CHOICE membership

Huawei cyber vulnerabilities


#81

Scratch the surface though and things are not so robust.

Firstly I did write “reverse engineered” and I get the impression that that is not what the UK authorities are doing. I get the impression that they are examining the source code and then attempting to verify that the deployed binary came from that source code.

The report appears to concede that they have not so far succeeded in doing that! (largely due to flaky control in the build environment)

Access to the source code is likely to be far more efficient in terms of time and effort, but provides no assurance unless they can reliably produce the binary (and even then only if they trust or have in turn verified the toolchain needed to produce the binary from the source).

Secondly, it seems likely that the third party real-time operating system is outside the scope of the above process, which means there may be a loophole large enough to drive a bus through. (The report notes a future plan to migrate to a Linux kernel, which would mitigate that to a large extent but that would have to actually happen.)

Thirdly, with such a buggy software process, there is a risk that even without Chinese state interference there could still be Chinese state exploitation of the resulting bugs, the assumption being that if the UK government can demand that Huawei allow UK inspection of its source code (as appears to have happened) then the Chinese government can demand the same.

An ideal report would conclude “we have examined the product extensively and not found any vulnerabilities”.

Instead it basically concludes “we found heaps of vulnerabilities but we think they are due to incompetence rather than malice”. :slight_smile:


#82

Then any phone is able to be written off as to it’s security, lack of, or more properly amount of, vulnerabilities, loopholes that can and are exploited…and these are done by any number of “agencies” in almost if not all countries whether made in that country or not. Intel etc have their chipsets mostly manufactured in Chinese facilities so how do you know that even they are safe from programmed faults or exploits? You can’t! Who you use is perhaps about who you first give your data to in the line-up but it is still siphoned off by every sticky finger out there. When a die/design is sent to China for manufacture who thinks that the Chinese Govt doesn’t get access and why couldn’t they easily alter the specs to build in exploits (they have very smart minds there too). If you rely on a country you don’t trust to make your own electronic goods then who is the fool in that equation. Home grown in house isn’t even safe just look to the Nuclear weapon plans sent to Russia from the USA many years ago.

If you really want to limit the Chinese/Russian/Korean/Iranian/… influence to the barest minimum build it at home and hope you have picked trustworthy staff to do it, but don’t send it to those “suspect” countries to make it and expect it to be clean.

Perhaps Apple’s iPhone is also questionable in it’s integrity as it is wholly manufactured in China, then we have the Korean influence with Samsung and others.


#83

Which is what the report would have found in examining Microsoft Windows, any number of Adobe products, Cisco firmware and so forth. No software is perfect, and even Apple has had problems with an extra space in an iOS argument meaning that a security check was not conducted!

It’s not incompetence, it’s human nature. Software is complicated, and companies like to do things on the cheap.


#84

Indeedy. You don’t. You have to pick your battles.

(Intel chips come with that designed in - before the design gets to the fab in China. :slight_smile: )


#85

Did you read the report though?


#86

Chinese surveillance app reverse-engineered by HRW highlights monitoring of Xinjiang residents


#87

Yep similar apps abound in Western society, not phone specific or even a vulnerability but rather using the vast amounts of available collected data from many sources. Privacy related for sure, only Huawei phone linked…nope other than some phone records probably were by users of Huawei products.


#88

I often find it amusing to read Ken Thompson’s ‘Turing Award Lecture’, where he reflects:

The moral is obvious. You can’t trust code that you did not totally create yourself. (Especially code from companies that employ people like me.) No amount of source-level verification or scrutiny will protect you from using untrusted code.

The rest of the lecture is well worth a read. This appeared in Communications of the ACM, August 1984 … (and has been quoted here before) - only 35 years or so ago …


#89

It might be self evident to others. The extent of imbedded micro-controllers beyond basic IOT devices is rapidly increasing.

They provide both back door opportunities and as noted more generally another source of data.

LG washing machines that talk to your mobile phone, down load wash cycle updates and report on your washing. Solar PV multipoint tracking inverters that data log every 5 minutes, adjust performance in micro second time intervals and can adeptly manage WiFi or ethernet communications (WAP or router clever). And they can also connect to your mobile phone which connects as a client using apps provide by the Inverter manufacturer/designer.

The Huawei discussions appear only as a more direct, obvious and easily highlighted area for concern?

P.s.
The Exotic Genie is unlikely to go back into the lamp or bottle until it has been given its three wishes? What they might be could be another topic?


