Forgot your password?
typodupeerror
China Security Hardware

The Chinese Telecom That Spooks the World 153

Posted by samzenpus
from the trust-us dept.
wrekkuh writes "The Economist has printed an interesting look at the concerns and speculations of the fast-growing Chinese telecom giant Huawei, and its spread into western markets. Of particular concern is Huawei's state funding, and the company's founder, Ren Zhengfei, who once served as an engineer in the People's Liberation Army (PLA). However, another article from The Economist goes into greater detail about the steps Huawei has taken to mitigate some of these concerns in England — including co-operating with the GCHQ in Britain, the UK's signals-intelligence agency, to ensure equipment built by Huawei is not back-doored."
This discussion has been archived. No new comments can be posted.

The Chinese Telecom That Spooks the World

Comments Filter:
  • by Anonymous Coward on Sunday August 05, 2012 @04:49PM (#40888717)

    How can you be absolutely sure they are not back-doored?

    • by Anonymous Coward on Sunday August 05, 2012 @04:51PM (#40888737)
      You compare the byte-code to Cisco's.
      • Re: (Score:3, Funny)

        by M0j0_j0j0 (1250800)

        But Cisco's have backdoors! i don't get it

        • by Anonymous Coward

          well, in Cisco, I can tell you, any static passwords (like root accounts with anything not set by customer), it is simply, not allowed, and if done by developer, it is fixed, and public is notified as soon as possible. (there are controls, that by mistake my fail to detect, so yes, there are examples of this)

          adding a backdoor would get the product under BIG heat from PSIRT

          • by mikael (484)

            What about that access to home routers by the cloud, set up by an auto-update. You have to give the website your password in order to get to your router.

            • hell. What about those home routers that require net access just to log-in with the damn default? I've got a Netgear unit that frankly worries me because of this exact feature and I have to wonder just how much of my traffic is being sent past their effen servers for monitoring by whatever TLA agency you care to name

            • by Anonymous Coward

              You have to give the website your password in order to get to your router.

              I can't seem to find that feature in OpenWRT.

          • by fluffy99 (870997)

            well, in Cisco, I can tell you, any static passwords (like root accounts with anything not set by customer), it is simply, not allowed, and if done by developer, it is fixed, and public is notified as soon as possible. (there are controls, that by mistake my fail to detect, so yes, there are examples of this)

            adding a backdoor would get the product under BIG heat from PSIRT

            There is a major supply chain problem though. Sure that router or PC left the manufacturer without backdoors, but you have no guarantee that someone in the supply chain didn't tamper with it. At the very least, you wipe the OS and reinstall from know good sources. There are plenty of examples of PCs arriving pre-infected with malware (not counting the standard crap that Dell and HP add on) and there have been instances of Cisco gear showing up with a tampered IOS.

      • by Luckyo (1726890) on Sunday August 05, 2012 @05:22PM (#40888967)

        Even if they did 1:1 copy software side, hardware can have its own backdoors, hidden in the chips, completely invisible from software side.

        And if you think that cisco doesn't have backdoors, I have land on the moon to sell you.

    • Faith, brother Coward, faith.
    • by umghhh (965931)
      Huawei told them that I think of all concerns backdooring is one but I think they should worry not about backdoors now but about falling china independent vendors of vital equipment. Huwaei is as evil as other chinese companies - they do not have to bribe themselves if target is strategic enuff then chinese banks will start giving the govs around the target loans etc. This is not always so but it's been long time practice. Once your industry is gone it is difficult to get it back so you are dependent on sw/
    • by Anonymous Coward

      By scanning chips.
      By watching how they work under microscope.
      Nothing can be hidden from this even with the best of technology.
      Random testing will prevent special boards from reaching testing agencies.

      It is paranoia at best. More so when it comes from the US because they already do such a thing.
      China, strangely, are completely innocent in comparison to the US.

      • by Taco Cowboy (5327)

        It is paranoia at best. More so when it comes from the US because they already do such a thing.

        China, strangely, are completely innocent in comparison to the US.

