Huawei Telecom Gear Much More Vulnerable To Hackers Than Rivals' Equipment, Report Says

Telecommunications gear made by China's Huawei is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible. From a report: Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer. The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei.

"This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers," said a White House official who reviewed the findings. "Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems." The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.

Re:like Cisco

[AmiMoJo]

If it were true the NSA would be demanding everyone installs Huawei equipment.

Re:

[Archtech]

So Huawei is just like Cisco

Well, perhaps not THAT bad.

The USA is wageing an illegal trade war ...

[Alain Williams]

against Huawei. I suspect that this is because the USA wants to maintain its technical lead and thus maintain sales. Under World Trade Organisation [wikipedia.org] rules discrimination is prohibited. One of the few exceptions is 'national security' (see 2nd paragraph) [wikipedia.org] which is, IMHO, why the USA is pushing security as an excuse to act against Huawei.

Yes: Huawei kit has security bugs. I am doubtful about the ''far more likely'' claim. I suspect exaggeration to provide cove for the illegal war. There are security problems in

Re:

[Archtech]

Derp. Nobody cares what you think, Chang.

I don't know which impresses me more: your well-researched facts and figures, or your rigorous logic. Although your old-world American courtesy is bound to win you friends everywhere.

If only we knew who you are.

Re:

[Anonymous Coward]

Under World Trade Organisation [wikipedia.org] rules discrimination is prohibited.

The U.S. should have never opened up trade with China because China themselves do not follow WTO rules. If you don't believe me, explain why eBay, Amazon, Google, and a host of many other non-Chinese companies have essentially no footprint in China. The current trade war is Trump's way of somewhat levelling the playing field although I suspect it's being done more for reelection purposes than the benefit of the U.S.A.

Re:

[Xenx]

Not saying China is right for doing it, but I'm pretty sure they block them for national security. Ostensibly, that would be a valid exception to the policy on discrimination.

Re:

[Aighearach]

Sorry, Ivan, the US Constitution says it is legal.

You seem to have been measuring using some sort of foreign law?

Just fuck right off with that.

Also, just a linguistic note since you bought this account on a site for nerds, when you drop the word "the" from "the USA," you just say US. "US origin equipment."

Re:

[Actually, I do RTFA]

Trump has definitely abused the national security exemptions. For instance, Canadian steel production instead of US steel production is almost certainly not a national security issue. That said, cyberwarfare, especially since it is deniable, is a large and growing threat. And it's reasonable to want telecom manufacturing at the very least in a nation that's not setting up for Cold War II.

Re:

[Actually, I do RTFA]

What you wrote doesn't make sense because I cannot which set of tariffs you are responding to (telecom or steel.) If it's steel, the reason its nonsense is that Canada is a historic ally who we can count on for steel in another major conflict, have no disruptable supply lines to (at least not more than inter-state shipping), and we have sufficient steel plants in the US anyway.

Shell Game or Whack a mole

[vlad30]

Oh you found a vulnerability heres a fix, Don't tell anyone our back door is still there and the fix just put in another couple that should keep you busy for a while

They claimed the weapons of mass destruction

[Anonymous Coward]

was credible information. They also claim credible sources of what they don't want to hear is fake news.

if vulnerabilities is a factor

[FudRucker]

then why is microsoft even in business? that vulnerable piece of crap Windows should have been banned from even connecting to the internet, and microsoft forced to halt sales until they correct the problem of ms-windows being vulnerable

Re:

[Archtech]

Do you understand intent?

It's where you stay when you're camping and it rains.

Why?

Re:

[Archtech]

Because Microsoft got serious about security the better part of two decades ago.

And when is that seriousness going to have any practical results?

Re:

[GameboyRMH]

I'd say it did within the last decade. Win7+ security is not bad.

That said, these findings threaten only to make Huawei look about as bad as Cisco, a company Americans are still free to buy from.

Re:

[Anonymous Coward]

Windows XP SP2. There is a reason that the primary vector for exploitation changed from the OS to applications.

Re:

[drinkypoo]

Because Microsoft got serious about security the better part of two decades ago.

Really? I don't remember this happening. I remember them blowing a bunch of smoke up various asses, though.

Re:

[lactose99]

In what universe was this?

Re:

[pbhj]

Agreed.

What's more every telecoms company around the World buying large swathes of kit from Huawei has presumably done their due diligence and considered that the vulnerabilities weren't sufficient to warrant buying from a different company -- until Trump declared it was anti-USA to do so and started telling other countries who they were allowed to buy their telecoms equipment from (hint: it begins with U and ends in SA).

More than likely it's just to ensure that USA have access and other state actors don't.

Re:

[skids]

Another bright side: now that we so readily assign malicious motives to every software security bug, producers might actually put more resources into QA and proper design validation. Because "Company X may have intentionally left their product vulnerable to spies" is worse publicity than "Company X goofed and then issued a fix."

