
Vodafone Found Hidden Backdoors in Huawei Equipment - jmsflknr
https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment
======
0898
As Jon Gruber says: "Bloomberg, of course, is the publication that published
“The Big Hack” in October — a sensational story alleging that data centers of
Apple, Amazon, and dozens of other companies were compromised by China’s
intelligence services."

"The story presented no confirmable evidence at all, was vehemently denied by
all companies involved, has not been confirmed by a single other publication
(despite much effort to do so), and has been largely discredited by one of
Bloomberg’s own sources."

"By all appearances “The Big Hack” was complete bullshit. Yet Bloomberg has
issued no correction or retraction, and seemingly hopes we’ll all just forget
about it. I say we do not just forget about it. Bloomberg’s institutional
credibility is severely damaged, and everything they publish should be treated
with skepticism until they retract the story or provide evidence that it was
true."

~~~
neximo64
How do you know for sure that the story is false? As you've mentioned
Bloomberg hasn't corrected or retracted the story. Governments and companies
have in the past denied things that have been true.

Do you seriously think Huawei vehemently denying that it has backdoors in its
technology makes it true all of a sudden?

~~~
longhorn_alum
> How do you know for sure that the story is false?

That's not how journalism works, at least until fairly recently

------
steve19
Hard to know from the article, and Bloomberg does not have a good track
record, if the 'backdoor' was a vulnerability , an unwanted feature or an
actual backdoor.

I might imagine a Chinese headline with "US firm Intel backdoors every CPU",
which may or may not be true depending on your feelings on Intel ME

~~~
VvR-Ox
Intel ME _is_ a backdoor.

The funny thing is that there are many more. Interesting how the EU is dealing
with this - most media seems to focus on how badly china could be spying while
the US proved they aren't trustworthy long before.

~~~
fxfan
You haven't worked for large companies have you? Intel ME is NOT a backdoor.
It may have vulnerabilities, sure. But none explicitly put in there.

It was designed for a specific purpose- troubleshooting enterprise computers.
And it does that job amazingly well. No more IT guy guiding me when he can
just do all the clicks himself.

~~~
danarmak
It doesn't matter if it's a deliberate backdoor or not. It's a door, and I
want to be able to close that door if I'm not using it, and Intel won't let
me. Reducing attack surface is a security best practice exactly because any
software can have bugs.

An allegory: imagine if an OS ran an SSH server and there was no way to turn
it off or to control the keys it accepts. Maybe it has no bugs (you can't see
the source code). Maybe it has no malicious intent or backdoors. As a security
conscious computer owner, I still view its existence as a negative. I would
like to be able to provably turn it off or control the keys it accepts.

~~~
VvR-Ox
And that's exactly what matters and why I among many others call it a
backdoor.

Telnet on the other hand is a service that I can switch off or block with far
less work involved in normal circumstances.

To get rid of Intel ME I'd need to use Core-/LibreBoot and install it in a
ritual that for a novice has something of a "black magic rite".

------
O_H_E
I was skeptical about "boycotting" China and Huawei for a long time; just
thought that they make cheap phones, and innovative tech, so why not.

I changed 180 degrees when I started learning about the growing Chinese
influence, how politically corrupt they are, and the excessive violence and
human rights violations exercised against minorities.

China is growing its economic dominance very quickly. They are gaining many
growing Asian and African countries under their belts (pun intended with the
belt & road initiative [1])

These poor counties don't really have a say when offered china's generous
offers, but we do.

It is going to be expensive, just like trying to fix climate change is: We
have to be willing to pay to fix our mistakes (or other people in our society,
if we want better future for our [grand]kids. But we will only be paying the
price of our mistakes: depending that much on sweatshops, factory workers who
are paid next to nothing, and collaborating with an authoritarian regime that
clearly opposed our values for the longest time.

[1]
[https://en.wikipedia.org/wiki/Belt_and_Road_Initiative](https://en.wikipedia.org/wiki/Belt_and_Road_Initiative)
Concentration camps and race-based terrorism in Xinjiang:
[https://www.businessinsider.com/what-is-life-like-in-
xinjian...](https://www.businessinsider.com/what-is-life-like-in-xinjiang-
reeducation-camps-china-2018-5) Belt and road effect on nature:
[https://www.businessinsider.com/china-belt-road-
encourages-i...](https://www.businessinsider.com/china-belt-road-encourages-
invasive-species-2019-1)