         
        China is not completely innocent - but compare to US, in term of spying technology, true, China is like a kindergarten kid as compare to Uncle Sam, a University Professor teaching PhD post graduate students
         

    • How can you be absolutely sure they are not back-doored?

      The same way that we can absolutely be sure that you're not a pedophile. We just can't.

      It's nothing personal. It's just that proving a negative can be really difficult at times. Until we know more, let me suggest that we don't let you near any children, as a just to be safe, we really don't know, precautionary measure.

    • Re: (Score:3, Interesting)

      by Agent ME (1411269)

      They practically are backdoored: they're insecure as hell. http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf [phenoelit.org]

  • racism much? (Score:5, Insightful)

    by Anonymous Coward on Sunday August 05, 2012 @04:53PM (#40888759)

    Why is it ok that all internet equipment cc's a copy to the usa, but not ok to send the same copy to china?

    • Re:racism much? (Score:5, Insightful)

      by alexandre_ganso (1227152) <surak@surak.eti.br> on Sunday August 05, 2012 @06:19PM (#40889339)

      Why was this modded negative? It is a reasonable question. So is it fine for the NSA to spy everything, but not china? Double value.

      • I think it's modded because the implication was that it had to do with race. That if, say, Ireland were a rising superpower against a declining US, and the two were locked in industrial+government espionage, we'd be okay with Ireland getting an advantage over us.

        I think the reason we aren't as worried about the US industrial espionage as we are about chinese espionage has nothing to do with race, it has to do with the fact that we have a stake in the outcome.
      • For starters, because he labeled it racism, which is a misnomer of the highest order. Race has absolutely nothing to do with this discussion, and its exhausting to have it brought up at every opportunity.

      • by T Murphy (1054674)
        I guess we would never know for sure, but does the NSA (or related agencies) have secret backdoors only it knows about? We know all internet traffic that routes through the US should be assumed intercepted, and I believe we spy on allied nations' citizens with the knowledge or even participation of their governments, but can we make a distinction between China's trojan horse attempts and the US' strongarmed requests for permission*? Also, China's spying is often used for economic gain, not just military int
    • Even if so, that's nationalism, not racism.

  • by pathological liar (659969) on Sunday August 05, 2012 @04:55PM (#40888785)
  • by sabri (584428) * on Sunday August 05, 2012 @04:57PM (#40888799)
    So, they are being tested by the security watchdog in the U.K. Big deal, they load up a specially prepped software image (like they do for all their customers) and pass the test. Next step is to have all operators buy their heavily discounted gear for almost nothing, implement it and have them install a critical software update to avoid exploits. Have that image backdoored and they are one step closer to total world domination.
    • by Luckyo (1726890)

      Or you hide backdoor in the hardware, invisible from the actual hardware until initialized externally.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      Read this.
      http://www.theparliament.com/latest-news/article/newsarticle/cyber-security-john-suffolk/ [theparliament.com]
      CSEC get to see and test the source code (first line of penultimate paragraph). They aren't just pen-testing black boxes.

      I'm posting purely public information as Anon because I know far more about this than I'm allowed to say.

      • I would be lots more impressed with this if parliaments could even design their code (laws) without bugs or loopholes.

        • by c0lo (1497653)

          I would be lots more impressed with this if parliaments could even design their code (laws) without bugs or loopholes.

          Those aren't bugs, they are features.

      • by chihowa (366380) on Sunday August 05, 2012 @06:02PM (#40889247)

        Looking at source code is even more useless in this case than examining the black boxes that are actually being deployed. It's difficult to prove that the source they're looking at is what is on the actual sold devices. And looking at the source gives no information about backdoors implemented in hardware.

        • by mauriceh (3721)

          You are right, but:

          IF the OS and patches on these is open source, AND the users are in control of installing these items and updates, AND the source is kept on a public repository, then there is a chance it could be legit.

          • by c0lo (1497653)

            You are right, but:

            IF the OS and patches on these is open source, AND the users are in control of installing these items and updates, AND the source is kept on a public repository, then there is a chance it could be legit.

            Didn't you forget the compiler [wikipedia.org]?

