China's Huawei, ZTE should be kept from U.S. - draft Congress report.

[firewalker]

* China's telecom gear makers pose potential risk

* House Intelligence Cttee seeks to block any M&A

* Huawei is world's No.2 telecoms gear maker by revs, ZTE 5th

* ZTE Hong Kong-listed shares down 6 pct

* U.S. should set "prejudices" aside - China foreign ministry

...

http://www.reuters.com/article/2012/10/08/usa-china-huawei-zte-idUSL1E8L800L20121008


Alexander.

[T4P]

WTF is wrong with the Congress?

[firewalker]

WTF is wrong with the Congress?

CISCO, Apple, AT&T, .... ,.

Alexander.

[poptones]

I don't see how this has NOT been an issue until now. Even China is not so stupid, they've officially abandoned Windows long ago for fear it would allow US spying. Yet here we go, bouncing along like bunny frou frou, just waiting to be scooped and banged on the head...

[PeterG]

I am thinking congress has realised China has the potential to cripple Americas electronic industry so they are playing the FUD game.

Regards

[poptones]

Apple sells hundreds of Millions of computers a year. How is this not a security issue?

Sure would be nice to have those manufacturing jobs back home.

[HardBoot]

Huawei makes some great stuff, lots of anti-competition against them.

TP-LINK is a good cheapy brand, surprised they aren't being targeted too.

Basically all of the stuff uses Linux, free distros with poorly made frontends... security isn't too disastrous.

[Monkeh]

Basically all of the stuff uses Linux, free distros with poorly made frontends... security isn't too disastrous.

They do a lot of custom (and generally illegal) modifications for which there is no security auditing.

[HardBoot]

Basically all of the stuff uses Linux, free distros with poorly made frontends... security isn't too disastrous.

They do a lot of custom (and generally illegal) modifications for which there is no security auditing.

Well I see a lot of stuff running as root, but it still requires the off-the-shelf open source software to have holes to be discovered and exploited.
What do you mean by illegal modifications?

[poptones]

Umm. does it really need to be said that linux cannot be assured secure if you're running a binary blob as a driver?

[Monkeh]

Basically all of the stuff uses Linux, free distros with poorly made frontends... security isn't too disastrous.

They do a lot of custom (and generally illegal) modifications for which there is no security auditing.

Well I see a lot of stuff running as root, but it still requires the off-the-shelf open source software to have holes to be discovered and exploited.
What do you mean by illegal modifications?

I mean violating the GPL by building binaries into the kernel and modifying the kernel and other software without providing the source.

Umm. does it really need to be said that linux cannot be assured secure if you're running a binary blob as a driver?

Apparently, yes.

[Bored@Work]

Huawei makes some great stuff, lots of anti-competition against them.

TP-LINK is a good cheapy brand, surprised they aren't being targeted too.

First, because this is not about consumer equipment. Consumer equipment like cell phones or home routers is just peanuts. This is about infrastructure equipment.

Second, because Huawei has an extremely bad reputation. When you have a bad reputation suddenly everything looks suspicious. E.g. the link to the PLA. No one would probably ask about that if they had an otherwise spotless reputation.

I have friends working in the telecommunication industry. They all claim the well known case of Huawei copying Cisco routers, hardware, firmware, even copying the documentation 1:1, was just the tip of the iceberg. They all had stories about friendly Chinese interns dutifully doing their work and attentively listening. And then disappearing the minute their contract was up. Month later the design appeared copied in China.

This is how Huawei gained their bad reputation, by copying. I don't think the US wants to protect US industries. There isn't much to protect. Non of the really big players is a pure US company. Looking at the runner-ups, Ericsson is Swedish.  Alcatel-Lucent is a French/American mix (and the US government helping the French? I doubt it). Nokia Siemens Networks is Finnish/German. And these are the big players, not Motorola (split, parts now with Google), Nortel (Canadian and bankrupt), not even Cisco is playing in the Huawei league.

[poptones]

Being able to root half the home routers in the US would be a LOT of peanuts.

But what really cares me is all the weaponized shit running Windows.

[Monkeh]

Being able to root half the home routers in the US would be a LOT of peanuts.

That's what bothers me about BT using Hauwei for their infrastructure here in the UK. Who knows whether they can flip the off switch and cripple us.

