Monday, October 8, 2012

There are Consequences for Getting Caught

So the big news is about to drop. The unfortunate thing, whether Huawei has been spying or not, is they are in a very difficult and indefensible position. Even their direct whitepaper response leaves a lot to consider.

Huawei's response that it would require hundreds of thousands of people to pull off an attack of this magnitude is false. The final firmware burn-in on their products would be controlled by very small teams, if not individuals. A well-placed government asset in this position could very easily slip in code that passes all regression testing by the quality assurance team, but has additional behaviour that doesn't affect the end product.

Assuming their manufacturing process is locked down, do they apply the same rigor when handling remote firmware updates? Numerous times in the past we've seen build servers (à la Adobe) or source repositories get remotely compromised. The result varies, but the typical end goal is to backdoor the product, and Huawei is a prime target for an attack of this nature. The important thing to note is that this does not require an embedded government asset, only a well-placed attack. Let's not forget that Cisco had their own breach that saw an 800MB chunk of source code get stolen, some of which was later publicly posted. Had the Cisco attacker used a little less ego, he very well could have begun a targeted campaign to backdoor Cisco products or IOS updates.

It raises the question: how does the CSO of Huawei, or the US government, know that the supply chain has or hasn't been compromised? The only way for the US to know this for certain is to have someone embedded at the same trust level as the people actually coordinating or carrying out the espionage. Disclosing this fact compromises their own position, so it is less likely, but still a possibility.

Could it also be that Huawei has been caught enough times, and a mountain of independent evidence has finally piled up to a tipping point? If this is the case then how does their CSO not know that they have been compromised? If this is true, it is the most damaging situation Huawei could find themselves in.

I often wonder why the US has picked Huawei out of a number of foreign telecommunications manufacturers. Why aren't we examining all foreign entities that power critical infrastructure in North America? The unfortunate thing is the congressional report will give the high-level information, but their classified annex will have the real dirty details as to why they did this in the first place. Information that only a select few will have access to. Yet they are still free to wage a very public campaign against Huawei.

There is a key takeaway from this story that other foreign companies should be aware of. If the US comes knocking at your door: open it, let them do what they want, see what they want, and record what they want or they will make you pay dearly for it.

UPDATE: The committee report is here.

1 comment:

  1. Hi Justin,

    this is exactly what is plainly wrong with how the US views the world: "US comes knocking at your door: open it, let them do what they want, see what they want, and record what they want or they will make you pay dearly for it."

    US does export a lot of defense and "cyber"-security related gear, and not one dares to ask Raytheon or Cisco or RSA or you name it to open their doors and show everything.