Friday, October 12, 2012

• Former Nortel exec warns against working with Huawei

Former Nortel exec warns against working with Huawei
by By Laura Payton - Friday, October 12, 2012

Chinese telecommunications giant Huawei is dangerous for companies in Canada that partner with it, Brian Shields is warning.

Brian Shields, former Nortel security adviser, says Huawei hacked company for 10 years

Canadian companies should not work with Chinese telecommunications giant Huawei, a former security adviser at Nortel warns.

Brian Shields, who was the senior systems security adviser at failed Canadian telecommunications company Nortel, says working with Huawei is too big a risk. Shields alleges Huawei spent years hacking into Nortel's system and stealing information so it could compete with Nortel on world markets. "These kind of things are not done by just average hackers. I believe these are nation-state [kinds] of activity," he told the CBC's Greg Weston, blaming China for the hacking. "It was on behalf of Huawei and ZTE and other Chinese companies that could have used this information to compete against us in the marketplace. It gave them a strategic advangage. How can you survive when you have a competitor basically right there knowing all your moves, what you're doing, what you see as the future products?" Shields said.

The U.S. intelligence committee warned in a report Monday of the risk of spying that comes with working with Huawei and another Chinese telecommunications firm, ZTE.
The committee said U.S. regulators should block attempted mergers and acquisitions by the firms, and that the government should avoid using components from those firms in their systems. The head of the U.S. intelligence committee, Mike Rogers, told CBC News that Canada should also be wary. The world’s second-largest telecommunications equipment supplier, Huawei is already providing high-speed networks for Bell Canada, Telus, SaskTel and Wind Mobile.

'It can't be trusted' 
Shields says Canadians should be reluctant to let the company build systems and provide parts to companies here. There's too great a potential for monitoring or breaking into companies with otherwise good security — or even the government, he says, "because the telecom's backbone that's being used to provide this communication, the hardware or software that's running, it can't be trusted." The federal government is trying to build a secure network after three departments were hacked in 2010.
It's not yet known whether Huawei will bid on the contract, but a spokesman for the prime minister hinted on Tuesday that there were national security considerations that could block some companies from a project like that.

He wouldn't say whether the government would block Huawei from bidding. Shields says the company shouldn't be allowed to bid on such a project. "I have no doubt they can break into any Fortune 500 company if they allow their employees to use the internet. You cannot keep these guys out. It's not possible," he said. Shields admits there were system infiltrations coming from around the world, but any time information was downloaded, the hack came from China. Public Safety Minister Vic Toews said Thursday that the government is concerned about the security of Canada's internet and infrastructure. "I can tell you that the issue that has been raised by the Americans has also been raised in Canada and among many of our allies, including Great Britain," Toews said.

'Downward slide'
In a separate interview airing Thursday on CBC Radio's As It Happens, Shields says Huawei spent 10 years hacking into Nortel's system. He's now advising Canadian companies not to work with the Chinese company. "Absolutely they should not. If they care about the core infrastructure of the Canadian communications, this is a huge risk," Shields said. "Remember, they've got this Communist Party over there right in their corporate offices. What are these people doing? Why is it such a close relationship with the Chinese government?"

Shields says there was a major change in the economic environment, which he believes was due to the hacking, which allowed Nortel's competitor to use information it otherwise wouldn't have had access to. "When 2000 came along, then it was a downward slide. And that coincidentally is the year when Huawei started selling on the international market. How coincidental," Shields said. Shields has previously blamed Chinese hackers for Nortel's demise. The U.S. and Australia have both banned Huawei from major infrastructure projects.

A better reason to avoid Huawei routers: Code from the '90s
by By Jeremy Kirk - Friday, October 12, 2012

Conspiracy theories aside, Huawei appears to be just catching up on the importance of security, a researcher says 

Security researcher Felix "FX" Lindner has a more compelling reason to steer clear of routers from Huawei Technologies than fears about its ownership.
While the company is blasted for its opaque relationship with China's government in a U.S. intelligence report released Monday, a bigger worry for some is what's inside its routers.

"The code quality is pretty much from the '90s," said Lindner, who has analyzed the software inside Huawei's home and enterprise routers, and runs Recurity Labs, a security consultancy, in Berlin. Lindner will speak on Thursday at the Hack in the Box security conference in Kuala Lumpur and discuss some of the vulnerabilities he and a fellow researcher disclosed earlier this year along with an overview of Huawei's security. When Lindner began looking at Huawei's routers, the company didn't have a prominent product security team, Lindner said.

But since he and colleague Gregor Kopf detailed vulnerabilities in the firmware of Huawei's AR18 series routers, which are meant for homes, and its AR29 series routers, intended for small enterprises, at the Defcon conference in July, "they seem to be trying to ramp up product security in a visible way right now," he said. Lindner's conclusion comes as Huawei is contesting a blistering report released this week by the U.S. House of Representatives' Permanent Select Committee on Intelligence. The report alleges that Huawei and another Chinese company, ZTE, pose a threat to U.S. infrastructure and postulates their equipment could be secretly modified by Chinese intelligence agencies.

The accusations contained in the report are broad and unspecific. Lindner said the report is "lacking truth in data," which is exactly why he tears apart millions of lines of router code looking for security problems. With Huawei, he's found plenty. "I'm somewhat in support of what the report says, not for the reasons the report says but simply because of quality assurance," Lindner said. "I'd rather have Cisco build government networks than Huawei, not because Huawei is Chinese, but because in comparison, Cisco has higher-quality devices." 

After the vulnerabilities were detailed at Defcon, Huawei said it has rigorous security practices and follows industry best practices. Still, it is possible that even a simple coding mistake could leave Huawei vulnerable to accusations of working with Chinese intelligence. Lindner said it is very difficult to figure out what is a "backdoor" in code, or a way get inside a system. For example, if security researchers discover an engineer account that wasn't deleted before router code was finalized, it could give ammunition to critics that the company was in collusion with other interested parties. "It's hard to argue with a root shell," Lindner said.