How much of a risk does a company like Huawei or ZTE pose to U.S. national security? It’s a question that’s been on many people’s lips for a good year now. Last year the U.S. House of Representatives Permanent Select Committee on Intelligence warned American companies to “use another vendor”, and earlier in that year the French senator and former defense secretary Jean-Marie Bockel recommended a “total prohibition in Europe of core routers and other sensitive IT equipment coming from China.” In parallel discussions, the United Kingdom, Australia and New Zealand (to name a few) have restricted how Huawei operates within their borders.
Much of the analysis has previously focused upon Huawei's sizable and influential position as the world’s second largest manufacturer of network routers and switching technology – a critical ingredient for making the Internet and modern telecommunications work – and the fact that it is unclear how much influence (or penetration) the Chinese government has in the company and its products. The fear is that at any point, now or in the future, Chinese military leaders could intercept or disrupt critical telecommunications infrastructure – either as a means of aggressive statecraft or as a component of cyber warfare.
As someone who's spent many years working with the majority of the world's largest telecommunication companies, ISPs, and cable providers, I've been able to observe firsthand the pressure being placed upon these critical infrastructure organizations to seek alternative vendors and/or replace any existing Huawei equipment they may already have deployed. In response, many of the senior technical management and engineers at these organizations have reached out to me and to IOActive to find out how true these rumors are. I use the term “rumor” because, while reports have been published by various government agencies, they’re woefully lacking in technical details. You may have also seen François Quentin (chairman of the board of Huawei France) claiming that the company is a victim of “rumors”.
In the public technical arena, there are relatively few bugs and vulnerabilities being disclosed in Huawei equipment. For example, if you search for CVE-indexed vulnerabilities you’ll uncover very few. Compared to the likes of Cisco, Juniper, Nokia, and most of the other major players in routing and switching technology, the number of public disclosures is minuscule. But this is likely due to a few reasons:
- The important Huawei equipment isn't generally the kind of stuff that security researchers can purchase off eBay and poke around with at home for a few hours in a quest to uncover new bugs. They're generally big-ticket items. (This is the same reason why you’ll see very few bugs publicly disclosed in Cisco’s or Nokia’s big ISP-level routers and switches.)
- Up until recently, despite Huawei being such a big player internationally, they haven't been perceived as such by the English-speaking security researcher community – and so have traditionally garnered little interest from bug hunters.
- Most of the time when bugs are found and exploitable vulnerabilities are discovered, they occur during a paid-for penetration test or security assessment, and therefore those findings belong to the organization that commissioned the consulting work – and are unlikely to be publicly disclosed.
- Remotely exploitable vulnerabilities that are found in Huawei equipment by independent security researchers are extremely valuable to various (international) government agencies. Any vulnerability that could allow someone to penetrate or eavesdrop at an international telecommunications carrier level is worth big bucks and will be quickly gobbled up. And of course any vulnerability sold to such a government agency most certainly isn't going to be disclosed to the vulnerable vendor – whether that be Huawei, Cisco, Juniper, Nokia, or whatever.
What does IOActive know of bugs and exploitable vulnerabilities within Huawei’s range of equipment? Quite a bit, obviously – since we've been working to secure many of the telecommunications companies around the world that have Huawei’s top-end equipment deployed. It’s obviously not for me to disclose vulnerabilities that were uncovered on the dime of an IOActive client; however, many of the vulnerabilities we've uncovered during tests have given great pause to our clients as remedies are sought.
Interestingly enough, the majority of those vulnerabilities were encountered using standard network discovery techniques – which to my mind is just scratching the surface of things. However, based upon what’s been disclosed in the aforementioned government reports over the last year, that was probably their level of scrutiny too. Digging deeper into the systems reveals more interesting security woes.
Given IOActive’s history of expertise and proven capability in hardware hacking, I’m certain that we’d be able to uncover a whole host of different and more significant security weaknesses in these critical infrastructure components for clients that needed that level of work done. To date, IOActive's focus has been on in-situ analysis – typically assessing the security and integrity of core infrastructure components within live telco environments.
I've heard several senior folks talk of their fears that even full access to the source code wouldn't be enough to verify the integrity of Chinese network infrastructure devices. For a skillful opponent, that is probably so, because they could simply hide the backdoors and secret keys in the microcode of the devices' semiconductor chips.
Unfortunately for organizations that think they can hide such critical flaws or backdoors at the silicon layer, I've got a surprise for them. IOActive already has the capability to strip away the layers of logic within even the most advanced and secure microprocessor technologies out there and recover the code and secrets that have been embedded within the silicon itself.
So, I’d offer a challenge out there to the various critical infrastructure providers, government agencies, and to manufacturers such as Huawei themselves – let IOActive sort out the facts from the multitude of rumors. Everything you've probably been reading is hearsay.
Who else but IOActive can assess the security and integrity of a technology down through the layers – from the application, to the drivers, to the OS, to the firmware, to the hardware and finally down to the silicon of the microprocessors themselves? Exciting times!
-- Gunter Ollmann, CTO
IOActive Inc.