
The FBI, CIA and NSA say American citizens shouldn't use Huawei phones - daegloe
http://money.cnn.com/2018/02/14/technology/huawei-intelligence-chiefs/index.html
======
devhead
Maybe it's tinfoil hat time; the more the government says to not use Huawei,
offering no proof at all, the more I think they are unable to track and log
information like they can on US(ish) phones.

All US phones have components manufactured in China as well as all over the
world. It is not a stretch to think the foreign governments couldn't get in
the middle and create vulnerabilities or straight up drop attacks on different
components they have access to. How is Huawei any different?

Are we supposed to take their complaints seriously when Snowden leaks revealed
the NSA hacked Huawei servers to find vulnerabilities they themselves could
use to spy on people around the world. /shrug operations Shotgiant doesn't
matter? If the NSA hack revealed that Huawei was injecting spyware it's time
to release the details of how they found out.

~~~
eridius
This argument would hold more weight if the government was saying not to use
any non-US phone. But they're specifically targeting Huawei and ZTE. Notice
that there's no recommendation to avoid e.g. Samsung phones.

~~~
morganvachon
> _"This argument would hold more weight if the government was saying not to
> use any non-US phone"_

There's not even such a thing as a "US phone" though, is there? Even phones
manufactured by US companies like Apple are made in China with
Chinese/Taiwanese sourced parts. Google always outsources its Nexus/Pixel
devices to third parties like LG and Motorola. Speaking of Motorola, they are
now owned by Chinese manufacturer Lenovo, which has also been in hot water
lately over spyware and rootkits in their laptops.

I'm of two minds about the announcement. On the one hand, Huawei and ZTE have
both been caught installing backdoors and spyware on their devices in the
past[1]. On the other hand, the US three letter agencies have a vested
interest in US citizens carrying around easily monitored and tracked devices,
and they easily find ways around Constitutional protections against spying
within their own borders.

I honestly don't know who to believe in this situation.

[1] [https://www.fastcompany.com/4025254/new-phone-who-dis-huawei...](https://www.fastcompany.com/4025254/new-phone-who-dis-huawei-zte-respond-to-reports-of-secret-back-door-in-android-devices)

~~~
bitsnbytes
"Even phones manufactured by US companies like Apple are made in China with
Chinese/Taiwanese sourced parts."

Exactly my thought. US gov't even outsources to private contractors that then
subcontract and outsource to China for electronic components including chips
that can easily end up in our DOD systems. I wonder if this is more of a money
or market thing being pushed by the Existing Oligopoly?

Something doesn't appear to add up completely?

~~~
013a
What doesn't add up is that, in the real world, you can't protect against
every threat model. It's their job to protect the best they can. They can't
tell Apple to stop building their phones in China, but they can simply say
"Don't buy Huawei".

That's easy. And moreover, it's a bigger threat. With a Huawei phone, the
Chinese government has control over everything from the processor to the
userspace software. With a small piece of silicon in a fab, the threat surface
is much smaller; they'd have to sneak it in against Apple's will, past all of
Apple's American-loyal QA.

In the software world, we tend to think about security as an absolute, because
computer logic is absolute. In the real world, security is probabilities. How
can you minimize the chance of breach while minimizing costs.

~~~
coldtea
> _What doesn't add up is that, in the real world, you can't protect against
> every threat model. It's their job to protect the best they can. They can't
> tell Apple to stop building their phones in China, but they can simply say
> "Don't buy Huawei"._

If the 'threat' was real, that makes as much sense as hardening one door in
your house, when you have 4 other doors because "you can't protect against
every threat model".

~~~
013a
No. It makes as much sense as securing the 4 doors because that's a relatively
cost efficient way to implement basic security. But let's avoid strengthening
all the walls with a titanium alloy to protect us when the threat brings a
bulldozer to get in. That's expensive.

Asking Apple to manufacture their phones outside of the US is a highly
expensive action.

