Cyber Security: UK Int Panel warns against Huawei...

#2
Here's another story on it from a popular UK based IT news site.
Huawei savaged by Brit code review board over pisspoor dev practices
Long story short - no sign of Chinese back doors or other nefarious activity, but plenty of evidence of shit software and poor working practices. You could probably say the same about most of the rest of the industry.

Here's a summary by a third party security expert contacted by the reporter. His conclusion is that the UK government has been presented with an "interesting dilemma" - finding problems with buggy software from one vendor is all very well, but there is no assurance that products from competing vendors are any better. Given the history of security related bugs from other major vendors, it is probably safe to say that they're all equally as bad in that respect.
Commenting on the NCSC's vital conclusion that none of these cockups were the fault of the Chinese state’s intelligence-gathering organs, Rob Pritchard of the Cyber Security Expert told The Register: "I think this presents the UK government with an interesting dilemma - the HCSEC was set up essentially because of concerns about threats from the Chinese state to UK CNI (critical national infrastructure). Finding general issues is a good thing, but other vendors are not subject to this level of scrutiny. We have no real (at least not this in depth) assurance that products from rival vendors are more secure."
Huawei has promised to up their game and improve their software.
"A high-level plan for the [software development transformation] programme has been developed and we will continue to work with UK operators and the NCSC during its implementation to meet the requirements created as cloud, digitization, and software-defined everything become more prevalent."
 
#3
The following blog gives some background to the introduction of Huawei kit by BT and of oversight over said kit, leading up to more recent concerns.

Security, complexity and Huawei; protecting the UK's telecoms networks
With 5G set to transform mobile services, Ian Levy explains how the UK has approached telecoms security, and what that means for the future.

NCSC

Other vendors have issues too, which can lead to potential exploitation by third parties.
 
#4
The government has been warned long ago, even when we get down to domestic appliances, you've had Chinese kettles with wifi sniffers let alone commercial telecoms and networking kit

Letting them near our critical infrastructure is just asking for trouble, irrespective of whether they've found any back doors yet.

I wouldn't want any Chinese kit used not just Huawei, play the long game we don't want to open ourselves up to cyber warfare just to save a few pennies now
 
#7
Further to my previous post, here's some examples of the sort of problems HCSEC are talking about.

In this example, they mention that the kit contained several different versions of the industry standard OpenSSL library. That is a library used to provide communications encryption.
In the first version of the software, there were 70 full copies of 4 different OpenSSL versions, ranging from 0.9.8 to 1.0.2k (including one from a vendor SDK) with partial copies of 14 versions, ranging from 0.9.7d to 1.0.2k, those partial copies numbering 304. Fragments of 10 versions, ranging from 0.9.6 to 1.0.2k, were also found across the codebase, with these normally being small sets of files that had been copied to import some particular functionality.
Ideally, you should always use the latest version and always have the same version across all your programs. In practice though this is rarely done for a variety of reasons revolving around not "fixing" stuff that isn't broken and what version different third party software vendors agree to support in their contracts. Huawei get marked down for poor style, but it's not necessarily a "bad" thing unless any of those copies have known security vulnerabilities which have not been patched. The main real problem with doing this is the difficulty for the vendor of keeping track of what they've used and comparing it to announcements by the OpenSSL developers of any security alerts.

Here's another example. They have used older "less safe" versions of library functions in place of newer "more safe" versions. What is meant by "safe" is there are more checks built into the software to look for programmer mistakes that could lead to bugs. One of the most common security problems is what are known as "buffer overflows", which the "safe" version is meant to help prevent.
Analysis of relevant source code worryingly identified a number pre-processor directives of the form "#define SAFE_LIBRARY_memcpy(dest, destMax, src, count) memcpy(dest, src, count)", which redefine a safe function to an unsafe one, effectively removing any benefit of the work done to remove the unsafe functions.
Using the older versions is commonly a result of re-using older software which doesn't support it. Typically this is done to support third party libraries that were written some years ago. This doesn't necessarily mean there is a problem, it just means that the programmer has to be more careful. The alternative may be to rewrite proven third party software, which presents the risk of introducing new bugs (security holes) of your own.

In this example Huawei is criticized for using an older version of an unnamed third party operating system. "Mainstream" support for that OS will end soon, but Huawei has bought extended support from the vendor.
Huawei's use of "an old and soon-to-be out of mainstream support version" of an unnamed real time operating system (RTOS) "supplied by a third party" was treated to some HCSEC criticism, even though Huawei bought extended support from the RTOS's vendor.
This is very common in the embedded field, and I would expect that many other vendors of similar kit are using the same OS.

HCSEC gives the OS itself some stick for not being that great, but again, it's probably in widespread use across the embedded hardware industry.
HCSEC said: "The underlying cyber security risks brought about by the single memory space, single user context security model remain," warning that Huawei has "no credible plan to reduce the risk in the UK of this real time operating system."
The most significant criticism that I can see though isn't one where you can point to a specific problem and say "this is bad". It has to do with the management and organisation and how well they follow what are considered to be software development best practices.
It also criticised Huawei's "configuration management improvements", pointing out that these haven't been "universally applied" across product and platform development groups.
This does line up well with criticisms that I have heard about Huawei over the years, which is that the kit seems reasonably sound, but the software is a bit crap. Again though, that is all too common in the IT industry.

As a security expert quoted in my previous post said, if this sort of thing worries you, then you need to be looking at every other vendor equally closely.
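
The macro pattern quoted in post #7, as an added example that is not part of the original post or of Huawei's code: a bounds-checked copy next to an alias that discards `destMax`, plus a rough review check for such directives. `checked_memcpy`, `ALIASED_memcpy`, `struct record`, `define_drops_param` and the sample input are hypothetical names and constructed data.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bounds-checked copy with the four-argument shape quoted from
 * the report. Returns 0 on success, -1 if the copy was refused. */
static int checked_memcpy(void *dest, size_t dest_max, const void *src, size_t count)
{
    if (dest == NULL || src == NULL || count > dest_max)
        return -1;                      /* fail closed: nothing is written */
    memcpy(dest, src, count);
    return 0;
}

/* Same pattern as the quoted directive: the "safe" name expands to plain
 * memcpy and the destMax argument is silently discarded. */
#define ALIASED_memcpy(dest, destMax, src, count) memcpy(dest, src, count)

/* Constructed record: an 8-byte field directly followed by a flag byte. */
struct record {
    char name[8];
    unsigned char privileged;
};

/* Constructed input, one byte longer than the name field. */
static const unsigned char oversized[9] = { 'A','A','A','A','A','A','A','A', 1 };

/* Copy via the aliased macro and return the flag afterwards. The destination
 * is the struct viewed as bytes, so the write stays inside r but passes name. */
static int flag_after_aliased_copy(void)
{
    struct record r;
    memset(&r, 0, sizeof r);
    ALIASED_memcpy((unsigned char *)&r, sizeof r.name, oversized, sizeof oversized);
    return r.privileged;
}

/* Same copy via the checked function; *rc receives its return code. */
static int flag_after_checked_copy(int *rc)
{
    struct record r;
    memset(&r, 0, sizeof r);
    *rc = checked_memcpy(r.name, sizeof r.name, oversized, sizeof oversized);
    return r.privileged;
}

/* Rough review heuristic (substring match only): does a one-line #define name
 * `param` in its parameter list but never use it in the replacement text? */
static int define_drops_param(const char *line, const char *param)
{
    const char *open = strchr(line, '(');
    const char *close = open ? strchr(open, ')') : NULL;
    const char *hit;
    if (strncmp(line, "#define", 7) != 0 || close == NULL)
        return 0;
    hit = strstr(open, param);
    if (hit == NULL || hit > close)
        return 0;                       /* not a parameter of this macro */
    return strstr(close + 1, param) == NULL;
}

int main(void)
{
    int rc = 0;
    int flag = flag_after_checked_copy(&rc);
    printf("aliased: privileged=%d\n", flag_after_aliased_copy());
    printf("checked: privileged=%d rc=%d\n", flag, rc);
    printf("drops destMax: %d\n", define_drops_param("#define S(d, destMax, s, n) memcpy(d, s, n)", "destMax"));
    return 0;
}
```

With the alias in place the call site still looks like the checked API, which is why the size argument has to be traced through the macro definition during review.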
 
#8
This is not meant to be a throw away comment, but in choice of comms and kit provider it is a choice of who you wish to make yourself most vulnerable to.
 
#9
Here's the actual HCSEC (GCHQ) report.
Huawei cyber security evaluation centre oversight board: annual report 2019

I've read over the report (I skipped the irrelevant management stuff). An overall summary is that there is no evidence of anything dodgy going on. The actual problems are related to poor management, poor quality control, and cowboy programmers. Think of it as being like the worst of what you hear about Windows or anything from Adobe.

Huawei have committed to spending several billion on upgrading their processes and instilling more professionalism, but HCSEC said that will be a major undertaking.

There is evidence of improvement, such as the following where they show a reduction in the number of problems in a newer software version. The initial version was referenced in one of my previous posts.
In the first version of the software, there were 70 full copies of 4 different OpenSSL versions, ranging from 0.9.8 to 1.0.2k (including one from a vendor SDK) with partial copies of 14 versions, ranging from 0.9.7d to 1.0.2k, those partial copies numbering 304.

(...) In the later version, there were only 6 copies of 2 different OpenSSL versions, with 5 being 1.0.2k and one fork from a vendor SDK. There remained 17 partial copies of 3 versions, ranging from 0.9.7d to 1.0.2k.
They are also working to deal with the problems presented by the third party OS which I also mentioned in a previous post. They are porting their software to Linux, whose more modern design mitigates some of the security concerns which HCSEC had about the older OS.
The first piece of work was around Huawei’s intent to move off the operating system that is soon-to-be out of mainline support to their own real time operating system, based on the open source Linux kernel.
However, porting the software to Linux presents risks due to the software having been originally designed for a different OS, and there is also the risk that older kit may not be upgradable enough to support the new OS.
There are integration risks with the existing application code being ported to a more modern operating system memory and security model. This gives rise to a cross-operator risk which needs careful attention to remediate, especially as new hardware may be required in some cases. Work needs to be done to weigh the known risks of a dated operating system with the risks of a change to a different operating system and all that entails.
Much of the rest of the report is like this. Huawei are trying to improve their internal processes and bring more professionalism to their staff, but they have a long way to go before they can be considered a standard of excellency.

Unfortunately, much of the rest of the software industry are no better.
 
#11
Are Nokia, Ericsson and Cisco presenting their source code to HCSEC for inspection?
Assuming that your question is not rhetorical, then no, just Huawei. Huawei provide telecoms kit to something like 45 out of the world's top 50 operators. A lot of operators though use a mixture of kit from different suppliers to perform different functions.

Some years ago Ericsson had a reputation for advanced software technology at the R&D level, but I don't know how well that translated into the sort of good organised working practices down in the trenches that HCSEC are concerned with here.

Cisco is the one vendor we know for sure has kit that has come with deliberate backdoors, courtesy of the NSA, as was widely reported in the press several years ago. Their kit has also been a shit show of run of the mill bugs and security holes.

The biggest known issue in telecoms at this time is actually one that not many in the industry want to talk about despite it being known for more than a decade. Signaling System 7 (SS7) is the control protocol used by telecom systems around the world. It has massive security holes built into the protocol definition, which are basically unfixable and are being actively exploited by the bad guys.
Statement on continuing coverage related to SS7 | Communications Security Establishment
SS7 vulnerabilities and attack exposure report, 2018 - Membership
Hackers only needed a phone number to track this MP's cellphone | CBC News
This report reveals the results of SS7 security analysis. Today the signaling network is not isolated, and this allows an intruder to exploit its flaws and intercept calls and SMSs, bypass billing, steal money from mobile accounts, or affect mobile network operability.
Newer 4G (LTE) protocols carry the same vulnerabilities forward.
Newer Diameter Telephony Protocol Just As Vulnerable As SS7
Security researchers say the Diameter protocol used with today's 4G (LTE) telephony and data transfer standard is vulnerable to the same types of vulnerabilities as the older SS7 standard used with older telephony standards such as 3G, 2G, and earlier.
Oddly enough, there doesn't seem to be the same degree of panic about this from the same people who huff and puff about Huawei. Some people think that the GCHQ/NSA type organisations happen to like having those holes and don't want them closed. I couldn't offer an opinion on that however.
 
#12
@terminal

Cisco routers have eye watering issues! Whether that is due to ubiquity or other issues, I wouldn't know.
 
#13
Assuming that your question is not rhetorical, then no, just Huawei. Huawei provide telecoms kit to something like 45 out of the world's top 50 operators. A lot of operators though use a mixture of kit from different suppliers to perform different functions.

Some years ago Ericsson had a reputation for advanced software technology at the R&D level, but I don't know how well that translated into the sort of good organised working practices down in the trenches that HCSEC are concerned with here.

Cisco is the one vendor we know for sure has kit that has come with deliberate backdoors, courtesy of the NSA, as was widely reported in the press several years ago. Their kit has also been a shit show of run of the mill bugs and security holes.

The biggest known issue in telecoms at this time is actually one that not many in the industry want to talk about despite it being known for more than a decade. Signaling System 7 (SS7) is the control protocol used by telecom systems around the world. It has massive security holes built into the protocol definition, which are basically unfixable and are being actively exploited by the bad guys.
Statement on continuing coverage related to SS7 | Communications Security Establishment
SS7 vulnerabilities and attack exposure report, 2018 - Membership
Hackers only needed a phone number to track this MP's cellphone | CBC News


Newer 4G (LTE) protocols carry the same vulnerabilities forward.
Newer Diameter Telephony Protocol Just As Vulnerable As SS7


Oddly enough, there doesn't seem to be the same degree of panic about this from the same people who huff and puff about Huawei. Some people think that the GCHQ/NSA type organisations happen to like having those holes and don't want them closed. I couldn't offer an opinion on that however.
I recall a warning about 6 years ago that a significant percentage of Cisco routers were Chinese counterfeit devices with all sorts of iffy back doors.
 
#14
Here's another story on it from a popular UK based IT news site.
Huawei savaged by Brit code review board over pisspoor dev practices
Long story short - no sign of Chinese back doors or other nefarious activity, but plenty of evidence of shit software and poor working practices. You could probably say the same about most of the rest of the industry.

Here's a summary by a third party security expert contacted by the reporter. His conclusion is that the UK government has been presented with an "interesting dilemma" - finding problems with buggy software from one vendor is all very well, but there is no assurance that products from competing vendors are any better. Given the history of security related bugs from other major vendors, it is probably safe to say that they're all equally as bad in that respect.


Huawei has promised to up their game and improve their software.
More Huawei software and hardware on the Asian market that does not work, as opposed to that which performs as promised.

Buy cheap, buy twice, as the saying goes.
 
#15
Assuming that your question is not rhetorical, then no, just Huawei. Huawei provide telecoms kit to something like 45 out of the world's top 50 operators. A lot of operators though use a mixture of kit from different suppliers to perform different functions.

Some years ago Ericsson had a reputation for advanced software technology at the R&D level, but I don't know how well that translated into the sort of good organised working practices down in the trenches that HCSEC are concerned with here.

Cisco is the one vendor we know for sure has kit that has come with deliberate backdoors, courtesy of the NSA, as was widely reported in the press several years ago. Their kit has also been a shit show of run of the mill bugs and security holes.

The biggest known issue in telecoms at this time is actually one that not many in the industry want to talk about despite it being known for more than a decade. Signaling System 7 (SS7) is the control protocol used by telecom systems around the world. It has massive security holes built into the protocol definition, which are basically unfixable and are being actively exploited by the bad guys.
Statement on continuing coverage related to SS7 | Communications Security Establishment
SS7 vulnerabilities and attack exposure report, 2018 - Membership
Hackers only needed a phone number to track this MP's cellphone | CBC News


Newer 4G (LTE) protocols carry the same vulnerabilities forward.
Newer Diameter Telephony Protocol Just As Vulnerable As SS7


Oddly enough, there doesn't seem to be the same degree of panic about this from the same people who huff and puff about Huawei. Some people think that the GCHQ/NSA type organisations happen to like having those holes and don't want them closed. I couldn't offer an opinion on that however.
The rot in SS7 stems from the introduction of IP to SS7 signaling gateways, a good 15-20 years ago.

Prior to those things, you needed a big-iron switch to generate SS7 traffic, and the companies that made them were the likes of Ericsson, GEC-Plessey, Nortel, Siemens, Lucent etc. Not the kind of organizations that were open to dodgy dealings in their codebase.

But then you got companies like Dialogic, which made single cards with a couple E1/T1 interfaces on them, and the ability to generate and monitor SS7 signaling. Once you can do that, you can inject whatever you like into the network with little more than a PC and an add-in card for a couple grand. Still need an E1/T1 or optical connection to the network however.

Enter SIGTRAN. Transport of SS7 datagrams in IP packets. Hmm. Now you've got SS7 signaling packets traversing the internet. It uses SCTP rather than TCP or UDP, but if you can generate the SCTP transport wrapper, you're off to the races. Things like this don't make it any easier to defend against: Open Sigtran - Open Source SCTP and M3UA modules

Some of the SS7 functions that would have used TCAP (an SS7 component) to transfer user data like SMS and billing data in the past have been migrated to purely IP-based systems, but that's not really much help, because they're even easier to spoof.

I agree that this shit's been known about for years. And there's really not much to be done about it now, without breaking everything. Control access to the network is about all you can do. But if you're say Vodafone UK and you do a bang-up job of doing exactly that, you're no better off, because Gupta is undermining your efforts in India*, and without cutting India off, you're fcuked. *Other countries available.
 
#16
A company that shall remain nameless put this stuff into their data centre and connected it to the police national computer. It was live for a short period of time before it was unceremoniously removed and put in skips. That’s about 7 years ago.
 
#17
@terminal

Cisco routers have eye watering issues! Whether that is due to ubiquity or other issues, I wouldn't know.
Cisco's problems come from several sources. One is the same sort of problems that HCSEC outlined with Huawei, which as I said are ubiquitous in the software industry to varying degrees. You could argue that Cisco are somewhat better, but that doesn't mean they are great. They also have a long legacy of software which was built to lesser standards but which will never get replaced for the foreseeable future due to economic reasons.

Another is they buy up other smaller companies to add those product lines to their own, and many of those companies have truly crappy software. This kit continues to get sold while the original developers have long left and there is no one really looking after it or even looking into it in the first place. A lot of the routine back doors (as opposed to the known NSA ones) that have been found in Cisco kit are blamed on product lines that came as part of corporate acquisitions.

Ironically, a lot of embedded software used by Western companies gets developed by outsource contractors in China and Russia. Nobody seems to be raising a panic over that however.

There seem to be several general problems in the embedded software field. One is the business attitude of shipping a physical product, where once the physical kit has gone out the door it's no longer seen as being the manufacturer's problem. Firmware is looked at as being just another bill of material item, rather than as something that has to be maintained. The result is to outsource it to the lowest bidder in a low wage country and then "ship it and forget it". Very often the manufacturer has lost the software source code but doesn't care because they have no intention of maintaining it anyway.

Another problem is there are many programmers in the embedded field who think that being "embedded system programmers" means that they are an elite to whom the rules simply don't apply. The end result is an even worse cowboy attitude than you see with people who work in the social media tech field.

There are also what I suspect are systemic problems in the Chinese software industry. It would take longer to explain this than I am prepared to spend on this post at this time, but I think that they have much less exposure to the latest systematic development practices and are more focused on "ship it and forget it". They also likely have fewer old hands who have seen multiple projects through from beginning to end and have the experience to set up their processes correctly and make sure that people use them.

I'm not sure how much senior management at Huawei realise that having HCSEC tell them what they are doing wrong is doing them a massive benefit, and not just in terms of mollifying customers. Properly dealing with the issues that HCSEC has raised in this report will make Huawei a much better run company who will put out better products and make them more successful in the end.
 
#20
Cisco's problems come from several sources. One is the same sort of problems that HCSEC outlined with Huawei, which as I said are ubiquitous in the software industry to varying degrees. You could argue that Cisco are somewhat better, but that doesn't mean they are great. They also have a long legacy of software which was built to lesser standards but which will never get replaced for the foreseeable future due to economic reasons.

Another is they buy up other smaller companies to add those product lines to their own, and many of those companies have truly crappy software.
Cisco bought their way into the home router market by acquiring Linksys in 2003.
 
