US mistrust of Huawei linked in part to malware update in 2012 • The Register

Suspicions about the integrity of Huawei products among U.S. government officials can be traced in part to a 2012 incident involving a Huawei software update that compromised a large Australian telecommunications firm’s network with malicious code, according to a report released by Bloomberg.

The report, based on interviews with seven former officials, some identified and some not, claims that Optus, a division of Singapore Telecommunications Ltd., saw its systems compromised by a malicious update in 2012 – a claim that the company disputes.

“The update looked legitimate, but it contained malicious code that functioned much like a digital bug, reprogramming the infected equipment to record all communications that passed through it before sending the data to China, [the sources] said,” the Bloomberg report explains.

After several days, the spy code would have been removed, but Australian intelligence decided that Chinese intelligence was responsible, “having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the updating of telecommunications systems.”

Australian intelligence reportedly shared details of the incident with U.S. intelligence agencies, who later identified a similar attack from China using Huawei hardware in the United States.

The report seeks to provide an evidence base for efforts by the United States and other governments to avoid Huawei hardware as part of global 5G network upgrades and to outsource this activity to non-Chinese companies.

Notably absent is any claim that Huawei management was aware of this supposed effort to subvert the Optus network. “Bloomberg found no evidence that senior Huawei management was involved or aware of the attack,” the report said.

In short, the claim is that Chinese intelligence agencies have compromised an Australian network by placing agents inside Huawei, an ongoing risk for a number of leading global technology companies.

“The Australian Slander”

China has denied “Australia’s slander.” It may be worth noting that The Register is not aware of any nation with recent intelligence activity. Even Russian President Vladimir Putin, faced with convincing evidence unearthed by the investigative news service Bellingcat of the FSB’s attempt to poison opposition leader Alexey Navalny, denied that Russian agents had anything to do with the near-fatal poisoning of Navalny.

But the Chinese Foreign Ministry’s statement is unusual in that it suggests mutual guilt more than hurt innocence: “Australia’s slander against China leading cyber attacks and espionage penetration is purely a gesture like a thief crying to catch a thief.”

In other words, everyone is spying and Australia has bad ways of expressing its grievances in public. Consider that the United States National Security Agency had already entered Huawei’s network in 2010 to spy on founder Ren Zhengfei and his associates, due to fears that Huawei could create backdoors in its equipment. This is according to documents made available by former NSA contractor Edward Snowden.

The Register asked Huawei for comment, and a spokesperson provided us with a copy of the remarks John Suffolk, Huawei’s global cybersecurity manager, made to Bloomberg.

“[W]ithout details it is not possible to give you a detailed assessment because every operator is different,” Suffolk said in an emailed statement. “Want, without anyone knowing. It does not work that way.”

“It is fanciful to suggest that engineers can reprogram the code because they don’t have access to the source code, can’t compile the source code to produce binaries, and the binaries contain tamper-proof mechanisms. We are leaders in encouraging governments, customers and the security ecosystem to review our products, look for design weaknesses, provide feedback on vulnerabilities or poor code examples and it is this openness and this transparency which acts as a great protector.”

“Finally, no tangible evidence has ever been produced of any intentional wrongdoing of any kind.”

But this is not evidence presented in a public forum or in a courtroom. Huawei is not on trial, at least in this context.

Yes, there was this affair with its CFO, determined to avoid a serious diplomatic row, the US government trade secret theft lawsuit against Huawei based on T-Mobile’s civil lawsuit, and claims that Huawei flouted a Californian IT consultancy and hijacked a network in Pakistan.

I can’t take a break

Even so, Huawei’s guilt or innocence when it comes to helping China spy is largely irrelevant. When it comes to the United States, Huawei cannot be trusted because the Chinese government could, in theory, make requests that the company could not refuse. The feds are worried about pre-criminality, to use the terminology of Philip K. Dick’s Minority Report, the story of a police unit that apprehends people at risk of committing crimes.

The United States Federal Communications Commission recently used future concerns, along with past behavior and covert accusations, to ban another Chinese company from operating in the United States. In October, the FCC announced that China Telecom Americas could no longer do business in America. The agency said it based its decision [PDF] partly on classified evidence provided by national security agencies.

But it also said that “the entire vast unclassified file alone” was enough to justify its decision. The agency concluded that China Telecom Americas could potentially be forced to comply with Chinese government demands, and company officials have shown a lack of openness and reliability to US officials.

And trust is the key. The changing nature of software and the possibility of hidden hardware functions make it inherently risky to accept computer systems from untrusted sources. The risk can be mitigated by source code inspection, auditing and other precautions, but not completely.

Trust is an issue for everyone involved. In February, Bloomberg followed up on its controversial 2018 report on secret spy chips by claiming that similar spy hardware was found in 2015 on the motherboards of servers made by US computer maker Supermicro, a claim disputed by the company. The Register at the time spoke to a former executive at a leading chipmaking company who insisted on the existence of such devices and that he personally owned some of them. We trust our source but still, more concrete proof would be nice.

In retrospect, it seems obvious that any intelligence agency with sufficient funds and know-how would want such a thing. And it’s hard to believe that no one has ever successfully deployed a surveillance chip or hijacked a system intended for a geopolitical rival. But the lack of samples that have been publicly dissected and analyzed means once again that we have to interpret the nation-state shadow theater with hints and whispers.

Coincidentally, this state of affairs – where lack of trust means national IT stacks – works very well for companies based in countries where they can claim to spy behind closed doors and see government funding that puts their products in the shoes of ousted competitors.

We can only imagine the joy that erupted among network switch vendors when the FCC announced it would pay U.S. telecom providers to tear up and replace their Huawei equipment. And given the ways in which China has inclined its market to local businesses, it might be fair to say that turnabout is fair play, if anyone really cared about fair play. ®
