Huawei cyber vulnerabilities

Agree!

Phone parts as well as computer components for Apple, Google, and a plethora of others are made in China. Do some people think because it is a US company that their chipsets are somehow miraculously protected from alteration, hackery, and malfeasance (NSA eavesdropping anyone, PRISM etc etc etc)?

If the USA want you to use a US owned product it is because they want their backdoors first in the line rather than subservient to others in the queue.

I warn you USA and Non US citizens that the US now have the legal power to procure your data from anywhere in the World with just a warrant from a US judge since the latest funding budget went through as CLOUD was approved in that Bill.

/sarcasm > Yep Huawei are the “real” threat here, don’t go looking elsewhere as there is nothing to see, USA, Australian authorities, UK and so on are so benevolent and free and they would never spy on you or add nefarious tools to your products < /end sarcasm

8 Likes

@grahroll, I wish I could give you far more than one like for that one!

A few might miss that in CLOUD it is completely a US legal process via US courts. If a US multinational has assets in another country, governed by that country’s laws that are different from those in the US, too bad. Resistance is futile, they will be forced to comply despite doing the right thing in each of their adopted locations.

The long arm of the ‘exceptional’ US is more like an octopus that continues to grow arms. I just need to deal with FATCA, and even that is so far over the top in how it has been foisted on the world it is not funny.

7 Likes

Freedom is an illusion foisted on the US Citizenship, but not just them, to lull them into some false sense that their personal privacy, and security is of paramount importance and is protected. It is pretty much the same everywhere in the World, name any Government and they will have tentacles reaching so far into the lives of their constituents that what the “Plebs” ate for breakfast was already divined and analysed the day before they ate it.

I hastened to add not just Governments but so many businesses are doing the same, some of whom the person being mined for data has no real affiliation, or bilateral relationship with.

5 Likes

Meantime, back at Huawei…

3 Likes

A tech company caught out cheating the benchmarks. Who would have ever guessed? :laughing:

5 Likes

A post was merged into an existing topic: Should the NBN be Sold? And if the NBN is sold what Next for the consumer?

edit: love the sarcasm. :slight_smile:

Getting slightly political but that is the word from the USA, and when one goes all the way with the USA the salute to that claim is all but obligatory. If guilt by connection of Huawei’s founders is the litmus test for product security what could be said about the US companies connections to the US DoD? Could it be ‘the government’ actually caught Huawei doing the same things US companies have been doing since the beginning of time? I would be aghast knowing there was active spying over the airwaves and fibre. :laughing:

I too ‘passed’ my cynicism quiz with virtual zeros but not having signed a confidentiality agreement nor having a suitable clearance and not knowing anything but government assertions it is all conjecture not fact.

3 Likes

I’m not one for conspiracy theories, but I have no doubt we are all being spied upon, from our allies & our not-allies. We have no power to stop them.
Big Brother is watching and taking notes - read the book.

2 Likes

If there’s money to be made by spying, then money will be made by spying. It’s the new world religion. Now China & Russia have joined the religious zealotry. The final score? - Corporations: 1, Citizens: 0.

2 Likes

Our Huawei P6 perhaps gave us the best of both worlds if these posts have substance. An opportunity for Capitalist flavoured Socialism to gather data and thanks to Capitalist flavoured Alphabet-Google-Android, the dark side of our own team.

Even Telstra is guilty of a long term relationship with ZTE who is per the USA in the same team as Huawei.

There is no clear choice of who to trust. The facts are not evident or ever likely to be revealed by any government. This appears to be beyond the average consumer to influence or circumvent.

2 Likes

You cannot trust any complex hardware that you own. As mentioned in another thread, motherboards manufactured in China and destined for large US company computers have been reported to hold small ‘spy’ chips. This is simply copying what the US has been doing for years - as Edward Snowden pointed out.

The fact that we are effectively a colony of the US is shown by our prime minister’s announcement that he’ll consider moving Australia’s embassy in Israel to Jerusalem - just a week or two after the US president opened their new embassy in Jerusalem. (It’s not apartheid if friends are doing it.)

Back to the hardware front, anything you connect to the Internet can be mined for data. I suspect we are only now realising why the US government allowed the Internet to be ‘privatised’ - to the cost of us all.

4 Likes

Second half of the article talks about excluded vendors, and adds some colour (and a little hair) to the picture …

“Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.

“But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network,” Burgess continued.

“In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks.

At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks,” Burgess said.

The comments add a new layer of context to the decision by the government to exclude the Chinese suppliers that came on the last day of Malcolm Turnbull’s Prime Ministership.

“5G technology will underpin the communications that Australians rely on every day, from our health systems and the potential applications of remote surgery, to self-driving cars and through to the operation of our power and water supply,” Burgess said.

“The stakes could not be higher.”

Sounds like a risk trade-off of quantity (limiting) over quality …

4 Likes

Interesting commentary on how 5G technology is expected to be pivotal.

