brought by Snowden are still enlightening. It's the US gov who demands to capture all of the world's telecoms and apparently Huawei is a serious issue for them.

    1. Anonymous Coward

      @Azerty - Your down-voters

      are blissfully unaware of who was spying on the German chancellor's phone. Not China. Not Russia.

      1. Kabukiwookie

        Re: @Azerty - Your down-voters

        No. Not unaware, probably just USians with their fingers in their ears shouting 'U S A' while checking their history books again to reassure themselves that they won WW2 and without them you'd be speaking German now.

        Luckily there are a lot of Americans, who do seem to be waking up.

  7. 0laf
    Trollface

    Saved some ink

    "Can you trust Huawei... or any other networks supplier for that matter?"

    No.

    Surprised you even needed to ask.

  8. 4whatitsworth

    So we're not giggling in the corner about a certain Woody Johnson then?

    Memories of Austin powers.

    Just me.....

  9. Anonymous Coward
    Devil

    "what appeared to be great security to tempt organisations in"

    That's not how it works - they already tempt organizations in the West with the most powerful weapon - cheap price... they know where managers/beancounters and technicians fight, the former always win...

  10. Anonymous Coward

    I don't get all the fuss about Huawei. Surely you'd always encrypt "end-to-end" if you wanted privacy anyway?

    1. Anonymous Coward

      It's not just a matter of spying - even the ability to disrupt someone else's network on demand can be quite useful. Anyway end-to-end encryption may still have flaws you can exploit if you can be the man in the middle.

  11. ZolaIII

    Look out kid you gonna get hit.

    The simple answer is no you can't.

    While Huawei doesn't have a stellar, or even good for that matter, record of patching CVEs, even the best one, Google, is always at least two steps behind a caring, well-maintained developer community.

    This is still at a half-acceptable level, as at least it relies on an open-source Linux stack where at least you can snoop around & see what's going on.

    What about a dominant user-space vendor such as Qualcomm, whose modems run on a proprietary RTOS (which was originally open source but isn't anymore) & for which you only have proprietary binary blobs? Well, that's just a triple-A security threat!

    The other side of the mirror reflection is the hardware. Somehow it has shown so far that most security co-processors had design flaws which contained security exploits that could be used as backdoors. That's hard-printed, proprietary and hard to both find and fix. On the other hand there were a lot of similar issues with even very popular & licensable general-purpose CPU cores (ARM A53 errata) & we are witnessing numerous new ones popping out regarding out-of-order cores on all architectures (while Intel leads the pack). In fact it's so serious that good old (welcome back) Linus broke the code of conduct in addressing them. In the end seeing is believing & the future should be based on both sides of the glass in open & transparent designs/code. With RISC-V we are at least a step closer to our own security regarding the hardware side. There is no such thing as a trustworthy government or good honest corporation, so don't follow leaders & watch your parking meters.

  12. kartstar

    Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

    "More broadly, China passed a law in 2017 which obliges its companies to co-operate with the state."

    Hmmmm, sounds like another country I'm very familiar with...

    https://www.theregister.co.uk/2018/10/20/cryptobusting_is_only_bad_if_youre_a_commie_and_were_not/

    1. NetBlackOps

      Re: You can read my SMSs but you can take my WhatsApps from my cold dead hands

      "Hemmings said that while plenty of western technology companies get involved with military and security work, the difference is that they can choose not to – unlike Chinese ones."

      When I read that, my first thought was the Patriot Act, especially in light of the fact that non-compliance with a National Security Letter, let alone a FISA Court warrant, results in prison time without the benefit of even going to court. We've already seen companies shut themselves down rather than even try to fight. The only reason Microsoft is still in their fight is that it was a federal judge overreaching and that's percolating up the judicial process. If the federales had used either of the above, Satya would be staring through jail bars right now and neither he, nor his lawyers, would even be able to say why.

      A related observation, what is Freedom House smoking/dropping? I do pay attention to Australian news (APAC is my favorite beat) and they should be farther down the list, closer to the US, on the basis of what's happened recently. Typical NGO.

  13. NeilPost Silver badge
    Happy

    H5O?

    Controversial, rule breaker, some suspect practices ??

    Huawei-5-O anyone ??

  14. Dominic Sweetman

    An opportunity...

    I'm guessing that router software is complicated, but well understood. The trick would be to use Huawei hardware with the firmware rebuilt from source code by a team of open-source-world programmers, under Ross Anderson's supervision. If you could negotiate and build such a thing, you'd have everything the UK needs. If you could keep GCHQ out of it, it might also be an international hit.

  15. warmndry

    I see no mention of the price of licensing or other services. If 5G dominance goes to suppliers outside USA it might have a serious impact on the USA's trade balance numbers. I think I would like to know more about the money before worrying too much about the spying, which everybody does anyhow.

  16. Yes Me Silver badge
    Holmes

    Well, let's do some fact checking...

    "The report makes the case that Huawei is effectively government controlled, and that its 98 per cent ownership by a trade union committee..."

    Funny that, since the employees believe that employees own all the shares. Let me see, who do I believe? Chinese people who actually work there and claim to own shares, or some committee of blimps in England who claim to know better?
