Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
China United Kingdom United States Technology

Vodafone Says It Found Hidden Backdoors in Huawei Equipment (bloomberg.com) 166

For months, Huawei has faced U.S. allegations that it flouted sanctions on Iran, attempted to steal trade secrets from a business partner and has threatened to enable Chinese spying through the telecom networks it's built across the West. Now Vodafone Group has acknowledged to Bloomberg that it found vulnerabilities going back years with equipment supplied by Shenzhen-based Huawei for the carrier's Italian business. From the report: While Vodafone says the issues were resolved, the revelation may further damage the reputation of a major symbol of China's global technology prowess. Europe's biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier's fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone's security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.
This discussion has been archived. No new comments can be posted.

Vodafone Says It Found Hidden Backdoors in Huawei Equipment

Comments Filter:
  • Interesting Spin.. (Score:5, Insightful)

    by Anonymous Coward on Tuesday April 30, 2019 @03:46AM (#58514868)

    Vodafone says they found "vulnerabilities", without any further qualification. Suddenly in Bloomberg those become "hidden backdoors". Seems like someone has an agenda

    • by AmiMoJo ( 196126 ) on Tuesday April 30, 2019 @04:00AM (#58514910) Homepage Journal

      Even TFA notes that it's not uncommon to find security flaws in networking hardware. In fact I doubt there is a single manufacturer of network hardware who hasn't got at least one CVE.

      This is a complete non-story.

      • by Anonymous Coward on Tuesday April 30, 2019 @04:11AM (#58514940)
        Some manufacturers, like Cisco, have several hundred CVEs against them for hard coded credentials. Why aren't the governments of the world clamouring to rid their networks of Cisco crapola?
        • by Anonymous Coward on Tuesday April 30, 2019 @05:06AM (#58515112)

          Because China is a communist dictatorship, responsible for the vast majority of corporate espionage across the world today, whereas the other is your own fucking government, tasked with defending your fat, hairy arse against Chinese threats to your economic and physical security.

          • by Anonymous Coward on Tuesday April 30, 2019 @05:15AM (#58515140)

            the other is your own fucking government, tasked with defending your fat, hairy arse against Chinese threats to your economic and physical security

            Not at all, the government that is pressing me to accept their propaganda is definitely not my own fucking government, and them spying on me isn't defending my hairy arse against anyone.

            This very same government used to point nuclear warheads and other weaponry at me 30 years ago and today supports mafia mobsters operating my country, something the Chinese government has never done.

            So, fuck off. You don't want to buy Huawei, fine. It is not your business what everyone else is buying.

          • Hahahahahaha! Highly satiricial.

        • by ArhcAngel ( 247594 ) on Tuesday April 30, 2019 @08:18AM (#58515804)
          Since you didn't provide any verification I will. [slashdot.org] But what's even stranger is going after one Chinese company while leaving others alone. Sure the founder of Huawei comes from the Chinese military but as a communist country China can control all of these companies not just Huawei. This smells of three letter agency cloak and dagger.
        • Some manufacturers, like Cisco, have several hundred CVEs against them for hard coded credentials. Why aren't the governments of the world clamouring to rid their networks of Cisco crapola?

          Rubbing salt into the wound, there's a story on Techcrunch about hackers breaking into Cisco and going undetected for six months. They stole files that 'may have' info about employees and beneficiaries, including social security numbers, and financial information.

          https://techcrunch.com/2019/04/30/citrix-internal-network-breach/ [techcrunch.com]

      • by ilguido ( 1704434 ) on Tuesday April 30, 2019 @05:12AM (#58515128)

        This is a complete non-story.

        This is propaganda. It is the second story about Huawei and "security" today.

        • by Archtech ( 159117 ) on Tuesday April 30, 2019 @05:22AM (#58515156)

          Exactly so. It is propaganda - as I put it in an earlier reply, a powerful narrative carefully tailored to appeal to the ignorant and prejudiced, based on no valid facts at all.

