Vodafone found Huawei “backdoors”

Oh dear, at Bloomie:

For months, Huawei Technologies Co. has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and has threatened to enable Chinese spying through the telecom networks it’s built across the West.

Now Vodafone Group Plc has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier’s Italian business. While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China’s global technology prowess.

Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

And at The Guardian:

The emergence of the security lapses – which according to Bloomberg were also found in Vodafone’s networks in the UK, Germany, Spain and Portugal – comes as the US tells the UK to ban Huawei from forthcoming 5G networks due to fears the Chinese state could use the technology to spy on western governments.

The US said on Monday that it would review intelligence sharing with the UK if Theresa May did not reverse her decision to allow Huawei’s equipment to be used in the UK’s next-generation mobile network. Robert Strayer, a deputy assistant secretary at the US state department, said the use of the Chinese company’s equipment in any area of the UK’s 5G network was “an unacceptable risk”.

Quite right. May’s stupidity is a little WWII Singapore for Australia all over again.

Comments

    • Of course! The NSA transcribes every single voice call, logs every single SMS, email and instant message for all members in the Five Eyes alliance (which includes Australia). People like Edward Snowden and William Binney have been describing the programs to the public for years. Here’s an example: https://www.youtube.com/watch?v=SjHs-E2e2V4

      Just assume that every single thing you do or say online is being performed before a live audience of policemen and hostile journalists who are looking to blackmail you if they can.

      • Genuine question – that’s an obscenely large amount of data to store. Where would they store it, and what stops it from being attacked? I’m working on the assumption that the non-government technical genii know where the data storage is as presumably there would be some sort of “traffic” that can be measured? Or have I just proved my ignorance beyond any reasonable doubt?

      • @Phil
        It wasn’t such an obscene amount of data until people started getting/sending video from/to their mobile devices.
        That’s when the storage problem got out of control, it is probably reasonable to believe that known data streams aren’t being stored (like who needs to store 1M copies of GoT season 3) but this is precisely what makes these data streams such interesting places to hide other data. Like I said below hiding in plain sight is often the best plan. In the end they’ll collect absolutely everything and have no time to process any of it….makes it a bit like that fabled Cold War intercept of the Berlin-Moscow cable done in the early 60’s that was still being transcribed well into the 1980’s long long after it had been shut down.

      • Wow, thanks guys (or gals!). And now the NSA knows I looked at a map of its datacentre!

      • Don’t worry Phil
        It all gets a lot easier to stomach when you know that you’re on their watch list rather than just wondering.
        When you know what’s happening you act accordingly, however when you’re just wondering you can invent all manner of implausible assaults on your privacy and quickly lose touch with reality chasing your own tail down the rabbit hole.

      • @fisho: they dedupe at the block level (same as cloud storage providers), so Netflix is no problem. Deduping enriches for unique streams (security camera feeds, dashcams, video calls, remote desktop sessions, steganographically modified GoT episodes ;-), etc), which is what they’re actually interested in.

        Where it becomes problematic is with something like Google Stadia. Game streaming could potentially end up generating more data than movie & music streaming combined, with the highly problematic fact that, unlike movies and music, most of the gaming streams would be unique. That would be a sensible place to hide in plain sight.

  1. I don’t particularly trust Huawei either, but I think we should be careful not to conflate “vulnerability”, with a deliberate back door.
    Vulnerabilities are a dime a dozen, come from all vendors, and range from the staggeringly complex and obscure to the just bone headed. Google “vulnerability database” and spend an hour losing any faith you might have had in IT security!

    • Vulnerabilities by design. Oops we left a ‘vulnerability’ which gives us access to the network…

      • Not at this level. Too likely to be found. Far better to leave a dormant trigger in hardware, making it effectively invisible until activated. And it’s just as likely the same kind of functions are in western systems. Sometimes they’re even sold as features.

    • All modern CPUs have hardware back-doors.

