I, like probably most people in the IT industry, have been listening with intense interest to the news, editorials and debates about Huawei. My take, yes they most certainly could inject either hardware or firmware into their products that would intercept, and relay any and all communications from a device, be it a piece of personal tech, such as a smartphone, tablet, or laptaop or infrastructure products such as routers or bridges. The problem is that whilst they could, eventually they would be found out. Once found out the reputational damage would be universal, and permanent. It would damage any and all tech coming out of companies within the controlling State, and severely impact relations with that country, which in this case is China. Some would say that we already have proof that Huawei has installed listening and replicating chips in its hardware. My response would be, if that were proven to be the case, then there would have been an explosion from the governments and security services across the world banning the use of Chinese tech in IT.
Agreed, there has been a backlash against Huawei, and other Chinese comms manufactures, from the US, Australia, and to a lesser extent the UK, but nothing prohibative based on actual evidence. Indeed you could almost argue that the response is nothing more than that of protectionism on behalf of the Western governments against their Chinese competitors. The good thing about rumour is that you don’t have to prove it. Can Huawei, prove their innocence? Problably not. Should they need to? Well, in cases of National Security, you could argue we don’t take chances, we can only take the safe option, and with that I would agree. The problem is that whether you buy Huawei, Samsung, Apple, IBM, Cisco, BT, LG, Phillips, Ericsson ……. the chances are that some, if not all, of the components will be sourced out of China. Are the Chinese monitoring our comms through the use of hacked hardware? Maybe, but I doubt it. Ask yourself, if you were monitoring all internet traffic would you really be expending all the effort they currently are in trying to hack into sites for which they already have the admin usernames and passwords. Oh, and if you had access to some of the more intimate texts that must be out there from President Trump on his supposed multitudinous adulterous liaisons, would you not have used them by now.
How do you, in todays globally, interconnected, society, guarantee National Security? Well, National Security Organisations, figure that one out for yourselves. But don’t forget the UK spied on (at least) France: Germany spied on (at least) both the UK and the USA; and you can bet your bottom dollar the USA is spying on everyone.
GCHQ Report into Huawei
So, the report by GCHQ into HUAWEI’s development processes has been published, and, apprently it doesn’t make for good reading, if you are Huawei that is. Multiple criticisms, from being unable to identify what changes you are getting when you load a software update, to, apparently, memory ‘SAFE’ library functions being straight through wrappers onto the standard non-memory safe functions.
Well first, HUAWEI’s products are vulnerable to attack, and secondly, when you execute an update you cannot be 100% certain what you are getting, or even if its a genuine Huawei update.
No evidence of systemic backdoors for the State to infiltrate, just multiple wide open front doors for anyone to wander in.
Update – 19-Sep-2020
According to an article in The Registry, HUAWEI video encoder chips installed in DVDs, TVs, and other devices have a backdoor which provides “an administrative interface with a backdoor password (CVE-2020-24215); root access via telnet (CVE-2020-24218); and unauthenticated file upload (CVE-2020-24217), which enables malicious code execution and command injection. All of these can be exploited over the network or internet to hijack vulnerable equipment”
HUAWEI insist the vulnerabilities were not introduced by its HiSilicon chip set, nor the SDK it provides to manufacturers that use its components.
Like I said in the Implications paragraph above, the problem is their production controls are so absent, you do not know what you are getting, or even if its genuine.
They don’t need to be Chinesse State puppet company to pose a threat, they just need to be inept.