          • by Anonymous Coward

            https://www.networkworld.com/article/2223272/60-minutes-torpedoes-huawei-in-less-than-15-minutes.html

            Yeah everything is propaganda, the dozens of times Huawei was caught stealing and snooping is propaganda, Trump's tax returns are propaganda so we shouldn't look.

              You're an illiterate moron.

        • by Oswald McWeany ( 2428506 ) on Tuesday April 30, 2019 @07:31AM (#58515588)

          This is a complete non-story.

          This is propaganda. It is the second story about Huawei and "security" today.

          Obviously something is going on; either Huawei are up to no good, or there is an active campaign to smear them.

          Is it theoretically possible, and believable, that the Chinese government is using electronics companies to spy on the West? Yes, that is a believable scenario.
          Is it theoretically possible, and believable, that the White House is orchestrating a smear campaign against Huawei and pulling strings? Yes, sadly, that sort of duplicity is possible too.

          I can't say with entirety which scenario is correct, but honestly, the former scenario (spying) is probably more likely. It seems odd that, Huawei, specifically would be targeted if this was about trade.

          • by ilguido ( 1704434 ) on Tuesday April 30, 2019 @07:56AM (#58515670)
            You are missing one important element. We know for sure that NSA [infoworld.com] and CIA and other three letters agencies are currently spying on us all. If Huawei equipment replace Cisco equipment or other NSA-compliant equipment, the three-letters gangs can no longer spy as easily as they do today. It is about spying, but they are not concerned about Chinese spying, as much as they are concerned about them not spying.
            • by Anonymous Coward

              https://www.networkworld.com/article/2223272/60-minutes-torpedoes-huawei-in-less-than-15-minutes.html

                  Yeah everything is propaganda, the dozens of times Huawei was caught stealing and snooping is propaganda, Trump's tax returns are propaganda so we shouldn't look.

                      You're an illiterate moron.

          • by AmiMoJo ( 196126 )

            Huawei is targeted because they are way ahead in 5G tech and own a lot of the key patents that must be licenced to implement it. They are therefore a major threat to US technology firms and an ideal target in the trade war.

            It makes little sense for the Chinese government to bug Huawei hardware. The damage it would do to Chinese companies and the Chinese economy is obvious, and China generally doesn't get involved in the kind of politiking that would benefit from it anyway. Where China does spy it tends to b

          • Obviously something is going on; either Huawei are up to no good, or there is an active campaign to smear them.

            False dichotomy. Both things can be true. If you knew someone was up to something but you couldn't prove it for whatever reason, would you just sit back and watch it happen, or would you try to interfere?

          • I have no dog in this fight, I made peace with the idea that I am being spied on in innumerable, unavoidable ways just by living my daily life, and that fact is almost completely out of my control. However:

            Is it theoretically possible, and believable, that the White House is orchestrating a smear campaign against Huawei and pulling strings? Yes, sadly, that sort of duplicity is possible too.

            Knowing what we know of the current administration, do they really seem competent enough to pull this off? Think of the favor wrangling this would require, and the constant leaking of every other attempt at favor wrangling which has been reported to date. Maybe the FBI or CIA, sure, I could see that.

      • by Archtech ( 159117 ) on Tuesday April 30, 2019 @05:20AM (#58515150)

        This is a complete non-story.

        To be more precise, this is a heavily biased story based on no credible or valid facts. As Caitlin Johnstone explains, the great majority of people are far more interested in narratives than in facts. Once they have accepted a narrative that appeals to their instincts and prejudices, no amount of facts or figures can dislodge it.

        https://caitlinjohnstone.com/2... [caitlinjohnstone.com]

        • by Anonymous Coward

          https://www.networkworld.com/article/2223272/60-minutes-torpedoes-huawei-in-less-than-15-minutes.html

          Yeah everything is propaganda, the dozens of times Huawei was caught stealing and snooping is propaganda, Trump's tax returns are propaganda so we shouldn't look.

