Reply to post: Re: Huawei spying

Millions of personal files exposed by insurance biz, serial web hacker strikes again, and more from infosec land

Anonymous Coward
Anonymous Coward

Re: Huawei spying

“I'm not taking their side, but has anyone seen any actual evidence of their embedded spying or backdoors? It's notable by its absence”

The only issues I’ve seen or read about for Huawei are typical across all vendors:

- consumer kit has had admin vulnerabilities. This is largely down to being developed cheaply and is a wide spread issue across CPE devices that don’t get patched. Ie it’s not Huawei-specific and the manufacturers doing a good job on this are generally 5-10x more expensive

- the use of old libraries leading to security issues. Again, not vendor specific

- weak control channel security. This is usually a customer requirement (ie management tools need SNMPv2/HTTP/telnet although SNMPv3/HTTPS/SSH is supported by the equipment)

The closest Huawei gets to embedded spying in equipment is publicly available documents is having a US-developed hacking kit for older firewalls. Outside of equipment, Huawei staff have been accused of spying, but the cases are generally treated by expelling Huawei employees rather than making the details known.

I would suggest that you could put a Huawei product and products from two western competitors on a test network with IDS monitoring attempts to access resources outside the network and wireshark catching all communications and you would see nothing suspicious even attempting to leave the network if it was setup correctly. And with minor configuration changes you could see very suspicious traffic (ie dump syslog traffic to a public IP in China) But neither of those would indicate one way or the other whether there were attempts at spying.

The reality is that all kit from all vendors could be a low level firmware update away from embedding vulnerabilities even after a code review. A simple example would be using known weak keys for TLS if firmware X was installed.

TL;DR: you are dependent on a third party not spying on you or you catching them before harm is done regardless of the vendor. And that threat continues to evolve over time as situations change.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2022