SoylentNews is people

posted by martyb on Friday March 29 2019, @06:27AM
from the deep-seated-insecurities-and-paranoia dept.

Huawei's equipment poses 'significant' security risks, UK says:

The U.K. government warned on Thursday Huawei's telecommunications equipment raises "significant" security issues, posing a possible setback to the Chinese tech firm as it looks to build out 5G networks.

In a 46-page report evaluating Huawei's security risks, British officials stopped short of calling for a ban of Huawei's 5G telecommunications equipment. But the assessment cited "underlying defects" in the company's software engineering and cybersecurity processes, citing "significantly increased risk to U.K. operators."

The findings give weight to warnings from U.S. officials who have argued Huawei's networking equipment could be used for espionage by the Chinese government. Huawei has repeatedly said it does not pose any risk and insists it would not share customer data with Beijing.

In a statement Thursday, Huawei said it takes the U.K. government's findings "very seriously."

"The issues identified in the OB (oversight board) report provide vital input for the ongoing transformation of our software engineering capabilities," a Huawei spokesperson said.

Other links:
Huawei Equipment Has Major Security Flaws, U.K. Says
Huawei's Perception Problem Deepens as U.K. Spies Identify Security Risks

So don't buy Huawei telecom equipment. Buy only US made telecom equipment. Because the NSA would never put bugs in for spying.



Related Stories

Huawei Open to Selling 5G Modems to Apple

Huawei is 'open' to selling 5G chips to Apple for iPhones, marking a big shift in strategy

Huawei is "open" to selling high-speed 5G chips and other silicon to rival smartphone maker Apple, marking a significant shift in the Chinese tech giant's thinking toward its own intellectual property.

The world's largest networking equipment maker has been in the consumer market for a relatively short amount of time with its own-brand smartphones, but it has quickly risen to become the third-largest vendor by market share.

Huawei started by selling phones at low prices but in recent years has shifted focus to increase its market share in the high end of the market, battling Apple and Samsung. As part of that move, Huawei has developed its own chips, including a modem to give smartphones 5G connectivity, and a processor to power its devices. 5G is next-generation mobile internet, which delivers data at very high speeds.

So far, those pieces of technology have been used only in Huawei's devices. That could change. In an interview with CNBC that aired Monday, Huawei founder and CEO Ren Zhengfei said the company would consider selling its 5G chips to Apple. "We are open to Apple in this regard," Ren said. The CEO spoke in Mandarin, which was translated into English by an official translator.

Apple products (e.g. new iPhones) are likely to use 5G modems from Intel, although they won't be ready until 2020. Huawei has been shunned by U.S. companies due to warnings and pressure from the U.S. government claiming that Huawei products enable Chinese espionage. There has even been discussion of the U.S. government developing a 5G network free of Chinese influence. Given that there aren't many places in the country where you can get a "5G" connection yet, is there any point to this offer?


This discussion has been archived. No new comments can be posted.
  • (Score: 2) by realDonaldTrump on Friday March 29 2019, @07:16AM (1 child)

    by realDonaldTrump (6614) on Friday March 29 2019, @07:16AM (#821690) Homepage Journal

    I want 5G, and even 6G, technology in the United States as soon as possible. It is far more powerful, faster, and smarter than the current standard. American companies must step up their efforts, or get left behind. There is no reason that we should be lagging behind on something that is so obviously the future. I want the United States to win through competition, not by blocking out currently more advanced technologies. We must always be the leader in everything we do, especially when it comes to the very exciting world of technology!

    • (Score: 2) by DannyB on Friday March 29 2019, @03:07PM

      by DannyB (5839) Subscriber Badge on Friday March 29 2019, @03:07PM (#821831) Journal

      I can assure you Mr. President that the marketing departments of AT&T and Verizon are working hard, very hard, the hardest, I promise, on developing 6G. Honest. Good old fashioned American work they are doing. To bring us new and better advertisements and billboards touting 6G! 6G will be the best. Fantastic! Terrific I tell you! It will be the best, the very best. People call all the time and ask how soon can we have 7G.

      --
      To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
  • (Score: 2, Insightful) by Anonymous Coward on Friday March 29 2019, @08:26AM (7 children)

    by Anonymous Coward on Friday March 29 2019, @08:26AM (#821701)

    If any US-made equipment has built-in spying, it is because tech companies in the US are dumb enough to allow foreign-connected employees into their workplaces. If the engineer's aunt is arrested in China, possibly on nonsense charges, the engineer could find that his aunt is stuck there unless he provides a bit of help to the Chinese government. That is how it works: leverage applied to family members.

    The UK really isn't even slightly safe without gear made by trusted people. While the UK would obviously be best off with UK gear made by UK people with 100% UK relatives, they get along well with the US. Going with Chinese gear would be really boneheaded.

    • (Score: 0) by Anonymous Coward on Friday March 29 2019, @09:33AM

      by Anonymous Coward on Friday March 29 2019, @09:33AM (#821719)

      Some would consider their own efforts as simply being helpful.

    • (Score: 1, Touché) by Anonymous Coward on Friday March 29 2019, @12:27PM (2 children)

      by Anonymous Coward on Friday March 29 2019, @12:27PM (#821752)

      If any US-made equipment has built-in spying, it is because tech companies in the US are dumb enough to allow foreign-connected employees into their workplaces.

      So you don't think there is any built-in spying put there by "loyal" Americans who have put those there at the behest of the TLAs? The NSA would never stoop that low!

      Excuse me until I stop rolling on the floor laughing my guts out.

      • (Score: 0, Disagree) by Anonymous Coward on Friday March 29 2019, @08:05PM (1 child)

        by Anonymous Coward on Friday March 29 2019, @08:05PM (#822002)

        Unlike many countries, the US doesn't even have anything set up for this. The US simply doesn't trust corporations to keep such secrets. Remember, US corporations are full of foreign nationals and anti-American fools. With some very limited exceptions for defense contractors, the US doesn't even manage to share stolen trade secrets with industry. The US just doesn't have the needed trust between industry and government.

        It's not as if the NSA would need built-in spying. They kick ass. They don't need cooperation from anybody.

        • (Score: 0) by Anonymous Coward on Saturday March 30 2019, @02:25PM

          by Anonymous Coward on Saturday March 30 2019, @02:25PM (#822345)

          I'm inclined to think that if the NSA wanted a backdoor, they would just do what they did to those Cisco routers and intercept shipments and modify them en route. A lot smarter than building in backdoors for everyone to see. They also have companies like Intel putting backdoors everywhere for them.

    • (Score: 0) by Anonymous Coward on Friday March 29 2019, @03:33PM (2 children)

      by Anonymous Coward on Friday March 29 2019, @03:33PM (#821845)

      .. they get along well with the US.

      The CIA have long had a listening post (whose name and location escape me at present) connected to the UK phone network for expressly listening in to UK phone conversations, and then there's Menwith Hill...
      The US haven't trusted the UK since the time of your revolution, considering some of the shenanigans we got up to since then (e.g. meddling in your civil war etc.) I don't blame you, mind you, we don't trust you lot either..

      • (Score: 0) by Anonymous Coward on Friday March 29 2019, @03:45PM

        by Anonymous Coward on Friday March 29 2019, @03:45PM (#821851)

        But we blew our bank account in WW2, and you saved us, but when we tried to pillage a third world country, you embarrassed us by cutting down our credit.
        Since then we've been your loyal and obedient Airstrip One. Just like children returning to care for their parents.

      • (Score: 0) by Anonymous Coward on Friday March 29 2019, @08:00PM

        by Anonymous Coward on Friday March 29 2019, @08:00PM (#821999)

        That listening station is just the US helping the UK get around local laws. They return the favor. If either country wants to spy on its own citizens, the other one does it and then passes along the intelligence. No laws have been violated!

  • (Score: 3, Informative) by MostCynical on Friday March 29 2019, @08:50AM (5 children)

    by MostCynical (2589) on Friday March 29 2019, @08:50AM (#821710) Journal

    Huawei's base stations are said to be 20% to 30% less costly than alternatives offered by Nokia and Ericsson. That price competitiveness has led to 30 contracts for 5G equipment in Europe, the Middle East and Asia-Pacific.

    https://asia.nikkei.com/Economy/Trade-war/Huawei-blacklisting-bites-5G-carriers-in-the-wallet [nikkei.com]

    --
    "I guess once you start doubting, there's no end to it." -Batou, Ghost in the Shell: Stand Alone Complex
    • (Score: 0) by Anonymous Coward on Friday March 29 2019, @12:07PM (1 child)

      by Anonymous Coward on Friday March 29 2019, @12:07PM (#821745)

      Of course they charge less for their products. They make up for it by selling the data they harvest.

      • (Score: 2) by DannyB on Friday March 29 2019, @03:10PM

        by DannyB (5839) Subscriber Badge on Friday March 29 2019, @03:10PM (#821833) Journal

        Of course they charge less for their products. The Chinese government subsidizes them in order to extend the reach of its intelligence gathering operations. They can't over-subsidize it, or give it away for free, or pay you to take their equipment. So they must act with some restraint so that it at least seems plausible that the government doesn't have its fingers in everything domestically produced.

        --
        To transfer files: right-click on file, pick Copy. Unplug mouse, plug mouse into other computer. Right-click, paste.
    • (Score: 3, Interesting) by The Shire on Friday March 29 2019, @02:39PM (2 children)

      by The Shire (5824) on Friday March 29 2019, @02:39PM (#821813)

      The solution to this is actually quite simple. You put out an advisory confirming that Huawei's hardware is insecure and that companies which use it for public infrastructure are liable for breaches as a result of knowingly deploying it. Suddenly the 20% (Chinese government subsidized) savings are no longer savings at all.

      • (Score: 2) by hendrikboom on Friday March 29 2019, @04:07PM (1 child)

        by hendrikboom (1125) Subscriber Badge on Friday March 29 2019, @04:07PM (#821868) Homepage Journal

        So Huawei's processes don't seem to be in accord with the current, best-known processes. Are anyone's?

        • (Score: 2) by The Shire on Saturday March 30 2019, @05:15PM

          by The Shire (5824) on Saturday March 30 2019, @05:15PM (#822408)

          The difference here is their processes were reviewed, found insecure, a list of things they had to change was created and agreed to by them, and then they didn't do it. So now not only are their security practices seriously in doubt, so are their oversight processes as well as any confidence that they do what they say they will do. Add to this all that they are beholden to their communist leaders who have a long history of pressuring Chinese companies and employees to steal trade secrets and other information from other nations.

          That's not the sort of company you want providing hardware for your critical communications infrastructure.

  • (Score: 4, Insightful) by FatPhil on Friday March 29 2019, @09:33AM

    by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Friday March 29 2019, @09:33AM (#821720) Homepage
    Look at the report, it's basically 85% blah-blah waffle, and 15% 'they ship code with bugs'.

    Right, so does MS, so does IBM, so does Cisco, so does Oracle, so does TI, so does Qualcomm, so does fucking everybody.

    Any "security" concerns are no more than "we can't prove there aren't back doors, so THERE MIGHT BE BACKDOORS!!!!11!!1".

    I know for a fact that a very large US semiconductor company specifically put undocumented security-breaching functionality into some of its chips at the behest of a very large US telecomms company (almost certainly at the behest of the US government, obviously, but I have no evidence of that).

    The UK is just doing this because the US did it. We're back into yappy sidekick mode again.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 2, Interesting) by pTamok on Friday March 29 2019, @10:30AM (4 children)

    by pTamok (3042) on Friday March 29 2019, @10:30AM (#821725)

    If you want to know more about the Huawei Cyber Security Evaluation Centre, which is located in Banbury in the UK, then you could do worse than read this Guardian article:

    The Guardian: The Chinese firm taking threats to UK national security very seriously [theguardian.com]

    And the UK Government oversight board reports:
    gov.uk: Huawei cyber security review [www.gov.uk]
    gov.uk: Huawei Cyber Security Evaluation Centre: Oversight Board annual report 2015 [www.gov.uk]
    gov.uk: Huawei cyber security evaluation centre: oversight board annual report 2016 [www.gov.uk]
    gov.uk: Huawei cyber security evaluation centre: oversight board annual report 2017 [www.gov.uk]
    gov.uk: Huawei cyber security evaluation centre oversight board: annual report 2018 [www.gov.uk]
    gov.uk: Huawei cyber security evaluation centre oversight board: annual report 2019 [www.gov.uk]

    If that's all tl;dr, then the recent Ars Technica article is briefer: Ars Technica: UK cyber security officials report Huawei’s security practices are a mess [arstechnica.com]

    It would be interesting to see a similar security evaluation of Cisco, or Nokia, or Alcatel equipment as a comparison. Are Huawei worse, or are their failures more public?

    • (Score: 2, Interesting) by Anonymous Coward on Friday March 29 2019, @12:17PM

      by Anonymous Coward on Friday March 29 2019, @12:17PM (#821748)

      Huawei's are more public I'd say.

      I'm subscribed to Cisco's security notifications for their various products, since I maintain a number of them in local government estates here in the UK, and the security notices from Cisco are frequent. The usual privilege escalations, buffer overflows, not checking input correctly etc., spanning across a wide range of products from networking gear to telephony to software-based management platforms. To be fair, a lot of the alerts are due to bugs in upstream open-source products where they re-use code. But there are still massive failures in their own code, such as 2 years ago, their ASA firewall software had a remote exploit which allowed an unauthenticated untrusted attacker to gain the equivalent of root from over the Internet. Not something you want in a firewall product connected directly to the Internet with a public routable IP address. But it's not just Cisco, I'm pretty sure Juniper's also had an equally severe issue in their firewalls as well.

      So no, I wouldn't necessarily say Huawei is worse, just the "normal" level of software quality of what we're currently seeing in the market from various big name vendors (I include Microsoft in this list).

      Interestingly, we've actually been in discussions with Huawei for various network-related projects recently, and one of the selling points they were touting was that if there's a new missing technical feature we want in their product e.g. some obscure multicast behaviour, they can get the dev resources onto it and have a turn-around of days to implement the feature, if not next day. On one hand this speaks something about their dev resources available; on the other hand, it doesn't paint a good picture of their testing processes or potential code quality behind what they're churning out. I guess the latter agrees with the reports.

    • (Score: 3, Informative) by hendrikboom on Friday March 29 2019, @04:02PM (1 child)

      by hendrikboom (1125) Subscriber Badge on Friday March 29 2019, @04:02PM (#821862) Homepage Journal

      There's a lot of repetitive administrative verbiage in the 2019 report.

      Actual code-level problems are presented starting about halfway through:

      * The difficulty in checking that particular source code is actually what is used to produce the executable images -- the builds are not easily reproducible; nor is the build system itself.

      * There is a lot of copied code; including obsolete and bug-prone versions alongside current ones. For example, copies of SSL code with known vulnerabilities.

      * There is a lot of use of dangerous memory and string functions, such as memcpy and strcpy. It's not clear to what extent these specific uses are actually safe for contextual reasons.

          * Some of these uses are hidden within ad-hoc macros, making the security analysis more difficult. The report wonders whether this is a deliberate attempt to hide them from analysis.

      -- hendrik
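
The macro-hiding problem listed in the comment above, as an added example that is not part of the original comment or of the report: a small audit script that resolves macro wrappers back to the unsafe function they reach, so call sites a plain text search for `strcpy` would miss are still reported. The macro names, the sample C source and the extra entries in `UNSAFE` are constructed assumptions.

```python
import re
# The comment names memcpy and strcpy; the other entries are an added assumption.
UNSAFE = {"strcpy", "strcat", "sprintf", "gets", "memcpy"}
DEFINE_RE = re.compile(r"[ \t]*#[ \t]*define[ \t]+(\w+)(?:\([^)]*\))?[ \t]+(.*)")
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def strip_comments(src):
    """Drop C comments, keeping newlines so line numbers hold (string literals are not parsed)."""
    src = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), src, flags=re.S)
    return re.sub(r"//[^\n]*", "", src)

def logical_lines(src):
    """Yield (first_line_number, text) with backslash continuations joined."""
    buf, start = "", None
    for n, line in enumerate(src.splitlines(), 1):
        start = start or n
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def macro_aliases(src):
    """Map each macro name to the unsafe function it reaches, through any depth of wrapping."""
    bodies = {}
    for _, text in logical_lines(src):
        m = DEFINE_RE.match(text)
        if m:
            bodies[m.group(1)] = re.findall(r"[A-Za-z_]\w*", m.group(2))
    resolved, changed = {}, True
    while changed:  # fixed point: each pass can resolve one more layer
        changed = False
        for name in [k for k in bodies if k not in resolved]:
            target = next((i if i in UNSAFE else resolved[i]
                           for i in bodies[name] if i in UNSAFE or i in resolved), None)
            if target:
                resolved[name], changed = target, True
    return resolved

def find_unsafe_calls(src):
    """Return (line, name_at_call_site, unsafe_function) for direct and macro-hidden calls."""
    src = strip_comments(src)
    aliases = macro_aliases(src)
    hits = []
    for n, text in logical_lines(src):
        # Skip the #define lines themselves; they are reported through their call sites.
        names = [] if DEFINE_RE.match(text) else CALL_RE.findall(text)
        for name in names:
            target = name if name in UNSAFE else aliases.get(name)
            if target:
                hits.append((n, name, target))
    return hits

SAMPLE = r'''/* constructed sample, not vendor code */
#define OS_COPY(d, s)      strcpy((d), (s))
#define SET_NAME(d, s)     OS_COPY(d, s)   /* second layer of indirection */
#define BLK_MOVE(d, s, n)  \
        memcpy((d), (s), (n))
void handle(char *name, const char *input, char *buf, size_t n) {
    SET_NAME(name, input);
    BLK_MOVE(buf, input, n);
    strcpy(buf, "ok");  // a strcpy( mention in a comment is not counted
}
'''
```

`find_unsafe_calls(SAMPLE)` reports the two macro call sites alongside the one direct `strcpy` call. Whether each reported call is actually safe in context still needs the manual review the comment describes.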

      • (Score: 1) by pTamok on Friday March 29 2019, @06:10PM

        by pTamok (3042) on Friday March 29 2019, @06:10PM (#821946)

        There is nothing there that is unusual in the industry, which is sad.

        On the other hand, the security evaluation is spot on: Huawei are making big promises about changing their processes, but similar big promises made in the past have not been delivered upon. I see this as possibly a simple plan to get their kit bought, then 5 years later, say "Sorry, we failed in our plan to change our processes" - leaving purchasers with expensive kit that has no security assurance at all, and a huge bill in both time and money to replace it all.

        Given that this can be used for 'Critical National Infrastructure', it strikes me that any country that doesn't mandate repeatable builds using up-to-date and carefully enumerated toolchains compiling software that conforms to good security programming practices doesn't take national security very seriously at all. Huawei get away with it because very few people are pushing for it.

        I fully expect major markets eventually to ban binary distributions from the vendors for this reason. The process will be that the vendor sends the source to the National Security Centre, which builds using a clean set of tools, and the binaries distributed by the security centre to customers within its jurisdiction. We are not there yet.

    • (Score: 1) by pTamok on Saturday March 30 2019, @10:24AM

      by pTamok (3042) on Saturday March 30 2019, @10:24AM (#822279)

      Just to reply to myself as a pointer to others, the comments on the 'The Register' article are worth reading, as usual.

      The Register: Huawei savaged by Brit code review board over pisspoor dev practices [theregister.co.uk]

      But, to add some balance, there is also this: The Register: Cisco emits 25 security bug fixes for IOS, takes second crack at patching WAN router SNAFUs [theregister.co.uk]

      Turns out Cisco's original fix for the holes in its RV320 router family involved, er, blocking Curl, or any user agent that declared itself as Curl, which obviously can be circumvented, hence the need for a better set of patches.

      Code quality is an issue generally in IT, as (to use other people's insights here), generally faster-to-market and cheaper offerings beat slower-to-market, higher-quality, more expensive offerings - so there is strong selection pressure for just-good-enough code that works so long as you don't look at it funny. Discussing that would take a whole submission and reams of comments. Just barely adequate code wins most of the time.

  • (Score: 0) by Anonymous Coward on Friday March 29 2019, @12:41PM

    by Anonymous Coward on Friday March 29 2019, @12:41PM (#821760)

    The cell network is a really big monitoring engine
    Whoever builds may have a great deal of control over that
    I'm not sure who to trust on that front
    Nobody seems the right answer

    One of the goals of 5G is to make the network more open to prevent being locked into a particular equipment vendor.
    That means breaking the system into simpler pieces and making parts open source s/w.
    Naturally, the equipment vendors don't especially like this, so it may not happen.
    The result would be an overall more complex system, but with simpler, perhaps auditable pieces.

    I wonder if that could be a solution to this mess, with ironically China leading the way?
    Naturally, what is being offered today for 5G is far from this.

  • (Score: 2, Informative) by Anonymous Coward on Friday March 29 2019, @05:04PM (1 child)

    by Anonymous Coward on Friday March 29 2019, @05:04PM (#821892)

    No comparative study has been conducted against other suppliers.

    In short, it's cold out so bring an umbrella.
