
A few years back the U.K. tried a political experiment in which it purchased Huawei equipment and also set up a special government/Huawei lab where they could analyze the source code to ensure it was safe to use. GCHQ found that the code quality made it unreviewable, and that they could not even ensure that the source code provided actually ran on the equipment (because Huawei had direct update capability.) I believe that equipment has been banned since 2020. https://www.washingtonpost.com/world/national-security/brita...



You're thinking of HCSEC. In the majority of their reports they repeatedly complained that they couldn't even get binary equivalence with Huawei's deployed builds (which clearly obviates the value of any code review) but in the most recent available report from 2021 [1], they do report that Huawei had finally achieved that binary equivalence for a core product set.

The government chose to stop publishing HCSEC reports after 2021. I'm unable to work out whether HCSEC itself is still operating or not.

[1] https://assets.publishing.service.gov.uk/media/60f6b6be8fa8f...
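The "binary equivalence" the comment above refers to is the check that a build produced from the audited source tree is bit-for-bit the image running on the deployed equipment; without it, any source review says nothing about the device. The following is an added example of that check, written for this thread and not code from HCSEC, Huawei or any lab; the file trees and their bytes are constructed, and `load_tree` is a hypothetical helper for reading real artifact directories.

```python
"""Added example (not from the thread or from HCSEC): verifying that a
reproducible build from the audited source matches the deployed image
file by file. All paths and sample bytes are constructed."""
import hashlib
import os
from typing import Dict


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 digest of a byte string."""
    return hashlib.sha256(data).hexdigest()


def load_tree(root: str) -> Dict[str, bytes]:
    """Walk a directory and return {relative_path: file_bytes}.
    Hypothetical helper for real artifact directories; the demo below
    builds its trees in memory instead."""
    tree: Dict[str, bytes] = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                tree[os.path.relpath(full, root)] = fh.read()
    return tree


def compare_artifacts(built: Dict[str, bytes], deployed: Dict[str, bytes]) -> dict:
    """Compare a reproducible build against the deployed image.

    Only 'equivalent' == True means the reviewed source is what actually
    runs on the device; every other outcome is listed by bucket so the
    reviewer can see exactly where the two trees diverge.
    """
    built_digests = {p: sha256_hex(b) for p, b in built.items()}
    deployed_digests = {p: sha256_hex(b) for p, b in deployed.items()}

    matched = sorted(p for p in built_digests
                     if deployed_digests.get(p) == built_digests[p])
    mismatched = sorted(p for p in built_digests
                        if p in deployed_digests
                        and deployed_digests[p] != built_digests[p])
    missing = sorted(p for p in built_digests if p not in deployed_digests)
    extra = sorted(p for p in deployed_digests if p not in built_digests)

    return {
        "matched": matched,
        "mismatched": mismatched,
        "missing_from_deployed": missing,
        "extra_in_deployed": extra,
        "equivalent": not (mismatched or missing or extra),
    }


# Constructed sample trees: what the audited source built, and what the
# device actually ships with.
BUILT = {
    "bin/netd": b"\x7fELF built-from-audited-source",
    "lib/libcrypto.so": b"\x7fELF libcrypto 1.0",
    "etc/version": b"5.1.2\n",
}
DEPLOYED = {
    "bin/netd": b"\x7fELF built-from-audited-source",
    "lib/libcrypto.so": b"\x7fELF libcrypto 1.0-vendor-patched",  # differs
    "etc/version": b"5.1.2\n",
    "bin/diagd": b"\x7fELF not in audited tree",                  # extra
}


def demo() -> dict:
    """Run the comparison on the constructed trees."""
    return compare_artifacts(BUILT, DEPLOYED)


if __name__ == "__main__":
    for bucket, value in demo().items():
        print(f"{bucket}: {value}")
```

A mismatched or extra file is the interesting case: it means the device runs code the lab never saw, which is exactly the situation the earlier reports complained about. Achieving a zero-diff result in practice also requires a reproducible build (pinned toolchain, no embedded timestamps), which this check assumes the build pipeline already provides.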


Correct. Both the US and Canada also did similar investigations and came to similar conclusions.


The ban always seemed weird to me. Not even a shred of a technical argument made it into public discourse when this was an issue. Governments just said "trust us" without giving any examples. This thread is the first time I read a hint at why that decision was made. Still, I don't know how much of this was a political stunt vs. grounded in reality. Maybe I am too jaded/cynical?


When it comes to government, it's hard to be too cynical. But in this particular case, it definitely was not a political stunt. There are a number of reasons for the limited disclosure - including NDAs signed by the governments and labs with the vendors in order to gain access to their intellectual property at a level sufficient to conduct the depth of analysis required.


I mean, it obviously did make it to the public because that WP article was written in 2019, and I remember hearing some of those details (that it wasn't so much "the code has backdoors" as "the code is so shit, it doesn't even matter if there's a backdoor in there deliberately") back then.

By the time any highly-technical topic makes it to the mainstream discourse, the details tend to get stripped out simply because none of the 70 year olds watching CNN or Fox appreciate the difference and none of the anchors or panelists know what they're talking about either.


A song parody comes to mind (HN strips the music emoji)

  We built this city
  We built this city
  We built this city on broken code


Government secrecy when it comes to vulnerability research for foreign produced hardware is entirely understandable. I don’t need to know. You don’t want your adversaries to know how much you figured out.


US does the same thing with Cisco servers. (source: as per a Glenn Greenwald tweet)


The US does pentesting with Cisco hardware and doesn't publish the results? Sure. And again, I don't need to see that. The NSA doesn't need to publish all of the vulnerabilities it finds, this is its whole purpose (likewise with similar orgs doing similar things)

The US bans the sale and install of Cisco hardware? (of course not but from the context not clear)


Governments provided with source code from MNCs like Huawei will be under strict NDA - providing source is very unusual for obvious reasons (poor security being one - assuming they know it’s bad, sharing it opens a huge threat vector). They are almost certainly unable to share any specific vulnerabilities.


Government has a mandate. That's how it can function. They have evidence, why reveal it to the public (and thus China)? I grew out of my Ron Paul phase at 15.

You trust China over your own government? Move then.


Whoa there, kiddo! I deeply, deeply resent being called 15! The tone of your comment is just wild.

I am old enough to have seen several instances where organizations had internal reasons for their decisions and chose to argue something completely different in their outward communication. Given that an exclusion of Huawei had the obvious side effect of protecting domestic markets, this leaves quite some room for doubt around this specific instance. You say it yourself that governments have mandates.


It isn't a question of trusting China more, it is about the determination of whether China or a different government is the bigger threat. If my communication gets me in trouble it is much more likely to be with my local government than the Chinese. That and the Chinese equipment probably being cheaper and better casts a lot of doubt on whether conclusions from 5-Eyes countries are in my interests.

From that perspective it makes a big difference whether the Chinese have mostly secure back-doors or their software is just generally insecure.


Due to way the Chinese government operates in other countries, if you happen to be ethnically Chinese living in the West, the Chinese government is still probably more of a threat to you than Western governments.

https://www.cbc.ca/news/canada/ottawa/rcmp-chinese-police-st...


It is difficult to assess - we could say similar things about the US network set up for extraordinary renditions. It is unclear whether the US or Chinese network is "worse". Although what worse means is very debatable, it raises questions of size, activity, goals and targets. We're comparing one clandestine thing to another and we don't have good data on either.


The media coverage at the time (which I followed closely because I worked in this space) indicated that the UK was under a great deal of pressure from the US to ban Huawei. The US was allegedly concerned that the use of Huawei equipment would allow US/UK shared intelligence to be eavesdropped by the CCP. The US pressure was widely viewed in the UK as having an economic purpose disguised as security.

A quick search found: https://www.euractiv.com/section/politics/short_news/uk-bann...


>> The US pressure was widely viewed in the UK as having an economic purpose disguised as security.

I live in the UK. This may have been part of it, but to think that a communist dictatorship that (to pick a random example) harvests organs from political opponents is above backdooring their own kit is beyond naïve.


That kind of analysis needs a control.

But I guess it’s like you said: a political experiment.


Does it really need a control when many countries across the globe have independently tried it out and reached the same conclusion? I would say the results are pretty clear.


The purpose of the control would be to establish whether the competition is actually any better.


Anecdotally, having done multi-year deep-dive security reviews of both Asian and Western carrier equipment (and compared notes with many colleagues working on similar efforts), there is a stark difference. It's not even close. I've focused on firmware security analysis of RAN/eNodeB/gNodeB equipment but have also done many pentests targeting core infra as well. Western nations have actually done the baseline assessment over years and years of deployment and defence - this is why we are able to see the contrast in the comparison.


The main purpose of this system was not to judge code quality (although that's a very useful side effect!) The goal was to convince politicians that they could allow the installation of cheaper telecom hardware made by a geopolitical rival, yet also protect themselves from espionage and deliberate sabotage.

Now personally I would say that this is a crazy idea from the jump, given the usual asymmetry between attackers and defenders. But even if you grant that it's possible, it requires that you begin with extremely high standards of code quality and verifiability. Those were apparently not present.


But if they're no worse than the alternative, there's no point in spending the extra money.


You're not thinking of the entire scope of the issue. For example, the UK cannot legislate Huawei or any other Chinese company. You might say that that's true about the US too, and to some degree you'd be correct, but this also isn't taking into account that the US is (was?) a strong ally and this provides much more leverage over the situation. It ALSO means that IF these networks are being used to spy on citizens that there's a lower worry (still a worry, but lower). It would also mean that if this data is not being shared with the UK then this would be a violation of the 5 eyes agreement, which means the UK has more leverage over that situation.

So yeah, even if they are equal, there are A LOT of reasons to spend the extra money.


As the other respondents said, it’s an issue of threat modeling. If you essentially model the origin country as your ally, you still need to worry about rogue developers and bad code quality enabling outside exploits. If you model the origin country as a potentially enemy then you need a level of assurance that is vastly higher.


But they are worse. Massively so.

Also, even if all providers provide equally crappy versions, it's still slightly more secure to prefer a vendor in your own or an allied nation. At least your interests are mildly aligned.

But really, they are massively worse.


That control already exists because similar levels of audits have already happened on the competition. I'm not saying the competition is a shining example of quality, it definitely isn't, but it meets a bar of some set of basic security compliance standards.


That's a different kind of experiment and I just got to say that there is no "one size fits all" method of experimentation. The reason there doesn't need to be a control here is because comparators have ZERO effect on the answers being asked.

  The question being tested is:
  - Do Huawei devices have the capacity for adequate capacity

  Not
  - Are Huawei devices better or on par in terms of security compared to other vendors.
These are completely different questions with completely different methods of evaluation. And honestly, there is no control in the latter. To have a control you'd have to compare against normal operating conditions and at that point instead you really should just do a holistic analysis and provide a ranking. Which is still evaluating each vendor independently. _You don't want to compare_ until the very end. Any prior comparison is only going to affect your experiments.

tldr: most experiments don't actually need comparisons to provide adequate hypothesis answering.


I've been personally involved in evaluating the security of a certain vendor starting with the letter H. Let us just say they are "less than honest". I had pcaps of their bullshit trying to reach out to random C2 shit on the internet, which garnered a response of "there must be a mistake, that is not our software".

Let China sell their telecom bullshit to all the poor people of the world - they will learn hard lessons.


Does it send more data to more endpoints than US-made Windows OS (I wiresharked it in a VM so I know)?


That question doesn't make any sense. Windows isn't used to run core network infrastructure on that level. These devices should never ever call out to remote servers unless explicitly configured to do so, and even then that should be a select list of customer defined servers.

Obviously Windows will send more telemetry if telemetry is sent at all, because it's doing more stuff. Then again, Windows' telemetry is nothing compared to what Huawei phones will send to the mothership, and Huawei phones are nothing compared to an Amazon Alexa. Not that any of that is relevant.
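Two comments above make the same operational point: carrier equipment should only ever talk to a short, customer-defined list of destinations, and the pcaps mentioned earlier in the thread were interesting precisely because traffic went somewhere else. Below is an added example of that check as detection logic over flow records, written for this thread and not taken from any of the commenters' work; the device addresses, the allowlist and the NetFlow-style CSV lines are all constructed.

```python
"""Added example (not from the thread): flag outbound flows from carrier
equipment to destinations that are not on the operator's configured
allowlist. Addresses, allowlist and flow records are constructed."""
import ipaddress
from typing import Dict, List

# Constructed: management/control-plane addresses of the equipment under review.
DEVICE_ADDRS = {
    ipaddress.ip_address("10.20.0.11"),
    ipaddress.ip_address("10.20.0.12"),
}

# Constructed: the only destinations the operator explicitly configured
# (NTP server, syslog collector, the operator's own update-mirror network).
ALLOWED_DESTS = [
    ipaddress.ip_network("10.20.1.5/32"),
    ipaddress.ip_network("10.20.1.6/32"),
    ipaddress.ip_network("10.200.0.0/16"),
]

# Constructed flow records, NetFlow-like CSV:
# timestamp,src_ip,dst_ip,dst_port,proto,bytes
FLOWS = """\
2024-03-01T02:00:01Z,10.20.0.11,10.20.1.5,123,udp,76
2024-03-01T02:00:05Z,10.20.0.12,10.20.1.6,514,udp,410
2024-03-01T02:03:17Z,10.20.0.11,10.200.3.9,443,tcp,5120
2024-03-01T02:07:42Z,10.20.0.12,203.0.113.77,443,tcp,1833
2024-03-01T02:07:43Z,10.20.0.12,203.0.113.77,8443,tcp,2201
2024-03-01T02:09:00Z,192.168.50.4,203.0.113.77,443,tcp,900
"""


def parse_flows(text: str) -> List[Dict]:
    """Parse the CSV lines into records with typed IP addresses."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, proto, nbytes = line.split(",")
        records.append({
            "ts": ts,
            "src": ipaddress.ip_address(src),
            "dst": ipaddress.ip_address(dst),
            "port": int(port),
            "proto": proto,
            "bytes": int(nbytes),
        })
    return records


def is_allowed(dst) -> bool:
    """True if the destination falls inside any configured allowlist network."""
    return any(dst in net for net in ALLOWED_DESTS)


def unexpected_callouts(records: List[Dict]) -> List[Dict]:
    """Return flows where a monitored device contacts a non-allowlisted
    destination. Flows from hosts that are not under review are ignored."""
    alerts = []
    for r in records:
        if r["src"] not in DEVICE_ADDRS:
            continue
        if is_allowed(r["dst"]):
            continue
        alerts.append({**r, "reason": "destination not in configured allowlist"})
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, Dict]:
    """Group alerts by (src -> dst) so a chatty destination surfaces once,
    with flow count, total bytes and the set of ports used."""
    summary: Dict[str, Dict] = {}
    for a in alerts:
        key = f"{a['src']}->{a['dst']}"
        entry = summary.setdefault(key, {"flows": 0, "bytes": 0, "ports": set()})
        entry["flows"] += 1
        entry["bytes"] += a["bytes"]
        entry["ports"].add(a["port"])
    return summary


if __name__ == "__main__":
    for pair, stats in summarize(unexpected_callouts(parse_flows(FLOWS))).items():
        print(pair, stats)
```

The design choice is an allowlist rather than a blocklist: for core network equipment the set of legitimate peers is small and known to the operator, so anything outside it is worth a ticket regardless of whether the destination is reputed to be malicious. The 192.168.50.4 flow is deliberately left in the sample to show that the rule scopes itself to the devices under review rather than the whole network.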


I'm not comparing it to an OS. I'm comparing it to other competitors in the particular solution space. To answer your question: no one else's equipment behaved in that manner.


> To answer your question

Maybe I'm being pedantic, but that doesn't answer their question.


Was this for phones or home routers?


Carrier (ISP) routers.



