
Huawei cyber vulnerabilities


edit: love the sarcasm. :slight_smile:

Getting slightly political but that is the word from the USA, and when one goes all the way with the USA the salute to that claim is all but obligatory. If guilt by connection of Huawei’s founders is the litmus test for product security what could be said about the US companies’ connections to the US DoD? Could it be ‘the government’ actually caught Huawei doing the same things US companies have been doing since the beginning of time? I would be aghast knowing there was active spying over the airwaves and fibre. :laughing:

I too ‘passed’ my cynicism quiz with virtual zeros but not having signed a confidentiality agreement nor having a suitable clearance and not knowing anything but government assertions it is all conjecture not fact.


I’m not one for conspiracy theories, but I have no doubt we are all being spied upon, from our allies & our not-allies. We have no power to stop them.
Big Brother is watching and taking notes - read the book.


If there’s money to be made by spying, then money will be made by spying. It’s the new world religion. Now China & Russia have joined the religious zealotry. The final score? - Corporations: 1, Citizens: 0.


Our Huawei P6 perhaps gave us the best of both worlds if these posts have substance. An opportunity for Capitalist flavoured Socialism to gather data and thanks to Capitalist flavoured Alphabet-Google-Android, the dark side of our own team.

Even Telstra is guilty of a long term relationship with ZTE who is per the USA in the same team as Huawei.

There is no clear choice of who to trust. The facts are not evident or ever likely to be revealed by any government. This appears to be beyond the average consumer to influence or circumvent.


You cannot trust any complex hardware that you own. As mentioned in another thread, motherboards manufactured in China and destined for large US company computers have been reported to hold small ‘spy’ chips. This is simply copying what the US has been doing for years - as Edward Snowden pointed out.

The fact that we are effectively a colony of the US is shown by our prime minister’s announcement that he’ll consider moving Australia’s embassy in Israel to Jerusalem - just a week or two after the US president opened their new embassy in Jerusalem. (It’s not apartheid if friends are doing it.)

Back to the hardware front, anything you connect to the Internet can be mined for data. I suspect we are only now realising why the US government allowed the Internet to be ‘privatised’ - to the cost of us all.


Second half of the article talks about excluded vendors, and adds some colour (and a little hair) to the picture …

“Historically, we have protected the sensitive information and functions at the core of our telecommunications networks by confining our high-risk vendors to the edge of our networks.

“But the distinction between core and edge collapses in 5G networks. That means that a potential threat anywhere in the network will be a threat to the whole network,” Burgess continued.

“In consultation with operators and vendors, we worked hard this year to see if there were ways to protect our 5G networks if high-risk vendor equipment was present anywhere in these networks.

“At the end of this process, my advice was to exclude high-risk vendors from the entirety of evolving 5G networks,” Burgess said.

The comments add a new layer of context to the decision by the government to exclude the Chinese suppliers that came on the last day of Malcolm Turnbull’s Prime Ministership.

“5G technology will underpin the communications that Australians rely on every day, from our health systems and the potential applications of remote surgery, to self-driving cars and through to the operation of our power and water supply,” Burgess said.

“The stakes could not be higher.”

Sounds like a risk trade-off of quantity (limiting) over quality …


Interesting commentary on how 5G technology is expected to be pivotal.

In a previous work life one of our key risks was the potential for plant and equipment control systems to be hacked or compromised. These systems were until quite recently (ten years prior) rigorously separated from business/commercial and external networks.

Gradually the ability of more sophisticated systems to be monitored and controlled from afar, typically using SCADA technology, has become commonplace. These systems often also share access with other business systems over more general Ethernet and wireless linked networking.

There may be a lot more at risk than privacy and bank account details if future networks develop as suggested. :thinking:

However if Huawei is a concern, how can anyone be sure their competitors are dependable and secure?


I think stories like this are often like icebergs. Consider the implications of what is known, then the implications of what is not common knowledge, either becoming known, or even just that the knowledge itself is known, becoming known. How deep the rabbit hole goes. I guess it isn’t knowledge if it’s not known, but you get the idea.

I reckon there would be a few people working ‘the issues’ …

The first three things on any list of must-haves for a secure system - air gap, air gap, air gap - then there’s list items four through twenty-something of other externalities - before getting to system, network and device intrinsics … it’s a fun game as you and many others I suspect know :wink:


Huawei continues to pop up in the news as the Americans worry; Australia has dutifully saluted.

My cynical nature is beginning to think the real problem with Huawei is that their products are at or above the top of the US manufacturers (or ‘friendlies’) and the US government will not tolerate that as a matter of national security or maintaining its commercial interests.

My suspicion is fuelled by being involved in a trade dispute in the 1990s whereby the underlying issue was a foreign manufacturer had a very high end computer product well beyond what the US manufacturer could produce; by banning the foreign product from the US through punitive taxation its potential market was less than halved. The goal was pushing the foreign vendor out of that business. It worked. It also set a certain US science back about 5 years since they could not get access, but that was another topic.

At the same time the US government poured its money into a competing technology and ‘changed the market’ to one it could win. 20 years later China is pushing the US aside as both a response to the US as well as flexing its own expertise in developing state of the art.