          You're an illiterate moron.

      • by flux ( 5274 )

        Most people in Finland as well speak English - and the language couldn't be further different from English. But we do have subtitles.

        • Comment removed based on user account deletion
        • Most people in Finland as well speak English - and the language couldn't be further different from English. But we do have subtitles.

          I can't believe some people still think Brexit is a good idea.

      • by umghhh ( 965931 )

        The world is not flat and even if all do use the same tricks it makes a difference if these are against structures that are foundations of our society or against foundations of some other society.
        There is a difference then if the supplier with backdoors in its switching merchandise is under control of our or their government. This is that simple.

      • by comrade.putin ( 1235862 ) on Tuesday April 30, 2019 @08:19AM (#58515810)

        Didn't Bloomberg get caught with its pants down already when they presented the supermicro supply chain vulnerability with zero proof, which also ended up being a non story?

      • AmiMoJo shilling for the Chinese. Whodathuinkit?

    • by gweihir ( 88907 )

      Obviously. At least to an expert, their claim is a direct lie. Also, if we count vulnerabilities now as "backdoors", then Cisco equipment, for example, is full of them.

      • by DarkOx ( 621550 )

        Without knowing the specifics of the vulnerabilities and maybe even seeing the source code behind them its hard to say if it is malicious or just erroneous. I do a lot of software security assessments even in 2019 I still find things like SQL injection in recently developed software. Now I would argue that NOT happen because unless your building something bespoke and very very esoteric some ORM or at least prepared statement interface should work for you need to do.

        I don't think for a second everything SQ

        • Well with Cisco you even have this level of incompetence: https://www.bleepingcomputer.c... [bleepingcomputer.com]
          • by gweihir ( 88907 )

            There are a lot of people that should know better, but do not. You can, for example, still study web-engineering and never take any security lectures in many places.

        • by gweihir ( 88907 )

          I agree. In particular 3) is a frequent occurrence, but 1) (also in the form of "manager does not give enough time) and 2) are regularly observable. Now, it seems this was a telnet-port that remained open and that is something that is not "hidden" in any sane sense of the word. And it is not hard to find when you know what you are doing either, a simple nmap run is enough. Of course, you need the running system for that and hence it does take some effort and you need to understand what you are doing. But so

        • ÂWithout knowing the specifics of the vulnerabilitiesÂ

          The Âbackdoor is Telnet. Vodafone instructed Huawei to uninstall Telnet. Huawei agreed to do that, but didn't, because they needed it for installation and test. It sounds from the story like they only killed it.

          • by gweihir ( 88907 )

            They must have reactivated it somehow, because a non-running telnet server is not a security issue at all. Sounds like plain old incompetence to me.

    • by Freischutz ( 4776131 ) on Tuesday April 30, 2019 @04:59AM (#58515094)

      Vodafone says they found "vulnerabilities", without any further qualification. Suddenly in Bloomberg those become "hidden backdoors". Seems like someone has an agenda

      Funny that, isn't it? If we are going to equate every 'vulnerability' in Huawei gear with 'a back door deliberately installed by Chinese intelligence' rather than just resign ourselves to the fact that Huawei home routers are bug riddled pieces of garbage like everybody else's then every 'vulnerability' discovered from now on in the routers of a whole legion of manufacturers must be assumed to be a 'back-door' installed by the intelligence service of the country each manufacturer operates from. Also, Huawei is not exactly alone in this kind of thing, https://tech.slashdot.org/stor... [slashdot.org]. But that aside the really funny bit here is that they quote this professor who says:

      “There’s no specific way to tell that something is a backdoor and most backdoors would be designed to look like a mistake,”

      so, basically, back-doors and vulnerabilities are indistinguishable from each other. Then he goes on to say:

      “That said, the vulnerabilities described in the Vodafone reports from 2009 and 2011 have all the characteristics of backdoors: deniability, access and a tendency to be placed again in subsequent versions of the code,” he said.

