Try as it might, Chinese telecom equipment maker Huawei Technologies just can’t shake perceptions that its equipment may serve as a virtual Trojan horse for Chinese electronic intelligence gathering.
For the last two years, Huawei’s defining challenge in the United States has not been tough competition from worldwide giants such as Cisco Systems but rather roadblocks set up by US lawmakers, suspicious of the company’s alleged connections to the People’s Liberation Army. Doubts linger despite no definitive public evidence that Huawei could be complicit in hacking.
In fact, the biggest threat from Huawei is likely not that the company has malicious intent to aid in hacking. Instead, as one security researcher has demonstrated, foreign companies should fear the potential security holes created by the sloppily coded software that powers Huawei’s gear.
Felix Lindner, head of German security firm Recurity Labs, has become a vocal critic of Huawei’s security practices. During 2012 he toured the hacker conference circuit – DEFCON in Las Vegas then Hack in the Box in Kuala Lumpur – to demonstrate how easy it is for an attacker to crack the software that powers five of Huawei’s best-selling routers, devices that form the backbone of networks within many large internet service providers and corporations.
If attackers gain access to the router’s inner workings, they can intercept and analyze all data being passed through the router, such as e-mails and web traffic. While all telecommunications hardware has some security vulnerabilities, Lindner’s presentations demonstrated that Huawei’s equipment was especially vulnerable due to the use of long-discontinued programming techniques.
Lindner said that when he approached Huawei to disclose the exact technical nature of the holes, the company was both uninterested in and incapable of integrating the fixes. Reportedly, Huawei said it sent engineers to work with Lindner to fix the problem, but Lindner claims he still doesn’t see a clear fix available for download.
“I have yet to find someone who can actually access the software. All legitimate customers of registered Huawei equipment I spoke to receive a ‘you are not authorized to perform these actions’ message,” he told CHINA ECONOMIC REVIEW in an emailed response.
Lindner characterized Huawei’s inaction as “significantly different from other [global] vendors” when reacting to security flaws presented by outsiders.
Huawei maintains the problem has been fixed, despite Lindner’s claims. The company responded with a written statement that said, “We have upgraded the software and provided necessary security advisory to our customers.”
The challenge of finesse
Huawei’s challenges are not unique for a Chinese company; many firms have difficulty with precision in their products. The Chinese auto sector, for example, has made vast improvements over the last decade but still struggles to manufacture a globally competitive automobile.
While Geely Automobile and SAIC Motors can’t quite master powertrains and drive shafts as General Motors or Toyota have, Lindner’s findings show that Huawei hasn’t mastered the art of programming secure and functional routers.
Huawei’s routers have their share of flaws, but some of the other equipment the company makes, which lacks the complexity or security requirements of a router, can compete globally by beating established players on cost. Huawei’s cell phone towers have been deployed around the world, from the base of Mt. Everest to downtown Toronto. Some providers, such as Canada’s Wind Mobile, are satisfied with the quality of Huawei’s equipment because of cost and the level of support they receive.
While Huawei does have its satisfied customers, many are left unsatisfied by the company’s refusal to be totally transparent about its corporate structure and its technical ability to address flaws in the software.
In many ways, Huawei’s same refusal to embrace transparency has also strengthened the view of US lawmakers that it could be a threat. Huawei has at least challenged the claim that its technical deficiencies are malicious backdoors. “What they have been calling ‘backdoors’ are actually bugs in the software,” Charles Ding, a senior VP of the company, told Congress in September 2012.
Perhaps in the case of Huawei, the proverb “you get what you pay for” holds true. As Lindner pointed out, Huawei, like other manufacturers, ships equipment to market that is just good enough to sell, but won’t withstand the rigours of security testing.
Lawmakers would do well to note that the business practice of selling sub-standard equipment isn’t a crime. For the firms buying Chinese equipment, however, it remains an unfortunate norm.