This thing about Huawei smells quite similar to me, excepting the US cannot change the communications market but they can severely handicap players. Research the company and products vis a vis those from the US and make up your own mind what it is probably about. Security? or dominance?


I’m not sure the logical operator needs to be ‘or’. The question of primary intended outcome ‘and’ welcome by-product might be part of the answer … ‘or’ ‘not’ :joy::rofl::joy::rofl:



Something of which I was ignorant until just now. I have an old Y300 that I wanted to play around with and so began researching ‘rooting’ options. Huawei, it turns out, has locked their bootloaders. They used to provide unlock codes on request, but that stopped several months ago.

Among other things, unlocking allows the knowledgeable to poke around a 'phone’s innards.
[paranoia mode]
What is Huawei hiding?


Could be something, or just as likely the code that causes them to be accused of recognising benchmarks and upping performance and power drain to get that performance. So many possibilities, including just a new ‘policy’ so they no longer have to deal with code requests. Another possibility is they are simply wanting to protect their so-called AI component.


Some interesting bedtime reading …

Highlighting mine…

  1. The Oversight Board has now completed its fifth full year of work. In doing so it has covered several areas of HCSEC’s work over the course of the year. The full details of this work are set out in Part II of this report. In this summary, the main highlights are:
    i. New secure premises for HCSEC completed - the previously reported acquisition of new premises for HCSEC had experienced some commercial delays, but has now completed successfully and the new facilities are fully operational;
    ii. The NCSC Technical Competence Review found that the capability of HCSEC has improved in 2018, and the quality of staff has not diminished, meaning that technical work relevant to the overall mitigation strategy can be performed at scale and with high quality;
    iii. The fifth independent audit of HCSEC’s ability to operate independently of Huawei HQ has been completed, with – again – no high or medium priority findings. The audit report identified one low-rated finding, relating to delivery of information and equipment within agreed Service Level Agreements. Ernst & Young concluded that there were no major concerns and the Oversight Board is satisfied that HCSEC is operating in line with the 2010 arrangements between HMG and the
    iv. Further significant technical issues have been identified in Huawei’s engineering processes, leading to new risks in the UK telecommunications networks;
    v. No material progress has been made by Huawei in the remediation of the issues reported last year, making it inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance.

… and …

  1. The key conclusions from the Oversight Board’s fifth year of work are:
    i. In 2018, HCSEC fulfilled its obligations in respect of the provision of software engineering and cyber security assurance artefacts to the NCSC and the UK operators as part of the strategy to manage risks to UK national security from Huawei’s involvement in the UK’s critical
    ii. However, as reported in 2018, HCSEC’s work has continued to identify concerning issues in Huawei’s approach to software development bringing significantly increased risk to UK operators, which requires ongoing management and mitigation;
    iii. No material progress has been made on the issues raised in the previous 2018 report;
    iv. The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK;
    v. The Oversight Board advises that it will be difficult to appropriately risk-manage future products in the context of UK deployments, until the underlying defects in Huawei’s software engineering and cyber security processes are remediated;
    vi. At present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC;
    vii. Overall, the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.

… of course there is a response from Huawei …

… putting a rather different emphasis on the report to how I read it.

The 2019 OB report again recognises the effectiveness of the HCSEC. As the report says, “The oversight provided for in our mitigation strategy for Huawei’s presence in the UK is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the UK networks are more vulnerable than last year.”

The 2019 OB report details some concerns about Huawei’s software engineering capabilities. We understand these concerns and take them very seriously. The issues identified in the OB report provide vital input for the ongoing transformation of our software engineering capabilities. In November last year Huawei’s Board of Directors issued a resolution to carry out a companywide transformation programme aimed at enhancing our software engineering capabilities, with an initial budget of US$2bn.

A high-level plan for the programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent. To ensure the ongoing security of global telecom networks, the industry, regulators, and governments need to work together on higher common standards for cyber security assurance and evaluation.

Fun times indeed …


The statement in the report “NCSC does not believe that the defects identified are a result of Chinese state interference” seems to reflect more on the ability or perhaps better said inability of the Huawei company to produce good code and sustain a level of good practice.


While OT, about 40 years back the Japanese manufacturers (Fujitsu, NEC, Hitachi) got access to IBM’s mainframe OS source. It set Japanese software technology back at least a decade. Maybe Huawei got a copy too?


That’s funny … I wonder if IBM’s source has changed much in 40 years? Probably not, all in the name of stability … HP-UX is much the same, buy other people’s tech and watch it walk out the door when you sacrifice progress for ‘stability’ … it’s made HP what it is today, four separate companies - three of which holding hands as they spiral down the S-bend while the fourth makes bucket loads selling PCs and ‘Ink’ … There’s conspiracy, and then there is utter ineptitude …


The plot thickens …

Or just cold feet?

NOTE: At this time, based on this enhanced review, MIT is not accepting new engagements or renewing existing ones with Huawei and ZTE or their respective subsidiaries due to federal investigations regarding violations of sanction restrictions. The Institute will revisit collaborations with these entities as circumstances dictate.


The US has sanctions on so many countries it’s probably hard for companies to keep track of them! In fact, it has sanctions/tariffs on Chinese imports at the moment, so…

Off topic: why is it that one country imposes sanctions based upon its own messed-up internal politicking and the rest of the world is expected to follow?