Hacker News new | comments | show | ask | jobs | submit login
British Telecom bars Huawei's 5G kit from core of network (bbc.com)
132 points by zerogvt 3 days ago | hide | past | web | favorite | 73 comments





Recently we had a situation in New Zealand where a large telco announced Huawei would provide their 5G kit for the entire network, then days later had to retract because the national intelligence agency barred the deal [0].

[0] https://www.nzherald.co.nz/business/news/article.cfm?c_id=3&...


Many are asking the same legitimate question - what is the point keeping the free trade agreement with NZ when Chinese products are being treated like that.

Who are the many? One side says the equipment isn’t secure, that isn’t related to free trade. I suppose a lot of countries selling asbestos and aerosol are upset

> Who are the many?

are you assuming that there are not many hardliners in China?

> One side says the equipment isn’t secure

after so many years with so many Huawei equipments used in the west, when all kinds of security experts and law enforcements officials all have 24/7 access to those devices, when the state of the art analysis tools and procedures are all available to them, any actual backdoor intentionally placed by Huawei got busted?


You are making the assumption that a backdoor needs to be active now, not a sleeper backdoor that is a activated on a trigger

What about future firmware upgrade or hardware replacement that isn’t vetted today. What triggered all this was BT found the equipment was too chatty


> What about future firmware upgrade or hardware replacement that isn’t vetted today.

same question for all Cisco/IBM/HP/Apple devices used in countries not that close to the US/UK. should they use the same cheap excuses to ban all those devices? or maybe the standard is simply different here?

> What triggered all this was BT found the equipment was too chatty

please define the term chatty and what is the acceptable threshold? or maybe get the best expert to look into it and present the smoking gun evidence to the world to actually prove something with solid evidence?

before that, what you mentioned above is nothing but fear mongering.


Considering that one can purchase a zero day exploit in pretty much any piece of network equipment for ~$50k, I don't see how these 'national security' claims hold up.

For a government who wants to spy, the difference between inserting your own exploit in a piece of equipment and paying $50k to find an existing exploit is insignificant.

Using an existing exploit is preferable anyway, because then it's harder to trace the origins of the exploit back to you.


It is always better to have more options - but it is also a matter of trust - how much can you trust a bought zero day? Especially when your opponent is the UK state.

Trust? In terms of competency of the exploit?

I've wondered how the security experts privately regard nation state security personnel and teams? For example, no government was competing to employ Barnaby Jack. And of course government is notorious for inefficiency and incompetence when producing goods and services.

Of course nation states also have enormous advantages over any other individual or group.


The only trust risk is that the guy you bought it from also told someone else, and they're just waiting for you to use the exploit so they can 'spy on your spying'.

That risk can be mitigated by just hiring someone in-house to find exploits. Security services employ lots of exploit finders for that reason.


Do you have a source for zero day exploit costs?

Not many public sources, but this is a good reference [1]. Vulnerability in a specific piece of network kit is typically easier to find (and therefore cheaper) than a vulnerability in something like nginx, since many vulnerabilities are in the custom configs, wrapper scripts, and lower quality OEM code used for the software on a specific device rather than the software itself.

[1]: https://zerodium.com/program.html (scroll down)


Compromising a home router or a web server doesn't have the same consequences than compromising the backbone of the infrastructure.

Exploiting a zero day in a telecom’s core router switch requires a lot more, you need to get to the core network equipment. The access the manufacturer has is a different level

> The access the manufacturer has is a different level

totally agreed, that is exactly how NSA works with Cisco.

https://arstechnica.com/tech-policy/2014/05/photos-of-an-nsa...


Not directly related to the story, but just for info - "British Telecom" is an incorrect name (it's not used in the BBC article). The company renamed from that to BT in 1991.

Didn't British Petroleum do the same thing? Now they are exclusively known as BP.

I was reminded of this when Obama still referred to BP as British Petroleum during the oil spill:

https://www.bbc.co.uk/news/10303619


They also use "better together" in a lot of marketing, but don't seem to have officially rebranded.

Life's Good - Lucky Goldstar

ESSO - Standard Oil (well that wasn't voluntary, but still)

> Huawei denies having any ties to the Chinese government beyond those of being a law-abiding taxpayer.

I find it interesting that these kinds of verbal games are continually played out in the public eye despite everyone involved knowing exactly what's going on. And that goes for all APT / nation-state actors.


Australia has effectively banned Huawei since 2012 (NBN participation ban). Therefore, there is plenty of discourse and information from Australia about technology sovereignty.

The article at [1] directly addresses the claim:

> Huawei denies having any ties to the Chinese government beyond those of being a law-abiding taxpayer.

