Sometimes, a Patch Tuesday update arrives with a bang that sends users scrambling for cover - September's update earns that description.
In the last couple of days, Google announced it will be putting restrictions on Huawei’s access to its Android operating system, massively threatening Huawei's smartphone market. Meanwhile, UK based chip designer ARM has told its staff to suspend all business activities with Huawei, over fears it may impact ARM's trade within the United States. Fuelling these company actions is the United States government's decision to ban US firms with working with Huawei over cybersecurity fears.
The headlines this week further ramps up the pressure on the UK government to follow suit, by implementing a similar ban on the use of Huawei smartphones and network devices within the UK, a step beyond their initial 5G critical infrastructure ban announced last month. But is this really about a foreign nation-state security threat? Or is it more about it geo-economics and international politicking?
Huawei: A Security Threat or an Economic Threat?
It’s no secret that Huawei was founded in 1987 by Ren Zhengfei, a former engineer in the People's Liberation Army, and the company was quickly built with the backing of major Chinese state and military contracts. But the US government, secret services and military are also known to invest heavily in Silicon Valley and US tech firms. In recent weeks there have been a number of accusations about deliberate backdoors placed within Huawei devices, implying the usage of Huawei devices could aid Chinese forces in conducting covert surveillance, and with potentially causing catastrophic impacting cyber attacks.
The reality is all software and IT hardware will have a history of exploitable vulnerabilities, and it is pretty much impossible to determine which could be intentionally placed covert backdoors, especially as an advanced and sophisticated nation-state actor would seek to obfuscate any deliberately placed backdoor as an unintentional vulnerability.
For instance, the following are critical security vulnerabilities reported within tech made by US firms in just the last 9 days, no suggestion any of these are intentionally placed backdoors:
- 22-May-2019 New Zero-Day Exploit for Bug in Windows 10 Task Scheduler
- 14-May-2019 ZombieLoad: Researchers discover New Hardware Vulnerability in Modern Intel Processors
- 14-May-2019 Prevent a worm by updating Remote Desktop Services
- 13-May-2019 WhatsApp voice calls used to inject Israeli spyware on phones
- 13-May-2019 Cisco Secure Boot Hardware Tampering Vulnerability
Secret Backdoors are already unintentionally there to be discovered
The more usual approach taken by nation-state intelligence and offensive cyber agencies is to invest in finding the unintentional backdoors already present in software and hardware. The discovery of new and completely unknown 'zero-day' security vulnerability is their primary aim. Non-published zero-days vulnerabilities are extremely valuable, clearly, a value lost if they were to inform the vendors about the vulnerability, as they would seek to quickly mitigate with a software patch.
For instance, the United States National Security Agency (NSA) found and exploited vulnerabilities in Windows without informing Microsoft for over five years, creating a specific hacking tool called EternalBlue, which is able to breach networks. The very same tool that was leaked and used within the devasting WannaCry ransomware attack last year.
The WhatsApp vulnerability reported last week was another public example of this approach, where a private Israeli firm NSO Group found a serious vulnerability within WhatsApp. But instead of informing Facebook to fix it, NSO created a tool to exploit the vulnerability, which it sold to various governments. The ethics of that is a debate for another day.
The Laws which allows Nation-States to Conduct Cyber Surveillance
The United States has significant surveillance powers with the "Patriot Act", the Freedom Act and spying internationally with FISA. China has its equivalent surveillance powers publicly released called the "2017 National Intelligence Law". This law states Chinese organisations are "obliged to support, cooperate with, and collaborate with national intelligence work". But just like Apple, Microsoft and Google, Huawei has categorically said it would refuse to comply with any such government requests, in a letter in UK MPs in February 2019. Huawei also confirmed "no Chinese law obliges any company to install backdoors", a position they have backed up by an international law firm based in London. The letter went on to say that Huawei would refuse requests by the Chinese government to plant backdoors, eavesdropping or spyware on its telecommunications equipment.
The Brexit Factor
There is a lot of geo-politicking and international economics involved with Huawei situation, given the US government are aggressively acting to readdress their Chinese trade deficit. It appears to be more than just a coincidence, the United States government is choosing now to pile on the pressure on its allies to ban Huawei, the world's largest telecommunications equipment manufacturer. Country-wide Huawei bans are extremely good economic news for US tech giants and exporters like Cisco, Google, and Apple, who have been rapidly losing their global market share to cheaper Huawei products in recent years.
To counter the US economic threat to their business foothold within the UK, Huawei is offering a huge carrot in the form of investing billions into UK based research centres, and a big stick in threatening to walk away from the UK market altogether. The has led to the UK government leadership becoming at odds with the MOD, the latter desire to stand shoulder-to-shoulder with the US and other NATO allies, in banning Huawei devices. This tension exploded with a very public spat between Prime Minister Theresa May and the Secretary of Defence, Gavin Williamson last month. The PM continued to defy the MOD's security warnings and Gavin Williamson was fired for allegedly leaking classified documents about the Huawei UK national security threat, an accusation which he vehemently denies.
Why the UK Gov is stuck between a Rock and Hard Place
The UK government continue to be stuck between a rock and a hard place, playing a balancing act of trying to keep both the United States and China happy, in a bid to score lucrative post-Brexit multi-billion-pound trade deals. This status-quo leaves UK Huawei smartphone consumers and UK businesses using Huawei network devices, caught in the middle. However, due to the relentless US pressure causing regular negative mainstream media headlines about the security of Huawei products, the Chinese tech giant may well be driven out of UK markets without a UK government ban.
HUAWEI NEWS AND THREAT INTELLIGENCE IN MAY 2019
- Department of Commerce Announces the Addition of Huawei Technologies Co. Ltd to the Entity List
- Huawei's use of Android restricted by Google
- Google will work with Huawei for the next 90 days after US eases restrictions
- What happens to my Huawei smartphones and tablets now
- ARM memo tells staff to stop working with China’s tech giant
- China warns of investment blow to the UK over 5G ban
- Trump declares a national emergency over IT threats
- Trump says Huawei could be part of trade deal
- Huawei: Which countries are blocking its 5G technology?
- Huawei 'to go the extra mile' to reassure world on 5G spying
- Is Huawei in retreat?
- Huawei says billions of customers could be harmed by US sanctions
- Mike Pompeo warns the UK over Huawei 'security risks'
- Huawei's microchip vulnerability explained
- Vodafone Found Hidden Backdoors in Huawei Equipment
- Microsoft researchers find NSA-style backdoor in Huawei laptop
- Huawei the Company and the Security Risks Explained
- Theresa May has questions to answer over the Huawei scandal
- Sacked defence secretary denies security council leak on Huawei decision
- Vodafone denies Huawei Italy security risk