NEWS AND ANALYSIS:
An investigation of the telecommunications equipment produced by China’s Huawei Technologies Ltd. has uncovered numerous cases of secret access points that could allow Chinese intelligence to conduct cyberoperations through the equipment.
Finite State, a cybersecurity research firm, conducted a survey of Huawei equipment and discovered that 55% of Huawei hardware devices it tested contained at least one backdoor access point.
The vulnerabilities in Huawei products pose serious security threats of cyberattack and data exfiltration if the equipment is used, according to Finite’s report on Huawei published Wednesday.
“The Chinese National Intelligence Law of 2016 requires all companies ‘to support, provide assistance, and cooperate in national intelligence work,’” the report stated. “Even if Huawei may be technically correct in saying that Chinese law doesn’t explicitly ‘compel’ the installation of backdoors, China’s intelligence and counterespionage activities tend to be so expansive that these provisions could be used to justify activities extending well beyond China’s borders.”
The report notes that Huawei dominates the global market for next-generation 5G telecommunications infrastructure. The concern is that all data passing through mobile devices, smart homes and other internet-connected devices will become cyberattack vectors if Huawei equipment is used in 5G networks.
Finite reviewed more than 1.5 million files embedded in 9,936 firmware images supporting 558 Huawei enterprise networking products. The review found hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and zero-day vulnerabilities. A zero-day vulnerability is a hole in software that can be used for cyberattacks.
“The results of the analysis show that Huawei devices quantitatively pose a high risk to their users,” the report said. “In virtually all categories we studied, we found Huawei devices to be less secure than comparable devices from other vendors.” Hundreds of cases of back doors were discovered.
One of the ways Huawei set up backdoor remote access is to code firmware of its products with a default username and password that can permit remote access unless changed by computer administrators. In other instances, a specific password was coded into the firmware that would provide easy backdoor access. A third method used a special encryption key coded into the software that would allow remote access to the key holder.
The Dutch AIVD intelligence service reported in May that Huawei equipment used by a Dutch telecommunications carrier contained back doors. In January, the African Union reported that Huawei equipment at its headquarters was sending confidential information to China. Vodafone, a large European phone company, also has identified hidden back doors in software inside Huawei products that could provide unauthorized access to networks in Italy.
Huawei and founder Ren Zhengfei, a People’s Liberation Army veteran, deny the company engages in intelligence-gathering for the Chinese government and insist the company’s products are secure. However, the Finite investigation is the first public security assessment of Huawei products.
Huawei is facing federal charges related to economic espionage of American cellphone technology and illegal financial dealings with Iran. Huawei Chief Financial Officer Meng Wanzhou is facing extradition from Canada on charges of violating international sanctions on trading with Iran.
The U.S. government, however, has stopped short of revealing all it knows about the danger of using Huawei equipment. The government has banned use of its products, however.
Michael Wessel, a member of the congressional U.S.-China Economic and Security Review Commission, praised the report.
“For years, Huawei has essentially dared the international community to identify the security vulnerabilities that have so often been alleged regarding the use of the company’s products,” Mr. Wessel said in a statement. “Finite State’s report identifies a broad range of significant security vulnerabilities, a substantial portion of which could allow for remote access to their products.
“Policymakers now have in their hands information that can be used to debate the advisability of utilizing Huawei products in our systems,” he added. “Finite State’s report removes the discussion from the limited purview of the intelligence and law enforcement communities and opens this up to public debate.”
Amid reports that the United States carried out cyberattacks against Iran’s military, the Department of Homeland Security warned this week that Iranian hackers are stepping up cyberattacks of their own against U.S. computer networks.
Christopher C. Krebs, director of the Homeland Security Department’s Cybersecurity and Infrastructure Security Agency (CISA), issued a statement Saturday warning of the increased Iranian cyberactivity.
“CISA is aware of a recent rise in malicious cyberactivity directed at United States industries and government agencies by Iranian regime actors and proxies,” he said. “We will continue to work with our intelligence community and cybersecurity partners to monitor Iranian cyberactivity, share information and take steps to keep America and our allies safe.”
