Reflections on Huawei
Recently there has been a lot of concern regarding Huawei. Actually, let me take that back - recently Huawei has been getting more bad press than usual. The big concern being put forth by several governments - including the United States government - is that Huawei has ties to the Chinese government that might be exploited to spy on customers using Huawei goods. What is interesting has been the reaction of some of the online press. Many of my non-techie friends and even a few of my fellow infosec professionals out there demand proof and immediately assume a lack of proof means that the accusations are false. So today I am explaining why I think the accusations are true.
We don't always get proof from the US government in spy matters; in fact, we almost always get none. Take for example the concept of Advanced Persistent Threat (APT) that became all the rage a decade ago. This was the idea that foreign governments were attacking US targets via the Internet, using hacking skills to gain access to all kinds of systems, most of which belonged to various departments of the US government and most government contractors. What we did get from a lot of odd sources (such as security vendors that sold goods and services to Uncle Sam and its contractors) were things like IP addresses and occasionally shoddy pieces of malware. The infosec community picked these things apart and would summarize them with sweeping statements like "anyone could attack from that IP address" and "that command and control backdoor is crap, it is certainly not advanced," and dismiss the entire thing as security vendor marketing. This was especially true when some vendors would state that their products blocked or prevented APT, when in fact they were simply using the name and various scare tactics to make sales.
The truth of the matter back then was a different story. At the time I was working for a government contractor, and we were regularly seeing attacks from APT actors, and the threat was real. Most of it was what is known as phishing attacks, with most of those being spear phishing. Also, there were usually a lot more indicators that the communications came from an APT actor besides an IP address - source email address naming styles, day of week, subject line topic, content of the body of the email, links, and dozens and dozens of others. A lot of the information that identified APT actors was never released to the public, and this is the main point: a large body of evidence existed that was not only non-public, but was classified. During this period, many of those that had security clearances did not share any information with those complaining infosec voices. Only when things like Operation Aurora happened did infosec pros seriously begin to think that maybe there was some truth to this whole APT scenario.
A common sentiment among a number of infosec pros was "well if I were doing it, I would use some killer 0day and the most advanced backdoor software ever". To me, this simply meant they had never played offense. Now I don't mean playing offense as in penetration testing, I mean good ol' felonious activity. Let me explain.
Back in the day, many in the hacker community used to break into systems. Some of the hackers were hard-core criminal about it; others would abide by a loose "code" of trying to leave the system in better shape than when it was compromised (patching holes, upgrading components to more secure versions, etc.), and would often let the poor system administrators know about it. I was in that latter group, as were many of today's more established hackers that used to go by fancy hacker names (many now run security companies). Playing offense meant never using your 0day unless the target was worth it, and it was the only way into a wanted target. If sending in old crap exploits got the job done, so be it. One would step it up slowly as needed. If the really big guns were needed, then 0day it was. It was called "burning a 0day". There was a chance that if the system admin was wily enough, they would reverse engineer the exploit or even send it to the vendor and things would get patched. In essence, if it was reported that a 0day was used against a target, it was no longer a 0day - because it was known.
APT actors did (and still do) pretty much the same - if they could send in an executable file called malware.exe attached to an email and it would work, they would. They had no issue with trying to get back in after being kicked out by system admins. If defenses were stepped up they would have to increase the sophistication. The same applied to backdoors where crap backdoors were used unless the situation warranted otherwise.
Which brings us to Huawei. Alone this might seem like an overreaction by the US government and its allies. But like the APT scenario with all of its many layers going on behind the scenes, history suggests there could be more. Much more. There could be components in various systems that could allow for tracking of unsuspecting users, remote disabling of features (such as security features), or even a kill switch that could allow the Chinese to shut down control systems at a government agency or power plant or some other critical system. These existed as legitimate concerns when I worked at a government contractor years ago, and they still are valid now. The fact that the US government is publicly stating there is a concern and that they have cut off Huawei is more than paranoia. There is most certainly a whole bunch of regular (and classified) spy stuff going on to back all of this up.
Yes, there are a lot of politics surrounding this, but there has been previous controversy over similar issues. The discussions regarding espionage during the last administration are a good example of this. The bottom line is that regardless of your political leanings, when the US intelligence community and many US allies' intelligence agencies are publicly voicing concerns, they are not simply making things up. There is more than an element of truth involved.