The title is misleading... my interpretation of the contents is that KPN outsourced the maintenance of their mobile core network to Huawei, and that Huawei personnel as a result had full technical access to the network. There is no evidence given that Huawei actually abused that access, which would indeed be major news.
I assume they had some contract to spell out the legal level of access that Huawei had... the level of technical access would presumably have been exactly the same had they outsourced the maintenance to a western company, the legal protections would presumably just have more weight in that situation.
The worrying part is that the owner of the network apparently lacked audit logs of any such technical level access. That's still just as much of a problem with insider threats if the company manages the network themselves?
"As an icebreaker, [telecommunication operators] were asked if they thought the Chinese could eavesdrop through “backdoors” in Huawei equipment. Every single hand went up. One of the bankers then asked, for balance, if they thought the US could access communications through key Cisco equipment. “All the hands went straight back up without hesitation”
WHY WAS HE EVEN ASKING ??????? What is wrong with suits ?????
Rhetoric of course. But wrong is that they work in managing things. Not technically improving/creating/replacing things. So any action is just manage, risk ma^H^H ditching.
We need to replace our managers with technology people.
PS. Still, the US is the preferred option.
PPS. Avoid Cisco at all costs !
I'll echo (but not endorse) the standard reply; I feel better that the Chinese regime can access my data than the US regime who could seriously ruin my life. That balance may (will?) tip at some point.
Wait? Why were the comments here flagged and removed? They were right in that China is most likely abusing such things for industry espionage and pushing political opinions, [rest mine:] and we know (Snowden) that the US does so.
Though in both cases both powers most times don't need to use any backdoors or similar as they can just influence the companies in question directly. Like don't forget the currently ongoing lawsuit against a (Chinese) Zoom executive or how they repeatedly successfully pressured Apple, to erode how much Apple users can go against the CCP... (e.g. removing disliked censor resisting apps and similar).
And let's be honest, for most (but not all) people neither power would ever bother targeting them directly, but the side effects of targeting which isn't against them directly still have a good chance of long term degrading their quality of life (IMHO).
Addendum: Just to be clear I don't think Cisco or Huawei or any similar company is doing espionage on their decision. But such companies consist of people and it would be strange if China/USA did not install some people there which do their bidding if needed, or in transit manipulate hardware or similar.
> Huawei’s says it never acted inappropriately by abusing its position in the Netherlands.
I believe Huawei (as company) never did so, and the IMHO most likely existing Huawei employees who might do so anyway also likely didn't do so because they had no reason to (as far as I know). The thing about people you install somewhere is you don't use them until necessary. Because then they likely won't get caught.
Your beliefs are uninformed and selfish. The Chinese government won't use its control over networks to target people like you. It will use them to target human rights activists and Chinese dissidents along with stealing technology from your country.
The original article contains more details. Like the discovery of a work around that enabled direct access outside the procedure that was agreed upon. Indeed there is no proof it was actually used, but why was it there in the first place? Something that was not logged does not mean it did not happen. Actually, if it was my work I would make sure not to output something in local logs.
"it has never been established in all years that customer data was stolen by Huawei from our networks or our customer systems, or that it has been tapped."
Isn’t this basically the position that Ubiquiti took in the last few weeks?
There was a case where a backdoor was discovered on Cisco devices.
It was a "bug", something a dev forgot. Sorry for that.
I am French and have zero trust in Chinese or US equipment but since we do not have our own (at least style that makes sense) I use theirs and hope for the best.
You are right, although I'd add one observation - when you have hardware from a supplier, and give that same supplier managed service provider access, you are giving them access beyond that which you understand - processes and procedures implemented/enforced by their systems have no independent scrutiny.
Given the prevalence in enterprise networking equipment of undocumented admin accounts, you need to manage the risk when the vendor itself is the one getting direct managed service access.
The lack of technical layer logs is a concern, but these logs also need to be independent and generated by equipment from a different vendor - it would be easy to (for example) not log any received command packets with the TCP evil bit set. An external logging system from another vendor would detect this.
Unfortunately mobile core networks are often relatively limited in vendor diversity, so it's possible you won't have this in place.
Agreed, as a random HN commenter it's way too easy to trivialize the complexity in audit logging such a complex system.
Such audit logs are very much dependent on the integrity of the system generating them, and the vendor themselves is certainly in the best possible position to compromise that integrity.
I suppose that switching from a vendor-operated system to an independently-operated system would simplify the implementation of trusted audit logs for mitigating the remaining insider threats, though.
Absolutely, but to build a suitable independent logging system that understands the protocols used, and all the relevant fields, would be hugely complex.
Ultimately, you'd need to log every packet in full if you don't trust the core vendor - a control packet could contain an undocumented field like 'cmd', whose value is executed by root...
That's the kind of threat you'd be looking to catch. That means you'd need to terminate transport layer encryption on this "firewall/log" system, so that you can see and log the content of control messages.
Ultimately, you'd need the cooperation of the vendor to actually build a system that could meaningfully understand these control/management messages, and therein lies the problem!
Or you could require it in the tender. Once they quote 25% overall cost compared to others, you can ask them to implement such a system for 25% more and come back later.
It can be a minimal requirement, more so if it is such a sensitive system.
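Added example, not part of the thread: a minimal sketch of the cross-check the comments above describe, reconciling the vendor's own audit log against flow records from an independent tap on the management network. The record layouts, host names and timestamps are constructed assumptions, and the check works at session level only; it does not inspect the content of control messages, which is the harder problem raised above.

```python
from datetime import datetime, timedelta

# Constructed sample data; the field layout is an assumption for illustration.
# Vendor-side audit log: (operator, source IP, target element, login time)
VENDOR_AUDIT = [
    ("eng01", "10.9.0.5", "hlr-1", "2000-01-01T09:00:04"),
    ("eng02", "10.9.0.6", "msc-2", "2000-01-01T11:30:10"),
]
# Independent tap on the management network: (source IP, target, start, bytes)
TAP_FLOWS = [
    ("10.9.0.5", "hlr-1", "2000-01-01T09:00:01", 48211),
    ("10.9.0.6", "msc-2", "2000-01-01T11:30:08", 9120),
    ("10.9.0.5", "li-gw", "2000-01-01T23:14:40", 220514),  # no audit entry
]


def _ts(value):
    """Parse an ISO 8601 timestamp string."""
    return datetime.fromisoformat(value)


def reconcile(audit, flows, tolerance_s=30):
    """Match each tapped flow to one audit entry by source, target and time.

    Returns (unlogged_flows, unobserved_audit_entries):
      - unlogged_flows: sessions the tap saw that the vendor log omits
      - unobserved_audit_entries: log entries with no traffic behind them,
        which points at a tap coverage gap or a fabricated log line
    """
    tolerance = timedelta(seconds=tolerance_s)
    remaining = list(audit)  # each audit entry may explain only one flow
    unlogged = []
    for flow in flows:
        src, dst, start, _size = flow
        match = next(
            (entry for entry in remaining
             if entry[1] == src and entry[2] == dst
             and abs(_ts(entry[3]) - _ts(start)) <= tolerance),
            None,
        )
        if match is None:
            unlogged.append(flow)
        else:
            remaining.remove(match)
    return unlogged, remaining


if __name__ == "__main__":
    missing, orphaned = reconcile(VENDOR_AUDIT, TAP_FLOWS)
    for src, dst, start, size in missing:
        print(f"UNLOGGED session {src} -> {dst} at {start} ({size} bytes)")
    for operator, src, dst, when in orphaned:
        print(f"NO TRAFFIC for audit entry {operator} {src} -> {dst} at {when}")
```
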
Feels like the Huawei bashing is back. Justified or not. It always comes in bursts as if one bad article is used as an opportunity to amplify negative press. If it is a state or competitors is hard to tell. Maybe just a result of all these ad algorithms that try to get as much engagement as possible resulting in one story that has a bit of traction getting amplified like crazy.
Just look at what happened to J&J last week. The damage is done, no one will want it if it turns out to be safe.
That is intentional, probably a lot of money is spent by governments to create a narrative, then later they can justify different actions based on fantasies.
If you buy Huawei 4G/5G equipment, can you run it yourself completely? It is probably completely standard if you have their gear to also pay for their support and thus needing to give them access to your network.
Most operators take a support and maintenance contract. It's also worth remembering that many operators don't have the staff needed to even install radios and other distributed equipment - often the radio vendor can offer that service to you as well.
You can run a mobile network with minimal external access, but the economics are such that few want to - in an era of outsourcing and managed services, it's less about what can be done, and more about what is done in reality.
Managed service providers have significant levels of access into mobile networks, beyond what many are aware.
There's a few reasons, one is financial - USA wants those installation contracts. Another is that USA wants covert access to those networks (instead of the Chinese).
For me as a private citizen of the UK the Chinese having access seems less likely to impact me than USA having that access.
There's something disturbingly dystopian about governments competing for access to private individual data, and us having to consider which one we're more OK with...
Doesn't explain why the US was equally adamant that western telcos with the know-how shouldn't buy "dumb" Huawei equipment, vet it and install it themselves.
This is what made me think that this is at its heart not about security at all and more about just isolating Huawei.
KPN informed NOS this morning that it has never been established that Huawei stole customer data from the network or the customer systems, or that eavesdropping took place.
KPN told NOS (the above news site) that there is no evidence Huawei collected customer personal info or that they've eavesdropped. The bad news is that that's because they have no way of knowing, as mentioned elsewhere in the article.
Yeah, it's not that it eavesdropped, but that it gave itself the opportunity to do so, and that no systems were in place to keep track of that - i.e. that whether it happened or not, KPN would not be able to have evidence of that.
That said, a month ago it was reported [1] that Huawei did explicitly add a way for them to access customer data of one of KPN's subsidiaries, and that it used that "regularly". Could theoretically be e.g. to aid debugging or something, but not a great look.
Even if everything was in Chinese, hiring a Chinese translator costs pennies compared to any disaster that this could cause. The translator doesn’t even need to be Chinese; there are probably enough Europeans who have studied in China and returned.
Like most Huawei/Chinese tech FUD stories we have seen the last 3~4 years. A lot of posturing but no evidence or proofs strong enough to force a lawsuit.
Reality is the Anglo-Europeans (Atlantic coastal folks) want to split the world in half at least in cyber space. Pompeo talked about it openly with the Clean network initiative. That means no Chinese tech or hardware in the west.
They will pull the whole of the EU with them either peacefully and if that doesn't work forcefully.
China has split the cyber world in half with their Great Firewall. Until they open their cyber space up to the west I don’t see any reason why the outside world would allow state-controlled Chinese companies to have access to their markets/networks.
We in the west were above those petty things right, we could out innovate the Chinese etc.
But the clean network initiative isn't only about China, it's also about Iran and Russia. I expect a big boom in Iran tech, the following next two decades now that China has given them a get out of jail card from the western financial siege war.
It's not like western companies don't have access at all, Facebook for example still earns quite some money from China selling ads, Google was planning on making a Chinese specific search engine called Project Dragonfly. Would Google really allocate all those resources for a market they can't access?
Yes go ahead and innovate around them as they steal your intellectual property.
If the Chinese networks / markets were so easy to penetrate as you are suggesting, why would Google have to spend so much time developing a separate search engine for them to be approved by the CCP? Why wouldn’t they just use the search engines that are already out there? It’s pretty obvious as to why.
History has shown that rising powers take what they need to keep their rise going.
Just like the UK, France and others sent spies to the Netherlands and stole our shipbuilding techniques in the 17th century for their own naval rise. The same as the US did with the UK, stealing factory designs to keep their own industrial rise going.
The Chinese are stealing/buying technical know-how to keep their rise going.
Like the saying goes, When in Rome, Do as the Romans Do.
So when in China, follow the Chinese regulations.
The Chinese should do the same when they want to invest here in the EU.
Past abuses of power shouldn't justify modern ones, nor should it be normalized and accepted by anyone. It should be criticized and measures put in place so that it doesn't happen again.
We can do better as a civilization and learn from past mistakes. The fact China downplays and denies theirs while trying to gaslight the world should be reason enough to never do business with them until this changes and they can be transparent and honest.
Unsurprisingly comments like yours come to their defense anytime a news story like this comes along. It's tiring, frankly.
I don't think that taking tech is a mistake or a disaster.
Ultimately it works like this - all rising powers have the choice to stay fully shackled by IP and remain subordinate and poor forever, or they can take that IP and provide a better life for their people. Unless there is some alternative there, I just can't fault a country for doing it. Especially when the current top dog is only there because they did it too.
The concept of IP is already morally questionable to begin with, now we want to use it to keep half of the world poorer and dependent in perpetuity?
I'm not advocating for IP laws, I agree they're not conducive to prosperity. What I'm against is abuse of trust between business partners, theft of information for political gain or commercial exploitation (counterfeit products), and general dishonesty and deceitfulness.
I'm not well versed in game theory, but if tit-for-tat is a winning strategy, it's unreasonable to continue to cooperate with a party that actively tries to screw everyone else over at every turn.
Indeed. From the safety of their proverbial fortress city, they can undermine Western power and project their own in the resulting vacuum. A tried and true tactic adapted to modern instruments.
What I'm not sure about is why anyone is surprised. Especially in an age where everything is framed as a struggle for power, you would expect this to be the case, especially for an emerging superpower. Economics is here just war by other means, and consumerist lust for cheap goods the Trojan horse by which China will succeed.
I don’t think consumer lust is to blame though I hear that often. Perhaps it’s the trade, and those who profit off it that are to blame? Why blame people and not Apple, Foxconn or Huawei? Humans must come first, nations and corporations should be subservient. Laws should favor human freedoms over the business of multinational mega corporations. Mega corporations that are controlled directly by the military of a major global superpower, Huawei, should be the most suspect in terms of violating human rights. Yet the posters here in this thread want to blame consumers and defend Huawei and the Chinese military. Astounding to me so many here care more about the right of corporations, military controlled corporations at that, over the rights and dignity of the individual. Disgusting frankly.
The title of the article doesn't match the content. The article says it's possible they could have eavesdropped because they have access, but not that they did.
It does say Huawei also knew which numbers were tapped by police and intelligence services.
If that's true it's bad enough. But it sounds like they are just saying Huawei engineers had access to the internal network at certain times for debugging purposes. Which is not surprising at all.
The opposite would be infinitely worse. That is if Huawei were the one administering the network. Allowing any government organisation the option to wiretap any connection without any knowledge or controls is entirely against western values.
Logically police and intelligence services should be ones telling ISPs what to tap. And they should only comply with proper process. Anything else is totalitarianism.
The article seems poorly translated (into English), so I’m going to avoid reading too much into it.
But one thing I want to highlight is the fact that this story appears to be based off a report written by a consulting firm, Capgemini. For that reason alone I would bet that this report identifies hypothetical risks, not actual instances of unauthorized access.
> ”Huawei employees have not had unauthorized access to KPN's network and data, nor have they extracted data from that network. Huawei has at all times worked under the explicit authorization of KPN,”
But doesn't the article also imply (who knows if it's true) that such access would not have been logged, in which case how can Huawei be sure there was no access by an employee which did abuse it (and was neither asked by Huawei to do so nor did Huawei know about it)?
Much of the "spying" attributed to companies like Cisco or Huawei is generally not done by the company but by people working for it which act outside of the company's directions (but likely were directed by external powers like the US or China).
Similarly, in both countries there are non-public court decisions under which we can't guarantee that the company wasn't forced to do so and forced to tell everyone they didn't do anything like this. (can't guarantee doesn't mean it happened, just that there is no guarantee).
Which is in the end the whole problem with Huawei (or Cisco) even if the companies clearly have no intention to do such things, it's very likely that employees from them or even they themselves are forced to do such things in some cases, especially if trade and/or political relationships degrade.
But, maybe we should talk about outsourcing! Most people do not know how awful is their trusted brand at managing its contractors. Often there is no technical team to lead and control. They only hire a bunch of incompetent product managers with PowerPoint skills that have no clue about what is going on.
The linked news site changed the title. You can still see the original in the linked URL: chinese-technology-company-huawei-eavesdropped-dutch-mobile-network-kpn
Are we just supposed to assume that global superpowers engage in espionage against their enemies? As other posters say, where is there proof China would spy?
This is a classic form of propaganda: The title suggests clearly that Huawei has spied on a Dutch mobile network when none of this is true, no single piece of evidence is given that they really did it.
Thanks for sharing, I wasn't aware of this operation yet, the big example you usually hear is the NSA was recording Merkel's phone as allies spying on each other.
Once again a huge accusation with zero evidence. It's almost as if people don't trust Huawei (and do trust Apple, Cisco, etc) for purely ideological reasons...
>KPN informed the news source ANP on Saturday that "it has never been established in all years that customer data was stolen by Huawei from our networks or our customer systems, or that it has been tapped."
Apple does have a history of standing up to the US governmental agencies. The CCP will not allow Huawei to operate unless they bend over to them. See what they did to Alibaba a few days ago, not to mention how they disappeared their CEO.
Apple (rightly) refused to assist the FBI and that's better than many. But the NSA is known to have total access to everything on your iPhone if they want it [1]. Any European politician wondering about eavesdropping has at least as much to worry about from the US (both government and commercial) as China.