"no access to lawful interception data"
Does this mean that they didn't have the keys to the backdoor used by our governements or that they only had acces to unlawful interception data ?
Huawei was able to snoop on the Dutch prime minister's phone calls and track down Chinese dissidents because it was included in the core of the Netherlands' mobile networks, an explosive news report has claimed. Dutch national daily Volkskrant (behind a pay wall) reported over the weekend that mobile operator KPN, which used …
I think it's a reference to one of the allegations that Huawei could see the list of numbers under investigation by Dutch police and intelligence services. Not reported specifically in this piece, but apparently in the original Dutch news piece.
Whether that's access to just the list, or to actual call and intercept data I don't know.
The allegation they could listen to any call by anybody was separate.
Yeh why would Huawei put a backdoor into KPN's network? oh right Dutch authorities require it for their "lawful intercept".
And why would that include the Dutch PM phone? Ahhh yes, "lawful intercept" includes him too.
And why can you set the lawful intercept without any technical mechanism from the courts? Because the good guys trust the good guys to the point where trust is assumed.
And why would Huawei's kit store those intercept settings on Huawei's kit? Ahh yes because how the fook otherwise would it know what to intercept!
And why would Huawei's kit have access to the intercept files Huawei writes....oh right, that's a dumb question, of course they need to write those files.
And why would, you, KPN, give Huawei network access to their own switches on your site when you control that network access? Because KPN outsourced maintenance of the servers remotely to Huawei.
The Dutch backdoored their phone system, and there is the potential that the vendor of the hardware can misuse the backdoor which apparently has no technical checks on it and can be remotely set.
At some point, you're going to have to recognize why pier to pier encryption is essential, and opposing it, or backdooring it, weakens your own security and undermines your own country.
Dutch comms is badly compromised, the UK situation is far worse, courtesy of GCHQ and 5-eyes.
This is how close you came to losing democracy right across the west. Courtesy of you lot in Cheltenham.
>They outsourced the maintenence to Huawei and were then surprised that Huawei has access to their systems?
Modern mobile networks are so complex that vendors managing the core network is rather a rule than an exception.
But I would like to see how KPN would manage their network without Huawei having access to it. It's like explaining how to assemble a spaceship over phone, good luck with that.
Anyway, the real people to blame are whoever keeps the SS7 (the international set of telephony protocols) alive: bureaucrats at ITU-T. With SS7, the insecure protocol stack from 1975, any country can effectively wiretap a mobile phone in any other country, Dutch PM or Scotch MP, whomever. Maybe it is the need of the 'good' countries to wiretap the 'bad' countries (or occasionally a random Bundeskanzler) that keeps it alive.
I don't believe there have been any allegations of misdoing, excep for KPN granting access that appears to be problematic. But there is no allegation in the article that that access was misused. Of course, it appears to be Huawei, as the system admin, that they would rely on to verify that.
US agencies have been caught listening on German Chancelor's phone converstations and it didn't seem to have any impact. Oh, and they're still able to do that unless of course Huawei equipments stand in their way.
Something tell me that this is actually the problem: Huawei equipments might be aware of those TLS snooping and this would give the Chinese governement an advantage.
Dear El Reg,
I hope you come back to this story. Saw it this morning, and was hoping for more technical coverage.
The main points of the story appear to be:
They had full network access. Could listen into any call (including the PM's phone) and also had a list of all accounts under intercept/surveillance from both police and intelligence services. Didn't see if they'd actually done this, or if it was even possible to check.
Huawei had also accessed the network from inside China. Don't know if that was in accordance with the network management outsourcing agreement or in breach.
They'd also put in place measures to see subscriber data, and been looking at it. Including for a subsidiary company - and continued to do so even after being told to stop.
Which rather sounds like blackmail, as the company didn't release the report out of fear of exposure. So maybe Huawei played on that? Why otherwise directly ignore an instruction from your client?
Finally the translation I saw alleged that Huwawei were still managing the network, depsite the company's claim they were no longer outsourcing to them.
It's a phone system: everybody from a bloke at the box on the corner with a clip on phone, to anyone in customer server, to anyone with root access to any of the switches, to anybody in the other office who picks up an extension has access.
If you think a prime minister's un-encrypted phone call suddenly becomes secure by having the backhaul supplier being from Finland you are a GCHQ
It's a mobile phone system. 3G and 4G in this case.
I've only seen a quick translation of the Dutch report, which conflates the risk of using Huawei kit with using Huawei as outsourced network management. Assuming no backdoors in Huawei kit - those are two vastly different risks!