------
windexh8er
This is not new. I worked for a Comcast subsidiary who owned and operated a
multi-state "cable" company who owned all of their end to end transport and
had a customer base of around 250k at the time. They installed all fiber and
HFC networks in the ground, thus they also owned all the fiber transport gear.
We had been in a bake off between Infinera (US based) and Huawei for long-haul
transport until a three letter agency paid a visit and made the decision for
us.

So... Either one of two things was true: the three letter agency was
protecting US consumers or the three letter agency already had Infinera
backdoored. My personal opinion in the matter was the former. Why? Because
later that same year the data center was shut down one night and off limits
for all changes and users. The next day a large, locked and tamper taped
mobile rack was in the DC with 100Gb link into core routing. That led me to
believe gaining access to siphoning traffic was not really the issue. But I
could also be wrong because I wasn't in the know.

This was in 2010-2011, pre-Snowden.

~~~
tgsovlerkhgsel
A third possibility is that they're using this influence to give an economic
advantage to US-based companies, and a disadvantage to foreign (or
specifically Chinese) ones.

Could also be all three of course.

~~~
psergeant
The economic argument is difficult to make, because it raises costs on
American companies who are consumers.

~~~
coldtea
Unless of course those consumers have less influence on politicians than huge
telcos (and the costs are negligible anyway)

------
turc1656
_"There is a risk of letting any company "beholden to foreign governments"
inside the country's telecommunications infrastructure, he said."_

At its face value this is indeed true. However, it is interesting there is no
mention of Samsung then, right? Why would they be exempt from this
recommendation, especially given Samsung phones are hundreds or perhaps
thousands of times more prevalent than Huawei and ZTE phones in the US.

Shouldn't the argument from the FBI, CIA, and NSA be that US citizens
shouldn't purchase any non-US manufactured phone? I'm skeptical as to the true
purpose of the statement. This might possibly indicate that for whatever
reason Huawei and ZTE don't play ball with the US when it comes to
surveillance and the US intelligence agencies don't like it. If anything, this
just raised the probability of me purchasing one of these phones. I'll
probably stick with BlackBerry, but I will at least consider these next time I
need to buy a new phone.

~~~
kragen
The US has 23,000 soldiers in South Korea.

It may also be relevant that there are no US-manufactured phones. Indeed, even
Samsung phones are full of chips from mainland China and Taiwan.

~~~
gnode
Isn't the issue more about design though? It seems to me that it'd be easy
enough to take a random sample of chips made by your Chinese manufacturer, cut
the top off and verify it matches your design with a microscope. However if
the complex product is designed by an adversary it's easier to hide a
backdoor, probably also easier to plausibly claim it was an accidental bug.

------
benevol
That's really funny, because a couple of years ago, Snowden demonstrated very
clearly that American tech companies are _all_ infested by NSA mass
surveillance tools or dominated by mass surveillance activities, constantly
profiling pretty much all citizens.

~~~
Angostura
As far as I’m aware he didn’t demonstrate that (say) Apple was infested by NSA
mass surveillance tools. And those options that could be used to profile users
can be switched off. What am I missing?

~~~
josh2600
Rex, the Qualcomm baseband os, is a binary blob that’s really annoying to
reverse engineer and it shares a bus with the top-level os.

~~~
tptacek
No, that's not in fact how basebands work; the baseband is connected to the AP
via HSIC, which is an internal USB bus. "Shares a bus with the top-level OS",
by the way, is a sequence of words that doesn't really make sense.

~~~
josh2600
I checked and you're right! I misunderstood a series of articles from 5 years
ago on this subject. Please excuse my confusion :(.

Edit: Also Rex is the kernel and RtOS is the OS.

[http://www.osnews.com/story/27416/The_second_operating_syste...](http://www.osnews.com/story/27416/The_second_operating_system_hiding_in_every_mobile_phone)

------
ctphipps
The headline seems sensationalized. The article doesn't mention a
recommendation not to use, it simply was the absence of a recommendation at
all.

"...asked the group to raise their hands if they would recommend private
American citizens use products or services made by Apple competitor Huawei or
smartphone maker ZTE."

The US Government is not in the business of recommending device brands or
services to private individuals, and not making a recommendation is not the
same as recommending against.