#90

I would say that it is two different motivations

a) corporate surveillance for profit

b) government surveillance for control

I don’t want either, thanks. Only (b) is really relevant to this discussion - the implication of this discussion being that Huawei is, either voluntarily or under compulsion, a tool of the Chinese government.

Cutting across both of the above are all of the unintentional security problems that will be exploited by criminals and mischievous pimply teenagers in basements.

Maybe so, but you don’t have to just take it.


#91

Of course we don’t. :wink:
If only it were my Genie instead of being part of a pass the parcel game played in Canberra?


#92

An interesting twist from Google. It shows how trustworthy commercial relationships can be under political duress. One has to conclude China is accelerating its development of home-grown operating systems to protect itself and its companies. Huawei might or might not be a security risk for one reason or another, but my educated guess is that this will not end well for google or the US, longer term.


#93

If this is the case, doing such may pose a greater potential risk and may backfire on Trump’s restrictions on US companies dealing with Huawei in order to maintain ‘security’.

The easiest way to breach security is via software. Allowing Google to continue to provide Android to Huawei may have reduced one potential additional risk.

I agree that this is unlikely to end well for Google or the US…it may have just (unintentionally) opened the door that they think they are trying to close.

What next, banning all phones or IoT make in China to prevent software/firmware security issues. How about banning Chinese made chips/processors (including US companies which manufacture in China) as these could have backdoors introduced by the Chinese production.

I think it would be better to interrogate devices made in Chine to assess their vulnerabilities … and highlight these to the consumer/user rather than take a American firewall/trade ban type approach. The US or other countries are yet to provide definitive evidence of security issues with any Chinese IoT and the rhetoric is about potentials risks rather than actual risks.


#94

The Chinese PC OS.

NeoKylin has long been part of the Chinese government’s hopes that a successful domestic OS would emerge. This has been driven by Microsoft dropping support for Windows XP—still widely used in China—and the government’s push to limit dependence on foreign technology, primarily for security reasons.

Note the underlying dependence on open source as a common thread, including by most (all?) network companies and even Microsoft these days. ‘The genie’ is running free.


#95

Many economists are now of the opinion that new tariffs threw the US from recession to Great Depression in 1930. Global trade 90 years ago was a tiny fraction of what it is today, and the US would almost certainly be the primary victim of most potential trade wars today.

It is absolutely crazy to say “China’s stealing our intellectual property”, and then give them no options but to ramp up this activity. The modern US economy is largely driven by financial speculation and by ideas (intellectual property in the form of IT software and hardware). A decision that leaves China without the option of purchasing your IT software and hardware simply encourages more copying of your ideas. China copies them, gives them a coat of paint, and when the trade war ends the US has lost a market and control of a lot of IP, and gained…?

Apparently Huawei will continue to be able to access security patches for its current phones, but will not have access to the next version of Android - Q. Presumably it will not get Google’s assistance in developing new phones that use Android Pie, either.

Australia will of course fall in line with its commander in chief, as the informal 51st state.

Microsoft PowerToys is now open source! (Strangely, most of the old ones are now an integral part of Windows.)


#96

I wonder how many solar PV systems installed in the USA have Inverters manufactured and designed in China?

No need to wonder about Australia PV systems? Ours came from a factory somewhere in China, along with the Solar panels.

The computing and communication capabilities of modern Inverters exceed most IOT devices.

Huawei may raise the exposure risk to a higher level. It is just a more visible product.


#97

There is also ‘interesting’ data being collected from this Chinese origin IoT. Warning: About adult product & privacy in the US courts.

But Huawei, WeChat, and … are probably droll in comparison. Do you think they have a simulator to play back the data?


#98

They may for example fork the open source parts of Android. Longer term they may develop something themselves.

Logically Huawei shouldn’t use the other parts of Android for the exact same reason that Americans shouldn’t use Huawei equipment.

China already has (or had?) a Linux distribution called Red Flag Linux, a name presumably chosen without intentional irony. :slight_smile:


#99

From my experience in Australia, it would be difficult for a third party to walk into a development shop and ask for any changes without the managers & staff getting a management OK. However China is different. There is the required resident CPC staff member - attaché or what ever you want to call them - who have their own government agenda. Authority comes from their position. People will do what they are told. Not only that, using the backdoor is a normal way people network & get things done. The result is that plausible deniability is easy for the management. They can promise all they like. They wouldn’t be told.
If anything, it surprises me the list of companies in focus is so narrow.


#100

Another brilliant piece of reportage from The Register.