Vodafone Says It Found Hidden Backdoors in Huawei Equipment (bloomberg.com) 166
For months, Huawei has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and has threatened to enable Chinese spying through the telecom networks it's built across the West. Now Vodafone Group has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier's Italian business. From the report: While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China's global technology prowess. Europe's biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier's fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone's security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.
Interesting Spin.. (Score:5, Insightful)
Vodafone says they found "vulnerabilities", without any further qualification. Suddenly in Bloomberg those become "hidden backdoors". Seems like someone has an agenda
Re:Interesting Spin.. (Score:5, Insightful)
Even TFA notes that it's not uncommon to find security flaws in networking hardware. In fact I doubt there is a single manufacturer of network hardware who hasn't got at least one CVE.
This is a complete non-story.
Re:Interesting Spin.. (Score:4, Informative)
Because China is a communist dictatorship, responsible for the vast majority of corporate espionage across the world today, whereas the other is your own fucking government, tasked with defending your fat, hairy arse against Chinese threats to your economic and physical security.
Re:Interesting Spin.. (Score:5, Insightful)
the other is your own fucking government, tasked with defending your fat, hairy arse against Chinese threats to your economic and physical security
Not at all, the government that is pressing me to accept their propaganda is definitely not my own fucking government, and them spying on me isn't defending my hairy arse against anyone.
This very same government used to point nuclear warheads and other weaponry at me 30 years ago and today supports mafia mobsters operating my country, something the Chinese government has never done.
So, fuck off. You don't want to buy Huawei, fine. It is not your business what everyone else is buying.
Re: (Score:2)
Hahahahahaha! Highly satirical.
Re: (Score:2)
Some manufacturers, like Cisco, have several hundred CVEs against them for hard coded credentials. Why aren't the governments of the world clamouring to rid their networks of Cisco crapola?
Rubbing salt into the wound, there's a story on Techcrunch about hackers breaking into Cisco and going undetected for six months. They stole files that 'may have' info about employees and beneficiaries, including social security numbers, and financial information.
https://techcrunch.com/2019/04/30/citrix-internal-network-breach/ [techcrunch.com]
Re:Interesting Spin.. (Score:4, Interesting)
This is a complete non-story.
This is propaganda. It is the second story about Huawei and "security" today.
Re:Interesting Spin.. (Score:4, Interesting)
Exactly so. It is propaganda - as I put it in an earlier reply, a powerful narrative carefully tailored to appeal to the ignorant and prejudiced, based on no valid facts at all.
LEARN TO READ ILLITERATE ARCHTECH FAGGOT (Score:1)
https://www.networkworld.com/article/2223272/60-minutes-torpedoes-huawei-in-less-than-15-minutes.html
Yeah everything is propaganda, the dozens of times Huawei was caught stealing and snooping is propaganda, Trump's tax returns are propaganda so we shouldn't look.
You're an illiterate moron.
Re: LEARN TO READ ILLITERATE ARCHTECH FAGGOT (Score:1)
In China, a company is a Chia pet. The state tells them what to do, and they do it.
There is no hard evidence that's happened with Huawei. -- 60 minutes
Nothing has changed since then.
Re:Interesting Spin.. (Score:5, Insightful)
This is a complete non-story.
This is propaganda. It is the second story about Huawei and "security" today.
Obviously something is going on; either Huawei are up to no good, or there is an active campaign to smear them.
Is it theoretically possible, and believable, that the Chinese government is using electronics companies to spy on the West? Yes, that is a believable scenario.
Is it theoretically possible, and believable, that the White House is orchestrating a smear campaign against Huawei and pulling strings? Yes, sadly, that sort of duplicity is possible too.
I can't say with entirety which scenario is correct, but honestly, the former scenario (spying) is probably more likely. It seems odd that Huawei, specifically, would be targeted if this was about trade.
Re: (Score:2)
Huawei is targeted because they are way ahead in 5G tech and own a lot of the key patents that must be licenced to implement it. They are therefore a major threat to US technology firms and an ideal target in the trade war.
It makes little sense for the Chinese government to bug Huawei hardware. The damage it would do to Chinese companies and the Chinese economy is obvious, and China generally doesn't get involved in the kind of politicking that would benefit from it anyway. Where China does spy it tends to b
Re: (Score:2)
Obviously something is going on; either Huawei are up to no good, or there is an active campaign to smear them.
False dichotomy. Both things can be true. If you knew someone was up to something but you couldn't prove it for whatever reason, would you just sit back and watch it happen, or would you try to interfere?
Re: (Score:2)
I have no dog in this fight, I made peace with the idea that I am being spied on in innumerable, unavoidable ways just by living my daily life, and that fact is almost completely out of my control. However:
Is it theoretically possible, and believable, that the White House is orchestrating a smear campaign against Huawei and pulling strings? Yes, sadly, that sort of duplicity is possible too.
Knowing what we know of the current administration, do they really seem competent enough to pull this off? Think of the favor wrangling this would require, and the constant leaking of every other attempt at favor wrangling which has been reported to date. Maybe the FBI or CIA, sure, I could see that.
Re:Interesting Spin.. (Score:5, Insightful)
This is a complete non-story.
To be more precise, this is a heavily biased story based on no credible or valid facts. As Caitlin Johnstone explains, the great majority of people are far more interested in narratives than in facts. Once they have accepted a narrative that appeals to their instincts and prejudices, no amount of facts or figures can dislodge it.
https://caitlinjohnstone.com/2... [caitlinjohnstone.com]
Re: (Score:1)
Most people in Finland as well speak English - and the language couldn't be further different from English. But we do have subtitles.
Re: (Score:2)
Well that I did and I think it's amazing I managed to fail at that :-).
Re: (Score:2)
Most people in Finland as well speak English - and the language couldn't be further different from English. But we do have subtitles.
I can't believe some people still think Brexit is a good idea.
Re: (Score:2)
Brexitier uninformed nonsense. The EU parliament can instruct through a vote the commission to bring forth legislation on a topic. Noting that the commission are appointed by the elected governments of the EU member states.
It makes the UK less democratic because as long as we are respecting the Good Friday agreement we are going to have to have something that is regulatory alignment and customs union in all but name, if actual membership of the common market and customs union. At which point we are going to
Re: (Score:1)
The world is not flat and even if all do use the same tricks it makes a difference if these are against structures that are foundations of our society or against foundations of some other society.
There is a difference then if the supplier with backdoors in its switching merchandise is under control of our or their government. This is that simple.
Re: Interesting Spin.. (Score:4, Informative)
Didn't Bloomberg get caught with its pants down already when they presented the supermicro supply chain vulnerability with zero proof, which also ended up being a non story?
Re: Interesting Spin.. (Score:1)
Bloomberg claimed physical alterations off-spec made their way to numerous end-clients. Should've been easy to prove. I don't think it was supermicro's responsibility to prove that unicorns don't exist, but they did a pretty good job of it.
Re: (Score:3)
AmiMoJo shilling for the Chinese. Whodathuinkit?
Re: (Score:2)
Obviously. At least to an expert, their claim is a direct lie. Also, if we count vulnerabilities now as "backdoors", then Cisco equipment, for example, is full of them.
Re: (Score:2)
Without knowing the specifics of the vulnerabilities, and maybe even seeing the source code behind them, it's hard to say if it is malicious or just erroneous. I do a lot of software security assessments; even in 2019 I still find things like SQL injection in recently developed software. Now I would argue that should NOT happen, because unless you're building something bespoke and very, very esoteric, some ORM or at least a prepared statement interface should work for what you need to do.
I don't think for a second everything SQ
Re: (Score:2)
There are a lot of people that should know better, but do not. You can, for example, still study web-engineering and never take any security lectures in many places.
Re: (Score:2)
I agree. In particular 3) is a frequent occurrence, but 1) (also in the form of "manager does not give enough time") and 2) are regularly observable. Now, it seems this was a telnet-port that remained open and that is something that is not "hidden" in any sane sense of the word. And it is not hard to find when you know what you are doing either, a simple nmap run is enough. Of course, you need the running system for that and hence it does take some effort and you need to understand what you are doing. But so
Re: Interesting Spin.. (Score:1)
Without knowing the specifics of the vulnerabilities
The backdoor is Telnet. Vodafone instructed Huawei to uninstall Telnet. Huawei agreed to do that, but didn't, because they needed it for installation and test. It sounds from the story like they only killed it.
Re: (Score:2)
They must have reactivated it somehow, because a non-running telnet server is not a security issue at all. Sounds like plain old incompetence to me.
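Added example (not code from any poster, Vodafone or Huawei): the comments above turn on whether a Telnet service is actually listening on a device, which is what a scan observes, rather than whether it is installed. This Python helper connects to devices you administer and reports any port that answers, marking those that open with Telnet option negotiation (RFC 854); the port list (23, 2323) and the loopback inventory are assumptions.

```python
import socket

IAC = 0xFF  # Telnet "Interpret As Command" byte (RFC 854)
VERBS = {0xFB: "WILL", 0xFC: "WONT", 0xFD: "DO", 0xFE: "DONT"}


def negotiated(data):
    """Return [(verb, option), ...] for each Telnet negotiation in data."""
    found = []
    i = 0
    while i + 2 < len(data):
        if data[i] == IAC and data[i + 1] == IAC:
            i += 2  # IAC IAC is an escaped 0xFF data byte, not a command
        elif data[i] == IAC and data[i + 1] in VERBS:
            found.append((VERBS[data[i + 1]], data[i + 2]))
            i += 3
        else:
            i += 1
    return found


def classify(first_bytes):
    """'telnet' if the peer opened with option negotiation, else 'open'.

    'open' still deserves review: some Telnet daemons wait for the client
    to negotiate first, and any unexpected listener is a finding.
    """
    return "telnet" if negotiated(first_bytes) else "open"


def probe(host, port, timeout=2.0):
    """Return 'closed' (refused, filtered or unreachable), 'open' or 'telnet'."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.settimeout(timeout)
            try:
                data = s.recv(64)
            except OSError:  # timeout or reset after a successful connect
                data = b""
    except OSError:
        return "closed"
    return classify(data)


def audit(inventory, ports=(23, 2323), timeout=2.0):
    """Probe every host/port pair; return (host, port, state) for listeners."""
    findings = []
    for host in inventory:
        for port in ports:
            state = probe(host, port, timeout)
            if state != "closed":
                findings.append((host, port, state))
    return findings


if __name__ == "__main__":
    # Constructed inventory: replace with the management addresses of
    # equipment you operate, and re-run after every firmware update.
    for host, port, state in audit(["127.0.0.1"], timeout=1.0):
        print(f"{host}:{port} is listening ({state})")
```

Running it after each firmware update catches the case discussed in the article, where a service that was supposed to be gone is present again in a later version.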
Re: (Score:2)
You forgot non-implemented features (as in Apple)
Re:Interesting Spin.. (Score:4, Interesting)
Vodafone says they found "vulnerabilities", without any further qualification. Suddenly in Bloomberg those become "hidden backdoors". Seems like someone has an agenda
Funny that, isn't it? If we are going to equate every 'vulnerability' in Huawei gear with 'a back door deliberately installed by Chinese intelligence' rather than just resign ourselves to the fact that Huawei home routers are bug riddled pieces of garbage like everybody else's then every 'vulnerability' discovered from now on in the routers of a whole legion of manufacturers must be assumed to be a 'back-door' installed by the intelligence service of the country each manufacturer operates from. Also, Huawei is not exactly alone in this kind of thing, https://tech.slashdot.org/stor... [slashdot.org]. But that aside the really funny bit here is that they quote this professor who says:
“There’s no specific way to tell that something is a backdoor and most backdoors would be designed to look like a mistake,”
so, basically, back-doors and vulnerabilities are indistinguishable from each other. Then he goes on to say:
“That said, the vulnerabilities described in the Vodafone reports from 2009 and 2011 have all the characteristics of backdoors: deniability, access and a tendency to be placed again in subsequent versions of the code,” he said.
So in other words back-doors and vulnerabilities are indistinguishable from each other except when they are in Huawei equipment? So which is it Professor? ... are back-doors and vulnerabilities indistinguishable from each other or not? ... or does that apply varyingly depending on what best suits your political agenda in each case? I direct your attention back to this Slashdot article: https://tech.slashdot.org/stor... [slashdot.org] were those 'back-doors' intentionally installed by the CIA/NSA or just Cisco being incompetent? Is there a way to tell the difference in this case between a 'vulnerability' and an intentionally installed 'back-door'? Or is it conveniently impossible to tell the difference in this particular case?
Personally I'm going to stick with the opinion that if you are country X, where X != {China,Russia,America}, then being spied on is unavoidable and that being spied on by China because ... "China first!!!! is indistinguishable from being spied on by Russia because ... "Russia first!!!! which in turn is indistinguishable from being spied on by America because ... "America first!!!!". Furthermore, anybody who thinks they can be secure without encrypting everything at the point of origin, decrypting it at the point of receipt and making heavy use of air gaps, intrusion detection and firewalls is dumber than a bag of hammers. And, no, I do not really care that Americans/Russians/Chinese could be spied on by their own governments since I'm not American/Russian/Chinese and the former two, at least, got what they voted for.
Re: (Score:3)
“That said, the vulnerabilities described in the Vodafone reports from 2009 and 2011 have all the characteristics of backdoors: deniability..."
The very first feature he claims to be characteristic of backdoors is "deniability".
(Pause to let the huge burst of universal laughter die down).
So if the Chinese deny that something is a backdoor, that (in the professor's odd little universe) proves that it is a backdoor. No doubt there is a Latin name for that particular fallacy - or maybe not. I doubt if the
Re: (Score:2)
So if the Chinese deny that something is a backdoor, that (in the professor's odd little universe) proves that it is a backdoor. No doubt there is a Latin name for that particular fallacy - or maybe not. I doubt if the Latin and Greek rhetoricians would have stooped to describing such a blatant and transparent piece of deceit.
It is a variant of the "ad hominem" fallacy. The unexpressed hypothesis here is "Chinese are treacherous" (which is both "ad hominem" and borderline racist), hence if they say something you know it is not true and they are for sure trying to trick you.
It is also a "ignoratio elenchi", because he deliberately ignores the matter of the problem to better gaslight the reader. However every "ad hominem" fallacy is also a "ignoratio elenchi".
Re: (Score:1)
At least in Huawei's case it seems like a genuine screw-up that was quickly fixed. Cisco deliberately installed actual backdoors via hard coded accounts and passwords, for support staff to use.
And why all the focus on Huawei home routers? TP-Link are also Chinese and sell a huge amount of gear in the consumer and SOHO space, mainly because they are reasonably priced and actually kinda decent for what they are.
Re: (Score:2)
At least in Huawei's case it seems like a genuine screw-up that was quickly fixed. Cisco deliberately installed actual backdoors via hard coded accounts and passwords, for support staff to use.
And why all the focus on Huawei home routers? TP-Link are also Chinese and sell a huge amount of gear in the consumer and SOHO space, mainly because they are reasonably priced and actually kinda decent for what they are.
I just assume that I'm being spied on. Most of the time I don't really care. I do, however, take appropriate precautions (read: encryption, firewalls, intrusion detection, air gaps) mostly because of the malicious joy I derive from knowing that I have added a bit to the ever increasing flood of encrypted traffic that US/Russian/Chinese intelligence have to spend money to laboriously decrypt just in order to be able to tell whether it is even interesting for them. I see it as job creation for network tech
Re: (Score:1)
Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.
Re: (Score:2)
Sounds like we should be ENCOURAGING them to sell to Iran.
Re: (Score:3)
Vodafone says they found "vulnerabilities", without any further qualification. Suddenly in Bloomberg those become "hidden backdoors". Seems like someone has an agenda
It is obvious that you do
Comment removed (Score:5, Informative)
Re: (Score:3, Insightful)
Ever noticed how people who cheat on their spouse are the most paranoid about their spouse cheating on them?
Makes you wonder about US vendors, doesn't it? (or rather, the US government, and its relationship with US vendors, and how the US is so paranoid of foreign vendors.)
Re: (Score:3, Informative)
There is no need to wonder about US vendors. They are known to be all compromised. Huawei is still a "probably".
Re: (Score:2)
I usually discard that kind of reasoning because without proof that this is actually the case for the individual in question, it's little more than a petty ad hominem circumstantial along a similar bullshit line of logic as "If you've got nothing to fear, you've got nothing to hide".
At the end of the day, before we make a decision which devices to use, we should thoroughly test all kinds of communication hardware for security flaws and potential
Re: (Score:2)
So, exactly which US 5G cellular base station vendors do you have in mind? Ericsson? Nokia? Samsung?
Re: (Score:2)
Qualcomm? They're American.
Re: (Score:2)
Google has led me to believe otherwise, so I can't trust you.
Re: (Score:1)
Indeed. In the same time, Cisco had a lot more.
Obvious smear campaign is obvious.
Re: (Score:2, Insightful)
It's not a smear if it's true. Regardless, China is a foreign power and one setting itself up in opposition to western interests. So you see, your own government has a duty to protect you from it ("defence of the realm") and it will do so whether you agree with it or not.
Re: (Score:2)
China is a foreign power and one setting itself up in opposition to western interests.
I believe that is what is called "competition", and it is described as the mainspring of free enterprise capitalism in the opening pages of every economics textbook.
Of course capitalists, like those who have bought and control the US government, hate competition like the gates of Hell. Their idea of paradise is a monopoly, monopsony or as close as they can get. (Like Microsoft and Amazon).
Re: (Score:2)
Indeed. The funny thing is that these so-called capitalists are pretty much opposed to free markets. It is almost like the "free market" is a cover-story and not anything they mean serious.
Re: (Score:2)
Singling somebody out when everybody does it is a smear campaign. Takes 2 brain cells to rub together to see that though and you obviously come up short.
Re: (Score:1)
Huawei CEO came out to tell the world they have never added a backdoor and would never do so.
Clearly he lied. Just because a new backdoor was not found does not mean none exists.
It likely just means they became better at hiding them after they have been caught repeatedly.
Of course he also conveniently forgets to add that as Chinese company they have to silently comply with any request of the Chinese government.
Using Huawei is a bad idea and everyone knows it, but with prices that good which for profit compa
Re: (Score:1)
Chinese manufacturing is cheaper from more than government subsidies. Labor, insurance, etc are all cheaper.
Re: (Score:2)
They're now spinning resolved security vulnerabilities as hidden back-doors. That is so massively dishonest. Well on form for American media, I suppose.
It's a fine example of a double standard. The underlying assumption - which you are supposed to accept without having to be persuaded - is that they are bad and we are good.
Obviously, once the assumption is stated it collapses under its own weight, while everyone for miles around collapses laughing.
Cisco (Score:1)
Has a long history of accidentally shipping equipment with undisclosed ports/accounts left enabled. Then that whole thing with the NSA intercepting routers in the mail. Loving the manufactured outrage here.
Re: (Score:2)
Well, $60 billion a year buys a lot of manufactured outrage. (Among other things).
https://fas.org/irp/budget/ [fas.org]
So they are on par with Cisco? (Score:2)
Well, no. Huawei has to really step up their game. Cisco has a lot of exploitable vulnerabilities and backdoors.
Re: So they are on par with Cisco? (Score:1)
Unfair Cisco has NSA help installing their "vulnerabilities".
Re: (Score:2)
Yeah, c’mon Huawei. If you want to play with the big boys like Cisco, at least hard code an ssh1 password into your equipment. This isn’t difficult; the groundwork’s already been laid.
One wonders (Score:3)
One really wonders about the current state of society when slander campaigns and outright lies are so transparent these days. Not only are people not called out on them, they don't even seem to have any consequences down the line.
I think Zuckerberg could eat a baby on livestream and people would be very outraged... all over Facebook.
The same Bloomberg of Supermicro non-evidence? (Score:1)
Was that article from the same Bloomberg crew that we are still waiting for to present us "spy chips" on SuperMicro boards?
Re: The same Bloomberg of Supermicro non-evidence? (Score:1)
No
10 years ago, solved quickly. What about Cisco? (Score:1)
These were security issues that were found and solved a decade ago. Funny how we don't get to see the same damaging and dishonestly implicating headlines about Cisco equipment, which has been revealed to have multiple actual, real back doors in the last few years.
The whole premise of western and American media is to spin everything to make the east look bad and evil, but as soon as we look past the flimsy facade, it's in fact the American equipment which is exactly as bad, insecure, and subverted as their m
It was Telnet... (Score:5, Informative)
As per the BBC, the "backdoor" was actually just Telnet.
https://www.bbc.co.uk/news/liv... [bbc.co.uk]
"Vodafone said: "The issues in Italy identified in the Bloomberg story were all resolved and date back to 2011 and 2012.
"The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet."
Never attribute to malice what can be explained by (Score:5, Interesting)
I attended a security talk some years back, wherein someone had done code level analysis of Huawei equipment. The presenter explained up front that he went in looking for Chinese back doors.
At some point in time he gave up, because he had found so many code flaws, and vulnerabilities, he concluded that the Chinese government didn't NEED to pay the company to install back doors, and if they had, it would be impossible to distinguish them from the crappy coding that had been done.
Please note, this is not actually a slam at Huawei or Chinese companies in general. No company is immune from the pressures of needing to hit a ship date, and the iron triangle isn't a new thing to any of us. When you can't adjust time, or the size of the shipping product (You didn't ACTUALLY need packet routing in the minimal viable product of our router, did you?) quality is your remaining variable.
This is why state actors will pay hundreds of thousands of dollars for the right vulnerabilities, it's more deniable than paying someone to insert a back door. Not to say that no one has ever decided to code themselves a retirement package, just that the state actor that paid for the retirement has plausible deniability.
Min
Never excuse by incompetence what may be malice (Score:2)
Never excuse by incompetence what could reasonably be malicious, since either way it's unacceptable. Always demand that a culprit be identified before you accept an apology, which is otherwise false.
Backdoors (Score:2)
This is what Huawei gets for stealing IP from Cisco, Motorola and Ericsson.