April 21, 2014

Huawei still banned from bidding on Australia’s National Broadband Network

Australia’s recently formed government has maintained the existing ban which stops the Chinese telecoms giant Huawei from bidding on contracts to build Australia’s National Broadband Network (NBN). The new government, which took power on 18 September 2013, has listened to advice from its security agencies and upheld the ban placed by its predecessors.

Huawei is currently considered a security risk by several different nations including the USA. Its bad image stems from the fact that the company was founded by Ren Zhengfei, a former officer of the People’s Liberation Army, and from its perceived links to the Chinese State. The USA, like Australia, has banned Huawei, and a government committee reported last year that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests.”

The Australian Attorney-General George Brandis said the government had no plans to relax its stance on Huawei, adding that “the decision of the previous government not to permit Huawei to tender for the NBN was made on advice from the national security agencies.”

“Since the election the new government has had further briefings from the national security agencies. No decision has been made by the new government to change the existing policy,” Brandis told the AFP.

Huawei had previously run an intense lobbying campaign in Canberra for the ban to be removed. According to the Australian Financial Review, the Attorney-General overruled a move by some within the new government to relax the ban on Huawei. However, some members of the cabinet were reportedly against changing the previous government’s policy and had expressed concerns that allowing Huawei to bid on the NBN could be seen as a problem by the USA.

Huawei has denied having close connections to the Chinese government and has stressed that the company is 98.6% owned by its employees.

UK government to investigate Huawei’s involvement in the Cyber Security Evaluations Centre

The Intelligence and Security Committee, a group established by the British government to examine the extent of foreign involvement in the UK’s Critical National Infrastructure and its implications for national security, has raised questions about the independence of staff employed at the Cyber Security Evaluations Centre, or the Cell as it is commonly called.

Part of the work at the Cell is to test equipment from Huawei for security vulnerabilities and ensure that the equipment doesn’t have any back-doors or easily exploitable weaknesses.

According to the report, the Cell was formed due to a big contract win for Huawei from British Telecom (BT). The UK government engaged directly with Huawei UK and suggested the establishment of the evaluation center to increase confidence in the security of Huawei products.

Although staffed by security-cleared UK personnel, the Cell is funded entirely by Huawei and remains under Huawei’s control. The report questions whether the 34 staff, who are paid and employed by Huawei, are sufficiently independent of Huawei to provide the necessary level of assurance about the company’s activities.

The Cell tests all updates to Huawei’s hardware and software for high-risk components before they are deployed on UK networks. However, the center was only due to become fully operational at the end of 2011 (six years after Huawei won the BT contract), and now, in 2013, it is working at a reduced capacity, both in terms of staffing and remit. Witnesses have conceded that it is too soon to tell how effective it is.

Huawei’s troubles stem from the fact that the company was founded by Ren Zhengfei, a former officer of the People’s Liberation Army. Most of the concerns surrounding Huawei relate to its perceived links to the Chinese State. Due to these concerns, a government committee in the US published a harsh assessment of Huawei’s reliability. The report concluded that “the risks associated with Huawei and ZTE’s provision of equipment to US critical infrastructure could undermine core US national-security interests”. In Australia, the Government decided to exclude Huawei from any involvement in its National Broadband Network on national security grounds.

Huawei has denied having close connections to the Chinese government and has stressed that the company is 98.6% owned by its employees.

HP asks researcher not to disclose Huawei router vulnerabilities as they are ‘too big’

(LiveHacking.Com) – Security researcher Kurt Grutzmacher has been researching security vulnerabilities caused by buffer overflows on Huawei and H3C routers and was planning to present his findings on Saturday at the ToorCon 14 security show in San Diego. However, just before the planned disclosure, Kurt was contacted by the HP Software Security Response Team asking him not to make the disclosure as the vulnerabilities are ‘too big’ for HP, H3C or Huawei to be ready. H3C is a wholly owned subsidiary of Hewlett-Packard and is based in Hangzhou, China.

Kurt has been researching the routers since June 2012, and in August he submitted his findings to US-CERT asking them to coordinate with HP/H3C. US-CERT’s standard disclosure policy is 45 days after vendor notification. After 30 days Kurt had not received a reply from US-CERT or from HP. At this point he contacted them again, stating his intention to disclose the problems at ToorCon.

Then, just a few days before the conference, Kurt was contacted by email and voicemail by HP kindly asking him not to disclose the vulnerabilities. Kurt decided to agree with HP. However, Kurt is confident that the disclosure will be made within the next few months.

According to Kurt, all users of H3C or Huawei equipment are at risk.

“Can others figure out what I know? Certainly they could. Am I going to tell anyone or give hints? No, I cannot. There is this bag with an angry cat in it that wants to come out. Or it may not be a cat. It’s Schrödinger’s Disclosure! You just won’t know until it’s opened.”

These latest concerns over the vulnerabilities in Huawei routers come after two separate U.S. government reports condemned the safety of Huawei equipment. The first report, from the U.S. House of Representatives Intelligence Committee, said that U.S. telecommunications operators should not buy equipment from Huawei. The second was a White House-ordered review of the security risks posed by Chinese telecom suppliers; it concluded that Huawei equipment had too many security vulnerabilities.

No evidence that Huawei was spying for China but vulnerabilities a worry

(LiveHacking.Com) – Earlier this month a report by the U.S. House of Representatives Intelligence Committee said that U.S. telecommunications operators should not buy equipment from Huawei Technologies Co Ltd or its smaller rival, ZTE Corp. because of the security risks posed by potential Chinese state interference. Or to put it simply, worries over electronic spying on U.S. interests.

Now however, two people familiar with a White House-ordered review of the security risks posed by Chinese telecom suppliers have told Reuters that the 18-month review found that relying on Huawei was risky for other reasons, such as the existence of vulnerabilities that hackers could exploit. But there was no evidence of Huawei spying.

It seems that the White House ordered intelligence agencies to conduct a classified inquiry into Chinese telecom equipment makers, which investigated reports of suspicious activity and probed nearly 1,000 telecom equipment buyers. “We knew certain parts of government really wanted” evidence of active spying, said one of the people, who requested anonymity. “We would have found it if it were there.”

The report from the Republican and Democratic leaders of the House Intelligence Committee criticized Huawei for not providing details about its relationship with Chinese government agencies. Last year, Huawei was banned from bidding for an emergency network for first responders “due to U.S. government national security concerns”.

“The White House has not conducted any classified inquiry that resulted in clearing any telecom equipment supplier,” White House National Security Council spokeswoman Caitlin Hayden said.

Because the White House review did find several security vulnerabilities within Huawei products, questions are being asked about whether Huawei intentionally put the vulnerabilities into its devices as a backdoor for the Chinese Government.

Chris Johnson, a former CIA analyst on China, said officials emerged from the review with “a general sense of foreboding” about what would happen if China asked Huawei for assistance in gathering intelligence from U.S. customers.

ZDNet reported from the security conference “Hack In The Box” that researcher Felix “FX” Lindner has demonstrated how easy it is to gain access to Huawei routers and telecom equipment. He told the conference in Kuala Lumpur, “I don’t know if there are backdoors – but it doesn’t matter since there are so many vulnerabilities.” According to Lindner, the code running on the routers, used by billions worldwide, is outdated and full of security holes.

Around the world, the reaction from other agencies has been mixed. Australia barred Huawei from becoming a contractor on the country’s National Broadband Network, and Canada said last week that Huawei could not bid to help build a secure national network. However, Britain has said that Huawei’s products have been fully vetted and did not represent a security concern.