      So in other words back-doors and vulnerabilities are indistinguishable from each other except when they are in Huawei equipment? So which is it Professor? ... are back-doors and vulnerabilities indistinguishable from each other or not? ... or does that apply varyingly depending on what best suits your political agenda in each case? I direct your attention back to this Slashdot article: https://tech.slashdot.org/stor... [slashdot.org] were those 'back-doors' intentionally installed by the CIA/NSA or just Cisco being incompetent? Is there a way to tell the difference in this case between a 'vulnerability' and an intentionally installed 'back-door'? Or is it conveniently impossible to tell the difference in this particular case?

      Personally I'm going to stick with the opinion that if you are country X, where X != {China,Russia,America}, then being spied on is unavoidable and that being spied on by China because ... "China first!!!! is indistinguishable from being spied on by Russia because ... "Russia first!!!! which in turn is indistinguishable from being spied on by America because ... "America first!!!!". Furthermore, anybody who thinks they can be secure without encrypting everything at the point of origin, decrypting it at the point of receipt and making heavy use of air gaps, intrusion detection and firewalls is dumber than a bag of hammers. And, no, I do not really care that Americans/Russians/Chinese could be spied on by their own governments since I'm not American/Russian/Chinese and the former two, at least, got what they voted for.

      • “That said, the vulnerabilities described in the Vodafone reports from 2009 and 2011 have all the characteristics of backdoors: deniability..."

        The very first feature he claims to be characteristic of backdoors is "deniability".

        (Pause to let the huge burst of universal laughter die down).

        So if the Chinese deny that something is a backdoor, that (in the professor's odd little universe) proves that it is a backdoor. No doubt there is a Latin name for that particular fallacy - or maybe not. I doubt if the

        • So if the Chinese deny that something is a backdoor, that (in the professor's odd little universe) proves that it is a backdoor. No doubt there is a Latin name for that particular fallacy - or maybe not. I doubt if the Latin and Greek rhetoricians would have stooped to describing such a blatant and transparent piece of deceit.

          It is a variant of the "ad hominem" fallacy. The unexpressed hypothesis here is "Chinese are treacherous" (which is both "ad hominem" and borderline racist), hence if they say something you know it is not true and they are for sure trying to trick you.

          It is also a "ignoratio elenchi", because he deliberately ignores the matter of the problem to better gaslight the reader. However every "ad hominem" fallacy is also a "ignoratio elenchi".

      • by AmiMoJo ( 196126 )

        At least in Huawei's case it seems like a genuine screw-up that was quickly fixed. Cisco deliberately installed actual backdoors via hard coded accounts and passwords, for support staff to use.

        And why all the focus on Huawei home routers? TP-Link are also Chinese and sell a huge amount of gear in the consumer and SOHO space, mainly because they are reasonably priced and actually kinda decent for what they are.

        • At least in Huawei's case it seems like a genuine screw-up that was quickly fixed. Cisco deliberately installed actual backdoors via hard coded accounts and passwords, for support staff to use.

          And why all the focus on Huawei home routers? TP-Link are also Chinese and sell a huge amount of gear in the consumer and SOHO space, mainly because they are reasonably priced and actually kinda decent for what they are.

          I just assume that I'm being spied on. Most of the time I don't really care. I do, however, take appropriate precautions (read: encryption, firewalls, intrusion detection, air gaps) mostly because of the malicious joy I derive from knowing that I have added a bit to the ever increasing flood of encrypted traffic that US/Russian/Chinese intelligence have to spend money to laboriously decrypt in just in order to be able to tell whether it is even interesting for them. I see it as job creation for network tech

    • by Kartu ( 1490911 )

      Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

    • Anyone that has trust in Chinese companies or the Chinese government, has never done business in China.
    • Bloomberg is almost continuously pumping adverse material related to Huawei.
    • Sounds like we should be ENCOURAGING them to sell to Iran.