~~~
caf
Yes. I would say there it is pertinent to consider why the Senator did not
word the question as _"Would you recommend private American citizens avoid
using products or services..."_.

------
3steve
60 Minutes did a segment on Huawei a couple of years ago where they discussed
the extreme concerns intelligence officials had with Telcos using Huawei
equipment. At the time it just seemed like a very strange segment, this was of
course before the Snowden revelations. I have thought about that segment many
times since the Snowden revelations and it starts to make sense why
intelligence officials were so concerned.

~~~
xploit
I recall seeing that segment. If I remember correctly it was focused on the
Chinese stealing trade secrets and intellectual property from US companies.
One example they gave was Cisco source code that was found in Huawei network
devices.

------
peterwwillis
I'm going to make two assumptions: China is spying on us through these phones,
and the US _is not_ spying on the Chinese through US phones.

Now consider what real harm is going to come from US citizens using these
phones when they don't have any influence on the US government. Are the Chinese
going to siphon the data of everyone in the country and use it to plan attacks
on the government? Could be. But considering the relationship these two
countries have right now, does this seem probable?

We aren't at war with China. But we are slowly giving up market share to
foreign companies, which weakens our economy and our negotiating power.
Really, the biggest threat to the US from China is not intelligence leaks.
It's _customers_. Once we lose the mobile market, everything else people use
through the mobile phone may follow. China's startups could position
themselves to become the center of the tech world with a captive user base and
tailored platform.

It could be that ZTE and Huawei simply can't be bought, and the US gains
nothing by allowing China to dump cheap and powerful smartphones on the
market. It's one thing to screen phones in the public sector - but nationally?
I'm not buying it.

------
thomastjeffery
> Huawei has not made strides in the U.S. market in large part because of
> government concerns that the Chinese government can use its smartphones and
> other products for intelligence gathering.

This is a great opportunity for Huawei to be the first major manufacturer to
have a totally open-source stack. It would be immediately unimpeachable; a
feature that no other smartphone manufacturer has.

~~~
homero
They'll never get the modem from qualcomm, that thing has its own os and can
download and run anything

~~~
catpack
You do realize that they design and manufacture their own modems, right?

~~~
homero
Huawei has a soc? I swear they use mediatek

I stand corrected HiSilicon

~~~
vetrom
HiSilicon is wholly owned by Huawei.

------
ASalazarMX
It's a sad state of affairs when one can't tell whether China really has
backdoors on Huawei phones, or USA just wants you to use phones with their own
backdoors.

Too much smoke and mirrors.

~~~
reaperducer
Maybe it's a budget-saving measure. Keeps the TLA's from having to buy all of
our information from Facebook and Google.

------
giardini
What we need is a phone that neither the Chinese nor American governments can
monitor. Failing that, since I live in the USA, perhaps a phone that the
Chinese can monitor but the American government cannot (at least until China
and USA ink a pact to trade intelligence info).

What irks me is why does the government insist upon having the ability to
monitor everyone willy-nilly when it has been shown consistently that by far
most of the information gathered is worthless for both espionage and criminal
investigations? Why not return to the older court-approval method for warrants
(and get rid of FISA courts and the FISA system entirely).

~~~
adventured
What in the world would lead you to believe if the Chinese can monitor your
phone, that the US can't? That's so far out there in terms of logic, I can
hardly imagine where you're coming from.

This entire thread is overloaded with posts that seem to not understand the US
intelligence system, its legal authority, how FISA works, how the court system
works, et al.

I keep seeing people say that they might be better off with their information
outside of the US, because China or Russia can't arrest them if they reside in
the US. If your information is outside the US, transited to a foreign service
provider, you just dramatically increased the US Government's authority to
target your information.

~~~
giardini
adventured says _> "What in the world would lead you to believe if the Chinese
can monitor your phone, that the US can't? That's so far out there in terms of
logic, I can hardly imagine where you're coming from."_

Firstly, What makes you think you know and can state here what I believe? You
have _no_ idea.

