Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

10/16/2012
05:52 PM
Thomas Claburn
Thomas Claburn
Commentary
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

What Huawei, ZTE Must Do To Regain Trust

The U.S. is not the only country scrutinizing the security of Chinese-made telecom equipment from Huawei and ZTE. Without major changes, significant contracts are at risk.

The issue of purpose is a thorny one. Even as the U.S. government decries the risk of backdoors accessible to foreign powers, the FBI is asking online service providers like Facebook and Google to "build backdoors for government surveillance," as CNET put it.

Baker suggests that the FBI may not be after installed backdoors so much as a commitment to cooperate when the agency needs information for an investigation. And he notes that the phone system from the 1940s through the 1980s was in the hands of a limited number of companies and its backdoors were administered successfully. "You were free from wiretaps unless that company carried them out for the government," he said. "There wasn't a lot of misuse of that capability by others."

But what may have worked in the telecom system of yesteryear appears to be less tenable today. Backdoors are harder to conceal in a connected world, where penetration testing can be conducted from afar all day, every day. Google offers an example: In 2010, the company reported that it had detected "a highly sophisticated and targeted attack on our corporate infrastructure originating from China that resulted in the theft of intellectual property from Google." What the company did not say, but was later revealed, was that Google created backdoor access into Gmail to assist U.S. government law enforcement and that Chinese hackers had exploited this vulnerability.

Lawful interception capability also facilitated perhaps the most successful known telecommunications hack, the compromise of the Vodafone Greece phone network, detected in early 2005. According to IEEE Spectrum, a 2003 telecom switch upgrade partially implemented an interception management system that hackers, still unknown, were subsequently able to exploit to tap about 100 phones belonging to Greek government officials.

While U.S. officials may have reason to mistrust Chinese companies with ties to the Chinese government, concerns about hardware security really should be much broader.

Woods, whose firm offers technology to scan for hardware vulnerabilities, argues that we need to look at hardware not only from China, but from the U.S. and Europe as well. "Everyone is pointing at China, but so far we have found a backdoor in a U.S.-designed chip," he said. "Could it also not be the case that U.S. manufacturers could have installed backdoors or Trojans in their chips to be used at a later date? Is there any reason they would not put in such functionality if it was known that, most likely, these devices would be used by a foreign power?"

There's an additional complication: Cybersecurity incidents remain difficult to assess. As Errata Security researcher Robert David Graham has pointed out, claims about a Russian attack on U.S. utilities and a 2007 blackout in Brazil blamed on hackers have been turned out not to be attacks at all. Graham also says the 2008 Russian cyberwar against Georgia was merely citizen-driven hacking, without the oversight of the Russian military.

Forget about whether or not to trust Huawei and ZTE. Trusting anyone about cybersecurity matters entails risk. There's a lot of misinformation out there. The only way to moderate that risk is better access to information that can be checked. We need more transparency about the source of cyberattack claims, more transparency about the source code we're using in our products, and greater access to hardware production facilities. Trust but verify. Use open source systems when you can.

Baker suggests that the woes of Huawei and ZTE may help Chinese technology companies open up in order to deal with Western businesses expectations and regulations. "I think they've kind of stepped in it for the next five years," he said. "Their name will be mud in government circles. Maybe if they engage in some trust-building, they will be able to come back. For now, I think they're out of the market."

Huawei is already working on its recovery. Woods says that in the U.K., Huawei has supplied GCHQ--the U.K. equivalent of the National Security Agency--with source code to demonstrate the integrity of the software portion of its products. "You can't offer up source for the hardware, but you can offer the designs of the hardware, which by themselves won't reveal much," he said.

It's a step in the right direction.

Despite DARPA's effort to assure the reliability of hardware through its IRIS testing program, Wood claims that the U.S. and U.K. intelligence communities aren't interested in the techniques his company has developed. "We have offered to both the U.K. and U.S. government data and technology that [are] capable to look at this problem in a way that was not possible before, but we were told by an intelligence agency in the U.K. that they are not interested in backdoors or Trojans and any attempts to get some interest from the U.S. government has fallen on deaf ears."