Articles at [2] also provide more in-depth analysis.

[1] https://www.aspistrategist.org.au/huawei-and-the-ambiguity-o...

[2] https://www.aspi.org.au/report/huawei-and-australias-5g-netw...


The irony here in that Australia just passed laws requiring local vendors to put in backdoors at the governments request, not just for national security but also in regards to "national economic well-being" aka industrial espionage.

So something has changed, because there used to be a weird little collaboration/supervision operation going on between BT, Huawei, and UK Intelligence at Martlesham Heath.

https://www.eadt.co.uk/business/martlesham-heath-huawei-pled...


Well, to be clear, that article just says that Huawei has an R&D Centre on Ad Astral Park. There are about 100 companies there.

It does go further than that. The best introduction is probably the latest annual report:

https://assets.publishing.service.gov.uk/government/uploads/...

From the report:

"HCSEC is a facility in Banbury, Oxfordshire, belonging to Huawei Technologies (UK) Co Ltd, whose parent company is a Chinese headquartered company which is now one of the world’s largest telecommunications providers.

HCSEC has been running for seven years. It opened in November 2010 under a set of arrangements between Huawei and HMG to mitigate any perceived risks arising from the involvement of Huawei in parts of the UK’s critical national infrastructure. HCSEC provides security evaluation for a range of products used in the UK telecommunications market. Through HCSEC, the UK Government is provided with insight into Huawei’s UK’s strategies and product ranges. The UK’s National Cyber Security Centre (NCSC, and previously GCHQ), as the national technical authority for information assurance and the lead Government operational agency on cyber security, leads for the Government in dealing with HCSEC and with Huawei more generally on technical security matters."


This report also included this statement in the summary:

"Due to areas of concern exposed through the proper functioning of the mitigation strategy and associated oversight mechanisms, the Oversight Board can provide only limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks have been sufficiently mitigated."

The publication triggered headlines in multiple news outlets at the time, e.g.

https://www.bbc.co.uk/news/technology-44891913


HCSEC is a different facility from Adastral Park

I wasn't imply otherwise, just following up on the original poster.

Not often I find my local rag referenced in HN, but I'm intrigued... where in the article does it mention UK intelligence? Martlesham is BT's R&D facility.

CSIS raised the same alarm, article also cites the head of MI6 calling out Huawei 5G products https://www.theglobeandmail.com/politics/article-canadas-spy...

5 eyes alliance wants the monopoly on selling backdoored telecom equip is my cynical take from all the Huawei shenanigans lately like their CFO getting arrested yesterday.


It doesn't. I doubt it would be legal for them to mention things covered by the Official Secrets Act. Remember that GCHQ was "officially invisible" for years despite being a hugely visible building and major Coventry employer. The Martlesham Heath connection is less conspicuous but something I've had people in the know hint at.

> I doubt it would be legal for them to mention things covered by the Official Secrets Act.

Official Secrets act only applies to people who signed it.

A journalist would have to be insane to sign the official secrets act as it is hilariously broad.

If you don't sign it then you can print (almost) whatever you want.

Even the much vaunted "D-Notices" are not mandatory, it's an informal agreement between the press and the government that occasionally the government will ask them not to print something and the press will (mostly) trust them, it seems to work fairly well, one thing I've wondered is that because the D-Notices are voluntary rather than mandatory the government can't abuse them the way they could if they where mandatory (since if they did the press would stop ignoring them).


> Official Secrets act only applies to people who signed it.

No it doesn't. It's a law, not a contract. They only get you to sign to it in order to remind you of the fact you're bound by it.


Sorry you are wrong.

They have to either sign it or be notified that they are covered under it generally by employment contract that you sign.

Without either of those you are not bound by it.

> It is not necessary for a person to have signed the Official Secrets Act in order to be bound by it. The 1989 Act states that a person can be "notified" that he or she is bound by it; and Government employees will usually be informed via their contract of employment if they must observe the Act. [1]

[1] https://researchbriefings.parliament.uk/ResearchBriefing/Sum...

Since I've never signed it nor a contract notifying me that I'm bound by it, I'm not bound by it nor would a journalist be.

This is how you end up in the somewhat funny situation of a government employee not been able to confirm something because they are covered but the person asking for confirmation not been.


Well its now Adastral Park and before that BT labs.

It Was/Is the equivalent of Bell Labs.


Yeah I know the place, drive past it often (although the name change had passed me by). Was wondering where the UK intelligence link was in the original article.

The problem is that Huawei kit does not have GCHQ/NSA backdoor capabilities. Hence it has to be banished.