Secondly, I don't believe that. But I _do_ believe that surveillance is a
constantly-changing game (like stepping into a river) and a Chinese vendor
will be slower to provide updates to USA intelligence agencies than will a
domestic vendor. Hell, domestic communications vendors have willingly
_followed the instructions_ of the 3-letter agencies. The _time lag_ could
allow one to avoid surveillance.

adventured says _> "This entire thread is overloaded with posts that seem to
not understand the US intelligence system, its legal authority, how FISA
works, how the court system works, et al."_

Best to save your breath and worry about the gaps in your own knowledge.

adventured says _> "I keep seeing people say that they might be better off
with their information outside of the US, because China or Russia can't arrest
them if they reside in the US. If your information is outside the US,
transited to a foreign service provider, you just dramatically increased the
US Government's authority to target your information."_

Firstly, that was true for awhile but not now. Foreign or domestic, your data
is being collected and is being examined by computers, indexed and stored for
future reference. We're already at "Big Brother".

Secondly, I'd like to see the FBI try to bring evidence to a U.S. criminal
court that was collected by almost _any_ foreign government's intelligence
services. That would be a fast track to dismissal of charges.

------
russellbeattie
All three of these orgs have done questionable things to their own citizens -
some in recent history - however, they're what Americans have. Not trusting
them when they're being so ridiculously direct seems unwise. If I had to
choose my lesser evil, I'll go with my government's agencies over the word of
a foreign government. I don't think China is fundamentally evil, but I do
think that it's viciously competitive and very organized. So for now, I'll
take the warnings at face value and avoid Huawei phones.

~~~
supergirl
how about ask for proof? let it be debated by elected people first? seems like
secret agencies are running things there... if you want to achieve your goal
just scream "national security"; nice system.

------
ilkan
[https://www.pbs.org/newshour/nation/spy-fears-drive-us-offic...](https://www.pbs.org/newshour/nation/spy-fears-drive-us-officials-chinese-owned-hotel)
Can't find the article but there was a warning not to discuss trade secrets
or use the free wifi in conference rooms at Chinese-owned hotels in the US
or Canada (which includes Starwood brands). Before
anyone starts talking about "hackers"... why sneak around when you can just
own the building.

------
donttrack
I used to make mobile phones for a European company. High end expensive phones
- very few phones produced. I was responsible for gathering telemetry data and
was always wondering why some of the first telemetry data we got from phones
was from Guam.

~~~
saagarjha
Maybe because Guam is near the international date line, and telemetry that
turns on on a certain day is likely to come from there first?

~~~
rootsudo
Makes sense.

------
neo4sure
Huawei is a government sponsored entity. It will be natural for them to spy on
our citizens and companies and steal their data for the betterment of China.
We just have to be aware of that. Going into conspiracy theories won't help us
much, we have to be clear-eyed.

------
Tasboo
What an odd comment thread. In what twisted world are people holding the
Chinese government as a bastion of liberty compared to the US?

------
booleandilemma
So is it a choice between getting spied on by the Chinese government or my own
government?

Which phone does the US government recommend I buy?

~~~
rootsudo
Buy American.

Buy iPhone.

Made in China*.

~~~
adventured
Hardly any of the iPhone is made in China. Taiwan is not China. The same is
true about Samsung phones, they've almost entirely eliminated China from their
manufacturing process. Three times as many Samsung phones are made in Vietnam
as in China at this point. Before another five or six years out, barely any
non-domestic smartphones will be made in China.

------
gshulegaard
Without evidence this sounds a lot like fearmongering.

But at the same time the FBI, CIA, and NSA are probably best informed about
just how powerful (smart)phone surveillance can be.

I still want to see the evidence though.

------
ENOTTY
Here is a video[1] of the part of the testimony being reported here.

It's also worth mentioning that several years ago, the BT in the UK basically
installed Huawei equipment all over their core telecom infrastructure.[2]

[1]: [https://www.c-span.org/video/?c4714734/zte-huawei](https://www.c-span.org/video/?c4714734/zte-huawei)

[2]: [http://www.bbc.com/news/uk-22803510](http://www.bbc.com/news/uk-22803510)

------
3pt14159
You guys, I can't tell if it's foreign bots flooding this thread with
disinformation, but it's _obvious_ that using a Huawei phone isn't going to
keep you off of American intelligence servers. All it's going to do is make it
easier to get on Chinese ones too. I'd take these warnings seriously. The
Chinese have a long history of stealing IP and disregarding norms.