PS: I agree with the stance on bloomberg, but that doesn't really defy my
point. I just had to get something off my chest.

~~~
BLKNSLVR
"Chinese influence, how politically corrupt they are, and the excessive
violence and human rights violations exercised against minorities."

I know your heart is in the right place, but you could replace China with "The
US" or "Russia" or "North Korea" or "colonial Britain" or almost any other
country and it would be true. Those who wouldn't be worthy of the list are
those who've never had the resources or opportunity to make the list.

It's sad, but I believe it's pretty close to the truth.

In relation to China, "The West" gifted it the power it now wields by
outsourcing manufacturing there because cheap labor meant much higher
percentage profits for all the savvy business owners who didn't want to pay
local rates. And didn't they do well over the last 40-odd years! Can't deny it
being smart business back then. Also can't deny that China's current world
power status wasn't predictable 40-odd years ago if businesses everywhere
decided to follow suit. And they did, and here we are, and all the countries
that host companies that contributed to this are now having a cry about the
actions of the monster they profited from creating.

~~~
jhanschoo
> you could replace China with "The US" or "Russia" or "North Korea" or
> "colonial Britain" or almost any other country and it would be true. Those
> who wouldn't be worthy of the list are those who've never had the resources
> or opportunity to make the list.

Many Western countries have a checkered past, but it's not exactly as though
present citizens of the West were directly involved in the atrocities
committed in the past by the West. Every sufficiently long lived state has had
its dishonorable days, but it's not like we can't criticize both the past and
current behavior of these nations and the /current/ behavior of China.

On the other hand, it is to the current Western climate's benefit that many
dare make such criticism openly on the record and without fear of persecution
(e.g. Gitmo). The same cannot be said of China.

> And didn't they do well over the last 40-odd years!

While your paragraph has the tone that the West is simply getting its just
desserts, I find it unwarranted. This criticism, at its best, is criticism of
past bad realpolitik policy by the West. People like the parent comment are
only just learning of how woeful it is that Chinese influence is spreading,
when Chinese influence is that unjust. It is useful to know that the West may
have fed the beast. But the parent comment you are replying to was likely
ignorant of the situation then and likely had no decision-making power then
anyway. Thus adopting such a tone is in quite bad taste, since the parent
comment is likely a victim of someone else's poor decisions and not their own.

~~~
BLKNSLVR
"the tone that the West is simply getting its just desserts"

That wasn't my intention, although it can easily be read like that. My
intention is for the potentially "ignorant of some history" parent-poster to
be provided with some context around the current situation, ie. it does not
exist in a vacuum, and has been strongly influenced by the actions and
policies of the leadership of non-Chinese countries and companies.

The citizens of all countries are the victims in this. The significant
majority (99+%) of the world population are caught in situations created or
influenced by a very small minority of people (some of which were
democratically voted for, but then that turns into a much more complex
debate).

I intentionally started my comment with "I know your heart is in the right
place" to make it (hopefully) clear that I wasn't directing any accusations
toward the parent poster.

------
apexalpha
>Vodafone said in the report that Huawei would need to remove or inhibit a so-
called telnet service—a protocol used to control devices remotely—that the
carrier said was a backdoor giving Huawei access to sensitive data.

This seems like a diagnostic telnet port left open by accident. I'm very
sceptical at this point at any American government or media finding a
'backdoor' in Huawei.

A backdoor implies this is intentionally left open to later get unauthorized
access.

Why would anyone build a 'backdoor' on an open telnet port?

This seems intentionally blown out of proportion to fit a narrative.

~~~
HenryBemis
I have been playing VikingMUD for more than a decade. I have been
'backdoor/hacking' it when I was using telnet to connect?

I have been audit in IT/IT Audit/IT Security for quite a while. Having ability
to telnet in is not a crime. We got firewalls for stuff like that. Even if it
is not documented in whatever paperwork have been provided, it takes 5 seconds
on a scan to pick this up. There also a bunch of IDS/IPS out there that would
spot and kill such a connection attempt in a millisecond.

Also, telnet is unencrypted. Who attacks something when everything is
readable? It beats the purpose.

This story has so many holes that a junior net-admin could prevent in their
first week. I will assume that Vodafone has 'an army' of highly skilled
network and security administrators that have "block telnet" in the first page
of their checklists.

I am not taking sides. I am just thinking of ways I have reacted in the past
when I found on firewall logs blocked connect attempts.

I also think Bloomberg should stick to what they do best, money. Let the IT
Sec to far more qualified outlets. Or if they really want to do this right,
and not just aim for clickbaits, get a team of experts to go through their
material before they post.

~~~
threeseed
I don't think you have an idea of how a telco works.

There isn't some giant firewall that every request goes through so you can say
"block port 21" and your problem is fixed. Most of the equipment is talking
directly to each other on many different private networks some of which may be
managed by third parties. And as companies shift towards virtualised,
container based architectures it can become harder as there is more complexity
as companies transition.

And not sure if you've worked at a large company before but the idea that they
have this army of highly skilled people who just make sure everything works
perfectly isn't what happens.

