China Privacy Security The Internet News

Former Pentagon Analyst: China Has Backdoors To 80% of Telecoms 240

An anonymous reader writes "A former Pentagon analyst reports the Chinese government has 'pervasive access' to about 80 percent of the world's communications, and it is looking currently to nail down the remaining 20 percent. Chinese companies Huawei and ZTE Corporation are reportedly to blame for the industrial espionage. 'Not only do Huawei and ZTE power telecom infrastructure all around the world, but they're still growing. The two firms are the main beneficiaries for telecommunication projects taking place in Malaysia with DiGi, Globe in the Philippines, Megafon in Russia, Etisalat in the United Arab Emirates, America Movil in a number of countries, Tele Norte in Brazil, and Reliance in India.'"
This discussion has been archived. No new comments can be posted.

  • by Anonymous Coward on Saturday July 14, 2012 @08:09PM (#40652165)

    Seriously, I think that in the next war someone will have with China, it will be breathtaking how powerful and effective China's cyberattacks will be at breaking that country's will or ability to fight.

  • by bug1 ( 96678 ) on Saturday July 14, 2012 @08:15PM (#40652201)

    There was a story a few months ago about how Australia banned Huawei from involvement in a big project, they didn't say why.

    http://tech.slashdot.org/story/12/03/24/0424215/australian-govt-bans-huawei-from-national-network-bids [slashdot.org]

  • by Crypto Gnome ( 651401 ) on Saturday July 14, 2012 @08:32PM (#40652299) Homepage Journal
    Actually they DID say why: specifically it boiled down to "because we cannot be *absolutely certain* that the Chinese Government does not have such a close relationship with Huawei that deploying their equipment would not (ever) compromise our national security".

    Seems to me that someone in The Australian Government has learned a few important life lessons from The X-Files. (ie trust No-One).

    Either that (a) or (b) they're just playing The Obvious "Devil You Know / Devil You Don't" card; and/or decisions were influenced by vendor-$ and Huawei could-not/would-not/weren't-given-a-chance-to cough up enough.

    Personally Option (b) sounds more typical of government.

    I for one will be eternally surprised to see any government making a well researched, informed, well reasoned decision - they're almost always a pack of retarded monkeys interested in looking after themselves and their friends.

    Go On Mr Government - PROVE ME WRONG - I Dares Ya!
  • Re:Wait, what? (Score:5, Interesting)

    by girlintraining ( 1395911 ) on Saturday July 14, 2012 @08:45PM (#40652361)

    Emphasis added on the word potential. Now where's the proof (preferably from a chip teardown by a reputable hardware hacker or hacking group)?

    There won't be any. Anyone with the capability of analyzing and reverse-engineering thousands of ICs would need deep pockets -- Either a large corporation or a government. A hacking group won't have the resources, even a well-funded one. You're talking about several hundred highly trained engineers from a dozen different disciplines working for years on the project, with no return on investment. There's no reason for a large corporation to conduct such business domestically -- they already have comparable products, and the Chinese equipment doesn't have any capabilities that aren't commonly available elsewhere. That leaves governments with a GDP in excess of a hundred billion USD per year. Short list. Said governments wouldn't disclose the results of such a search either, as it's a legitimate intelligence asset that would need to remain classified -- you don't want your enemy to know what you know, especially not before you come up with a way to defend against the attack or co-opt the infrastructure for your own purposes.

    Second, forensically analyzing tens of thousands of chips and microprocessors would be pointless anyway: There still has to be some method of communicating the information back, and they can't compromise the entire communications chain, which is what would be required. Telecommunications equipment is designed to be eavesdropping-friendly; Complete with port mirroring, trace and audit logs, selective forwarding based on rules... it's all standard. We're not even talking about the law enforcement black boxes, this is just stuff used for legitimate business purposes. The moment any such 'bug' went active, it would set off alarms -- by necessity, the communications would have to occur over the provider's own network. Unless their network admins are idiots they should notice the aberrant traffic.

    China would have to be very stupid to leverage such an intelligence asset for peanuts; It's basically a one-shot, and it would cost them billions in telecommunications contracts domestically. So if they do have such a capability, they're not going to use it until the value of the intelligence they would gain from it equals or exceeds that amount.

    So there's two arguments right there based just on the economics of the situation. I strongly suspect that this unnamed Pentagon analyst is being paid to spread disinformation. Such disinformation would serve the purpose of keeping the American public sucking the tit of the Department of Homeland Security's fear juice, and exaggerating our actual intelligence capabilities -- rather than waste hundreds of millions on a reverse engineering project that could never be made public, we'll just insinuate that "We know. We're on to you," and rattle our sabre a little. Maybe it deters them, maybe it forces them to expend resources to find out whether we're telling the truth or not, but it costs us nothing to make such a statement.

  • by Anonymous Coward on Saturday July 14, 2012 @09:14PM (#40652525)
    And the USA are, of course, innocent of any atrocity [wikipedia.org] and would never kill their own citizens too. [wikipedia.org]

    INB4 "Your numbers are smaller than my claim, therefore are not applicable!" The numbers scale with the population, China is a much bigger nation. Ignoring the scale, both countries are equally evil.

  • by Jeremy Erwin ( 2054 ) on Saturday July 14, 2012 @09:16PM (#40652547) Journal

    The second link is to "World Net Daily", a site that has about as much credibility as the John Birch Society.

  • by fredprado ( 2569351 ) on Saturday July 14, 2012 @09:58PM (#40652743)
    The problem is, once the guy is extradited to anywhere else within US he can end in Minnesota or Texas, or whatever place they decide to send him in.

    US may not be as bad as North Korea, but it is every bit as bad as China these days. Both are countries where justice is unreachable for common people, and where dominant groups do basically whatever they want. China censors information, US floods it in an ocean of propaganda and disinformation. In the end all is the same.
  • Re:He's right. (Score:5, Interesting)

    by cold fjord ( 826450 ) on Sunday July 15, 2012 @12:41AM (#40653355)

    Pervasive espionage.

    Chinese step up computer espionage against United States [nytimes.com]
    FBI estimates there are currently more than 3,000 corporations operating in the United States that have ties to the PRC and its government technology collection program. [jamestown.org]
    Chinese telecom firm tied to spy ministry [washingtontimes.com]

    The report by the CIA-based Open Source Center states that Huawei’s chairwoman, Sun Yafang, worked for the Ministry of State Security (MSS) Communications Department before joining the company.

    The report on Huawei’s board members states that Ms. Sun used her connections at MSS to help Huawei through “financial difficulties” when the company was founded in 1987.

    Based in part on Chinese media reports and Huawei’s website, the report reveals that the Beijing government paid Huawei $228.2 million for research and development during the past three years.

    I'm sure you can figure out why this might be important. . . well, maybe not.

  • Re:Wait, what? (Score:5, Interesting)

    by Solandri ( 704621 ) on Sunday July 15, 2012 @01:31AM (#40653541)
    Even if you verify the source code is clean and compile it yourself, you're still vulnerable. The compiler could have a trojan hidden in it which inserts a backdoor when it detects certain functions are being compiled. And if you compile your compiler yourself? Well what's to say the compiler you use to do that doesn't have a trojan which inserts the trojan I just mentioned into your new compiler? And so on.

    Basically, if you want to be 100% sure your code is clean, you have to write it (including any compilers you use) from scratch. [slashdot.org] Perhaps the most pertinent quote from that paper: "As the level of program gets lower, these [deliberately inserted] bugs will be harder and harder to detect. A well installed [hardware] microcode bug will be almost impossible to detect."
  • Re:Wait, what? (Score:5, Interesting)

    by kasperd ( 592156 ) on Sunday July 15, 2012 @04:37AM (#40654197) Homepage Journal

    Anyone with the capability of analyzing and reverse-engineering thousands of ICs would need deep pockets

    No need to look at thousands of ICs. Looking at a few of the most interesting targets is still going to be valuable.

    A hacking group won't have the resources, even a well-funded one. You're talking about several hundred highly trained engineers from a dozen different disciplines working for years on the project

    I know one person who using just off the shelf equipment was able to read the ROM from a microcontroller in his spare time. All it took was a cheap microscope and a webcam.

    There still has to be some method of communicating the information back, and they can't compromise the entire communications chain, which is what would be required.

    Covert channels can be very hard to detect. You don't need to compromise the entire chain. You just need to piggyback on a legitimate communication for hops between compromised equipment. For example VPN hardware could piggyback on legitimate connections by using some encrypted data instead of random values for sending packets over the Internet. A compromised router anywhere on the path the VPN connection takes could pick out the data. Now the data is on a router on the public Internet. There are plenty of ways to get the data from there. First of all the attacker could very well have a legitimate connection going through that router, now it just needs a covert channel to send data from that router.

    Sending data from the router without risk of being noticed is slightly more tricky. The question is, would you take the risk of modifying packets in the hope that nobody is actually comparing the packets going into the router and out of the router? If you modified the IPID field of every packet going through the router, that would produce a feasible covert channel. It would not be immediately detected, but would be visible if you carefully inspected the traffic. Notice that it would not be sufficient to look at the traffic through the router in a lab before deployment, because the router wouldn't be sending any covert data until instructed to do so.

    A more stealthy method would be to just use the IPID field of packets generated by the router. There is no incoming packet to compare against. But extracting data that way without being visible takes time. You can run a traceroute that happens to pass through the router, then it will need to send three response packets (with the common settings). Each time you run a traceroute passing through that router, you could extract 6 bytes of data.

    China would have to be very stupid to leverage such an intelligence asset for peanuts; It's basically a one-shot, and it would cost them billions in telecommunications contracts domestically.

    Valid point, however even if it was noticed, it would be hard to prove who was behind.
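
Added example, not part of the thread or any poster's code: a sketch of the check the comment above says would expose a rewritten IPID, comparing packets captured on a router's ingress side with the same packets on its egress side. The addresses, payloads, and function names are constructed for illustration; it covers forwarded packets only, not packets the router generates itself.

```python
import ipaddress
import socket
import struct
from collections import defaultdict, deque

IP_HDR = "!BBHHHBBH4s4s"  # fixed 20-byte IPv4 header, no options

def build_ipv4(src, dst, ipid, ttl, payload, proto=17):
    """Build header + payload for the constructed samples (checksum left at 0)."""
    hdr = struct.pack(IP_HDR, 0x45, 0, 20 + len(payload), ipid, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload

def parse_ipv4(pkt):
    ver_ihl, _tos, total_len, ipid, frag, _ttl, proto, _csum, src, dst = \
        struct.unpack(IP_HDR, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    # A forwarding router legitimately changes TTL and checksum, so the match
    # key leaves them out; it also leaves out the IPID, which is what we audit.
    return (src, dst, proto, frag, pkt[ihl:total_len]), ipid

def find_rewritten_ipids(ingress, egress):
    """Return (src, dst, ipid_in, ipid_out) for forwarded packets whose IPID changed."""
    pending = defaultdict(deque)
    for pkt in ingress:
        key, ipid = parse_ipv4(pkt)
        pending[key].append(ipid)
    findings = []
    for pkt in egress:
        key, ipid_out = parse_ipv4(pkt)
        if not pending[key]:
            continue  # no ingress match: router-originated or capture gap
        ipid_in = pending[key].popleft()
        if ipid_in != ipid_out:
            src, dst = (str(ipaddress.IPv4Address(a)) for a in key[:2])
            findings.append((src, dst, ipid_in, ipid_out))
    return findings

# Constructed captures: three packets in, same three out with TTL-1;
# the second egress packet carries a different IPID.
SRC, DST = "192.0.2.10", "198.51.100.20"
INGRESS = [build_ipv4(SRC, DST, 0x1001 + i, 64, b"payload-%d" % i) for i in range(3)]
EGRESS = [build_ipv4(SRC, DST, ipid, 63, b"payload-%d" % i)
          for i, ipid in enumerate([0x1001, 0xBEEF, 0x1003])]

if __name__ == "__main__":
    for src, dst, before, after in find_rewritten_ipids(INGRESS, EGRESS):
        print(f"{src} -> {dst}: IPID {before:#06x} rewritten to {after:#06x}")
```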

  • This guy is right. (Score:5, Interesting)

    by r00t ( 33219 ) on Sunday July 15, 2012 @02:41PM (#40657087) Journal

    Imagine a chip, made in China, that has a network connection (to China) and can DMA to/from your RAM.

    Oh, hey, you have one: your Ethernet chip. Shit. We're fucked.

    Also notice the chips in your wireless router, cable modem, cell phone, cell tower, USB stick, USB port, etc.