    • Vodafone says they found "vulnerabilities", without any further qualification. Suddenly in Bloomberg those become "hidden backdoors". Seems like someone has an agenda

      It is obvious that you do

  • Comment removed (Score:5, Informative)

    by account_deleted ( 4530225 ) on Tuesday April 30, 2019 @03:49AM (#58514874)
    Comment removed based on user account deletion
    • Re: (Score:3, Insightful)

      by wierd_w ( 1375923 )

      Ever noticed how people who cheat on their spouse are the most paranoid about their spouse cheating on them?

      Makes you wonder about US vendors, doesn't it? (or rather, the US government, and its relationship with US vendors, and how the US is so paranoid of foreign vendors.)

      • Re: (Score:3, Informative)

        by gweihir ( 88907 )

        There is no need to wonder about US vendors. They are known to be all compromised. Huewei is still a "probably".

      • by fazig ( 2909523 )
        Yeah, sure I noticed that. It's popular armchair psychology.
        I usually discard that kind of reasoning because without proof that this is actually the case for the individual in question, it's little more than a petty ad hominem circumstantial along a similar bullshit line of logic as "If you've got nothing to fear, you've got nothing to hide".

        At the end of the day, before we make a decision which devices to use, we should thoroughly test all kinds of communication hardware for security flaws and potential
      • by msauve ( 701917 )
        "Makes you wonder about US vendors, doesn't it?"

        So, exactly which US 5G cellular base station vendors do you have in mind? Ericsson? Nokia? Samsung?
    • by gweihir ( 88907 )

      Indeed. In the same time, Cisco had a lot more.

      Obvious smear campaign is obvious.

      • Re: (Score:2, Insightful)

        by Anonymous Coward

        It's not a smear if it's true. Regardless, China is a foreign power and one setting itself up in opposition to western interests. So you see, your own government has a duty to protect you from it ("defence of the realm") and it will do so whether you agree with it or not.

        • China is a foreign power and one setting itself up in opposition to western interests.

          I believe that is what is called "competition", and it is described as the mainspring of free enterprise capitalism in the opening pages of every economics textbook.

          Of course capitalists, like those who have bought and control the US government, hate competition like the gates of Hell. Their idea of paradise is a monopoly, monopsony or as close as they can get. (Like Microsoft and Amazon).

          • by gweihir ( 88907 )

            Indeed. The funny thing is that these so-called capitalists are pretty much opposed to free markets. It is almost like the "free market" is a cover-story and not anything they mean serious.

        • by gweihir ( 88907 )

          Singling somebody out when everybody does it is a smear campaign. Takes 2 brain cells to rub together to see that though and you obviously come up short.

    • by Anonymous Coward

      Huawei CEO came out to tell the world they have never added a backdoor and would never do so.

      Clearly he lied. Just because a new backdoor was not found does not mean none exists.
      It likely just means they became better at hiding them after they have been caught repeatedly.

      Of course he also conveniently forgets to add that as Chinese company they have to silently comply with any request of the Chinese government.

      Using Huawei is a bad idea and everyone knows it, but with prices that good which for profit compa

  • by Anonymous Coward

    Has a long history of accidentely shipping equipment with undisclosed ports/accounts left enabled. Then that whole thing with the NSA intercepting routers in the mail. Loving the manufactured outrage here.

    • Well, $60 billion a year buys a lot of manufactured outrage. (Among other things).

      https://fas.org/irp/budget/ [fas.org]

      • by Anonymous Coward

        https://www.networkworld.com/article/2223272/60-minutes-torpedoes-huawei-in-less-than-15-minutes.html

        Yeah everything is propaganda, the dozens of times Huawei was caught stealing and snooping is propaganda, Trump's tax returns are propaganda so we shouldn't look.