      A popular way to get in is via the “management engines”, for example: https://www.howtogeek.com/334013/intel-management-engine-explained-the-tiny-computer-inside-your-cpu/

      Here’s an even more eye-opening back-door. Literally an unpublished “God Mode” instruction that gives the lowest level access you can imagine (better than root access) for x86 chips. Antivirus programs are useless at this level and it works regardless of the operating system. https://www.youtube.com/watch?v=_eSAF_qT_FY

      Pointing the finger at China and screaming about hardware back doors is the pot calling the kettle black. Western governments have been poking in to everything since always. For a catalogue of available tools, check out the Wikileaks release Vault7: https://wikileaks.org/ciav7p1/

      • Yep who exactly developed ARM into the ubiquitous mobile processor that it is today? Cambridge boys you say, hmmm absolutely no GCHQ links there, at least that much is clear.
        And what about companies like Qualcomm surely they don’t have any strong ties to the intelligence community (looking at you Andy V)

      • Spooks: that fisho guy knows too much
        Silicon Valley: we must work hard to shut down fake news and conspiracy theories
        NPC: that fisho guy is a crazy conspiracy theorist working for the RUSSIANS!!
        Fisho: I can’t get on the internet anymore, WTF?

    • @Mediocritas… what you’re saying is true, and now even with our own countries’ activities we’re all surveilled and it’s morphed from threat to the country to targeting us all. In the 3GPP specs and the ITU there is the legal interception so govs have a legal warrant right, but that now seems to be not the case with the bulk surveillance now. Difference with China is that they really do want to control the world in an even more unfriendly way. Just look at how they treat their own citizens. I don’t know what the answer is, but not many corps are controlled by the gov like them.

      • It seems to me that Western governments are adopting the very same strategies as the Chinese and have the same ambitions. There is already a clone of the Chinese social credit system operating in the west and I’ve personally fallen victim to it on social media. Shadow-banned and deboosted because I say and think the wrong things. It is particularly obvious in cases like Alex Jones’ de-platforming in which he was simultaneously de-platformed from every single social media platform (except Twitter). Now we have cases of socially targeted individuals being denied access to not only the public space (social media platforms), but also international travel, ride-sharing, payment processors, and even basic financial services such as daily banking.

        It’s only a matter of time until what’s happening in digital services (largely operating out of silicon valley) makes its way into official government policy. Also, given the cosy relationship between silicon valley and the military (for example, Jeff Bezos is a board member of the Pentagon), then I’m quite sure that the secret social scores that we all have are integrated with our security profiles with intelligence agencies.

        So yeah, China seemed clearly worse in the short term, but it seems like our governments are trying hard to catch up in the tyranny department. I know what the solution is, but I get shut down for talking about it. You’re not allowed to talk about it.

      • @Mediocritas .. no such thing as real free speech now, but with SM in general things had to change. People seem to have forgotten the social experiment that FB did on a few hundred users feeding them depressing/bad news to see what happened. I have ex SV mates who worked for FB up to a few months ago and it’s scary how they think and more so what they get away with. I’ve worked for a few of the big US tech and it’s not all roses as is shown by the yearly surveys. It’s group think and if you don’t you’re the problem is how they see it. A lot of what I see there, the EU, and Oz is a blow up of the economic and political situation with globalist neolib policies. They’ve lost all real social conscience where the average person is being squeezed financially and the corps take less of the tax load, and we take more of it, and not just the base tax rate all the other levies and costs we have to deal with. It’s all gone crazy because inequality is rampant and none of the pollies seems to have faced that reality. The US Dems radical left has, but a massive overreach and loss of reality. There are probably more causes, but I’m too busy to be able to think about it. None of the elite are willing to accept less for themselves to build a fairer society…none of them.