[HardBoot]

My ISP and the datacentres I use use their own in-house firmware as much as possible for performance and cost reasons, only really simple things that are inherently not exploitable(like dummy switching) are running stock firmwares and still tweaked... no web interface, all controlled with offline serial.

I'm sure a lot, maybe even the majority of telcos are embarrassingly insecure... but all it takes to scare them straight is good ol' getting hacked.

Even though a lot of routers run root software... what's accessible without being logged in is limited, not much to break into. A lot are crap, but som aren't too easy to get into without having a physical unit to study to see how insecure it is.
My router runs OpenWRT(other has Tomato) and has some common sense settings.

I'm probably underestimating the stupidity of programmers... but it isn't that hard safely managing communication... just handle all possible input.


You have different types of packet... TCP/UDP, they're examined and sent in whichever direction, no security problems there. THe problems are with all of the services, but those are easily sandboxed so even if the code is faulty nothing can happen beyond spamming junk out and the OS can call BS pretty easily and take the service down.

[nukie]

Just look at what Huawei did to Vodafone, for those of you who live in Aussieland.... disaster

[TerminalJack505]

It turned out to be a bad day for ZTE.  In addition to the report from congress, Cisco dropped ZTE.  Cisco claims ZTE sold American hardware to Iran in defiance of sanctions.

[G7PSK]

Huawei make equipment for BT here in the UK and not long ago questions were raised about security due to the founder and chairman of Huawei being a former head of intelligence in China.
Not sure why they suddenly got worried as Huawei have been supplying equipment for some years to BT and other company's as well as a big chunk of the domestic market if they were planting bugs into the equipment there must be millions of them already out there, and I am sure that exchange equipment would be rigorously checked for such things by BT during installation.

[poptones]

how are they gonna check for backdoors if it's all proprietary?

[G7PSK]

My understanding was that BT would give Huawei the design to build rather than just an off the peg.

[Monkeh]

Huawei make equipment for BT here in the UK and not long ago questions were raised about security due to the founder and chairman of Huawei being a former head of intelligence in China.

Uhm, he was a researcher in the PLA, not a head of intelligence.

Not sure why they suddenly got worried as Huawei have been supplying equipment for some years to BT and other company's as well as a big chunk of the domestic market if they were planting bugs into the equipment there must be millions of them already out there, and I am sure that exchange equipment would be rigorously checked for such things by BT during installation.

During installation, really? I'm sure the people installing them are fully qualified to decompile the code and run through it.

[saturation]

Summary of international issues here:

http://en.wikipedia.org/wiki/Huawei#Controversy_and_response_to_criticism

[asbokid]

Basically all of the stuff uses Linux, free distros with poorly made frontends... security isn't too disastrous.

They do a lot of custom (and generally illegal) modifications for which there is no security auditing.

Well I see a lot of stuff running as root, but it still requires the off-the-shelf open source software to have holes to be discovered and exploited.
What do you mean by illegal modifications?

I mean violating the GPL by building binaries into the kernel and modifying the kernel and other software without providing the source.

Umm. does it really need to be said that linux cannot be assured secure if you're running a binary blob as a driver?

Apparently, yes.

If we're talking about CPE here - Huawei modems and routers used in the home -  whose binary driver blobs are they?!   

Answer.. the blobs are supplied by the SoC maker: Broadcom Corporation - At a guess, some 95% of Huawei's CPE kit uses SoC from Broadcom's MIPS-powered BCM63xx series.    Broadcom is, of course, a US$18bn NASDAQ-quoted Yankee corporation...
Ooops, there goes that silly conspiracy theory of Congress!   Besides, it would take a very clever bugger to hide spyware in the DSP layer.

cheers, a

[poptones]

One of the most common network exploits now is through fracking printer drivers.

If I have access to the data bus, I own you.

[asbokid]

No great worries with printer drivers and broadband CPE.   The biggest security risk is probably default passwords.  There are one or two network exploits for CPE. e.g. there must be quite a few old routers still running vulnerable versions of dnsmasq, for example.   And then there's TR069 and CWMP - a purpose built backdoor into most routers. Intended for firmware upgrades and for the telco to get line statistics, etc.  Great idea so long as the encryption key remains secure. For years now, British Telecom has used the same 2048 bit RSA public key in its routers. It must be securing literally millions of devices.  God knows what would happen if the corresponding private key was cracked or fell into the wrong hands.

cheers, a