    • by Zocalo (252965)
      I think the credibility of that security audit has just been seriously undermined given the recent revelations that Huawei's routers are riddled with security problems [slashdot.org]. GCHQ was supposed to be auditing these things to ensure that they were fit for use on the UK's national infrastructure; things like 3G/LTE networks, airports, highways, powerstations, railways, and so on. So, which is it? Either they failed to find the vulnerabilities, even with the advantage of access that Felix Lindner presumably didn't
    • by arkhan_jg (618674) on Sunday August 05, 2012 @06:57PM (#40889581)

      GCHQ is hardly a security watchdog - the closest US equivalent would be the NSA.

      They're the signals intercept and codebreaker agency of the UK government. One presumes they know their shit when they're looking for backdoors planted by the chinese intelligence servives.

      • by Ash Vince (602485) *

        GCHQ is hardly a security watchdog - the closest US equivalent would be the NSA.

        They're the signals intercept and codebreaker agency of the UK government. One presumes they know their shit when they're looking for backdoors planted by the chinese intelligence servives.

        This the interesting thing about GCHQ's remit. It is actually twofold. They are tasked with securing the UK's government communications and also breaking other peoples.

        The most interesting story I ever heard about them involved the guy who is currently their chief mathematician: http://en.wikipedia.org/wiki/Clifford_Cocks [wikipedia.org]
        Particularly relevant is that when they figured out the Public Key Cryptography was actually possible, they expressly did not let anyone else know what they had found even though they decid

    • and have them install a critical software update to avoid exploits.

      I love how Cisco did something along these lines recently, [slashdot.org] including the siphoning off of web history, along with a slew of other privacy violations completely in the clear, with no permission whatsoever.

      Another possible point of hypocrisy is the CIA's partial funding of Facebook, [zdnet.com] which seems to suggest that if a foreign company wants to build a network in the US, that is government funded, it's a National Security issue... but if a domestic company, which is funded by the US government, wants to build a

    • So, they are being tested by the security watchdog in the U.K. Big deal, they load up a specially prepped software image (like they do for all their customers) and pass the test. Next step is to have all operators buy their heavily discounted gear for almost nothing, implement it and have them install a critical software update to avoid exploits. Have that image backdoored and they are one step closer to total world domination.

      If they do what you suggest they may do, and they are found out, their market will become negative, with customers leaving like flies

  • The reason (Score:5, Interesting)

    by phantomfive (622387) on Sunday August 05, 2012 @05:04PM (#40888837) Journal
    The Reason the US is concerned about other countries using telecommunication equipment for spying is because they have done it already. A lot.

    If you don't want to be spied on, encrypt it.
    • Re:The reason (Score:5, Insightful)

      by ShanghaiBill (739463) on Sunday August 05, 2012 @05:29PM (#40889011)

      If you don't want to be spied on, encrypt it.

      Even if you encrypt your communications, they can still see who you are talking to. Sometimes knowing who you are talking to can be almost as valuable as knowing what you are saying.

    • Not just the US (Score:2, Informative)

      by Anonymous Coward

      post WW2, the UK sold enigma-based encryption machines to Empire/Commonwealth countries. Of course, they didn't tell the recipients that the UK could crack enigma encryption with ease.... Its why the wartime decoding of enigma remained a state secret until the early 70s, when even the most poverty-stricken Commonwealth countries had moved onto something a bit more sophisticated!

      Its important to know what both "friends" and enemies are saying about you!

    • by Anonymous Coward

      If you don't want to be spied on, encrypt it.

      Doesn't help if you've been backdoored with Windows Update and the equivalents on other OS'

  • backdoors (Score:2, Insightful)

    When we buy stuff from China without a corresponding increase in our own exports, they've already backdoored our economy.
    • by Anonymous Coward

      To quote Mankiew: What's your trade deficit with your barber?

  • by dszd0g (127522) on Sunday August 05, 2012 @05:09PM (#40888871) Homepage

    The Chinese Telecom That Spooks the Spooks

  • underhanded code (Score:5, Insightful)

    by Anonymous Coward on Sunday August 05, 2012 @05:14PM (#40888907)

    As anyone familiar with the underhanded code contest [xcott.com] knows, it's possible to create code that looks fine, easily passes reviews from people even who are on the lookout for back doors, yet still contains back doors.