                You're an illiterate moron.

  • Well, no. Huawei has to really step up their game. Cisco has a lot of exploitable vulnerabilities and backdoors.

    • by Anonymous Coward

      Unfair Cisco has NSA help installing their "vulnerabilities".

    • Yeah, c’mon Huawei. If you want to play with the the big boys like Cisco, at least hard code an ssh1 password into your equipment. This isn’t difficult; the groundwork’s already been laid.

  • by Kokuyo ( 549451 ) on Tuesday April 30, 2019 @04:39AM (#58515046) Journal

    One really wonders about the current state of society when slander campaigns and outright lies are so transparent these days. Not only are people not called out on them, they don't even seem to have any consequences down the line.

    I think Zuckerberg could eat a baby on livestream and people would be very outraged... all over Facebook.

  • Was that article from the same Bloomberg crew that we are still waiting for to present us "spy chips" on SuperMicro boards?

  • Provocative headline Getting traffic. Very old incident but resonates more now with the pressure from Trump to dump Huawei.
  • These were security issues that were found and solved a decade ago. Funny how we don't get to see the same damaging and dishonestly implicating headlines about Cisco equipment, which has been revealed to have multiple actual, real back doors in the last few years.

    The whole premise of western and American media is to spin everything to make the east look bad and evil, but as soon as we look past the flimsy facade, it's in fact the American equipment which is exactly as bad, insecure, and subverted as their m

  • It was Telnet... (Score:5, Informative)

    by Retron ( 577778 ) on Tuesday April 30, 2019 @07:16AM (#58515538)

    As per the BBC, the "backdoor" was actually just Telnet.

    https://www.bbc.co.uk/news/liv... [bbc.co.uk]

    "Vodafone said: "The issues in Italy identified in the Bloomberg story were all resolved and date back to 2011 and 2012.

    "The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet."

    • My personal opinion is that any vendor still using telnet is either stupid or negligent or lazy. There are no details but even if it was only accessible from inside a LAN, it is a risk. SSH has been around for 20+ years as a Telnet replacement.
  • I attended a security talk some years back, wherein someone had done code level analysis of Huawei equipment. The presenter explained up front that he went in looking for Chinese back doors.

    At some point in time he gave up, because he had found so many code flaws, and vulnerabilities, he concluded that the Chinese government didnâ(TM)t NEED to pay the company to install black doors, and if they had, it would be impossible to distingish them from the crappy coding that had been done.

    Please note, this is not actually a slam at Huawei or Chinese companies in general. No company is immune from the pressures of needing to hit a ship date, and the iron triangle isnâ(TM)t a new thing to any of us. When you canâ(TM)t adjust time, or the size of the shipping product (You didnâ(TM)t ACTUALLY need packet routing in the minimal viable product of our router, did you?) quality is your remaining variable.

    This is why state actors will pay a hundreds of thousands of dollars for the right vulnerabilities, itâ(TM)s more deniable then paying someone to insert a back door. Not to say that no one has ever decided to code themselves a retirement package, just that the state actor that paid for the retirement has plausible deniability.

    Min

  • This is what Huawei gets for stealing IP from Cisco, Motorola and Ericsson.

  • I think 99% of phones are made in China. Who's to say they don't make sure every iPhone, Samsung, etc doesn't have at least one backdoor entrance?
    • Yes my phone could have a backdoor; however, my company is not running all the company’s data through my phone. My company’s ISP is not running our Internet through my consumer phone.
  • COMMIES! #ColdWarFeelings
  • Apparently it had Telnet installed, something that hackers use, along with Unix or those whistle things
  • The main reason the US doesn't want 5 Eyes allies using Huawei gear is then the US NSA can't use the back doors it has in all the other network gear. The way I see it, I'm much less at risk of problems from the Chinese Government spying on me than the US government. (Typed on my Huawei phone)

Sentient plasmoids are a gas.

Working...