• Skull giver@popplesburger.hilciferous.nl
    10 months ago

    So far, all of Huawei’s found potential backdoors turned out to be them being extremely terrible at writing secure software or developing secure operating procedures. No proof of backdoors just yet.

    They’ve been executing corporate espionage for ages, though, so they can’t exactly be trusted if you work in a field that may be interesting to Chinese competition.

    It’s kind of how Facebook has never been caught watching random people through your smartphone’s webcam, but you wouldn’t want that Facebook video calling thing watching you all day.

    If there is a backdoor somewhere, we probably wouldn’t know about it, or it’d be on the front page of every non-Chinese affiliated news article.

      • Skull giver@popplesburger.hilciferous.nl
        10 months ago

        I don’t think gardeners, builders, farmers, or waiters have anything to fear. If your company is targeting locals and not doing any R&D, most data they can extract through espionage is useless. It’s not entirely black-and-white.

        They’ve never been caught abusing their software for espionage, it’s always their business people or the engineers they send over for meetings, with maybe a few planted employees, and possibly co-conspirators in universities and other Chinese institutions. They’ve also been caught being rather hacker-friendly, but no direct ties have been proven just yet.

        Their people cannot be trusted and their software developers are either malicious or dangerously incompetent. Neither is proof of any backdoor, but both are good reasons to avoid them.

        • NegativeLookBehind@kbin.social
          10 months ago

          They certainly have little interest in you if you’re a waiter at some shitty restaurant, sure. But do you really think they don’t target the agricultural, construction or food industries and the technologies they may be developing?

          • Skull giver@popplesburger.hilciferous.nl
            10 months ago

            Your average farmer isn’t developing any new crops, your average builder isn’t designing new construction mechanisms, and your average restaurant isn’t developing a new way to cook food. There are specific R&D centers for all that stuff. At best, the end users of that technology get to beta-test the functionality.

            There are exceptions to everything, but farmers wouldn’t be remortgaging their homes for drones and millimeter-precision GPS systems if they could just build that tech themselves.

    • Dark Arc@social.packetloss.gg
      10 months ago

      So far, all of Huawei’s found potential backdoors turned out to be them being extremely terrible at writing secure software or developing secure operating procedures.

      That’s how you write a backdoor in 2023: “oops… Guess I made a mistake again”

      • Skull giver@popplesburger.hilciferous.nl
        10 months ago

        That was always the defence, but by that standard every piece of software is full of bugs. Microsoft Windows? Gets ten to twenty backdoors closed every month! Linux? Backdoors are closed weekly! WordPress plugins? Those are just backdoors that come with a theme!

        No Cisco-style obfuscated, hard-coded admin password has ever been found in Huawei stuff. Their firmware was behind on security patches for open source software and I believe they did some firmware updates over HTTP, but in that area they’re not much worse than any of their competitors. When Vodafone did a vulnerability assessment of their network, which then got leaked, Bloomberg called telnet (within an air-gapped network) a “backdoor”, but Vodafone itself denies that. The biggest issue I remember Vodafone finding was the fact that Huawei tried to get remote management on the devices they installed so they didn’t need to be sent out to the field every time they needed to do maintenance; not uncommon for network vendors, but obviously not acceptable within carrier networks with locked-down security controls.

        If there are real backdoors, then Huawei is just better at hiding them than their western counterparts. All we have to go on right now is secret documents from government agencies that pinky-swear that they really found backdoors that no independent researcher has been able to verify. There are a lot of wild stories about Huawei backdoors on the internet, but I have yet to see proof of a real backdoor.