~~~
HenryBemis
Actually I have, most of my employers and clients the past few decades have
80k++ employees. I understand that there are PLENTY of interfaces on a company
on the size of Vodafone (let's call them that) that have live access to
networks, infrastructure, and what have you (e.g. Huawei, Nokia, Ericsson to
name the big whales) and myriad other smaller ones monitoring, fixing, live, a
million moving parts.

The responsibility and accountability remains though. I do not accept the 'we
are big and busy so we drop the ball'.

------
Uptrenda
As opposed to backdoors in:

\- The SIM card for remote operator app provisioning.

\- The baseband processor (that supports over-the-air fireware updates,
"typhoon boxes", and other horrible crap)

\- The GSM spec, lulz (that allows for binary SMS app pushes signed by certain
keys, "silent" SMS to track location, and so on by protocol standard.)

\- Obsolete, broken, and purposefully weakened crypto that remains in use for
backwards compatibility (and spying.) Not that it would matter anyway because
traffic is unencrypted over core links.

Vodafones entire business model depends on backdoors for controlling customer
equipment and tracking subscribers. Also, China numba wun!

~~~
csin
Not be mention being fined in multiple countries for shady marketing
practices!

------
gloflo
One could replace 'Huawei' with 'Cisco' in this article and everyone would
just nod and sigh. The political spin on it is concerning.

------
klagermkii
This article dances back and forth between saying "vulnerability" and
"backdoor", which while they may have the same end result wildly differ in
intent.

I can't tell the seriousness of this except for the telnet one.

~~~
Aissen
How anyone trusts Bloomberg after the Seamicro chip story is beyond my
understanding. (and specially the way it was handled and not retracted —
anyone can make mistakes, but owning them is most important).

Even the title could have been something else. Like this excerpt from the
article:

> "Vodafone has defended Huawei against the U.S. onslaught"

------
jdsully
The article takes a lot of words to explain they left a telnet server open. It
wasn’t some super secret hidden thing.

~~~
sterlind
Ah, but the article said that the telnet server "could still be launched," not
that it was necessarily open. It could be one of those "magic knock" packets
that 'launches' telnet, like the backdoor found in some Cisco routers a while
back.

Also weird is that Huawei insisted on keeping it open until they'd completed
testing... does that mean it's phoning home? Or that they have their own
technicians coming around to service it?

Such a crappy article. Bloomberg should have learned from the Supermicro
fiasco to include more details and not parrot a single source. At this point
if IC is serious about Huawei posing a national security risk they should
arrange a leak of their actual intel to force real public discussion..

~~~
jeroenhd
"Never attribute to malice that which is adequately explained by stupidity"

Some lazy engineer probably added the feature as a remote monitoring/debugging
tool with no regard for security because it needed to work before the next big
release. Disabling the feature before the next release would probably break
all kinds of support and monitoring, potentially leading to instability or
them being unable to service failing equipment.

~~~
threeseed
Thankfully not all of us take your approach.

Because you should always assume malicious intent when it comes to IT
security.

------
negamax
I can’t tell if this is true or an organized smear campaign against Huawei for
monetary reasons.

~~~
danarmak
Why not both? Many routers have had remote access vulnerabilities, but there's
a clear reason to write about 2012-era vulns about Huawei and not some other
manufacturer.

~~~
gloflo
What would be that reason?

~~~
bildung
The smear campaign part of negamax's comment.

------
swarnie_
Has anyone else noticed the increased "scrutiny" the US has been putting on
Chinese companies recently?

Huawei seems to be the biggest example and its worrying me because they are
starting to strong arm EU allies to follow in their footsteps. Both Germany
and the UK have cleared Huawei to take put in 5g rollouts against the USA's
wishes.

I'm not sure who to side with here, the company with multiple allegations
against it or the country which is known to do exactly the same thing except
maybe worse...?

Try not to dismiss this because its not dripping in pro-usa sentiment, i'm
interested to hear what people inside the bubble think.

~~~
gloflo
Absolutely, I find the increase of our politics _and_ media attacking 'The
Russians' and 'The Chinese' in recent years very concerning. Especially with
the lack of reflection on our own actions both nationally and internationally.
Like pervasive surveillance, hacking, military aggression and influencing
elections, just to name a few.

~~~
mschuster91
> Absolutely, I find the increase of our politics and media attacking 'The
> Russians' and 'The Chinese' in recent years very concerning.

