Cyber Security: UK Int Panel warns against Huawei...

#42
Consider this. You're a major manufacturer of mobile phones (not Huawei) based outside the USA which is basically all of them.

You've just seen Google pull the rug out from under Huawei.

Might you not start to consider protecting yourself from similar interference from Google by developing your own ecosystem just in case Uncle Donald takes a dislike to you too?

I suspect this latest move may have unintended consequences for Google.

SailfishOS - Sailfish OS
There are industry rumours that Huawei's OS is in fact Sailfish, although nothing is officially confirmed. However, in 2017 Jolla (the company behind Sailfish) announced that they had a deal with a Chinese consortium who have committed $250 million to building up the Sailfish ecosystem in China. It's not known who is in the consortium, but Jolla claim there are very big players involved. Chinese investors were involved in Jolla from the early days. However, keep in mind that there is so far no official confirmation that Huawei is involved.
https://jolla.com/wp-content/uploads/2017/02/China_announcement_MWC2017_FINAL.pdf?x39789&x12599

For those not familiar with it, Sailfish OS is a smart phone operating system that is descended from Nokia's Meego. Meego was a highly regarded Linux based phone OS (Android by the way is also Linux based) that was selling quite well and was to be Nokia's smart phone OS to replace Symbian. However, at around this time Nokia had already come to the conclusion that they wanted out of the phone handset business due to the increasing competition and the difficulties in transitioning sales from Symbian and System 60 to a new platform.

So they sold that end of the business to Microsoft, who saw their future as being one of the dominant smart phone players and needed hardware to run it on. They killed off all Nokia phone options other than Windows, including Meego. Some of you may remember that Windows 8 for PCs was brought out to look like the Windows phone UI in order to have the two cross-promote each other.

The original Nokia are still in existence and focus on mobile phone infrastructure. They are one of the three main players in the 5G business.

To the surprise of few, Microsoft proceeded to power dive their newly acquired Nokia phone handset business into the ground, leaving nothing but a smoking crater. This together with Blackberry also exiting from the handset market (they concentrate on management software and security today) opened holes in the market which Android filled to achieve the same degree of almost total dominance on phones which Microsoft Windows has on the desktop.

This in turn left the independent phone manufacturers feeling rather unhappy, as they didn't like the idea of Google having the same sort of grip on their nads which Microsoft does with PC makers. Some of them started making their Plan 'B', just in case. The best known of those is Samsung, who came up with Tizen, another Linux based phone OS. The recent direction by Google to make more and more of Android proprietary instead of open source has made phone manufacturers increasingly uncomfortable.

Huawei also started their own Plan 'B', but kept it fairly low profile and we don't know anything about it other than Huawei did confirm a while ago that it was ready to use. Huawei were holding back on deploying it though, as they were doing very well selling Android phones and didn't want to provoke a split with Google. One interesting thing we do know though is that one of Huawei's main phone OS R&D centres is in Finland and includes a number of former Nokia employees.

When Microsoft bought Nokia's handset business and killed Meego, a group of Nokia employees in Finland bailed out and took the open source bits of Meego and turned it into what became known as Sailfish OS. They have been getting continual funding from somewhere, but from whom isn't clear. From the early days they placed a lot of emphasis on the Chinese market.

Sailfish is Linux based, like Android is, and will run Android apps. That means that developers who want to make apps for Sailfish should be able to port their Android versions over fairly readily. That won't connect a Sailfish phone with the Google Play app store, but it does mean that apps for Sailfish don't have to be written from scratch, and the main issue will be getting enough critical mass in a Sailfish app store to make it attractive for both buyers and developers.

To go back to whether Huawei's phone OS is Sailfish, or a de-Googlized Android, or something else, there is no hard evidence yet. However, some have drawn connections between Huawei being known to have a confidential Plan 'B', their also having one of their phone software development centres in Finland using ex-Nokia employees, and Jolla (Sailfish) also being in Finland and composed of ex-Nokia employees and deciding that Huawei's phone OS is actually Sailfish.

Personally I would have placed a higher likelihood of it actually being just a de-Googlized Android, but we shall have to wait to see how this turns out.
 

Sarastro
#44
This is not meant to be a throw away comment, but in choice of comms and kit provider it is a choice of who you wish to make yourself most vulnerable to.
This is really the crux. "Backdoors" and the like have always been a Hollywood distraction. The real, and most difficult to manage, threats are exactly the ones described in this report. Enumeration: understanding exactly what vulnerabilities exist for any implementation of software or kit provides all the adequate vectors needed to execute attacks. So the real issue is: who understands what those vulnerabilities are?

If I were a cyber department in any intelligence service, I would never engineer a vulnerability while I could, instead, simply take advantage of vulnerabilities that already exist. The former puts my fingerprints all over it. The latter is inherently unattributed. Even better, they are perfectly explicable as "bad coding practice". All I need to do the latter is to perform or get access to an internal vulnerability assessment, or hire and lean on previous employees who know what they are. That's the risk that using Huawei incurs. We, the UK, have insisted that our SIGINT agency have access to conduct such a vulnerability assessment on UK-deployed kit, and they have agreed. What is the likelihood that if the Chinese government demands the same, they will say no? Not high. If we can work this stuff out, it is reasonable to assume that the Chinese have as well.

This definitely applies to other companies. But it's a lot harder for the Chinese state to lean on, re-employ, or otherwise compel non-Chinese companies and citizens to get that information. It's that simple.

It's not whether you believe trout as a species is edible, but whether you trust the river you caught it from is clean.
 
#45
This is really the crux. "Backdoors" and the like have always been a Hollywood distraction.
That's a shame, another qualification wasted.

[image: Back Doors.jpg]


Sorry feeling childish today.

But your point about off the shelf vulnerability is essential.

Why use signature kit or engineered vulnerability, when there is so much already about that can be deployed with at least semi-plausible deniability?
 
#46
Companies starting to get cold feet, and assisting POTUS with his trade war with China.

'British and Japanese mobile phone companies say they're putting on hold plans to sell new devices from Huawei, in the latest fall-out from US tech restrictions aimed at the Chinese company. Britain's EE and Vodafone and Japan's KDDI and Y! Mobile said they are pausing the launch of Huawei smartphones, including some that can be used on next generation mobile networks, amid uncertainty about devices from the world's No. 2 smartphone maker.'

Huawei 5G phone launches suspended
 
#47
Companies starting to get cold feet, and assisting POTUS with his trade war with China.

'British and Japanese mobile phone companies say they're putting on hold plans to sell new devices from Huawei, in the latest fall-out from US tech restrictions aimed at the Chinese company. Britain's EE and Vodafone and Japan's KDDI and Y! Mobile said they are pausing the launch of Huawei smartphones, including some that can be used on next generation mobile networks, amid uncertainty about devices from the world's No. 2 smartphone maker.'

Huawei 5G phone launches suspended
It has only just begun.
 
#48
This is really the crux. "Backdoors" and the like have always been a Hollywood distraction. The real, and most difficult to manage, threats are exactly the ones described in this report. Enumeration: understanding exactly what vulnerabilities exist for any implementation of software or kit provides all the adequate vectors needed to execute attacks. So the real issue is: who understands what those vulnerabilities are?

If I were a cyber department in any intelligence service, I would never engineer a vulnerability while I could, instead, simply take advantage of vulnerabilities that already exist. The former puts my fingerprints all over it. The latter is inherently unattributed. Even better, they are perfectly explicable as "bad coding practice". All I need to do the latter is to perform or get access to an internal vulnerability assessment, or hire and lean on previous employees who know what they are. That's the risk that using Huawei incurs. We, the UK, have insisted that our SIGINT agency have access to conduct such a vulnerability assessment on UK-deployed kit, and they have agreed. What is the likelihood that if the Chinese government demands the same, they will say no? Not high. If we can work this stuff out, it is reasonable to assume that the Chinese have as well.

This definitely applies to other companies. But it's a lot harder for the Chinese state to lean on, re-employ, or otherwise compel non-Chinese companies and citizens to get that information. It's that simple.

It's not whether you believe trout as a species is edible, but whether you trust the river you caught it from is clean.
Western intelligence operations use a variety of methods to hack into systems, but using existing "normal" bugs is probably the most common one. There is a thriving market in IT exploits found by security researchers, and western security agencies are known to be buyers of them.

As for using vulnerabilities known to the company though, that is a poor plan except for the worst managed ones (e.g. Oracle, Microsoft, Adobe). For most companies known problems get fixed. Problems in open source projects always get fixed unless someone seriously drops the ball.

What the Americans have done in the past though is something far more clever. They use their position of influence to get non-obvious back doors specified in an official standard and then issue regulations requiring that companies doing business with the US must implement it, with a few strategic bribes to ease things along. They did this for example with a widely used encryption standard. Non-government connected security experts involved in the standards process who smelled a rat were dismissed as tin foil hat wearers until it eventually leaked out that they were right after all.

There is also a widespread belief that there may be an American back door in the hardware random number generators (RNG) built into common CPUs, which is an interesting twist on the subject. Modern security relies heavily upon random numbers, and unlike software, hardware is not easily audited. Most of the CPUs used in servers which hold interesting information are made by a very small handful of American companies, with one (Intel) accounting for the bulk of them. The number of people involved in designing these RNGs would be very, very small, and it would not be difficult for the American government to require them to cooperate and to issue a gag order requiring them not to talk about it. An RNG which actually produced "random" numbers in a non-obvious but predictable pattern, or which were just "weaker" random numbers would make most security systems crackable for a state level actor, and the Americans are by far the biggest state level actor in this realm.

This is why nobody trusts the hardware RNGs built into CPUs despite the potential usefulness of them. Instead they use software derived random numbers with entropy (randomness) being obtained from the timing of various random hardware events (e.g. movements of your mouse), and then throw the CPU RNG in on top. It isn't relied upon, but it is thought that it won't make things worse when used in this way.

Unfortunately, one type of cyber attack involves doing things which exhaust the pool of entropy, that is, to use up the supply of random numbers faster than they could be replenished. The CPU RNG would be a solution to this, but as mentioned before, nobody trusts it to not have an American back door in it due to their record on embedding back doors into security standards (see above). The end result is that one of the known systemic security weaknesses cannot be fixed because of the concern about the possible existence of a backdoor.

And it gets worse. The thing that currently has most worried the sort of people who worry about genuine security (as opposed to the people who are more interested in breaking security) is Intel Management Engine (IME). This is a whole operating system and software stack that is built into the motherboard firmware and runs at a level below the operating system and is used to remotely access and manage IT systems. It has complete access to all the resources in a computer and can operate on a plane that is invisible to what most people think of as the operating system (e.g. Windows). It can even run if the computer is turned "off", so long as the device is plugged in as it runs on its own dedicated CPU.

The whole thing is so secretive that the author of the operating system they used (Minix) didn't know about their use of his software until he read about it in the press when the inevitable security problems were found - by Russian security researchers by the way. He doesn't mind Intel using his operating system, but he (Andrew S. Tanenbaum, who is very well known and respected in the operating system world) thinks the whole IME idea is a shit idea from a security perspective. Some other CPU vendors have their own equivalent. Multiple vulnerabilities have been found in IME. I don't believe any were found in MINIX itself, but rather on Intel's own software which runs on top of it.
https://www.cs.vu.nl/~ast/intel/

People were concerned enough about IME containing American back doors when the Russian security researchers mentioned above discovered the existence of a special software switch in IME that has links to the NSA. This is an undocumented feature that is apparently intended to be used by the US government for their own secure computers to turn IME off and so far as we know was not offered to anyone else by Intel.
Positive Technologies - learn and secure : Disabling Intel ME 11 via undocumented mode

Of course the best thing about state level back doors is that given how leaky state security apparatuses tend to be, whatever back doors the NSA puts in may be also known to the Russians, Chinese, Israelis, and others. And this leaves aside the problem of just how much of the engineering, software development, and manufacturing of nominally "western" companies has been outsourced to cheaper parts of the world, and how much software development has come to rely upon short term contractors from low wage countries. Relying on particular vendors to be "trustworthy" in this environment simply ignores the present day realities of international business and how much the world has changed in the past 100 years.

All of this has many people convinced that there can be no genuine security in IT and communications systems except through the use of systems that were developed completely in the open, all the way from open and transparent standards processes through hardware, firmware, operating systems, and application programs. There has been great progress made along these lines in many applications. The major road block to realising it in the area of security is that genuine security doesn't suit the agenda of certain companies and governments who happen to find the lack of real security to be convenient for their bottom lines and intelligence apparatus respectively.
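The two ideas in the post above about random numbers (mix the CPU RNG in "on top" without relying on it, and a pool whose credited entropy can be exhausted) written out as an added Python example. This is not code from the thread or from any real operating system; the hash-based mixer, the `EntropyPool` class and the `PredictableHwRng` stand-in for a backdoored hardware generator are constructed here purely for illustration.

```python
import hashlib
import random


def length_prefixed(*parts: bytes) -> bytes:
    """Encode parts unambiguously so (a, b) and (a', b') never collide as a byte string."""
    out = b""
    for p in parts:
        out += len(p).to_bytes(4, "big") + p
    return out


def hash_mix(a: bytes, b: bytes) -> bytes:
    """Combine two inputs through SHA-256. Predicting the output needs knowledge
    of *both* inputs, so a predictable b cannot undo an unpredictable a."""
    return hashlib.sha256(length_prefixed(a, b)).digest()


def xor_mix(a: bytes, b: bytes) -> bytes:
    """Naive alternative: bytewise XOR of equal-length inputs."""
    if len(a) != len(b):
        raise ValueError("xor_mix needs equal-length inputs")
    return bytes(x ^ y for x, y in zip(a, b))


class PredictableHwRng:
    """Constructed stand-in for a hardware RNG whose output only looks random:
    a seeded PRNG, so anyone holding the seed can reproduce every byte."""

    def __init__(self, seed: int = 1234) -> None:
        self._prng = random.Random(seed)

    def read(self, n: int) -> bytes:
        return bytes(self._prng.getrandbits(8) for _ in range(n))


class EntropyPool:
    """Minimal pool (assumed design, not a real kernel's): every input is hashed
    into the state, but only inputs from trusted sources (hardware event timing,
    in the post's terms) raise the entropy credit that extract() may spend."""

    def __init__(self) -> None:
        self.state = bytes(32)
        self.credited_bits = 0

    def add_trusted(self, sample: bytes, estimated_bits: int) -> None:
        self.state = hash_mix(self.state, sample)
        self.credited_bits += estimated_bits

    def add_untrusted(self, sample: bytes) -> None:
        # Mixed in "on top", as the post describes, but credited with zero bits:
        # it can only help, it is never relied upon.
        self.state = hash_mix(self.state, sample)

    def extract(self, bits_needed: int) -> bytes:
        if self.credited_bits < bits_needed:
            raise RuntimeError("entropy pool exhausted")
        self.credited_bits -= bits_needed
        output = hashlib.sha256(b"output|" + self.state).digest()
        # Ratchet the state forward so a later compromise cannot recover this output.
        self.state = hashlib.sha256(b"ratchet|" + self.state).digest()
        return output


def seeds_with_predictable_hw(trusted_samples):
    """Mix each trusted sample with bytes from the predictable RNG.
    Distinct trusted samples still yield distinct seeds."""
    hw = PredictableHwRng()
    return [hash_mix(t, hw.read(32)) for t in trusted_samples]


def adaptive_source_forces_output(mixer, trusted: bytes, target: bytes) -> bool:
    """Model a malicious source that sees the trusted input before answering and
    picks its contribution as trusted XOR target. Returns True if the mixer then
    emits exactly the attacker's chosen target."""
    chosen = xor_mix(trusted, target)
    return mixer(trusted, chosen) == target


if __name__ == "__main__":
    samples = [bytes([i]) * 32 for i in range(8)]  # constructed trusted samples
    print(len(set(seeds_with_predictable_hw(samples))), "distinct seeds from 8 samples")
    t = bytes(range(32))
    print("XOR output forced by adaptive source:", adaptive_source_forces_output(xor_mix, t, bytes(32)))
    print("hash output forced by adaptive source:", adaptive_source_forces_output(hash_mix, t, bytes(32)))
    pool = EntropyPool()
    pool.add_untrusted(PredictableHwRng().read(64))
    print("credited bits after untrusted input only:", pool.credited_bits)
```

Two design choices carry the post's argument. The untrusted source is folded in with a hash rather than a plain XOR: with XOR, a source that could observe the other input before answering could cancel it and dictate the result, whereas with a hash it would need a preimage. And the untrusted source is credited with zero entropy, which is what "not relied upon" means in code: its bytes go into the state, but they cannot satisfy a request from an exhausted pool, so the exhaustion problem the post describes remains exactly as the post says.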
 
#49
And it appears that someone has had their ARM twisted by the Americans. Huawei faces break with UK chip giant ARM
UK chip designer ARM have told their staff to stop working with Huawei. ARM designs the chips used in virtually all smart phones and tablets, and are widely used in all sorts of other applications. ARM are by far the most widely used CPUs these days.

Apparently the problem is that at least some of their designs use at least some licensed US IP. It is not clear just what the problem is, or whether it affects all ARM chips. This however forces ARM to stop doing business with Huawei or else face the wrath of the White House.
ARM instructed employees to halt "all active contracts, support entitlements, and any pending engagements” with Huawei and its subsidiaries to comply with a recent US trade clampdown.
ARM's designs form the basis of most mobile device processors worldwide.
In a company memo, it said its designs contained “US origin technology”.
As a consequence, it believes it is affected by the Trump administration's ban.
ARM do not manufacture the chips themselves. Instead what they do is licence the core design to other companies who then do design customisation and manufacturing themselves. Huawei naturally are a major user of ARM chip designs.

I have not seen anything which suggests that Huawei will not simply continue manufacturing ARM chips for use in their hardware, as they have a license to the designs.

Both ARM and Huawei have issued statements that appear to say that they don't blame each other for the current problem.
 
#50
And now the next US target has appeared. The US are reportedly going to ban US companies from doing business with Chinese security camera company Hikvision, the world's largest maker of video security systems.
The US is reportedly considering blacklisting Chinese surveillance tech firm Hikvision
The U.S. administration is considering limits to Chinese video surveillance firm Hikvision’s ability to buy U.S. technology, the New York Times reported on Tuesday, in a move that deepens worries about trade frictions between the world’s two top economies.
I would not be surprised to see even more companies added to the US blacklist, as US trade negotiations with China have not been going well recently.
 
#51
And the launch of 5G service in the UK has begun, with EE announcing they will switch on beginning on the 30th of May. EE use Huawei 5G kit in their network infrastructure.
EE keeps Huawei in first British 5G network, but halts handsets
Britain’s biggest mobile operator EE said on Wednesday its 5G network would rely on equipment made by China’s Huawei, at least for the first few years, as it announced plans to switch on the next-generation services on May 30.
Various sources are saying that Huawei smartphones may not go on sale however, as there are questions about getting software updates from Google.
 
#52
On Wednesday president Xi Jinping said that the Chinese people must be prepared for a long economic struggle with the US, comparing it to a new "Long March".
www.cbc.ca/news/business/chinese-president-xi-jinping-1.5145077?cmp=rss
"Today, on the new Long March, we must overcome various major risks and challenges from home and abroad and win new victories for socialism with Chinese characteristics," state news agency Xinhua paraphrased Xi as saying.

"Our country is still in a period of important strategic opportunities for development, but the international situation is increasingly complicated," he added.

"We must be conscious of the long-term and complex nature of various unfavourable factors at home and abroad, and appropriately prepare for various difficult situations."
He also emphasised the importance of having indigenous technology and IP. It appears that the recent US blacklisting of Chinese companies has if anything driven home to the Chinese the importance of not being dependent upon the US for any critical technology.
Xi also talked about the importance of technology, and "emphasized that technology innovation is the lifeblood of companies."

"Only by having indigenous intellectual property and core technology can products possessing core competitiveness be produced, and only then can an invincible position be attained amid fierce competition."
I would not be surprised if other up and coming economic powers were to come to similar conclusions in future.
 
#54
And the people who will suffer will be you and me - caught in the flak of another trade/cold war.
Well I think much of America is willing to endure Economic Patriotism at this point. It will not be popular but China has the majority of the country and congress against it.

The rest of the world will just be passengers on a rough ride.
 
#55
Well I think much of America is willing to endure Economic Patriotism at this point. It will not be popular but China has the majority of the country and congress against it.

The rest of the world will just be passengers on a rough ride.
You two go on and bash each other over the head while the rest of the world routes itself around you.
 
#57
According to UK IT news sources, the US trade blacklist may be extended to cover even more Chinese video security companies, including Hangzhou Hikvision Digital Technology Co., Megvii, Meiya Pico, Iflytek and Zhejiang Dahua Technology Co.
No Huawei out: Prez Trump's game of chicken with China has serious consequences
And ripples of the Trump administration's trade tussle with China extend beyond Huawei. Reports indicate that US authorities may blacklist five Chinese video surveillance technology firms alongside Huawei: Hangzhou Hikvision Digital Technology Co., Megvii, Meiya Pico, Iflytek and Zhejiang Dahua Technology Co.
The news story doesn't find claims that the US is motivated by human rights concerns as very plausible, given the muted US response to the murder of Jamal Khashoggi by Saudi Arabia. Instead they see it as being motivated by trade interests.
It's been suggested that the Trump administration is concerned about the role these companies play in helping China monitor and control its Uighur minority, though the administration's response to the death of journalist Jamal Khashoggi at the hands of Saudi operatives suggests trade interests matter more than human rights.
The story quotes an analyst as saying that one of the potential outcomes of current US policy would be for the US to "continue to pull up the drawbridge and sever its economic ties with China". This could see the world split into US and Chinese spheres of interest.
Kennedy said there are a wide range of possible outcomes. "At the extreme, the US could continue to pull up the drawbridge and sever its economic ties with China along high-tech lines. We would see the world split into Chinese and non-Chinese tech hemispheres."
He feels the best outcome would be for the US and China to come to some sort of trade deal. It's not clear how this outcome differs from the other except in being a negotiated one.
The best outcome, he said, is a truce involving a broad trade deal that lays clear rules for two countries moving forward and promotes ongoing dialogue.
Another analyst sees the Trump government as trying to pull as much of the US trade supply chain back within the US. He doesn't think they could succeed completely, but they may be able to do so to a surprising degree.
Weber, with UC Berkeley, said while it's difficult to believe the global supply chain that developed over the past thirty years might break, the Trump administration appears to be committed to undoing it.

"It's a determined effort to pull as much of that supply chain back inside the US border as they possibly can," he said. "They won't succeed 100 per cent but we might surprise ourselves."
However, while he feels the US may have the upper hand in the short run, in the long run the advantage may shift to China due to its size and resources. As an example, American companies such as Apple would be vulnerable if they were shut out of the Chinese market.
There are risks to both America and China in this standoff. While Weber believes the US has the upper hand in the short term, he contends China, if it can navigate the internal political risks of disruption, has the long term advantage because of its size and resources. China, he said, could shut Apple out of the Chinese market and that would hit the US stock market hard.
He sees supply chains becoming increasingly "nationalised", by which he appears to mean that the state becomes increasingly involved in the conduct of business and trade in order to direct activity along lines that the state sees as being in the national interest. He said that a year and a half ago (by which he apparently means before Trump was in effective control of the US and enforcing policy) this would have been unthinkable, but that this may now be current reality.
"One of our scenarios was called Barlow's Revenge which was a story about nationalized supply chains," he said. "A year and a half ago, in theory that could happen, but the world was too interconnected to imagine that. Now people are saying we're actually already living in that world."
This is not a scenario which the free market advocates of Silicon Valley will be happy with as the foundations of trade and investment over the past 40 years are overturned.
That's not a scenario likely to appeal to Silicon Valley's free trade contingent. As described on one of the presentation slides, a lot will be lost: "The delicate balance of regulation and innovation in which the digital world thrived for the last 40 years is hollowed out."
The second analyst goes on to say that he hopes that a short term "fix" will be worked out between the US and China. He thinks it likely this will happen this summer before the 2020 election cycle starts in the US. However, over the long run he still sees trade becoming "nationalised" as the state takes greater control of business decisions in the US.
Weber expressed optimism that a short term fix will be worked out – that's happened before when ZTE was briefly banned. "My gut tells me that will happen sometime this summer before the 2020 election heats up in the US," he said. "But I don't think the fight will suddenly go away. It will be toned down but I think five years from now we will see significantly greater nationalized supply chains."
Something not addressed in the news article is how other countries would in turn react to these developments. Will they be divided into spheres of influence by Washington and Beijing, or will the larger ones try to carve out their own spaces and "nationalised supply chains"? We have already seen the US applying pressure on nominal allies to fall into line behind the new US trade policy.

There is already a word for "nationalised supply chain" by the way - autarky, so we may as well use it.

Should the world indeed go down the path of autarky, then mid sized powers who are not part of some larger trade bloc in which they have influence, and who wish to maintain independence, may need to take strenuous efforts to carve out their own spheres of influence in the world while they still can. That is something that certain countries may wish to keep in mind as they contemplate their futures today.
 
#58
The following article is mainly about the current US-China trade war, but there is a minor tit-bit in there which has relevance to this thread.
www.cbc.ca/news/business/china-trade-war-1.5146440?cmp=rss

At the end of last week Trump said that Huawei's problems with the US could all go away if the US gets a good enough trade deal with China. As the news story notes, the "national security threat" could be just a US bargaining chip.
"It's possible that Huawei even would be included in some kind of trade deal," said the U.S. president at the end of last week. "If we made a deal, I can imagine Huawei being included in some form or, some part, of a trade deal."
The US has used similar tactics against Canada and Europe, and is currently threatening Japan with the same.
 
#59
Are phlegm/saliva considered vegetarian/vegan/kosher/halal? Expect the UK consumption of these exotic delicacies via Chinese meals to increase significantly over the coming weeks.
 
#60
From today's Times:

Huawei says Fedex meddled with mail
Didi Tang, Beijing
May 29 2019, 9:00am, The Times


[image: Huawei claims that packages destined for its head office in China ended up in Tennessee. Credit: VCG/Getty Images]


Huawei has said that it is reviewing its relationship with Fedex after claiming that the delivery company rerouted two of its packages to the United States and tried to divert two others.

Two packages addressed to Huawei’s China office, sent from Tokyo on May 19 and May 20, ended up at the delivery company’s head office in Memphis, Tennessee, three days later.

Huawei said the company had also tried to reroute two other packages sent from Hanoi in Vietnam to Huawei’s offices in Hong Kong and Singapore. One has now been delivered to its correct destination with no indication of tampering, the company said.

“The recent experiences where important commercial documents sent via Fedex were either diverted to, or were requested to be diverted to, Fedex in the United States, undermines our confidence,” Joe Kelly, a spokesman for Huawei, told Reuters.

The company said the four packages contained urgent commercial documents. Huawei said that both Vietnam packages were sent by its shipping agent, a contractor. It added that the shipping agent had refused permission for Fedex to send the packages to America and ordered that they be returned.

Fedex apologised for the error on its Chinese social media account, saying it had “mishandled” the packages.
The rerouting comes amid escalating tensions between China and western countries over the use of Chinese technology. The US government has placed Huawei on its “entity list”, banning it from access to US technology and equipment and preventing US tech companies from doing business with it. Huawei says that it is not controlled by the Chinese government or its military.

Huawei formally took legal action against the American government today, asking a court in Texas to rule that the ban of Huawei’s products was unconstitutional.

Song Liuping, the technology company’s chief legal officer, said the ban set a “dangerous precedent” that would harm billions of consumers and affect “tens of thousands of American jobs”.

“Politicians in the US are using the strength of an entire nation to come after a private company,” he said. “This is not normal.”
 
