Chinese networking giant Huawei is battling suggestions it could be in collusion with the Beijing government and could cause massive disruption to UK communications in a future cyber conflict. Concerns have been raised at Cabinet level by senior intelligence officials over the presence of the firm's equipment at the centre of BT …
Vested Interest All Over again
First of all there is a significant vested interest by a specific UK comms provider competing with BT for business here.
Second, there is no networking gear on the market free of key Chinese parts.
Third, there is no networking gear manufacturer that does not have people of Chinese origin in their engineering department. From there on it is technicality - gun to temple of dear grandma in Beijing and voila... Backdoor is there...
So if the Chinese wanted to put a kill switch they could have done so for any network kit.
If there is such a switch, then:
1. It is in the network kit of any provider and the brief given to GCHQ by a certain network provider known for its stellar ineptitude and good gov relationships is full of sh*t. Their network is vulnerable as well.
2. The correct way to deal with it is to mitigate against it by providing suitable resilience.
3. Switches require means to throw them. Even if the gear is potentially compromised it can still be used provided that all the means to activate the switch have been put under control.
Oh, and it is the same provider by the way whose vested interests influenced the Broadband review and a few other quangocracy productions relied upon by Nu Labour. Well done.
Well what is the answer?
Each country makes its own electronics - it is a complete no brainer.
It would supply jobs, it is not that hard to do, it would ensure better competition for resources so some continents don't just get plundered by one or two countries.
There would be more variety, and the world would be a better place.
Make them national as well, and ensure that most in the place are actually working, and not just Gorillas in Suits, pinching everyone else's bananas.
If my experience of Huawei kit is anything to go by, it's no wonder it's 1/3rd of the price.
My 3G dongle loves to crash and reset itself, and the Java based management app likes to write out megabytes of log files (luckily, you don't need to have this running to use the device).
No relationship with Red Army?
Of course no relationship except the founder is an ex Red Army officer. And are people naive enough to think that it would be possible to have such a large company in China without being related to the Chinese Government?
Just a few links:
With the recent news about forced spyware on PCs sold in China, what is there to gain by assuming that the Chinese government has humanistic motives?
Chinese people represent a great culture and history; however, it is a mistake to relate the current government / policies and Chinese history, and this relation is what the government feeds on.
I'm satisfied with their explanation
Huawei is clearly a good company.
How do I know?
Simple. You showed a photo of their headquarters. If they were evil and hell-bent on global domination they'd be based in a volcano and keep pet sharks.
When they stop port scanning, I'll maybe listen!
For the last several weeks my computer has been port scanned - tracked back to what appears to be an official Chinese institution in whois (18.104.22.168).
Emailed the IP address owner - no reply
Emailed the Chinese consul, copied owner - no reply.
Reminder email, no reply.
Will either write (pen and paper!) to the Chinese ambassador, or report the (continuing) incidents to the police for investigation.
Now is the real danger
The Chinese or the likes of short sighted politicians being "rewarded" for allowing such deals.
No links? I can smell it from here!
The Chinese government is so in control of the country that surely anyone wishing to set up some form of manufacturing concern has to deal with them and in so doing signs away certain rights.
Not saying that every company on Chinese soil is under government control, but I'm sure they are watched quite carefully to ensure they do not bring the country in any form of disrepute!
You want cheap products at knock down prices, then you must pay the piper!
Erm, that's called protectionism and it's historically proven to not be a Good Thing.
I'm finding a company whose name sounds like a north-eastern exclamation hard to take seriously as it is, but I certainly agree that basing our nation's communication backbone on what could easily turn out to be compromised kit is definitely an even less Good Thing.
Why do you need to trust the hardware?
If you're doing your communications securely you shouldn't have a problem. Chances are if the "Chinese" aren't listening to your traffic from a Red switch someone else is anyway... so what's the bitch?
China should tell us........
How it is therefore that China supplied hundreds of Chinese manufactured chip and pin machines that ended up in UK (and Europe and elsewhere ??) supermarkets that included in them an extra chip that was shown to automatically send all information such as PIN and card number to a telephone number in Pakistan? If that can happen then god only knows what happens to all their other equipment.
I would not trust ANY Chinese or Pakistan manufactured equipment anyway, leaving aside clear security concerns.
Have you ever heard of IP address spoofing, Malware, botnets or routing through compromised machines to avoid detection? It could just as easily be your neighbour messing around with your wireless connection as be anyone in China.
"2. The correct way to deal with it is to mitigate against it by providing suitable resilience."
Did you read the article?
ALL the manufacturers kit is made in my country. Some of it is designed in my country.
How do you provide resilience in that situation?
"3. <snip> Even if the gear is potentially compromised it can still be used provided that all the means to activate the switch have been put under control."
Wrong again, my unthinking friend. We have designed in, and shipped, a failure mode which will be automatically activated on the 1st of every month unless a certain specific sequence of otherwise ordinary operational commands is received by our equipment in a specific timeframe before the 1st of the month. If that sequence is not received, bye bye Internet.
I am of course only joking.
I'm not Chinese, and they couldn't possibly do something like this to us.
@ Mike Richards
That's a façade. The real headquarters is a tailor's shop in New York.*
*You have to be over a certain age...
Re: When they stop port scanning, I'll maybe listen
I've had this joker as well - they've been looking for open proxies on my web site every day for the past 3 weeks without success (obviously). What the Zigong Sciences Informations Academy (managed by the Data Communication Bureau Of Sichuan Province) wants on my site I can't imagine!
So Huawei has been going for 20-odd years, but it's at a time of global recession that these fears emerge?
Yes I know all the usual (and some unusual!) techniques. This is repetitive, consistent (not rotated IP), and massive (many users affected). I tracked back using a well-known use-on-your-own-network-only network mapping software package.
Yes, I am trapping it at the outer firewall, but it is still a pain in the arrse.
I gave the owner the benefit of the doubt in my original email, but the least that should have been done was an investigation and reply...
Who wants the contract ?
There are vested interests at work in wanting this hardware to be from another location than China.
However, if we make the hardware in the UK it would cost the earth as we would never be able to compete with this company on price and if any other country had any sense then they would not trust us to supply their hardware so the market would be very small indeed.
I think here in the UK the only option is security via diversity. Let's make it a matter of security policy that BT and others acquire their kit from a number of suppliers so reducing the damage any attack can do to the network as a whole.
"In the 1990s stories emerged that the US National Security Agency had for decades allegedly rigged the products of Swiss encryption firm Crypto AG. It was reportedly able to effortlessly decode secret diplomatic and military messages as a result. Similarly, the Israeli government - which probably has closer ties to its commercial technology sector than Beijing does - was accused in 2000 of spying via backdoors in wiretapping equipment supplied to US law enforcement by Comverse Infosys.
Both those firms have continued to thrive despite their alleged sidelines in espionage."
If it's the West, it's OK. It's legitimate for the safety of all.
But if it's anyone we don't like, well...
I'm wondering who could trust a third party company to provide security
I was looking at their products
I was wondering who could actually trust buying his security from a third party company, one just has to pay a higher price to buy access to third parties (actually that could be a "product" not described in the brochure) .. but take a look at the regional sales office location, it is fascinating...
I have somehow a problem here
After the USS Vincennes shot down an Iranian Airbus over the Persian Gulf on July 3, 1988, "Iran vowed that the skies would rain with American blood." A few months later, on Dec. 21, a terrorist bomb brought down Pan Am Flight 103 over Lockerbie, Scotland.
Once more, NSA intercepted and decoded a communication of Iranian Interior Minister Ali Akbar Mohtashemi linking Iran to the bombing of Pan Am 103.
One intelligence summary, prepared by the US Air Force Intelligence Agency, was requested by lawyers for the bankrupt Pan American Airlines through the Freedom of Information Act.
"Mohtashemi is closely connected with the Al Abas and Abu Nidal terrorist groups. He is actually a long-time friend of Abu Nidal. He has recently paid 10 million dollars in cash and gold to these two organizations to carry out terrorist activities and was the one who paid the same amount to bomb Pan Am Flight 103 in retaliation for the US shoot-down of the Iranian Airbus."
Moreover, Israeli intelligence intercepted a coded transmission between Mohtashemi in Teheran and the Iranian Embassy in Beirut concerning the transfer of a large sum of money to the Popular Front for the Liberation of Palestine-General Command, headed by Ahmed Jibril, as payment for the downing of Pan Am 103.
Are we talking of the same event for which there was a lengthy trial and ultimately Libya was forced to pay compensation money?
Indirection & propaganda from the US govt. I think
"Don't look here, look at them!"
The yellow dot stuff hasn't been mentioned for a while
Pushed in by the US.
All said and done though I'd infinitely prefer the US as the superpower over China any day. Except they've totally boiled their economy dry and are effectively bankrupt, so that's soon to be that.
who exactly are you wittering on about? do tell. it'll add some veracity to the post and allow us to have a mooch.
we await with bated beards.
A) some of the hardware is made in the UK (not Huawei's though), and B) they do have multiple suppliers for competing elements, 21cn uses Huawei and FTEL msans, and Huawei and Ciena optical parts.
Huawei, and @DGP
<<"It's about a third of the cost of their competitors, who make theirs in China anyway.">>
When I worked at Nokia (networks) in Rusko, Oulu, Finland, one of the highlights for those customers waiting in reception was to look up and see basestations being manufactured - right in front of their eyes.. I'm seriously quite sure it gave a feeling of confidence. Actually, it made ME feel good to watch the SMD machines running during a coffee-break (OK, sad, or what but...)
Then, we dismantled the entire line, and shipped it to China. Now "Made in China" is normal.
@DGP <<If you're doing your communications securely you shouldn't have a problem. Chances are if the "Chinese" aren't listening to your traffic from a Red switch someone else is anyway... so what's the bitch?>>
Nope, they are! The Rice-guzzlers won't permit the A5/1 (?) security algorithm to be used - they want to hear what you're saying. So, speak Finnish. Or Engrish, with a Brummie accent. And use the letter "R" a lot. That fuc*ks 'em.
Of course every machine on the planet that is portscanning is those evil intelligent operatives (who are stupid enough to act from a traceable machine).
My guess would be automated scanning from a malware infection, and I'd rule out address spoofing when linked to port scanning as TCP requires the three way handshake (and I don't see much UDP scanning at the moment).
I wouldn't waste my time trying to contact the system owners. You're going to be *VERY* busy if you respond to all the background noise associated with being attached to the intertubes.
This is a simple remedy.
Make the concerned people sign an NDA and let them examine the coding.
Then with that same tested and tried CLEAN code then flash the hardware.
Also have the hardware inspected visually so visual confirmation can be made.
If concerned people wanted to..... they could add to the programming some kind of obfuscation so no direct linking or embedding or tapping of wires could intercept data.
Not too hard to do.
Re: When they stop port scanning, I'll maybe listen
/var/log # grep :1080 security | cut -d " " -f 1,2,3,8,9,10
Jun 12 11:51:56 Deny TCP 22.214.171.124:12200
Jun 12 13:27:39 Deny TCP 126.96.36.199:12200
Jun 12 15:04:04 Deny TCP 188.8.131.52:12200
/var/log # grep :3128 security | cut -d " " -f 1,2,3,8,9,10
Jun 12 05:25:17 Deny TCP 184.108.40.206:12200
Jun 12 11:52:04 Deny TCP 220.127.116.11:12200
Jun 12 13:27:48 Deny TCP 18.104.22.168:12200
Jun 12 13:55:23 Deny TCP 22.214.171.124:12200
Jun 12 14:25:56 Deny TCP 126.96.36.199:12200
Jun 12 15:04:13 Deny TCP 188.8.131.52:12200
Jun 12 15:59:37 Deny TCP 184.108.40.206:6000
/var/log # grep :8000 security | cut -d " " -f 1,2,3,8,9,10
Jun 12 05:25:21 Deny TCP 220.127.116.11:12200
Jun 12 08:13:55 Deny TCP 18.104.22.168:12200
Jun 12 10:41:27 Deny TCP 22.214.171.124:12200
Jun 12 11:52:08 Deny TCP 126.96.36.199:12200
Jun 12 13:27:52 Deny TCP 188.8.131.52:12200
Jun 12 13:39:25 Deny TCP 184.108.40.206:12200
Jun 12 13:55:24 Deny TCP 220.127.116.11:12200
Jun 12 14:04:51 Deny TCP 18.104.22.168:12200
Jun 12 14:43:18 Deny TCP 22.214.171.124:12200
Jun 12 15:04:17 Deny TCP 126.96.36.199:12200
/var/log # grep :8080 security | cut -d " " -f 1,2,3,8,9,10
Jun 12 08:13:57 Deny TCP 188.8.131.52:12200
Jun 12 11:52:01 Deny TCP 184.108.40.206:12200
Jun 12 12:45:59 Deny TCP 220.127.116.11:12200
Jun 12 13:27:43 Deny TCP 18.104.22.168:12200
Jun 12 13:55:26 Deny TCP 22.214.171.124:12200
Jun 12 14:04:49 Deny TCP 126.96.36.199:12200
Jun 12 15:04:08 Deny TCP 188.8.131.52:12200
It has become so common that it is considered Internet background noise. You won't get a reply from the controlling NOC and you won't stop it because it's a combination of Chinese people trying to get around The Great Firewall and the Chinese Authorities trying to get there first. Just blackhole it, let them hear the sound of one hand clapping and get on with your life.
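As an added example (not part of the original comments), the manual grep above can be turned into a check that flags any source denied on several of the four proxy ports in one pass. The log line layout and all addresses here are assumptions: the thread's output was trimmed with cut, so the firewall's real format is not shown.

```python
import re
from collections import defaultdict

# Destination ports grepped for in the comment above (common open-proxy ports).
PROXY_PORTS = {1080, 3128, 8000, 8080}

# Assumed layout: "<timestamp> <host> Deny TCP <src>:<sport> -> <dst>:<dport>".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8})\s.*?\bDeny\s+TCP\s+"
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)"
)

# Constructed sample log; addresses come from the documentation ranges.
SAMPLE_LOG = """\
Jun 12 05:25:17 fw Deny TCP 203.0.113.7:12200 -> 192.0.2.10:3128
Jun 12 05:25:21 fw Deny TCP 203.0.113.7:12200 -> 192.0.2.10:8000
Jun 12 08:13:57 fw Deny TCP 203.0.113.7:12200 -> 192.0.2.10:8080
Jun 12 11:51:56 fw Deny TCP 203.0.113.7:12200 -> 192.0.2.10:1080
Jun 12 11:52:04 fw Deny TCP 203.0.113.7:12200 -> 192.0.2.10:3128
Jun 12 12:01:10 fw Deny TCP 198.51.100.23:40122 -> 192.0.2.10:22
Jun 12 12:30:00 fw Deny TCP 198.51.100.99:51515 -> 192.0.2.10:8080
Jun 12 13:00:00 fw Accept TCP 198.51.100.5:50000 -> 192.0.2.10:80
malformed line
"""


def proxy_probers(log_text, min_ports=3):
    """Return {source_ip: summary} for sources denied on >= min_ports proxy ports."""
    seen = defaultdict(
        lambda: {"ports": set(), "hits": 0, "first": None, "last": None}
    )
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not a denied TCP packet, or not parseable
        dport = int(m["dport"])
        if dport not in PROXY_PORTS:
            continue  # denied, but not a proxy-hunting probe
        entry = seen[m["src"]]
        entry["ports"].add(dport)
        entry["hits"] += 1
        entry["first"] = entry["first"] or m["ts"]
        entry["last"] = m["ts"]
    # Keep only sources that swept several proxy ports, not one-off hits.
    return {
        src: {**e, "ports": sorted(e["ports"])}
        for src, e in seen.items()
        if len(e["ports"]) >= min_ports
    }


if __name__ == "__main__":
    for src, info in proxy_probers(SAMPLE_LOG).items():
        print(src, info["ports"], info["hits"], info["first"], info["last"])
```
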
Huawei don't just produce mobile telephony equipment but let's ignore that for argument's sake. Ciphers like A5/1 only protect your channel up to your provider, so no that's not secure communication is it. I can remember going into a BT exchange with my dad's mate when I was a kid.. said mate whipped some sort of line tester and plugged it in and some random's phone jibber jabber came out. Moral of the story: there's nothing to stop any upstream provider spying on your communications if you don't secure your channel between A and B.
But OT; But the other half, being of the race guzzler south east asian variety, assures me she can understand "the letter R" just fine. I believe most "Rice-guzzlers" can't hear a difference in the sounds produced by "the letter L" and "the letter R", but that doesn't stop them learning the spelling of a word does it?
Protectionism is not proven to be bad
by history, if anything it is the reverse. It is much better for any country to be self reliant.
Protectionism is a Good Thing, when it comes to critical elements of an economy. No need to protect luxuries, but electronics, arms, food, land those should all be protected and you will find most are, just not electronics because it is new.
Look at Africa they don't protect, and they are just being resource raided, to the detriment of the populace.
Everything in China is dual use (military/civilian), why are people surprised here?
Everything Chinese should be banned
from civilized world. Same holds for Russian, Pakistani, Lebanese, Palestinian and so on. All Huawei equipment found inside the civilized world, must be replaced by AL/NSN/Ericsson/Cisco or Nortel equivalent and burnt.
..It was Tong (oops) in cheek. You're almost right - but can the service provider eavesdrop?
So, why would the - ok, "Rice-guzzlers" - insist on the A5/0 (practically unencrypted) algorithm in a GSM network? A BT exchange doesn't use this kind of algorithm. Nokia marketed the algorithm for the Chinese market. They'd have sold Jack Shitt if they hadn't.
Else, why, when I, as a BT engineer - I use the term loosely - had to check the orange alarms on a Strowger Switch* by plugging in a "butt"§ to check the line was in use, rather than someone knocked the bedroom phone handset off in a fit of passion? I heard conversations. Nice ones, sometimes...
(No disrespect to your "Her Indoors" intended, BTW).
* Strowger switch - also known as a "Monkey-on-a-pole"
§ Butt- small rubberised handset used for testing, in case the 'Merkans get hot under the collar.
I always thought it was better to drop a packet than deny it. That way the connecting machine doesn't see a reject, it just never hears an acknowledgement.
This should slow down their port scanning as each connection attempt will wait for a reasonable period before timing out, time it could be scanning another IP or Port on your machine or the next one in the list.
Why put all eggs in one basket?
Why don't they simply buy equipment from multiple companies. They need redundant equipment anyhow.
@AC Sun 18:24
"Deny" on this system is equivalent to "drop" on others (in fact, drop and deny are interchangeable). It silently blackholes the packet and doesn't send a RST. With a few sysctl tweaks you can have this as the default behaviour of any closed ports exposed, too. The "reset" action would give the (bad) behaviour you describe. Good heads-up, though, and you're quite right that the "stealth" response to a blocked packet has always been best practice.
Nice story but poor reporting
"at Cabinet level by senior intelligence officials ", remember as a journalist, you should prefer facts and avoid rumour. I suspect that your story stems from a number of vendors who have briefed against Huawei who were upset that they won a nice chunk of CN21. If you ask around, you will find that in certain places, particularly the far east, Huawei offer products at a fraction over costs into what are perceived as strategic accounts. At a margin that few western vendors can compete at.
Companies like Huawei benefit from cheap credit from state sponsored banks, lenient labour laws with low wages with far better access to a growing internal market than western rivals. The red herring of national security makes a nice headline but the substance of this story is weak and below the normal standard set by el Reg. Exclusive, yes - good reporting, definitely not!
Although it was well written :)
the beyond IT view
You all only see what has happened on your part and the IT part but the Chinese part.
When you buy a bargain like that, do you know how many rural labor that moved into cities works 10 hours or more non-stop, on the stream line? And how much they earn?
When you buy those bargains you are creating market disorder for the future and you are helping the Chinese gov to make their flawed stats and economic victory at the cost of both environment and morality look better.
Maybe I am trolling, I am sorry, but just think about it.
I bet Huawei kit would not have been included...
..if they were Russian.
One point about Huawei's competitors: Whilst their hardware is made in China or elsewhere in SE Asia, their software is typically produced at home.