11

There has been a lot of news lately, and in the last few years, about Huawei being a security risk. Can someone explain what the basis is for the risk, other than speculation? Is there not a way to examine Huawei devices to see if there is indeed a chip, bootloader, backdoor, etc that could be exploited? What potential dangers exist in Huawei devices made in China, but not in other devices made in China, like those from Apple?

BogBody
  • "What potential dangers exist in Huawei devices made in China, but not in other devices made in China, like those from Apple?" is going to be purely speculative. And it is not really connected to the core question. – schroeder Nov 24 '18 at 14:52
  • No need to, every device is a security risk. There is a lot of geopolitics on this particular subject tho. The US considers companies like Apple a priority to "national security" and therefore sees their competitors as a threat to national security, even if they don't do any spying whatsoever. So this has more to do with preventing economic gains for China and directing the revenue to domestic or allied corporations. – dtech Nov 24 '18 at 15:02
  • 2
    I think this is an interesting question and it would be appropriate here on SE, if you rephrased it to something like "are there really any security issues with Huawei that would justify what Trump said"? I'd be interested in knowing the opinion of security experts, NOT politicians or journalists. – reed Nov 24 '18 at 15:06
  • 2
    @reed: it is more a question of control. US fears that China controls Huawei and that's why it does not trust it. It also feels that Russia has control over Kaspersky and therefore similar distrust. This also goes the other way: US hardware and software is not fully trusted outside of US because one fears that the US has some control over it. Mutual distrust, some of it probably right and other maybe exaggerated to sell more of their own stuff inside the country. – Steffen Ullrich Nov 24 '18 at 15:23
  • 1
    Steffen, your description is exactly the type of commentary I'm frustrated with (and I say that with no malice!). It makes sense that the US's geopolitical enemies would use those avenues to conduct espionage, but where is the actual evidence? I mean, we have the devices in hand, is there a way we can physically examine them and say "ah ha! here, see!"? Can we quantify the very justified but generic "distrust" into something concrete? – BogBody Nov 24 '18 at 15:45
  • 1
    @BogBody the US is not in the habit of providing evidence for its allegations. That's probably because most of those are groundless and only made over geopolitical interests. And they don't have to be proven to yield gains. Huawei is growing fast and poses a real danger to large US money makers, but it is not like they can ban it over those concerns, that would look anti-competitive and bad, hence the espionage concerns and allegations, which make Huawei look bad instead, even if those allegations happen to be pure lies, but they are technically true and valid for EVERY device on the market... – dtech Nov 24 '18 at 15:55
  • 1
    @BogBody: we can at least quantify some distrust others have about products from US, i.e. [Dual_EC_DRBG](https://en.wikipedia.org/wiki/Dual_EC_DRBG) in products from RSA security, [backdoors in Juniper VPN systems](https://arstechnica.com/information-technology/2015/12/unauthorized-code-in-juniper-firewalls-decrypts-encrypted-vpn-traffic/), [backdoors in products from Cisco](https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/) ... It is just logical to assume that others will try the same. – Steffen Ullrich Nov 24 '18 at 16:02
  • 1
    @SteffenUllrich don't forget the NSA intercepting and tampering with bulk hardware shipments, to add their own backdoors, in addition to the stock ones ;) – dtech Nov 24 '18 at 16:05
  • I am happy with my Huawei phone, which is for personal use only. If I had secrets to keep, I might worry. As it is, if Beijing is listening, it'll keep them busy. (I live in the United States.) – Bob Brown Dec 10 '18 at 00:23
  • It might be possible to examine one device to prove that device isn't a risk, but you can't examine one device to prove the next device isn't a risk. – user253751 Dec 10 '18 at 00:23

3 Answers

14

This article from the MIT Technology Review says that the U.K. has been vetting Huawei gear before deployment. It provides for only a limited level of assurance. The risks are loss of privacy, espionage, and sabotage.

I left the electronics/computer industry years ago but I think the following views are still applicable to the state of the art.

If espionage is intended, the manufacturer can make a device's code hard to access and inspect. A flash memory device might be part of a system-on-chip or system-in-package that obviates the need to present memory lines on the surfaces of the package. This would make code very inconvenient to access. In the extreme you may resort to using a scanning electron microscope (SEM). Courbon et al. used a SEM to read a 210 nm flash memory. (The article is not dated but the most recent reference is from 2015 so the paper is at least as recent.) If you can access the code, you may then find that it was obfuscated. Obfuscated code is created when the programmer uses a program to turn the original code into a Rube Goldberg machine. Whether this is effective in hiding backdoors is debatable.

A custom chip can be a mystery. A chip "normal" in every way except identification looks like a mystery. A manufacturer can simply print phony or confusing identification on one or more of the devices on a board. A device can be made to look standard when it is in fact not. If any well-funded entity were to invest in hiding or disguising functionality, it would take a huge amount of research to determine the "true circuit" of any single design. Until you know the true circuit, any inspection of the code provides no real assurance.

If you believe you need to go to much trouble to determine the true circuit and inspect code for a backdoor you may be better off just designing and building your own telecommunications equipment. More realistically you would install intrusive oversight in design, manufacturing, support, and updates and perhaps take over corporate governance through the nationalization of a maker.

If you are not going to be intrusive you are implicitly accepting a certain amount of risk and you are perhaps relying on commercial pressures to keep the manufacturer honest.

If updates are disabled, you might conclude that a particular design is not a security risk after a certain amount of effort. You would not know if the effort made is insufficient and that a larger effort is needed. It may not be practical or even safe to disable updates. As soon as the code is updated you do not have any assurance. You may not be aware of the event of an update if the manufacturer tries to be stealthy.

H2ONaCl
  • @BogBody I want to add that users can choose to encrypt data. In that case the residual risk might be limited to sabotage or denial of service. – H2ONaCl Dec 11 '18 at 16:20
7

There is a lot of speculation based on intelligence that has not been explained. That's not nothing, but it also isn't something.

Can the phones be inspected? Yes, but only based on function. The problem is not a backdoor or a bootloader, and there would be no need to add a suspicious chip because malicious functionality can be baked in. Any regular calls home would also be detected.

The problem is with "sleeper" functions. Imagine the phone has a "dump all data to home" function that was not enabled until an update was applied by the manufacturer. The update itself need not be malicious, just configured in such a way to turn the sleeper function on. Then the phone contents are uploaded. It might be detected, but by that time, the damage is done.

Security depends a lot on trust, and if a vendor cannot be trusted, then it almost doesn't matter if it is possible to inspect the product; there are too many ways that the vendor can break whatever trust was granted.

schroeder
  • 1
    I believe "sleeper" functions in hardware can actually be a threat to start worrying about. They are extremely hard to discover by researchers, and if nobody is using them maliciously the authors can always find some excuses (bug, feature yet to implement, etc.) and so scandals are less likely. Plus I'm sure lots of governments would consider them an awesome cyber-weapon to invest in. A "secret command" to massively brick devices is going to be useful during the highly-technological third world war. – reed Nov 24 '18 at 15:32
  • Ahh, okay. I wasn't aware (and none of the articles I've read have addressed) that these "sleeper" functions are undetectable. Could you walk me through a hypothetical undetectable "sleeper" function? Where would it exist within the phone or laptop? I guess I'm still a bit confused, because, for example, a Huawei laptop can have a fresh copy of Win10 reinstalled on it, yet it still remains a security risk, right? What parts of the laptop make it vulnerable? Where would the vulnerability be hiding, waiting for the wakeup call? – BogBody Nov 24 '18 at 15:50
  • 1
    @BogBody: one common way to hide such functionality is by reacting only to some magic network packets or packet sequence. A [simple search](https://www.google.com/search?q=magic+packet+backdoor) will find many examples for this. Apart from that such backdoors can also be hidden as a bug which can *"unfortunately"* give a remote user access to this system. Such bugs get regularly known in software, phones, routers, firewalls... But, only the ones who know these bugs can use these and with access to the source code it is more likely to find (or introduce) such bugs. – Steffen Ullrich Nov 24 '18 at 17:03
  • A sophisticated sleeper routine can be tuned to aim for specific target phones that mention "administration/ senator/ CEO/ ambassador/contract/ uyghur/ south china sea/ladakh/depose/Jinping" and only wake sleepers for phones based in specific regions like administrative districts of Washington, Brussels, Delhi, London, at least that's what I would do if I was a spy Teeheehee. – LifeInTheTrees Dec 14 '20 at 11:26
1

Your best bet is to monitor the network activity while the Huawei device is connected through your router/modem. If data is passing from your device to the internet for unknown reasons, particularly to IP addresses that you and your apps haven't requested, then there's good reason to suggest backdoor spyware.

The only way to truly know whether an operating system is spying on you is from monitoring your own network, unless you have access to the full source code of the operating system and are able to understand whether there is backdoor spyware code within the source. However, even with full source code of open source operating systems, it's very possible that there is backdoor spyware within the code that has gone undetected by thousands of developers who have read the code. This is simply because it's possible to make a backdoor function so undetectable that no one would even realize that it's there.

However, if you're not detecting data leaving your phone to unknown sources then it's unlikely that a backdoor is in place. It can still be hard to detect small bytes of data leaving your phone, which is enough to steal your notes, documents, emails, browsing history, passwords and other small files.

If the Huawei operating system has code in place to transfer your passwords over to its servers, it would require that you send 8 bytes of data over the network for a password that is 8 characters long. With so many apps, website addresses and other software constantly passing data to and from your device, detecting suspicious transfers for data that small becomes incredibly difficult. Even the most savvy of IT specialists might have difficulty proving whether the device is spying on them or not.

Also worth noting is the concern that even if it were somehow proven that Huawei isn't spying on users, they could always update their operating system remotely and then with each update, it would have to be reproven that they are not spying. Because every OS update could have included code that transfers your data to their servers.

It has become so easy for software to spy on you that people should become aware of the issue that any and all of your computer's data can be accessed at any time by software and operating systems that you have installed by bad actors who choose to spy on you.

What the world really needs to have are operating systems that make it easier to monitor all of your network activity while giving users the ability to block any network requests from sources that have not been approved. In other words, people need devices where their data cannot be sent over the network except for exactly the data that they want to send. The reason the world needs this is because currently, there's no reason to believe that major US tech companies and government aren't spying on users already. Even some small app developers are doing it. It's just too easy, and too tempting for many not to do it. And the problem of spying will likely get worse as developers begin to understand the programming mechanisms to implement such spying. Unless ample measures are taken to prevent spying on these devices, people in the future should safely assume that everything they are doing is being collected and stored, usually for AI algorithms to process. If people want the internet to have any amount of privacy, large steps have to be taken to ensure it. And there's almost no way to know whether or not Huawei provides privacy or if it's spying on its users.

The U.S. government is terrified of Huawei controlling and implementing 5G networks because it understands that telecommunication providers have access to everything that users do on the network. The telecommunication companies in America literally can see everything that everyone is doing. Luckily, despite these telecommunication companies having an almost all-knowing power, it doesn't seem that the power has been terribly abused as of yet. The U.S. government is rightly afraid of any other country having such a power over our own citizens.

Michael d
  • What if the device is only programmed to upload information for phones in the administrative zones of Washington/Brussels/London/Delhi/and so forth, quarterly and to a trusted destination site which is temporarily controlled by a trojan? – LifeInTheTrees Dec 14 '20 at 11:58
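
The router-side check described in the last answer, as an added example that is not part of any post above: it summarises one device's outbound flows to destinations outside an allowlist, without a byte threshold, so that 8-byte transfers are reported too. The flow-log format, the addresses (documentation ranges), the `EXPECTED` allowlist and the function names are all constructed assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records (not a real capture):
# timestamp, source device, destination IP, bytes sent
FLOWS = """\
2018-12-10T09:00:01 192.168.1.50 203.0.113.10 48211
2018-12-10T09:00:07 192.168.1.50 198.51.100.77 8
2018-12-10T09:05:07 192.168.1.50 198.51.100.77 8
2018-12-10T09:10:07 192.168.1.50 198.51.100.77 8
2018-12-10T09:12:30 192.168.1.50 203.0.113.25 1530
2018-12-10T09:13:00 192.168.1.23 198.51.100.77 900
"""

# Assumption: networks you have accounted for (app servers, update CDN, DNS).
EXPECTED = [ipaddress.ip_network("203.0.113.0/24")]

def parse_flows(text):
    """Yield (timestamp, src, dst, bytes) from whitespace-separated records."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        yield ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(nbytes)

def unexpected_destinations(text, device, expected=EXPECTED):
    """Summarise traffic from `device` to destinations outside `expected`.

    Returns {dst: {"flows": n, "bytes": total, "first": ts, "last": ts}}.
    No size threshold is applied: a tiny flow is reported like a large one.
    """
    device = ipaddress.ip_address(device)
    report = defaultdict(lambda: {"flows": 0, "bytes": 0, "first": None, "last": None})
    for ts, src, dst, nbytes in parse_flows(text):
        if src != device or any(dst in net for net in expected):
            continue  # other device, or a destination already accounted for
        entry = report[str(dst)]
        entry["flows"] += 1
        entry["bytes"] += nbytes
        entry["first"] = entry["first"] or ts
        entry["last"] = ts
    return dict(report)

if __name__ == "__main__":
    for dst, e in unexpected_destinations(FLOWS, "192.168.1.50").items():
        print(f"{dst}: {e['flows']} flows, {e['bytes']} bytes, {e['first']} .. {e['last']}")
```

A report like this only covers destinations outside the allowlist; data sent to a destination you already trust, as the comment above suggests, does not appear in it.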