Huawei networking kit gets the green light from Blighty's spooks

A board put together to double-check the work of a British government team set up to investigate Huawei has given the Chinese giant a clean bill of health. The Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board was established in early 2014 on the recommendation of the UK National Security Adviser. The board is …

  1. Aitor 1

    So unsafe

    If they give the green light, we can be sure that it is UNSAFE, at least from UK spooks.

    1. Anonymous Coward
      Big Brother

      Re: So unsafe

      "we can be sure that it is UNSAFE"

      Backdoor added. Check.

      1. Anonymous Coward

        Re: So unsafe

        Backdoor is there by SPEC.

        It is mandated by internal Chinese government tender requirements and it is officially published.

        1. Sir Runcible Spoon

          Re: So unsafe

          GCHQ are now happy that they have been given the keys to the backdoor more like.

  2. Anonymous Coward
    WTF?

    A recommendation of sorts...

    Now that GCHQ have given Huawei kit their seal of approval I definitely won't be buying any.

    1. Anonymous Coward

      Re: A recommendation of sorts...

      So whose would you use? Stuff from the US / NSA?

      1. Gordon 10
        Thumb Up

        Re: A recommendation of sorts...

        Indeed - it pragmatically comes down to *if* it is compromised - which compromisee is least likely/able/willing to use against you.

  3. Anonymous Coward

    Speculative speculation

    Huawei kit is blacklisted by US spooks based on the NSA's ability to either intercept or force disclosure of critical vulnerabilities that are reported to CISCO about CISCO's kit. At least one yet-to-be-patched vulnerability gives spooks backdoor access to typically all kit of that supplier. US spooks assume that the Chinese Gov't has either a similar intercept or forced disclosure agreement in place with Huawei (or that they will develop this in the near future).

    Therefore all Huawei kit has to be considered insecure. (Same for CISCO etc just a different adversary).

    The UK government have basically done a "what are your processes for patch implementation" which of course passed. The US Govt can't warn the UK Govt about this "type" of risk because that would mean disclosing that they have the same capabilities over kit made by US suppliers.

    1. Yet Another Anonymous coward Silver badge

      Re: Speculative speculation

      The UK govt can't say it's insecure without the public demanding that Chinese-made kit is all ripped out of every govt/police/school/hospital which might cost a few quid - and be followed by a Chinese ban on Downton Abbey tea-towels or whatever it is we export to China.

  4. Anonymous Coward

    No problem. Plenty of other vendors are neither US nor China based.

  5. Anonymous Coward

    Wanted: a switch I can examine..

    What I would really like to get my hands on is a network switch with firmware I can examine. I have everything else, but I need a smart switch so I can enable/disable ports on remote.

    I'd be obliged if anyone can point me at a supplier who uses firmware that can be evaluated.

    1. Anonymous Coward

      Re: Wanted: a switch I can examine..

      "I have everything else,"

      Really? I bet you don't have access to the firmware on your hard discs. Are you really using a free and open BIOS? I assume you are running Linux or a BSD and presumably you have compiled it yourself from scratch, via a trusted compiler. Note that even using Gentoo is considered cheating here.

      Unless all you have is a switch with nothing connected to it, then I don't believe you. On the other hand if you do have anything more complex than a toothpick plugged into it, you have more to worry about than your switch's firmware.

      1. Anonymous Coward

        Re: Wanted: a switch I can examine..

        "Really? I bet you don't have access to the firmware on your hard discs. Are you really using a free and open BIOS? I assume you are running Linux or a BSD and presumably you have compiled it yourself from scratch, via a trusted compiler."

        Sigh. OK, let me complete that sentence then: "I have everything else to a level that I consider an acceptable risk" - and by that I mean kit with firmware that I have the sources to, and the hardware designs. The reason for that is simple: it's mine.

        I still don't have an in-depth view of what goes on inside the actual CPU and disk firmware is a black box, but I know what's in my BIOS. I also know from the very early Internet firewalling days just what a ruddy pain in the rear it is to write something that must access information several layers higher up the stack because it becomes a painful game of variables - I'm not so worried there.

        But I still need a switch I can trust, or at least take apart to a level that I can trust it to do what I want and nothing more.

  6. choleric

    Same again for Cisco please

    Now can we have the same rigour applied to Cisco, Juniper et al? Or should they be considered as automatically above board because they are not Chinese?

    1. Anonymous Coward

      Re: Same again for Cisco please

      "Now can we have the same rigour applied to Cisco, Juniper et al? Or should they be considered as automatically above board because they are not Chinese?"

      Given the attitude we see from the FBI, the NSA and all the kids singing that same tune (yes, Cameron, it's you I'm talking about) it seems anything American is best not considered trustworthy. But that is by now no longer news, is it?

      1. Yet Another Anonymous coward Silver badge

        Re: Same again for Cisco please

        Cisco were at least trying. They were drop shipping kit to fake mailbox addresses so that the NSA didn't notice when a potential target was buying Cisco gear.

        1. Anonymous Coward

          Re: They were drop shipping kit to fake mailbox addresses so that the NSA didn't notice...

          Which is simply a poor stunt, because dealing with dead-drops is what the spooks do best. And they'd have people embedded all the way from sales to despatch anyhow.

          However when a government ***owns*** part of a company, you have to consider the attack vectors and decide accordingly. Buying cheap kit means more than getting poor software, third party professionalism and potential compromises in security - it can mean poor hardware construction, testing and an ability to catch design flaws before they impact the customer.

          Not that Cisco are the alternative - I'm just saying that a great deal of suppliers are barely doing half the job they should...

  7. Anonymous Coward

    Perhaps it is time......

    For Software Defined Networking... preferably open source, strongly encrypted and with some form of canary or tripwire at layer 1 and 2.

    I see a whole new line of business taking form here....

  8. JaitcH

    What about the US suppliers - or do they get a pass Jail card?

    Living next door to the world's workshop - China - is exciting ... and money saving.

    ZTE and Huawei names adorn many pieces of equipment we have both in our premises as well as in the wider world in Vietnam.

    Now that the UK has rejected the admonitions of Obama and the US Government, surprise, surprise, hopefully Huawei will penetrate Europe and bring commensurate savings with it.

    A hotel group my wife is a member of has recommended they standardise on Huawei and TP-Link equipment.

  9. The Morgan Doctrine

    Guaranteed Huawei Has Hooks in its Kit

    Good grief! Giving Huawei a clean bill of health is letting the fox in the henhouse. Heck, 37 years ago I was putting foolproof back doors into the RSTS timesharing system I had installed in my home and from which I ran my 1978 race for the U.S. Congress. The revelation that NSA put back doors into the firmware on US-manufactured disk controllers ought to be proof enough that any reasonably competent developer can create absolutely undetectable hooks. Somebody (probably multiple somebodies) on Her Majesty's Cyber Security team has been well and truly…bought.
