I, like probably most people in the IT industry, have been listening with intense interest to the news, editorials and debates about Huawei. My take: yes, they most certainly could inject either hardware or firmware into their products that would intercept and relay any and all communications from a device, be it a piece of personal tech, such as a smartphone, tablet or laptop, or infrastructure such as routers or bridges, to a monitoring server. The problem is that whilst they could, eventually they would be found out. Once found out, the reputational damage would be universal and permanent. It would damage any and all tech coming out of companies within the controlling country’s government, and severely impact relations with that country, which in this case is China. Some would say that we already have proof that Huawei has installed listening and replicating chips in its hardware. My response would be, if that were proven to be the case, then I would have expected an explosion from the governments and security services across the western world banning the use of Chinese tech in IT.
Agreed, there has been a backlash against Huawei, and other Chinese comms manufacturers, from the US, Australia, and to a lesser extent the UK, but nothing prohibitive based on actual evidence. Indeed you could almost argue that the response is nothing more than that of protectionism on behalf of the Western governments against their Chinese competitors. The good thing about rumour is that you don’t have to prove it. Can Huawei prove their innocence? Probably not. Should they need to? Well, in cases of National Security, you could argue we don’t take chances, we can only take the safe option, and with that I would agree. The problem is that whether you buy Huawei, Samsung, Apple, IBM, Cisco, BT, LG…, the chances are that some, if not all of the product, is sourced out of China. Are the Chinese monitoring our comms through the use of hacked hardware? Possibly, but ask yourself, if you were monitoring all internet traffic would you really be spending all the effort they currently are expending in trying to hack into the websites for which they already have the admin usernames and passwords? Oh, and also, would you not have released some of the more intimate texts that must be out there from President Trump on his multitudinous adulterous liaisons?
Finally, how do you, in today’s globally interconnected society, guarantee National Security? Well, National Security Organisations, figure that one out for yourselves. But don’t forget the UK spied on (at least) France; Germany spied on (at least) both the UK and the USA; and you can bet your bottom dollar the USA is spying on everyone.
So, the report by GCHQ into HUAWEI’s development processes has been published, and, apparently, it doesn’t make for good reading, if you are Huawei that is. Multiple criticisms, from being unable to identify what changes you are getting when you load a software update, to, apparently, memory ‘SAFE’ library functions being straight-through wrappers onto the standard non-memory-safe functions.
Implications: Well, first, HUAWEI’s products are vulnerable to attack, and secondly, when you execute an update you cannot be 100% certain what you are getting, or even if it’s a genuine Huawei update.
Conclusion: No evidence of systemic backdoors for the State to infiltrate, just multiple wide open front doors for anyone to wander in.
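The ‘SAFE’ wrapper criticism above, as an added example that is not from the original post, the GCHQ report or Huawei's code: a pass-through wrapper beside one that actually enforces the destination bound, with a small check that tells them apart. All function names and the sample buffers are hypothetical and constructed for illustration.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical names, constructed for illustration; not any vendor's code. */
/* "Safe" in name only: takes the destination size, then ignores it. */
int passthru_memcpy_s(void *dst, size_t dst_size, const void *src, size_t n)
{
    (void)dst_size;       /* bound accepted but never checked */
    memcpy(dst, src, n);  /* writes past dst whenever n > dst_size */
    return 0;
}

/* Enforces the bound: refuses the copy and clears dst if it cannot fit. */
int checked_memcpy_s(void *dst, size_t dst_size, const void *src, size_t n)
{
    if (dst == NULL || src == NULL) return EINVAL;
    if (n > dst_size) {
        memset(dst, 0, dst_size);  /* fail closed, no partial data left */
        return ERANGE;
    }
    memcpy(dst, src, n);
    return 0;
}

typedef int (*copy_fn)(void *, size_t, const void *, size_t);
/* Copies a constructed 12-byte input into an 8-byte logical buffer and
 * returns how many neighbouring bytes were overwritten. The buffer is the
 * first half of a 16-byte array, so the overrun stays in defined memory. */
size_t bytes_clobbered(copy_fn copy, int *rc)
{
    unsigned char frame[16], input[12];
    size_t i, hit = 0;

    memset(frame, 0xAA, sizeof frame);  /* 0xAA marks untouched bytes */
    memset(input, 0x41, sizeof input);
    *rc = copy(frame, 8, input, sizeof input);
    for (i = 8; i < sizeof frame; i++)
        hit += (frame[i] != 0xAA);
    return hit;
}

int main(void)
{
    int rc;
    size_t hit = bytes_clobbered(passthru_memcpy_s, &rc);
    printf("pass-through: rc=%d clobbered=%zu\n", rc, hit);
    hit = bytes_clobbered(checked_memcpy_s, &rc);
    printf("checked:      rc=%d clobbered=%zu\n", rc, hit);
}
```

A boundary test of this kind, run against every function a code base labels as safe, is one way to catch wrappers that carry the safe name without the check.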