In a previous work life one of our key risks was the potential for plant and equipment control systems to be hacked or compromised. These systems were until quite recently (ten years prior) rigorously separated from business/commercial and external networks.

Gradually the ability of more sophisticated systems to be monitored and controlled from afar typically using SCADA technology has become commonplace. These systems often also share access with other business systems over more general Ethernet and wireless linked networking.

There may be a lot more at risk than privacy and bank account details if future networks develop as suggested. :thinking:

However if Huawei is a concern, how can anyone be sure their competitors are dependable and secure?

3 Likes

I think stories like this are often like icebergs. Consider the implications of what is known, then the implications of what is not common knowledge, either becoming known, or even just that the knowledge itself is known, becoming known. How deep the rabbit hole goes. I guess it isn’t knowledge if it’s not known, but you get the idea.

I reckon there would be a few people working ‘the issues’ …

The first three things on any list of must-have for a secure system - air gap, air gap, air gap - then there’s list items four through twenty-something of other externalities - before getting to system, network and device intrinsics … it’s a fun game as you and many others I suspect know :wink:

4 Likes

Huawei continues to pop up in the news as the Americans worry; Australia has dutifully saluted.

My cynical nature is beginning to think the real problem with Huawei is that their products are at or above the top of the US manufacturers (or ‘friendlies’) and the US government will not tolerate that as a matter of national security or maintaining its commercial interests.

My suspicion is fuelled by being involved in a trade dispute in the 1990’s whereby the underlying issue was a foreign manufacturer had a very high end computer product well beyond what the US manufacturer could produce; by banning the foreign product from the US through punitive taxation its potential market was less than halved. The goal was pushing the foreign vendor out of that business. It worked. It also set a certain US science back about 5 years since they could not get access, but that was another topic.

At the same time the US government poured its money into a competing technology and ‘changed the market’ to one it could win. 20 years later China is pushing the US aside as both a response to the US as well as flexing its own expertise in developing state of the art.

This thing about Huawei smells quite similar to me, excepting the US cannot change the communications market but they can severely handicap players. Research the company and products vis a vis those from the US and make up your own mind what it is probably about. Security? or dominance?

5 Likes

I’m not sure the logical operator needs to be ‘or’. The question of primary intended outcome ‘and’ welcome by-product might be part of the answer … ‘or’ ‘not’ :joy::rofl::joy::rofl:

4 Likes

6 posts were split to a new topic: BYO Routers Not Allowed for VOIP by Some RSPs

Something of which I was ignorant until just now. I have an old Y300 that I wanted to play around with and so began researching ‘rooting’ options. Huawei, it turns out, has locked their bootloaders. They used to provide unlock codes on request, but that stopped several months ago.

Among other things, unlocking allows the knowledgeable to poke around a 'phone’s innards.
[paranoia mode]
What is Huawei hiding?

2 Likes

Could be something, or just as likely the code that causes them to be accused of recognising benchmarks and upping performance and power drain to get that performance. So many possibilities, including just a new ‘policy’ so they no longer have to deal with code requests. Another possibility is they are simply wanting to protect their so-called AI component.

3 Likes

Some interesting bedtime reading …

Highlighting mine…

  1. The Oversight Board has now completed its fifth full year of work. In doing so it has covered several areas of HCSEC’s work over the course of the year. The full details of this work are set out in Part II of this report. In this summary, the main highlights are:
    i. New secure premises for HCSEC completed - the previously reported acquisition of new premises for HCSEC had experienced some commercial delays, but has now completed successfully and the new facilities are fully operational;
    ii. The NCSC Technical Competence Review found that the capability of HCSEC has improved in 2018, and the quality of staff has not diminished, meaning that technical work relevant to the overall mitigation strategy can be performed at scale and with high quality;
    iii. The fifth independent audit of HCSEC’s ability to operate independently of Huawei HQ has been completed, with – again – no high or medium priority findings. The audit report identified one low-rated finding, relating to delivery of information and equipment within agreed Service Level Agreements. Ernst & Young concluded that there were no major concerns and the Oversight Board is satisfied that HCSEC is operating in line with the 2010 arrangements between HMG and the company;
    iv. Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks;
    v. No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.

… and …

  1. The key conclusions from the Oversight Board’s fifth year of work are:
    i. In 2018, HCSEC fulfilled its obligations in respect of the provision of software engineering and cyber security assurance artefacts to the NCSC and the UK operators as part of the strategy to manage risks to UK national security from Huawei’s involvement in the UK’s critical networks;
    ii. However, as reported in 2018, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation;
    iii. No material progress has been made on the issues raised in the previous 2018 report;
    iv. The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK;
    v. The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated;
    vi. At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC;
    vii. Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.

… of course there is a response from Huawei …

https://huawei.eu/media-centre/press-releases/statement-huawei-huawei-cyber-security-evaluation-centre-hcsec-oversight

… putting a rather different emphasis on the report to how I read it.

The 2019 OB report again recognises the effectiveness of the HCSEC. As the report says, “The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.”

The 2019 OB report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Fun times indeed …

2 Likes