But if it's true that Huawei were downloading and subscriber data, even after being told to stop, then that is definitely nefarious - even if everything else alleged is only a risk that they could have - not proof that they did.
On t'other hand, if they had the keys to manage the network, they presumably had at least some abiltiy to cover their tracks and make audit of their actual actions hard to impossible.
Did you catch the part where they said that Huawei was paid to have that access?
Strangely yes, I can read and everything. Did they hire Huawei to download susbcriber data (not needed to run the network core) and then refuse to stop after being told to?
That's a concrete accusation of wrongdoing. Much of the other stuff comes from an audit report, and is (as you say) a risk - and no more.
Also the logging into the core network from China, rather than management offices in the Netherlands may or may not be dodgy depending on the contract.
Substitute Ericsson or Nokia for Huawei in that report and absolutely nothing changes. If you can manage a network without subscriber information then fair play to you. that said, if you don't know how to manage customer confidential information securely, then you probably shouldn't put yourself into a situation where you have to. It gets very, very expensive when you get it wrong.
"if you don't know how to manage customer confidential information securely, then you probably shouldn't put yourself into a situation where you have to. It gets very, very expensive when you get it wrong."
I've heard that claim before. Are there any real-world examples where incompetence (or worse) in IT security actually ends up getting "very very expensive" for the incompetents?
Substitute Ericsson or Nokia for Huawei in that report and absolutely nothing changes.
True enough. Outsourcing core network management, rather than buying kit and managing it yourself means you've handed over the keys to the kingdom to someone else - and you're little better than an MVNO - except with all the insecurity of trying to manage a network you don't have the competence to control. It's like banks and supermarkets outsourcing their core IT - madness. A bank is just a database with branches attached, and a supermarket that doesn't control its stock control system is insane - which is why Sainsbury's had to do an emergency reverse-ferret in-source 20 years ago.
Though there is one major difference. The Swedish and Finnish governments are vegetarians, in comparison to the Chinese government carnivores (or is that wolf warriors?). Plus there aren't allegations that Ericsson and Nokia are under their governments' control - though it ought to worry the Dutch a lot less even if they were.
If you can manage a network without subscriber information then fair play to you.
The allegation in the original Dutch article, was that Huawei had put in place software to allow them to exfiltrate subscriber data, and had regularly updated this, as well as regularly using it to do so. Even after being told to stop. The manager of your systems has no excuse or legal right to steal data from your systems - though clearly they may need access to said data while operating your systems. I still think your statement above is wrong though, there should be little need for the people running the core network to ever look at individual subscriber info - that should be accessed by the customer service people.
KPN outsourced management of the core of their network to Huawei, and were then surprised by a report that said Huawei had the access to functions which KPN had given them...
Why is this a surprise or 'explosive' in any way other than for an assessment of the competency of KPN's management?
Was there any evidence that Huawei had actually used the access for 'bad stuff(tm)' ?
Pretty sad when you have to use adverbs like, "potentially" to describe what may or may not have happened more than a decade ago to smear Huawei. I trust Huawei far more than any company from American allied countries such as the 14 eyes which unsurprisingly, Netherlands just happens to be one of them. It's also not blind trust Huawei has proven to be far more transparent than any other company on the planet. So it's of no surprise that they are still churning enough profits despite American sanctions to remain as the largest telecommunications company in the world.
I will just mention two notorious cases of western countries using western manufacturers to eavesdrop on foreign communications, including government communications.
Of course Huawei could do this. And maybe they did. But every TEM can do this, and 5-eyes seem to make regular use of them to do so. There is nothing surprising about this, and all modern governments are well aware of the issue (even if they fail to convince their politicians to actually use the encrypted comms tools they provide).
it provides more than enough arguments to start a war (economic at the beginning but eventually evolving into good old, full blown one) which (why am I not surprised ?) will benefit US more than EU.
History repeats itself, first as tragedy, second as farce. -- K.Marx
Security is a joke, be it the Five Eyes (FVEY), NGA. SIS, MI5, CIA, DGSE (General Directorate for External Security),, Australian Secret Intelligence Services, Canadian Security Intelligence Service, Mossad, National Intelligence Service (South Korea), Foreign Intelligence Service (SVR/FSB-Russia), Research And Analysis Wing (India), National Intelligence Organization (Turkey), Inter-Services-Intelligence (Pakistan), Defense Intelligence Agency (USA), Department of Homeland Security (USA), National Geospatial-Intelligence Agency (USA), Air Force Intelligence, Surveillance and Reconnaissance (USA), Ministry of State Security (MSS - China) or Uncle Tom Cobley there are few secrets to be uncovered.
What a waste of resources!