  2. You honestly think that Microsoft, Apple, Facebook, Instagram etc. don’t have backdoors for the FBI and CIA?

    Come on

    This is realpolitik

  3. johnl77

    I’m not trying to defend Huawei, however it is possible that the Huawei scares are politically or commercially motivated. It is probable that there has never been an operating system produced that does not have vulnerabilities. Huawei routers use the Versatile Routing Platform operating system. Cisco also uses a version of this OS. This site tracks known vulnerabilities and lists one for Huawei routers detected in 2007. I don’t know if this is what Vodafone referenced?
    https://www.cvedetails.com/vulnerability-list.php?vendor_id=5979&product_id=10130&version_id=&page=1&hasexp=0&opdos=0&opec=0&opov=0&opcsrf=0&opgpriv=0&opsqli=0&opxss=0&opdirt=0&opmemc=0&ophttprs=0&opbyp=0&opfileinc=0&opginf=0&cvssscoremin=3&cvssscoremax=0&year=0&month=0&cweid=0&order=1&trc=1&sha=30a845a3a46d6ec3936a4a60417302cc87875c6f

    • Yep, everything is compromised. The Great Game being played in the geopolitical world right now is between the rising Asian empire led by China and the fading Western empire led by the USA.

      When the USSR fell and Cold War spending could no longer be justified, the MIC pivoted to the “War on Terror”, which enabled them to not only maintain spending, but raise it far higher than at the height of the Cold War. Now that China has established itself as a major global power, the MIC is pivoting back to the Cold War and nations are having to decide which side they align with. We’ve already seen what happens to nations (Syria, Libya, Ukraine, Venezuela), when they toy with both camps then decide to lean towards the axis side.

      The new Cold War is why the USA is currently shutting down oil exports from Iran and Venezuela. These countries are major oil suppliers to the axis powers, so the allies are trying to choke the axis powers out. When it comes to cyber-warfare, they’re both at it full time, nobody can claim the moral high ground.

      • axis powers

        lovely reference but the analogy is wrong way round.
        it changed when political asylum seekers changed defection destination

  4. Interesting problem to ponder what information is gained at the network transport level.
    If all traffic is end user encrypted then one would expect that very little would be revealed about the contents of the traffic but that still leaves the metadata. Of course Australia being such a smart nation has basically outlawed encrypting data so every bit of data transported across our network can be sniffed by anyone in the right location or with access to the backdoor/vulnerability.
    IMHO the solution is to encrypt all network data and then to work on methods that will deprive network operators of the ability to sniff traffic and collect user identifiable network transport/metadata.
    Of course taking this course of action would require someone in a position of control that had half a brain and wasn’t freaked out by their own shadow.

    • It can work (temporarily) if you design your own encryption algorithm and don’t publish it. If an encryption algorithm has been published to NIST and approved by the NSA then you know they can crack it.

      The problem is that the NSA records absolutely everything that goes over the wires, so if you become a target of interest and they crack your encryption, then they can travel back to your historical messages and crack all of them too. The only truly safe way to transmit data these days is entirely non-digital and transient.

      This message will self-destruct in 5…4….actually never because the NSA just logged it and tagged it to my identity.

      • Designing your own encryption algorithm is a really stupid idea for 99.999% of the population, as for the rest they know better than to believe that they can outsmart the world’s best cryptanalysts.
        I’d rather just string together a few of the lesser known algorithms and make sure I only use very strong encryption keys. Just combining something like Twofish with a simple Elliptic curve crypto will F’up all but the best, back filling all the unused bandwidth of the transport data stream with random data strings will definitely hide your critical data BUT this comes at the cost of having the technical departments of every major intelligence service on the planet trying to decipher what exactly it is that you’re so busy hiding.
        Sometimes you’re better off hiding in plain sight which is what makes Steganography such an interesting art form.

      • I hear you mate. I, personally, don’t even try.

        Now I don’t actually have anything to hide but that’s not the point. The point is that if you CAN’T possibly hide from a government, then there’s nothing to stop the government from becoming utterly tyrannical. Privacy and liberty are connected, and digital privacy has been eliminated, which is rather ominous for the future.

        Black-pilled.