~~~
JumpCrisscross
> _All it's going to do is make it easier to get on Chinese ones too. I'd
> take these warnings seriously. The Chinese have a long history of stealing
> IP and disregarding norms_

Agreed. To those arguing "the Chinese having all my information is better than
the Americans," three points:

1\. As 3pt14159 says [1], just because the Chinese have access to your phone
doesn't make it safer against American law enforcement.

2\. Every phone isn't made by American or Chinese firms. Don't force a false
dichotomy.

3\. Economic espionage is a scary threat model. Consider what you know that
someone else might find valuable. Few people answer "yes" in respect of
political information. Many more answer "yes" in respect of commercial
information. That is your blackmail value. Choosing to expand your security
cross-section to foreign economic espionage _plus_ domestic political
espionage, versus simply the latter, is irrational.

[1]
[https://news.ycombinator.com/item?id=16381401](https://news.ycombinator.com/item?id=16381401)

~~~
patentlyUnsafe
The argument is not favoring one versus the other.

The argument is that being exposed to _any_ peeping tom is bad, no matter who
it is.

If no one can't prove to me that there are no peeping toms at all, then a
hotel room with a peep hole is still a shitty hotel. But as second class
citizens, for all of us, choosing a room with a peep hole is compulsory. Gee,
whose fault is that?

Sorry. If I have to sleep in a room with a peep hole, it really doesn't matter
much to me who does the heavy breathing on the other side of the wall. I'm
supposed to pretend it's not there anyway, and so I shall.

Can the Chinese arrest me and throw me in jail? No. But, for sure, I could get
thrown in jail, based on the contents of an electronic device. Are the people
who conspire to imprison me friends? Wait, what are they peeping on us for?

~~~
JumpCrisscross
> _The argument is that being exposed to any peeping tom is bad, no matter who
> it is_

This is not the argument I refute. I specifically state what I am refuting:
"the Chinese having all my information is better than the Americans." Two
things being bad doesn't make them equally bad.

Buying a Huawei phone to safeguard against the NSA is akin to leaving one's
door open so there is no peephole for peeping Tom to look through. Yes, within
a narrow construction, one is correct. But practically speaking, now both the
peeping Tom and the person who opened the door can see in.

~~~
patentlyUnsafe
I want a room without a peeping tom. If that’s not an option, then I sincerely
no longer care about my own safety.

------
ggm
This argument has strong extra-territorial qualities because they forced the
"five eyes" compatriots in AU and NZ to drop Huawei as core technology in
domestic and international fibre deployment.

But, there is this other quality. The in-senate presentation mainly focussed
on the _governance structures_ behind Huawei. The government is cross because
ex PLA members are vested and it's not a transparent company structure.

I think the FBI/CIA/NSA reports are deeply troubling for their lack of
specificity, in a context of international trade I am not drawn to entirely
believe them.

Remember, this is the nexus of people who alleged sound reasons to go to war
in Iraq which turned out to be flawed. Sometimes rumour is conflated with
fact.

I know people who work in Huawei. I do not believe they are people of bad
intent.

------
ketsa
I have a Xiaomi. And given the choice I prefer being spied upon by the
Chinese... Rather than the Yankees.

------
tannranger
Do you all think this would apply to the Nexus 6P as well? Google branded but
made by Huawei..right?

~~~
cpncrunch
Presumably. I own a 6P and it is an amazing phone. If I had to buy a new phone
today it would probably be a Pixel 2. However it seems to be having some
issues with a blue screen tint, perhaps due to a poorly manufactured
polariser. That just leaves Samsung, which is out of the running due to their
poor history for android updates.

I don't really give a shit myself whether China is spying on me, as I myself
have nothing to do with China and don't have any secrets worth stealing, but
it would probably be best avoiding any Chinese networking hardware if you have
any concerns.

~~~
yorby
What if they could remotely blow up your battery?