I rather find it concerning that Russia has been financing the far-right,
nationalist and anti-European parties that have risen over entire Europe, and
that China is using debt as political leverage to gain power over poor African
countries.

Add to this that many Western companies and politicians only look for the next
quarter/election results and not 10, 20 or heaven forbid 50 years in the
future... while this is precisely what Russia and China are doing. A
splintered EU won't do a thing when Russia once again screws over human
rights, and no one in deep debts to China (or with all manufacturing
outsourced to China...) will dare criticize them when they start executing the
Uyghur Muslims.

~~~
gloflo
Thanks for this fine example of proving my point.

------
okket
"While the carrier says the issues found in 2011 and 2012 were resolved at the
time, the revelation may further damage the reputation of a Chinese
powerhouse."

------
andrzejg
It would be nice if they compare Huaweii to other vendors. I am quite sure
Erricson and Nokia had some backdoors/critical vulnerabilities as well. It is
quite common if the policies are poor and they skip some penetration tests. I
don't think anyone would make such silly backdoors on purpose (like unsecured
telnet connection).

------
SiempreViernes
> Abandoning Huawei for 5G, with Europe already lagging behind China and the
> U.S., could force them to rip out the supplier’s 4G gear

Does anyone know what this is about? Both the need to rip out 4G gear if they
don't want to use the new 5G stuff, and also the statement about Europe being
behind China and the USA?

~~~
jeroenhd
I think the idea is that Europe would rip out all Huawei components after the
scandal, requiring a revamp of both 4G and 5G networks.

I doubt the US is that much ahead of Europe. It's true 5G networks are yet to
really roll out, but with the higher population density the 4G coverage and
residential internet is better in most of Europe, making the current 4G
network suffice for now for many people.

~~~
icebraining
Supposedly higher density makes 5G more important, not less, since it supports
way more devices in the same area, while it doesn't really improve on the
coverage distance, which is more important for more rural areas.

------
Fnoord
Backdoors are always hidden. Else it is a "frontdoor".

------
amelius
Can't Huawei just license their technology to a US firm, so this hardware can
be implemented and produced under US supervision?

~~~
mr__y
>Chinese company licensing their technology to a US company that would be a
remarkable plot-twist

On the other hand given how sophisticated these things are , even if all the
source code is available you can't be 100% sure to spot all the
bugs/vulnerabilities/backdoors. I guess this applies to hardware equally well.

~~~
amelius
I mean at a higher level: their algorithms and analog designs licensed to the
US, not the source code.

~~~
zihotki
That'd take ages to implement and billions of dollars. Doesn't seem realistic

------
tinus_hn
It’s one of these debug interfaces they find all the time in network
equipment, either Chinese or by Cisco.

------
caprese
Alternate headline:

Chinese intelligence joins US and Five Eyes coalition in public-private
partnership global surveillance program, information sharing agreement to be
discussed in upcoming trade talks.

Whataboutisms only work when the accuser is assuming something un-ordinary is
happening, after knowingly or unknowingly exempting themselves from the
behavior they already practice.

------
fredgrott
leaving un secure stuff open is not the same as a damn backdoor

BUT, being lax in rigour concerning what ports, etc are left open and the
security reasons why is just at some point a question of are they an unknowing
asset of China Gov...

Both are equally important

------
O_H_E
Clean, no paywall, no ads:
[https://outline.com/VVdLhT](https://outline.com/VVdLhT)

------
NotPaidToPost
I'm sure that they're going to find out that some people at Huawei do not wash
their hands after going to the toilet.

Do you really want your data in those hands?

~~~
dang
Please don't do this here.

~~~
NotPaidToPost
What is 'this'? Sarcasm or not following groupthink?

~~~
dang
Post unsubstantive comments, especially snarky or indignant ones.

There's obviously no 'groupthink' on HN about Huawei.

~~~
NotPaidToPost
My comment was 'substantive', as you put it. Sarcastic, but substantive.

It's funny how you felt you had to use the word 'obviously'...

~~~
dang
I just mean that people argue about Huawei and other China-related stories
quite fiercely whenever they come up (often too fiercely:
[https://news.ycombinator.com/newsguidelines.html](https://news.ycombinator.com/newsguidelines.html)).
'Groupthink' is refuted by a quick glance into any such thread.

Actually though, the word 'groupthink' usually isn't about anything other than
oneself. It's a form of internet preening: I the freethinker am nobler than
the deluded masses in whose midst I glide. In other words, a middlebrow
'sheeple'. (Sorry if that feels like I'm picking on you personally; I don't
mean to.)

