I’ve been thinking about the security issues of working with Huawei equipment and Huawei the company. I’ve spoken with a number of people who, off the record, talk of working with Huawei as customers and their experiences of the product have been less than excellent but the price is low. What I’ve realised is concerning. The security risks are not in the hardware, it’s the tech support engineers that are the security risk.
Some of largest telcos in Europe have chosen to take on Huawei as a hardware supplier of telecoms equipment because the price is low. Often less than half the cost of competitors. Almost immediately after deployment these buyers have discovered bugs in the equipment. Some of these bugs are hardware, some of them are software. Recently, Recurity Labs performed some basic security scanning (PDF) on the Huawei gear, and widely reported “The code quality is pretty much from the ’90s”. It’s mostly well-known among engineers that the Huawei software architecture is very poor, lacks robustness and quite a few vulnerabilities (although it’s improving).
This is a business security risk. Many of these companies have now built testing and validation divisions to validate Huawei code and products against a baseline. It’s still cheaper to invest in a massive testing operation and lab than to change strategy to buy Cisco or Juniper equipment.
Technical Support as a Security Risk
The actual information security risk or breach occurs when Huawei acts to solve the customer problems. Huawei typical response for large customers is a team of engineers shipped out from China to cut code and fix the problems. I’ve been told anything from 20 to 100 engineers at a time, at Huawei’s expense, will work through the identification of the bugs, make code changes and commit them back to the main team and receive new code overnight for testing.
I’ve confirmed this has occurred with three large service providers in Europe. Lets leave aside the fact that your products should be tested, have good software quality, and be reasonably bug free and even that Cisco and Juniper did similar actions in mid 1990′s when networking was in its infancy.
The security risk is the team of engineers. They will be physically located in the middle of the telecommunications infrastructure for your country. To identify and resolve the issues, they will gain full access to network architecture and design - a security risk for network reconnaissance. They are likely to have full access to installed equipment, including the existing equipment in addition to the Huawei assets – a security risk since they will have full knowledge of the current configuration. Those engineers will be integrated into the corporate structure where they can measure and map the tactical response to security events and the overall security resilience of the network.
Knowledge is the key to attacking a network.
What Security Actions are Possible ?
It seems unlikely that the Huawei equipment is insecure because that’s hard to hide. Far easier for a foreign government to slip a few key people into the support team and then export documents, diagrams and network configurations. In practice, there is very little security inside a telco or service provider to prevent such data theft from trusted personnel.
With this information, an attacker could easily map out the telecommunications network. As an attacker, knowing weak points, physical locations, logical layouts, what the target response plan is, and what equipment is all just marvellous intelligence. Many external hackers spend vast resources researching targets to find vulnerabilities and weak points in telco networks. Having internal knowledge would be invaluable.
Keep in mind, that ongoing support for the network and equipment means that the Huawei also continually updated as to the network design and deployment. The tech support team needs to know the data to keep the close support on an ongoing basis.
Having full knowledge of the internal network for a national carrier, its configuration, the corporate support, the security regime and tools seems quite close to a major compromise of national security to me.
All development is performed in China and any background check of Chinese nationals from Huawei’s offices would obviously be suspect. And note that performing background checks on US nationals in China would also be hard to validate.
It would be very difficult to build information barriers to prevent data leakage to the your equipment provider. They simply cannot help you without that information.
The EtherealMind View
The hype around Huawei having back doors in their network equipment is fanciful. If I was the CTO for a telco, I’d be much more concerned about service integrity and operational cost of poor software quality since Huawei product quality is widely discussed among engineers as poor or sub-standard.
People are right to be concerned about National Security but only because Huawei engineers could gain access to a lot of data about the telecommunications infrastructure that underpins modern life. This is the same a security reconnaissance for “cyber attack”. But I’d also note companies with Cisco products will equally have the same risk. I imagine that sales of Cisco equipment to Chinese government is limited for exactly the same reasons but we just aren’t hearing about that in the major press in the Western world.
To measure the national security risk, consider that for recent project for a very large Point of Sale network, I was informed that three days without electronic transactions would lead massive economic failure and probably rioting and potential societal collapse within five days since nothing could be paid for. Commercial services are critical infrastructure like electricity and water.
As an attacker, knowing where to focus to create an event like this is exactly the information I want. And that’s the sort of information that engineers could easily obtain when located at customer sites and resolving their problems. On this basis, we are right to be concerned about security and ensure that oversight is applied to Huawei as a business but not as a product. And, conversely, US network vendors like Cisco & Juniper should have the same security applied to their engineers in certain geographies.
The issue is Information Security not physical security.
References: Risky Business #250 — Hack it like it’s 1999