    It's essentially impossible to prove that your equipment is NOT backdoored, unless you designed and built it in-house and believe that your own engineering staff is trustworthy (its own problem, when there is a history of governments buying off employees within companies that have access to critical data and processes).

  • I thought it was ZTE that really scared the world. I'm pretty sure ZTE's management was tied to the People's Liberation Army.
  • by Anonymous Coward on Sunday August 05, 2012 @05:29PM (#40889025)

    I normally don't post anonymously but my employer deals with Huawei.

    According to Recurity Labs they don't need a back door when the front door is locked with a piece of masking tape that says in faded yellow ink "Do not enter". Huawei's security is a joke. Their software is riddled with buffer overflows, including buffers allocated on the stack making hacking their stuff trivial. Huawei has virtually zero security. Much of their stuff runs on VxWorks which is quite insecure. (I spent many years writing software for VxWorks). All you have to do is get to the T-shell and you're basically god. In the T-shell you can look at and modify variables and memory and call C functions directly, passing whatever arguments you want.

    Even without the T-shell it looks like it's easy to get to the shell with full admin privileges on Huawei's boxes. See their DEFCON presentation at: http://www.phenoelit.org/stuff/Huawei_DEFCON_XX.pdf [phenoelit.org]

    If you value security, stay far away from Huawei. Their stuff is cheap but you get what you pay for. I guess it's good for the US that Huawei is mostly used in the Middle East and Asia. It makes life easy for the NSA.

  • co-operating with the GCHQ in Britain, the UK's signals-intelligence agency, to ensure equipment built by Huawei is not back-doored

    Sure, eliminating eavesdropping opportunities is just the kind of business that SigInt spooks kindly engage in all the time...

  • http://www.fiercetelecom.com/story/huawei-banned-making-equipment-bids-australias-nbn/2012-03-26 [fiercetelecom.com]

    Not just a handicap against them, and no reason given. It's not like there are a lot of world class Australian router companies. They are buying Taiwanese, French-ish, and US-ish, so it isn't nationalism. Just seems to be anti-China sentiment, with no substance backing it up, in this case, or the Aussie NBN.
  • How Israeli Backdoor Technology Penetrated the U.S. Government's Telecom System and Compromised National Security
    An Israeli Trojan Horse
    http://www.counterpunch.org/2008/09/27/an-israeli-trojan-horse/ [counterpunch.org]

  • We do not distrust you, we do not dislike you.

    We distrust and dislike your authoritarian government. We do not want your government to have more power in the world. Not because we are afraid of or oppose the empowerment of China on the world stage, or have anything against Chinese culture or Chinese people. But because we oppose authoritarian government, of any kind, from any part of the world.

    We DO have a built in prejudice against your government (not against you), because your government clearly attempts to control and manipulate communication channels. Yes, they also manipulate communication channels in the West, but not for state control of political dialogue.

    We in the West believe the ability to express our political opinions freely is very important to the health of our society, that is how and why we call our society free (despite the fact some of our media companies are trying to hurt our freedoms on our communication structure in the effort to prop a media business model that only works in a world without the Internet: don't worry, they will clearly fail, their efforts are the death throes of a dying way of business).

    You will see some responses to this comment of mine attempting to falsely equate Chinese authoritarian control of political opinion with various vile things the West does. Don't get me wrong: the West does plenty of evil things and there is plenty I criticize about my government. The difference is: they can express this political opinion of theirs freely, here in the West, and ironically, as they indulge false equivalency, they do not admit or do not know they would experience fear and intimidation if they tried to equally criticize Beijing, from within China.

    I myself disagree with those who falsely believe that the West is just as bad as China in regards to suppression of freedoms, but I fully support their right to spout their nonsense, unhindered by fear of government backlash. Here in the West, we believe that the natural competition of ideas that only comes from every single one of them being freely expressed, NATURALLY leads to the flawed opinions sinking and the good opinions rising. Only in this natural competition of ideas do good ones endure the test of criticism and one fail it. If the state attempts to impose its own idea son the people, the state itself might wind up imposing ideas that are flawed, because they are unexamined. The people know better than the state, in this way. In other words, state control of politicla thought is a form of weakness that will eventually harm China.