~~~
cpncrunch
Why would the Chinese government want to remotely blow up my battery? Would
the NSA want to remotely blow up my battery?

~~~
yorby
It could be targeted attacks on important targets.... a bit like drone
strikes, but much more precise ...

Reminds me a bit of the Slaughterbots:
[https://www.youtube.com/watch?v=9CO6M2HsoIA](https://www.youtube.com/watch?v=9CO6M2HsoIA)

------
dirtbox
The takeaway being that the Kirin line of CPUs is proving difficult to create
a backdoor for.

------
MBCook
Don’t use those phones because the Chinese government did get information off
them?

Odd. Isn’t that EXACTLY what the US government was trying to do a few years
ago to Apple phones? Get their own personal back door put in?

------
kaltroiqx
[https://www.theverge.com/circuitbreaker/2018/2/6/16979110/hu...](https://www.theverge.com/circuitbreaker/2018/2/6/16979110/huawei-honor-9-lite-four-cameras-android-budget-smartphone-europe-release)
Meanwhile in western europe? ........

------
bproven
If the FBI, CIA and NSA say I shouldn't use Huawei phones then I guess maybe
that means I should :)

------
toomanybeersies
Between the devil and the deep blue sea; we either let the Chinese spy on us,
or the Americans.

------
emmelaich
Not only TLAs from the USA.

Australia's ASD would have the same opinion.

And I personally wouldn't get another Huawei phone after seeing the app shit
that had all permissions, was pre-installed, force started and uninstallable.

------
voltagex_
This would carry more weight if someone funded serious reverse engineering
efforts against some of these phones.

------
johnflan
It's kinda surprising they haven't cited any evidence, I would expect they have
numerous examples.

------
neuro_imager
I posted a link to a company making secure laptops and iphones on a previous,
similar thread and got down-voted and accused of shilling/trolling.

If you are interested look for : laptops and phones where you are in control
and have complete visibility into the operating system, all bundled software,
and the deeper levels of your computer.

(The phone has not been released yet.)

------
rootsudo
Makes sense, it was a big deal to never use Huawei equipment in routing or
cell equipment.

------
thinkloop
Extremely easy to have provided proof, none provided, useless fud.

------
mehrdadn
Any reason to believe the same wouldn't go for OnePlus?

------
dis-sys
next time when anyone wants to complain the fact that facebook, google and
twitter are all banned in China, think about this news.

------
yorby
Time to get a Huawei phone and new VPN....

~~~
madisfun
... and then login into Google and Facebook accounts, use Google Maps for
navigation, Whatsapp/Snapchat for private messages, Amazon to buy nearly
everything, Youtube search for political statement. Bonus points if you run
some "free" apps with ads served from all over the world.

I wish it were possible to get off the hook by just changing the phone brand
and IP.

------
rrdharan
I worry that it's sort of the same line of thinking that leads folks to skip
vaccinations for their children, i.e. "What about the Tuskegee experiments and
MKUltra? We can't trust government claims about health risks."

~~~
helthanatos
There are some vaccines that don't make sense. The flu vaccine does not make
sense to get because you still have a chance of contracting that strain after
getting it and you're still as likely to get other strains and it makes you go
to the doctors during flu season (a not-so-smart time to go). As for this
situation, the FCC and NSA should be the ones talking about it. Seeing network
communications is easy enough (especially if you have a backdoor). Buying
Huawei means you have the possibility of them spying on you and the US. I'm
not too thrilled about surrendering random information to the spies...

~~~
na85
Doctors defer to the experts when they need some javascript written. Maybe do
the same when you're so clearly out of your depth?

~~~
TheSpiceIsLife
This comment would have been better without the ad hominem.

Perhaps something like: _"maybe it makes sense for the average person to
defer to a doctor's opinion with regard to flu vaccine"._

------
oblib
I guess we shouldn't bring up the whole "NSAKEY" thing again.

But if we did I'd have to wonder at least a little bit if those phones not
having one is the real motivation behind this "warning".

