The US Fears Huawei Because It Knows How Tempting Backdoors Are

Credit to Author: Lily Hay Newman | Date: Wed, 12 Feb 2020 00:13:37 +0000

US officials allege that Huawei has backdoors in its technology. The US knows firsthand how powerful those can be.

After publicly pressuring its allies to ban Huawei equipment in their 5G networks, US officials are now publicly accusing the Chinese telecom giant of being able to spy on mobile data. The allegations, reported by the Wall Street Journal on Tuesday, represent the first specific concern the US has articulated about Huawei after months of conceptual arguments.

The details around the accusation remain vague, indicating that Huawei may be able to spy on access points meant for law enforcement. US officials speaking to the Journal apparently declined to say whether the company had actually done so. But while suggesting a potential mechanism for improper surveillance does heighten the debate between the US and Huawei, it also hints at a deeper self-awareness on the part of US officials. In truth, the intelligence community fears Huawei for a fundamental reason: China will take whatever advantage it can, much as the US has done in the past.

US officials have previously said they didn't need to justify their reservations about Huawei and the potential that the company's equipment could contain Chinese government backdoors. But a number of US allies are taking a different approach to dealing with the telecom giant, hoping to manage the potential risks rather than banning Huawei equipment altogether. The United Kingdom, for example, has maintained an auditing facility in China for years adjacent to Huawei's headquarters. And a UK security analysis from last year found that Huawei has more pressing security issues from sloppy, flawed code than from Chinese espionage. Meanwhile, the German legislature will soon vote on a bill that would allow Huawei equipment in German 5G infrastructure if the telecom makes promises about the integrity of its security protections.

Still, researchers say that it's unclear what exactly the US is alleging on a technical level when it claims that Huawei maintains network access that other manufacturers don't.

"We would need to have more details to be able to draw any conclusions," says Lukasz Olejnik, an independent cybersecurity researcher and advisor. "We know that forms of technical lawful intercept are a feature of all generations of cellular telecom specifications. But it's unclear what officials in the Wall Street Journal story are referring to exactly."

If Huawei has been abusing law enforcement access capabilities to clandestinely gather or funnel user communication data, it would be an example of the types of backdoors US officials have warned against. Huawei has vigorously denied that it conducts wrongful surveillance or that it cooperates with the Chinese government by creating backdoors in its network systems. But US government officials have pointed out that China is an authoritarian state that maintains laws about corporate cooperation with government demands.

Furthermore, the US knows all too well that private companies can be infiltrated for espionage or technical control. Take the Swiss secure communications and equipment firm Crypto AG, which operated for decades under secret US intelligence control. Components of the scheme came to light over the years, but Crypto AG continued to operate until 2018, selling security tools with weakened encryption to foreign governments. In the most comprehensive expose on the operation to date, the Washington Post reported on Tuesday that Crypto AG was co-owned and managed from the 1940s by the CIA and West German intelligence (later the German agency, the BND) until the early 1990s, when the BND sold its stake to the CIA.

Crypto AG had a strong business selling security equipment to more than 120 countries, according to the Washington Post, including India, Pakistan, and Iran. The Soviet Union and China never bought Crypto AG equipment, presumably over concerns about links to Western governments.

Even with the new layer of accusations, the case against Huawei still comes down to how countries plan to manage "supply chain" security issues. If you don't trust the entity producing technical tools or the environment they were made in, you must consider the possibility that the equipment was created with a hidden backdoor or other foundational flaw. Again, look no further than the US: Reports in 2013 revealed that the US National Security Agency physically intercepted and added technical backdoors to enterprise IT equipment, like Cisco and Juniper Networks products, to enhance data access.

This is why it's so difficult to manage risk with a private company through partial mitigations like those the UK is using. It's very difficult to vet market-ready devices for intentional backdoors, especially those designed to weaken encryption algorithms in near-imperceptible ways. You need to both reverse engineer the code accurately to understand exactly how a system functions and then conduct an exhaustive mathematical analysis of the cryptography. No matter how thorough this process, it's always possible that well-engineered flaws can evade detection.

"Every organization should understand and accept that they can't fully audit the encryption code on the devices they use to secure their data," says Jake Williams, a former NSA analyst and founder of the security firm Rendition Infosec. "And there's a history of potential hardware tampering by government agencies around the world. So organizations need to choose equipment that, if backdoored, presents the least risk. Supply chain security is a bear."

So the Huawei debate continues to go in circles. Regardless of the latest revelations, the question remains whether the risk is manageable, or if the US and its allies should forgo Huawei altogether.

"Technology is a matter of national security as never before," Olejnik says. "Generally, what matters is control over hardware and software, bottom up, the full stack. Who do you trust? It's a question of digital sovereignty."

When it comes to equipment sitting in the heart of US wireless networks, you can start to understand the US government's fundamental concerns with Huawei. Especially given the US's own history of planting backdoors in technologies around the world.
