US distrust of Huawei linked in part to malicious software update in 2012

Suspicions about the integrity of Huawei products among US government officials can be attributed in part to a 2012 incident involving a Huawei software update that compromised the network of a major Australian telecom company with malicious code, according to a report published by Bloomberg.

The report, based on interviews with seven former officials, some identified and some not, says that Optus, a division of Singapore Telecommunications Ltd., had its systems compromised through a malicious update in 2012 – a claim the company disputes.

"The update appeared legitimate, but it contained malicious code that worked much like a digital wiretap, reprogramming the infected equipment to record all the communications passing through it before sending the data to China, [the sources] said," Bloomberg's report explains.

After several days, the snooping code reportedly deleted itself, but Australia's intelligence services decided China's intelligence services were responsible, "having infiltrated the ranks of Huawei technicians who helped maintain the equipment and pushed the update to the telecom’s systems."

Australian intelligence is said to have shared details about the incident with American intelligence agencies, which subsequently identified a similar attack from China using Huawei hardware in the US.

The report seeks to provide an evidentiary basis for efforts by the US and other governments to shun Huawei hardware amid global 5G network upgrades and to give that business to non-Chinese firms.

Notably absent is any claim that Huawei leadership knew of this supposed effort to subvert Optus' network. "Bloomberg didn’t find evidence that Huawei’s senior leadership was involved with or aware of the attack," the report says.

In short, the claim is that China's intelligence agencies compromised an Australian network by placing agents within Huawei, an ongoing risk for any number of prominent global technology firms.

'Australia's slander'

China has denied "Australia's slander." It's perhaps worth noting that The Register is unaware of any nation owning up to recent intelligence activities. Even Russian President Vladimir Putin, faced with compelling evidence unearthed by investigative news service Bellingcat of the FSB's attempt to poison political opposition leader Alexey Navalny, denied that Russian agents had anything to do with Navalny's near-fatal poisoning.

But the statement from China's Ministry of Foreign Affairs is unusual in that it suggests mutual guilt more than wounded innocence: "Australia’s slander on China carrying out cyberattacks and espionage penetration are purely a move like a thief crying to catch a thief."

In other words, everyone spies and Australia has poor manners to air its grievances in public. Consider that the US National Security Agency by 2010 had already penetrated Huawei's network to spy on founder Ren Zhengfei and associates, based on prior concern that Huawei could create backdoors in its equipment. That's according to documents made available by former NSA contractor Edward Snowden.

• Huawei's AppGallery riddled with malware-infected games
• UK Telecommunications Act – aka 'power to strip out Huawei' – makes it to the statute book
• HPE sees 'no indication' its tech was sold to Chinese military, seeks answers from Uncle Sam on sanctions
• Psst. Hey kid. Want a lipstick? Huawei slips new earbuds into cosmetics case

The Register asked Huawei to comment and a spokesperson provided us with a copy of the remarks John Suffolk, Huawei’s global cybersecurity officer, offered to Bloomberg.

"[W]ithout specifics, it is not possible to give you a detailed assessment as each operator is different," said Suffolk in an emailed statement. "It is fanciful to suggest that 'Huawei's software updates can push whatever code they want into those machines, whenever they want, without anyone knowing.' It does not work that way."

"It is fanciful to suggest engineers can reprogram the code as they have no access to source code, cannot compile the source code to produce binaries and the binaries have tamper proofing mechanisms within them. We are leaders in encouraging governments, customers and the security ecosystem to review our products, look for design weaknesses, provide feedback on vulnerabilities or poor code examples and it is this openness and transparency that acts as a great protector."

"Finally no tangible evidence has ever been produced of any intentional wrongdoing of any kind."

But this isn't about evidence presented in a public forum or court room. Huawei is not on trial, at least in this context.

Yes, there was that dustup with its CFO, resolved to avoid a serious diplomatic row, the US government's trade secret theft lawsuit against Huawei based on T-Mobile's civil lawsuit, and claims that Huawei screwed over a California IT consultancy and backdoored a network in Pakistan.

Can't catch a break

Even so, Huawei's guilt or innocence as it applies to helping China spy is largely irrelevant. As far as the US is concerned, Huawei can't be trusted because the Chinese government could, in theory, make demands the company could not refuse. The feds are worried about precrime, to use the terminology of Philip K. Dick's Minority Report, a story about a police unit that apprehends people predicted to commit crimes.

The US Federal Communications Commission recently used future concerns, alongside past behavior and secret accusations, to ban another Chinese firm from operating in the US. In October, the FCC announced that China Telecom Americas could no longer do business in America. The agency said it based its decision [PDF] partly on classified evidence provided by national security agencies.

But it also said "the totality of the extensive unclassified record alone" was sufficient to justify its decision. The agency concluded that China Telecom Americas could potentially be forced to comply with Chinese government requests and company officials have demonstrated a lack of candor and trustworthiness to US officials.

And trust is key. The changeable nature of software and the possibility of concealed hardware functions make it inherently risky to accept IT systems from untrusted sources. The risk can be mitigated through source code inspection, auditing, and other precautions, but not completely.

Trust is an issue for everyone involved. In February, Bloomberg followed up on its controversial 2018 report of covert spy chips with word that similar snooping hardware was found in 2015 on the motherboards of servers made by US computer maker Supermicro, a claim the company disputed. The Register at the time spoke with a former executive at a prominent chip making firm who insisted such devices exist and that he'd personally held some of them. We trust our source but still, more concrete proof would be nice.

In retrospect it seems obvious any intelligence agency with enough funds and know-how would want such a thing. And it's difficult to believe no one has ever successfully deployed a surveillance chip or backdoored a system destined for a geopolitical rival. But the absence of samples that have been publicly dissected and analyzed means again, we're left to interpret national-state shadowplay with hints and whispers.

Coincidentally, this state of affairs – where lack of trust means nation-based IT stacks – works just fine for companies based in the countries where they can make claims about spying behind closed doors and see government funding that puts their products in the place of ousted competitors.

We can only imagine the cheer that went out among network switch vendors when the FCC announced it would pay US telecom providers to rip and replace their Huawei gear. And given the ways in which China has tilted its market toward local firms, it might be fair to say turnabout is fair play, if anyone were actually concerned about fair play. ®