    So Chinese people: since you cannot likewise criticize your own government freely within China, do you not have a problem with this fact? If you are proud to be Chinese, as you should be, do you not believe you should be free to speak your mind like I can in your effort to make China strong as a Chinese patriot?

    Chinese people: please understand that we in the West respect the Chinese people and wish you prosperity and freedom. And so we await the day you respect yourselves as well to not be treated like slaves by your own government, and to throw off the yolk of the efforts at mind control which exists in Beijing, pointed against the Chinese people and the free expression of your own thoughts, an effort whose only purpose is to serve the continuation of a power structure that is not necessarily good for China, only good for a few rich and connected Chinese at the detriment of all other Chinese.

    Sure, this authoritarian power structure has done great things for you economically. But growth doesn't last forever, and when your economy fully matures, I am confident you finally turn your attention to freeing yourselves from the authoritarian government who wants to control your mind and your thoughts.

    • Dear USA people: (Score:4, Insightful)

      by Anonymous Coward on Sunday August 05, 2012 @05:53PM (#40889175)

      We do not distrust you, we do not dislike you.

      We distrust and dislike your authoritarian government. We do not want your government to have more power in the world. Not because we are afraid of or oppose the empowerment of USA on the world stage, or have anything against USA culture or USA people. But because we oppose authoritarian government, of any kind, from any part of the world.

      We DO have a built in prejudice against your government (not against you), because your government clearly attempts to control and manipulate communication channels. Yes, they also manipulate communication channels in Europe, but not for state control of political dialogue.

      • from the comment you are responding to:

        You will see some responses to this comment of mine attempting to falsely equate Chinese authoritarian control of political opinion with various vile things the West does. Don't get me wrong: the West does plenty of evil things and there is plenty I criticize about my government. The difference is: they can express this political opinion of theirs freely, here in the West, and ironically, as they indulge false equivalency, they do not admit or do not know they would experience fear and intimidation if they tried to equally criticize Beijing, from within China.

        I myself disagree with those who falsely believe that the West is just as bad as China in regards to suppression of freedoms, but I fully support their right to spout their nonsense, unhindered by fear of government backlash.

        see how I inoculated my comment against yours?

        it's so easy to see you braindead false equivalency idiots coming a mile away. i'm sure you didn't even read my comment before formulating your useless mental vomit

        • Re: (Score:2, Interesting)

          by Anonymous Coward

          see how I inoculated my comment against yours?

          It doesn't make what you say true. At least China only censors within China, while the USA censors within the whole world.

          So there is no equivalence indeed: the USA is widely considered the larger threat.

        • by gmhowell (26755)

          Oh, the AC read it. Copy pastaed it in fact. The first two 'graphs. Right up until continuing would have appeared even dumber than what he did copy.

        • by T Murphy (1054674)
          His comment wasn't false equivalency. You said you don't trust China's government, he said he doesn't trust the US government. Note he never refutes anything you said, especially the parts where you call out China as worse than the West.

          i'm sure you didn't even read my comment before formulating your useless mental vomit

          I'm sure he would be happy to throw your words right back at you.

    • by Anonymous Coward

      Wow, this is just rich coming from the country of "extraordinary rendition", torturing its political enemies, locking up its whistle blowers, and planting false crimes against people who embarrass it.

      • false equivalency

        find where i mention that concept in the comment you are responding to

        understand the stupidity of it

        thank you

  • by ohnocitizen (1951674) on Sunday August 05, 2012 @05:55PM (#40889193)
    ZDNet [zdnet.com], CNN [cnn.com].
  • They can't catch Chinese athletes that are doping, I doubt they can tell if Huawei gear is not back-doored.

  • by Anonymous Coward on Sunday August 05, 2012 @07:43PM (#40889903)

    I work for a telco supplier, so have had glimpses into the weird world of what happens behind the shonky service and bills.