The statement said Iranian regime hackers and proxies stepped up destructive “wiper” cyberstrikes that are aimed at doing “much more than just steal data and money.”
“These efforts are often enabled through common tactics like spear phishing, password spraying and credential stuffing,” Mr. Krebs said. “What might start as an account compromise — where you think you might just lose data — can quickly become a situation where you’ve lost your whole network.”
To counter the Iranian activities, CISA is urging computer administrators to shore up basic cyberdefenses, such as using stronger user/password authentication. “If you suspect an incident — take it seriously and act quickly,” Mr. Krebs said.
The warning coincided with a Yahoo News report a day before the warning was issued that Cyber Command, the military cyberwarfare unit, carried out online attacks against Iranian intelligence groups behind the recent mining attacks against oil tankers in the Gulf of Oman. No details of the cyberattacks were disclosed.
The cyberattacks followed President Trump‘s decision to call off bombing strikes against Iranian air defense batteries. The planned U.S. raid followed the Iranian shoot-down of an RC-4 Global Hawk drone.
Iranian cyberattack capabilities are considered to be a middle-tier threat that in the past was focused on an evolving array of targets initially involving denial-of-service strikes to shut down banking websites, attacks designed to steal money from banks and, more recently, destructive cyberattacks.
One such attack was the Iranian cyberattack in August 2012 against the state-owned Saudi Aramco oil corporation that destroyed tens of thousands of computers. Iranian hackers also were blamed for cyberattacks against the Sands casino and hotel in Las Vegas in 2014 that involved wiper malware.
Then in May 2016, seven Iranian hackers were indicted on federal charges of conducting a cyberattack that unsuccessfully sought to take over the industrial controller used for a dam near Rye, New York. Two Iranian groups linked to the Islamic Revolutionary Guard Corps were identified in the indictment, the ITSec Team and the Mersad Co.
In 2010, the U.S. government conducted a cyberattack against Iran’s illicit nuclear program by planting the Stuxnet computer virus inside an industrial control system used for centrifuges.
CHINA’S STRONG MILITARY NIGHTMARE
China’s Communist Party is engaged in a major program to funnel civilian technology into Beijing’s large-scale military buildup using a variety of means, including theft of American technology, according to a senior State Department official.
Christopher A. Ford, assistant secretary of state for international security and nonproliferation, said this month that China’s party-ruled government has moved beyond seeking regional hegemony to striving for global dominance and the replacement of the U.S.-led democratic and free market world order with its communist-style system.
Mr. Ford told the U.S.-China Economic and Security Review Commission that the entire Chinese system is working to achieve what is called the “Strong Military Dream” of having the world’s most powerful military forces by 2049, the 100th anniversary of Communist Party rule.
“Despite the win-win propaganda rhetoric, this is no peaceable, benevolent, live-and-let-live vision of 21st century international engagement,” Mr. Ford said. “In the scope of its ambitions, the Chinese Communist Party is inescapably revisionist, even revanchist, in its approach to influencing the rest of the world. Its self-conceived national mission is to make itself ever more powerful vis-a-vis everyone else — and particularly vis-a-vis the United States.”
Mr. Ford said the Chinese are seeking to export their socio-political “operating system” around the world under a Beijing leadership that is aggressively pursuing a model of modernization that entails state-controlled economics and authoritarian dictatorship. That system is “one in direct competition with the liberal institutions of the current international system,” he said.
The Chinese are employing a “military-civilian fusion” to rapidly build up the military through all its universities and high-technology research institutes.
A key aspect will be producing state-of-the-art military power driven by artificial intelligence and AI-enabled technology.
“China has focused relentlessly not just upon developing technology indigenously but also upon acquiring it abroad, by means both fair and foul, tilting the playing field in its favor at the expense of U.S. and global companies,” he said.
• Contact Bill Gertz on Twitter at @BillGertz.