In continuation of this topic. Or rather, not as a sequel but as a prehistory, since the article below was written three months before the events described. I thought a lot about the information risks associated with both Huawei equipment and Huawei itself. In an informal setting, I talked to people who described their experience of working with Huawei as customers; according to them, product quality is, to put it mildly, not the best, but the price is excellent. In the end, I realized a frightening truth. The main information security risk is not in the network hardware, but in the vendor's technical support engineers.
Some of the largest telecoms in Europe have chosen Huawei network equipment because of low prices, often twice as low as those of competitors. Immediately after the purchase of equipment, the client invariably detects many bugs, some in the program code, some in the hardware. Among network engineers, it is widely known that Huawei’s software architecture is very poor, lacks flexibility, and has many vulnerabilities (although the situation improves over time).
But this is a critical business problem. Many of these companies have created special units exclusively engaged in testing Huawei’s code and hardware for performance in a specific use case. Still, it is cheaper than simply buying Cisco or Juniper equipment.
Technical support as a threat to information security
The real security threat comes when Huawei begins to solve customer problems. Their typical reaction in the case of a large customer is to fly a team of engineers from China directly to the site to deal with the case. I was told that from twenty to one hundred engineers at a time would work, at Huawei's own expense, on identifying bugs, making changes to the code, sending the results to developers at home, receiving new code and testing it.
This happened to at least three major European providers. Let's forget for a moment that if you release a product, you have to test it thoroughly and ensure high-quality, relatively bug-free code, and that even Cisco and Juniper acted in a manner similar to Huawei in the 90s, when the network industry was still in its infancy.
The main risk is the team of engineers. They will be located in the very center of the country's telecommunications infrastructure. To identify and fix problems, they will have full access to network architecture information. In addition, they are likely to have full access to the existing equipment, including not only that made by Huawei. These engineers will temporarily integrate into the company's structure, and they will have the opportunity to carefully study the staff's response to information security incidents, and simply assess the overall degree of network security.
Knowledge is the key to success when attacking a network.
What is the threat?
It is unlikely that the Huawei equipment contains backdoors: these are very hard to hide. It is much easier for a foreign government to include a couple of its people in the technical support team, and then get documentation, topology diagrams and device configurations from them. Telecoms are usually very poorly protected from data theft by trusted people.
With this information, an attacker can easily build a network map. Knowledge of weak points, physical locations, logical structure, plan of reaction to attacks and how the company has installed equipment is truly invaluable. An ordinary hacker from the outside would have to spend a huge amount of time and resources on researching the target and finding weak spots in the operator’s network.
Keep in mind that the ongoing maintenance of equipment implies the continuous updating of information on network design and configuration available to Huawei. This data is objectively required by the company for better implementation of customer support.
Having full knowledge of the internal network and security-related internal procedures of a large national provider is a significant threat to national security.
How to protect yourself?
All development is conducted in China, and the results of any verification of Chinese citizens working for Huawei will be unreliable.
It is very difficult to establish barriers that can prevent the leak of information to the manufacturer of your equipment. It simply cannot help you without this information.
Opinion of the author
All the hype around backdoors in Huawei hardware is surprising, to say the least. If I were an IT director at a telecom operator, I would be more concerned about the operational costs associated with poor software quality, since, from the point of view of many engineers, the quality of Huawei products is worthless.
People rightly worry about national security, but the fact is that Huawei engineers can gather a tremendous amount of information about the telecommunications infrastructure on which the modern world is built. This is essentially network intelligence. But it should be noted that companies buying equipment from Cisco face the same threats. I think that Cisco equipment sales to the Chinese government are limited for the same reasons, but the media say little about it.
To understand the scale of the disaster: not so long ago, in the process of carrying out a project for a very large sales network, I learned that three days without electronic financial transactions would cause tremendous damage to the economy and could well lead to mass unrest. After five days, a collapse of society can occur, since nothing is being sold or bought. Commerce is infrastructure as vital as electricity and water.
Putting myself in the attacker's place: I just need to know where to strike in order to cause this. And it is this information that engineers can easily obtain by settling in the customer's premises and fixing its problems. So we are right to take care of security, and we need to look carefully at Huawei, and not at its products. And it goes without saying that residents of certain countries should take the same attitude towards American developers like Cisco and Juniper.
The problem is information security, not physical security.