    Huawei when they started out produced kit that was 'very similar' to Cisco. Now you suggest that perhaps they were paying too much homage to their US competitor, but it did mean their kit was pretty easy to deploy. You can setup a VPN in IOS, you can switch to Huawei kit and barely notice the difference.

    Next bit of their success was how they engaged with the customer. Legacy vendors have whole stacks of sales all hell-bent on shafting the telco for as much money as possible. Huawei wanted a foothold, kit was cheaper, but they really put in some effort to push the sale - Buy your new network from us, and we'll let you buy it on lease over a decade, our engineers will install/config/support it for you, we'll tweak stuff if it currently doesn't do what you want etc. Legacy vendors might have got a bit of a kicking from the dot.com crash, but they still dragged in the overly-complex vendor structure that makes that makes the proposal of similar flexible solutions somewhat difficult. Simply meant that if you were a small player with a valid business model, picking Huawei allowed you to very easily work out what the kit was going to cost you.

    With regards to spying, if they were, it wouldn't be let anywhere near the tier zeros. As far as I can make out, there's no real evidence of China using Huawei to spy and most of the allegations come from the incumbents/vested interests, trying to come up with a reason to oppose the shift in purchasing.

    If you're worried about back-doors - don't. They're already everywhere. I've been in plenty of offices which have the 'special room' that everything has to go through and telco employees don't even have the keys to. So just to carry on with this, if your kit DOESN'T have a back-door, it ain't going to be deployed. The only real topic of interest is just working out who holds the back-door-keys.

    • There are the backdoors you know about, and then there's the backdoors you don't. The concern isn't really china eavesdropping. The fact of the matter is, they've got the talent to just hack their way in with or without a backdoor. The concern is that China is producing a large percentage of the networking equipment in the world right now, and it would be very easy for them to introduce something far smaller, and far more dangerous. For example, a kill switch. They broadcast some per-determined signal or so
      • Re: (Score:2, Interesting)

        by Anonymous Coward

        it would be very easy for them to introduce something far smaller, and far more dangerous. For example, a kill switch.

        They could, sure. And some people think the CIA has AES cracked. These people didn't think before forming an opinion. You don't put a backdoor on a sytem you yourself use, because if you do an enemy (who might not use your system) will be able to shut you down once it finds the backdoor.

        A private, for-profit company would never invest in such things

        Oh, boy, aren't you naive. Companies will do anything for money. A big company is not much different from a big government - both have great power and a great urge to abuse that power. Search for Room 641A.

        • by c0lo (1497653)

          A private, for-profit company would never invest in such things

          Oh, boy, aren't you naive. Companies will do anything for money. A big company is not much different from a big government - both have great power and a great urge to abuse that power. Search for Room 641A.

          Whaaat? But of course they are diferent... in terms of the efficiency they can screw you... the big companies will do it faster, with a lower cost and potentially at a larger scale.
          Why, you only need to look on how US rednecks defaulting on their loans make all world's retirement funds worth nothing: even if they'd try the hardest they could, the US govt would have taken decades for the same outcome.

  • by dgharmon (2564621) on Sunday August 05, 2012 @07:53PM (#40889949) Homepage
    "another article from The Economist goes into greater detail about the steps Huawei has taken to mitigate some of these concerns in England â" including co-operating with the GCHQ in Britain, the UK's signals-intelligence agency, to ensure equipment built by Huawei is not back-doored".

    Shouldn't that be the steps Huawei has taken to ensure equipment built by Huawei can be back-doored by GCHQ as easily as the spooks can back-door western companies.

    "Internet Security Systems researcher Tom Cross unveiled research on how easily the "lawful intercept" function in Cisco's IOS operating system can be exploited" Feb 2010 [forbes.com]
  • I suspect the concerns of the British intelligence community would be around having their own back door to Huawei equipment. The Chinese won't be worried because they probably already have complete access to everything the GCHQ do anyway. There is no such thing as privacy anymore. All major governments have back doors to this gear....and have done for many years. Illegally, of course, in most cases, though 9/11 let them pass laws making legal what they had been doing illegally for quite some time. Governm

The first Rotarian was the first man to call John the Baptist "Jack." -- H.L. Mencken

Working...