Whether or not a vulnerability is intentional is a case-by-case thing but I think treating all of them this way might be a productive way to force standards writers, coders, and pro

Big Claims, Little Proof

[Anonymous Coward]

More big claims, but still no proof. And if this was to be taken at face value, wouldn't the US be *encouraging* people to use the Huawei gear so they could exploit it for intelligence gathering? Surely it makes no sense at all to tip off an adversary that you can exploit their equipment?

Re:

[Cipheron]

These vulnerabilities are easily discovered as well. That means China's gear has them, too, and would allow American access. Why would China deliberately backdoor their own gear in *obvious* ways which other people could use against them?

Re:

[Cipheron]

i.e. if they want proof, lets see an article showing that the Chinese government refuses to allow Huawei gear in their network, and then they have a possible case.

Re:

[drinkypoo]

These vulnerabilities are easily discovered as well.

Okay, so?

That means China's gear has them, too, and would allow American access

LOL, no. It doesn't mean that at all. They could literally have a build option for backdoors that they only enable for export nations.

Re:

[Aighearach]

You're not going to get the "proof" you fucking idiot.

If you want to understand the problem, become a security professional.

The people who need to know are the ones who will have access to the proof. What you will get are conclusions. Because you don't need to know.

My goodness people are fucking stupid on this site these days. Under no circumstances is the government going to give you "proof" of things relating to national security. It isn't your job to evaluate it.

The same goes for private security. If I h

Damn communists!

[fbobraga]

/sarcasm

saving money

[lkcl]

Telecommunications gear made by China's Huawei is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies,

you may have heard the phrase, "never attribute to malice that which may be attributed to sheer incompetence, instead"? i do not believe that we have malice at play, here: simply the expectation that, by developing a proprietary system and not providing the full source code, we're seeing the exact same usual complete lack of security focus and review exhibited by *any* company.

it's "admin, admin" all over again, where lower cost of equipment results in Huawei *not being able to afford good security experts*. it's not *deliberate* that they're providing back-doors, it's *just down to lower costs*

unfortunately, Trump is so hyped up on racist nationalistic ignorant paranoia that he's quite happy to make it look like China Govt Is Involved.

the reality is: this is down to *proprietary software*. we *know* that proprietary software is insecure. the solution: laws that make it mandatory that, for public mission-critical infrastructure the *software* to be public and published under Libre Licenses. *not* paranoid Executive Orders.

Re:saving money

[Cipheron]

Yup, those backdoors are concentrated in the Chinese networks after all, meaning the NSA probably knew about them beforehand and is using *them* to snoop on China.

appeared credible

[dromgodis]

by cybersecurity experts that top U.S. officials said appeared credible

To what extent did the US officials themselves appear credible?

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ghoul]

You mean 15% of the American voters. Only 30% voted and more than half of those voted for the Chinese candidate but the Russian candidate won due to the electoral college.

Re:

[account_deleted]

Comment removed based on user account deletion

Report: Smear campaign much more effective

[Anonymous Coward]

when sponsored by a government.

"Covert access"?

[jbmartin6]

I can't read the article due to paywall, nor the cited report. I sincerely doubt there was anything like "covert access". Likely they mean "unpatched vulnerability" or something like leaving the telnet port open. That would be more in line with the findings of the UK's Huawei cyber security evaluation centre oversight board [www.gov.uk].

And they're willing to stand by that?

[Archtech]

"...research by cybersecurity experts that top U.S. officials said appeared credible".

Could they qualify and weaken that any more? "Credible" means that someone - not everyone, but at least one person - MIGHT believe it. And "appeared" suggests that it might actually NOT be "credible" even to that one person. Appearances are proverbially deceptive, after all.

In topUS government official, we trust

[hackingbear]

So instead of accusing Huawei put backdoors in the products, the narrative has been changed to Huawei products are buggy.

by cybersecurity experts that top U.S. officials said appeared credible.

In the other news, Iraq has massive amount of WMDs.

Re:

[Aighearach]

Sorry, Ivan, you might have not understood all the claims. It is quite possible to have intentional actions that are disguised as mistakes. There is no "changed" involved in the claims here.

That you claim to perceive a "change" merely indicates that you're full of shit and not communicating honestly.

Re:

[Aighearach]

Dude. "hackingbear" LOL uh, yeah. Sure, Ivan.

This is required, Comrade

[WCMI92]

Because the KGB insists!

Re:

[Aighearach]

Punctuation in English does not have a space before it. See, you do it like this!

Also, the word "tech" is really general. Nobody claimed that they copied all the software binaries. So no, this tells you nothing at all about software at any other company, including the companies that Huawei stole the technology from. Even where the technology they stole was software source code, they would have had to make changes to adapt it to their hardware, so it wouldn't be the same and wouldn't have the same vulnerabil

Link to the Report

[radicimo]

Here is the actual report, for those so interested --> https://finitestate.io/wp-cont... [finitestate.io]

To those of us who try to secure internet-connected products, none of it comes as a surprise. To be fair, it all seems potentially attributable to lazy and insecure software practices rather than nefarious intentions (not to say those are not also at work). Securing devices is difficult, and as long as the incentives for software development weigh heavily on features and schedule rather than security or quality, these