 

Recommended Reading:

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
MyW0r1d
50%
50%
MyW0r1d,
User Rank: Apprentice
10/22/2012 | 4:05:32 PM
re: What Huawei, ZTE Must Do To Regain Trust
Sounds like fodder to justify import/export negotiations or help american firms. Almost all the vendors (Chinese and Western alike) build in backdoors. Publicly the answer is for technical support of their product, but only the naive wouldn't suspect there is the possibility for it to be used for other purposes, repurposed for causes such as law enforcement (remember Govt requests for monitoring and backdoor access), or misused. Govts need to err on the side of caution and consider it as a fact that happens in a competitive, free enterprise economy not as a vague possibility and that China, with greater govt control of its industries, uses it to achieve their national objectives.
ANON1255554460131
50%
50%
ANON1255554460131,
User Rank: Apprentice
10/19/2012 | 7:56:37 PM
re: What Huawei, ZTE Must Do To Regain Trust
Western countries have been known to initiate Cyber attack of other countries' facilities. China is using a lion share of US companies hardware and software (HP, Windows, INTEL, AMD,etc). On security grounds China could ban western hardware and software products. How many western companies do not have veterans working for them? Also which IT company has not been involved in intellectual properties (pattern) disputes?
vuil
50%
50%
vuil,
User Rank: Apprentice
10/17/2012 | 10:54:20 PM
re: What Huawei, ZTE Must Do To Regain Trust
When reading this article one can't help feeling soft violins should be playing in the background. Here's Claburn asking how a company that has ransacked and stolen ideas and intellectual property from the major network equipment houses (and even found guilty in a Chinese court) and Claburn wonders how they can be rehabilitated.

Well what about a less politically correct article saying we want nothing to do with Huawei and ZTE otherwise we are simply rewarding bad behavior.

There is still strong evidence that China is using network technology to spy on all and sundry both inside and outside China. Indeed there is evidence that there have been instances when China has rerouted network traffic for who knows what purpose.

Consider the following article:

http://www.nationaldefensemaga...

Come on Thomas, stop being so politically correct, grow some balls and state the reality as it is. You cannot trust these Chinese network companies.

COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/14/2020
Omdia Research Launches Page on Dark Reading
Tim Wilson, Editor in Chief, Dark Reading 7/9/2020
Why Cybersecurity's Silence Matters to Black Lives
Tiffany Ricks, CEO, HacWare,  7/8/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-11083
PUBLISHED: 2020-07-14
In October from version 1.0.319 and before version 1.0.466, a user with access to a markdown FormWidget that stores data persistently could create a stored XSS attack against themselves and any other users with access to the generated HTML from the field. This has been fixed in 1.0.466. For users of...
CVE-2020-5246
PUBLISHED: 2020-07-14
Traccar GPS Tracking System before version 4.9 has a LDAP injection vulnerability. It occurs when user input is being used in LDAP search filter. By providing specially crafted input, an attacker can modify the logic of the LDAP query and get admin privileges. The issue only impacts instances with L...
CVE-2019-12773
PUBLISHED: 2020-07-14
An issue was discovered in Verint Impact 360 15.1. At wfo/help/help_popup.jsp, the helpURL parameter can be changed to embed arbitrary content inside of an iFrame. Attackers may use this in conjunction with social engineering to embed malicious scripts or phishing pages on a site where this product ...
CVE-2019-12783
PUBLISHED: 2020-07-14
An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the rd parameter can accept a URL, to which users will be redirected after a successful login. In conjunction with CVE-2019-12784, this can be used by attackers to "crowdsource" bruteforce login attempts on the targe...
CVE-2019-12784
PUBLISHED: 2020-07-14
An issue was discovered in Verint Impact 360 15.1. At wfo/control/signin, the login form can accept submissions from external websites. In conjunction with CVE-2019-12783, this can be used by attackers to "crowdsource" bruteforce login attempts on the target site, allowing them to guess an...