The story has not changed since five years ago:

https://www.theregister.co.uk/2014/04/25/huawei_responds_to_...

It would be commercial suicide for Huawei to have backdoored their export products. For the Chinese domestic market they may have 'Great Firewall' extras to them but for export products it simply makes no business sense.

There is zero evidence in the public domain to support the hysterical allegations of the crazy folks in our domestic military-industrial-espionage complex.

In former times there was this quaint notion of innocent until proven guilty. It is time we grow up a bit and stop slandering our Chinese friends. Xenophobia has never helped.

Edit: Instead of downvoting, please explain the flaws in my comment, whether they be based on unsubstantiated claims, tone of voice or just personal grudge. Thank-you.


> The problem is that Huawei kit does not have GCHQ/NSA backdoor capabilities. Hence it has to be banished.

GCHQ/NSA don't need to add their own backdoor capabilities. Huawei gear ships with support for what is refered to as Lawful Interception.[0]

I agree with the rest of your comment and I said something similar myself a few days ago[1]. But the idea of Huawei being barred by a British carrier because of GCHQ not being able to snoop on it is absurd.

Full disclosure: I am a Huawei employee.

0: http://support.huawei.com/enterprise/en/doc/EDOC0100412586?s...

1: https://news.ycombinator.com/item?id=18514607


I like the Huawei employees I have met in Surrey, it does seem a pity that their world is being ruined by the brainfarts of politicians and those spooks that told so many lies about Iraq and every other war.

Nobody is slandering the Chinese people and this has nothing to do with xenophobia. This is purely about the actions of the Chinese government who have built their military on the back of IP theft. Much of which has been obtained through backdoors etc.

And this isn’t a courtroom so the whole innocent until guilty concept makes no sense.


>And this isn’t a courtroom so the whole innocent until guilty concept makes no sense.

In fact, if anything, the opposite principle should apply in the context of systems security.


are you suggesting that Chinese should ban all UK high tech stuff in China until it can be proven to be backdoor free? sounds like a fair reaction to me.

It’s not xenophobia to be wary of a non-allied state having access to your sensitive computer networks.

Hell, the U.K. should be just as worried about American products, tbh. Having a home grown electronics manufacturing industry seems like it should be a national security priority for everyone.

America moving all of its electronics manufacturing to China was complete madness, imo, though I understand the chain of events that led to it.


>There is zero evidence in the public domain to support the hysterical allegations of the crazy folks in our domestic military-industrial-espionage complex.

Key phrase "in the public domain". As someone with access to info that is NOT in the public domain.......every organization basically has one of two choices: either your data ends up on an NSA server, or your data ends up on a server in China. Which you choose largely depends on your government's politics and which superpower they are currying favor with.

Reasons factory-installed backdoors could NOT negatively impact business: -customers that aren't tech-savvy enough to notice

-customers that feel data security isn't important

-customers who are too cheap for more expensive alternatives (overlaps with the last category)

-customers who have an antagonistic relationship with the US, so Chinese backdoors are "more secure" than US backdoors by default

I think you'd be surprised how many people, globally, fall in those above categories. But major UK telecom companies certainly don't.


Well, they almost certainly _are_ "backdoored" in some sense, because the UK (like almost all countries) mandates that law enforcement be able to wiretap calls. It would never have been deployed in the first place without it.

Not sure I entirely buy your argument here without more information.

The ability to wiretap does not depend on every bit of kit on the chain being wire-tap-able. From what I understand Huawei provide the radio access network components that work with existing 'Cisco/Ericsson' core infrastructure, with the core bit being where the wire tap happens and not the radio access bit.


Yes, I would have thought (pure speculation) that GCHQ could tap the backhaul at many different points and not have to depend on having backdoor access to every piece of equipment.

> The problem is that Huawei kit does not have GCHQ/NSA backdoor capabilities. Hence it has to be banished.

As yes. The problem is the Chinese kit is too free.


If people can readily refute this then citations would be appreciated?

Edit: UK outage vendor confirmed as Ericsson: https://uk.reuters.com/article/us-o2telefonica-outages/erics...

Old paranoia filled post left below for reference. Thanks to saaaaaam for pointing the above link out.

----

There's something going on here, political or technical.

O2/Telefonica subcontracted out a lot of their core to Huawei in 2012 [1]. Literally today, after their CFO was arrested in Canada [2], we've been hit with a massive telecoms outage here in the UK which has taken out data / SMS. O2 have stated that it's due to one of their technology provider's software [3].

Edit: Giffgaff (virtual provider) have also stated that this is a global problem which is even more worrying [4]

I hope this is a coincidence.

We've had data down here in UK from 0500 to 14:00 so far...

China stock is falling, this happened, Huawei already have a somewhat iffy reputation and now BT is throwing out news about jumping ship from them suddenly.

[1] http://telecoms.com/44197/huawei-wins-managed-services-deal-...

[2] https://www.bbc.co.uk/news/business-46465768

[3] https://twitter.com/O2/status/1070612301110226944

[4] https://twitter.com/giffgaff/status/1070674248606339072


The outage was apparently caused by Ericssons software: https://www.theguardian.com/business/2018/dec/06/o2-customer... - our domestic, trustworthy and great company.

But it's sad to see that Chinese scaremongering propaganda is so effective even on educated people.


The Chinese equipment isn't being rejected because it can fail. It's because Chinese companies aren't as separate from the government as in the West. And they don't trust China of course.

I think it's still valid but at the same time our stuff is crap too.

It’s being reported that the outage is probably related to Ericsson.

“The company said that the problem stemed from a global software issue at a third-party supplier, understood to be Ericsson, which has also affected other mobile operators around the world.”

https://www.theguardian.com/business/2018/dec/06/o2-customer...

Edit: also apparently confirmed by Ericsson themselves.

https://uk.reuters.com/article/us-o2telefonica-outages/erics...


Interesting - thanks for posting!

You’re welcome!

> Edit: Giffgaff (virtual provider) have also stated that this is a global problem which is even more worrying

They're virtual, but wholly owned by the same parent as O2 (Telefónica).


Huawei is rumored to have backdoored the African Union and Trump has been pushing other countries to get tough on China in general for stealing IP. This is essentially an extension of the trade war and valid fears that the Chinese government may be spying on you if you use Huewei

> still plans to use the Chinese company's phone mast antennas and other products deemed not to be at the "core" of the service.

So apparently phone masts aren't "core" to a _phone network_?


It likely refers to the technical definition of the core of a telco network, see e.g. the evolved packet core part of a 4g/lte network https://i.ytimg.com/vi/6dt9xVMvtB8/maxresdefault.jpg , of which the eNodeb's ("phone masts") are not part of.

At least for 4g some layers of the control plane and all the user plane data are encrypted when passed through the eNodeb's. Albeit an eNodeb can probably do a lot of nefarious things if it wants to.

Or they mean literally just the phone masts and antennas - which are just inert components.


That makes more sense. Cheers :)

I'm going to assume that stuff that doesn't have software in it is probably trustworthy. It's hard to backdoor a metal pole.

> However, critics point out that its founder, Ren Zhengfei, was a former engineer in the country's army and joined the Communist Party in 1978. There are also questions about how independent of state influence any large Chinese company can be.

Is this really the best they can come up with? I've never heard any more specific accusations, in any media. Sounds pretty racist.

(I have seen specific accusations that Huawei is violating sanctions, but that is a separate concern from national security in infrastructure.)


Corporate espionage and military intelligence are not clearly separated in China, and this is due to the culture and values of the Chinese Communist Party. This is seen as the same thing, advancing towards the same goal.

This is arguable less of the case in other countries, which is why people in other countries don't understand what is going on right now (i.e. why Huawei is seen as a security threat). The concern is, if you in the future cross the will of the Chinese Communist Party, your national infrastructure may suddenly...behave differently.


> Corporate espionage and military intelligence are not clearly separated in China, and this is due to the culture and values of the Chinese Communist Party.

Any specific examples or accusations????


It’s mostly science fiction at this point. You’ll only get vague comments at best. It may well be true, but the people you’re talking to don’t know.

Always remember: you’re almost certainly talking to a software engineer with an active imagination using Wikipedia to selectively back up their stories.


They always make sure to put a TON of "citations” in their comments too lmao.

Their intelligence tactics are pretty widely known at this point, here's four different sources.

https://en.m.wikipedia.org/wiki/Chinese_intelligence_activit...

> It is believed that Chinese espionage is aimed at the preservation of China's national security through gaining commercial, technological, and military secrets.[2][3][4][5]


Seems like they started fight with Huawei via non-market means. Does it mean its actually a successful hardware company, threatening Apple/Samsung dominance?

As for fears, they could mandate open source with reproducible builds for all security critical infrastructure hardware.


Pretty sure Huawei is getting targeted for a reason, and not just because it's a "successful hardware company".

Neither the US nor the UK have any interest in protecting Samsung from competition.

My guess is that there's been some discoveries related to how aggressively Huawei is spying.





Guidelines | FAQ | Support | API | Security | Lists | Bookmarklet | Legal | Apply to YC | Contact

Search: