Vulnerabilities / Threats
5/10/2013
10:47 AM

Huawei CEO Dismisses Security, Spying Concerns

Company founder denies that Huawei employees would ever be forced to spy for China.

The founder and CEO of Chinese networking equipment manufacturer Huawei, in his first-ever media interview, Thursday dismissed allegations that backdoors may have been built into the company's products to facilitate Chinese espionage.

"Huawei has no connection to the cybersecurity issues the U.S. has encountered in the past, current and future," Huawei CEO Ren Zhengfei, 68, told local reporters -- through an interpreter -- while on a visit to New Zealand this week, according to news reports.

Since founding the company 26 years ago, Ren had previously refused to conduct media interviews. But during his visit this week to New Zealand, he agreed to meet with reporters from four of the country's news outlets.

In response to reporters' questions, Ren dismissed allegations that his employees might be colluding with state security services, instead likening the relationship between his company and the Chinese government to that between New Zealand companies and their government, reported Fairfax Media in New Zealand. Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity.

Ren's comments can be read as a criticism of the U.S. singling out Chinese firms Huawei (the world's second-largest telecommunications manufacturer) and ZTE last year in a Congressional report warning that the two companies "cannot be trusted to be free of foreign state influence and thus pose a security threat to the United States and to our systems." Accordingly, the U.S. House of Representatives Permanent Select Committee on Intelligence's Oct. 2012 report "strongly encouraged" all U.S. businesses "to seek other vendors for their projects."

American businesses appear to be listening. A recent survey of 454 IT professionals conducted by InformationWeek found that the U.S. government's recommendation to avoid Huawei equipment would influence their buying decision-making. Indeed, 37% of surveyed businesses cited the warning as a major concern, and 34% said it would be a deal-breaker.

But Ren Thursday downplayed his company's presence in the American market. "Huawei equipment is almost non-existent in networks currently running in the U.S. We have never sold any key equipment to major U.S. carriers, nor have we sold any equipment to any U.S. government agency," he said.

His comments echoed those of Huawei executive VP Eric Hu, who last month said, "We are not interested in the U.S. market any more," according to the Financial Times.

Despite that apparent vow to quit the U.S. market, the company subsequently changed its story, saying it would continue to actively sell its products in the United States. "We continue to sell in the U.S. in all three business areas: Device, Carrier Network and Enterprise," Huawei spokesperson Jannie Luong told Network Computing in April.

In the wake of the Oct. 2012 Congressional report, Australia, India and the United Kingdom were already evaluating whether they would continue to work with Huawei and ZTE. Notably, India's Research and Analysis Wing -- the government's main intelligence service -- issued a report warning that "Huawei Technologies is known to have links with the People's Liberation Army (PLA) and the ministry of state security of China."

In response, Huawei proposed that Australia create an information security test center to vet the company's products.

But fears of Chinese espionage were further compounded this week, after an annual report from the Pentagon to Congress directly accused China of running a military cyber-espionage operation that directly accessed U.S. government systems. "China is using its computer network exploitation capability to support intelligence collection against the U.S. diplomatic, economic and defense industrial base sectors that support U.S. national defense programs," according to the report.

In the wake of that warning, Huawei and ZTE appear to be facing fresh scrutiny by Indian government officials, who said this week that they're creating a testing lab to assess all foreign-built telecommunications and networking equipment. "We know about the concerns of intelligence agencies and are expediting developing [a] system for testing the telecom equipments of foreign manufacturers in networks," an Indian government telecommunications official told India's Hindustan Times.

Information security experts, however, say that backdoors purposefully built into networking hardware can be notoriously difficult to detect, and warned that devices could also be clean when purchased but later updated with firmware that enables spying.

Furthermore, in a 2012 teardown of the Huawei AR8 and ARE 29 series routers, Felix "FX" Lindner, who heads Berlin-based Recurity Labs, found that the firmware contained sufficient numbers of coding errors that anyone studying the code base might find ways of remotely compromising the devices without needing to resort to purpose-made backdoors.

Comments
jries921,
User Rank: Ninja
5/18/2013 | 6:06:38 PM
re: Huawei CEO Dismisses Security, Spying Concerns
I don't believe a word of it. If he were to refuse a request for cooperation from State Security, he would go directly to prison and may never be seen again. But if he were to have said anything but what he said, he'd never be able to go home again.
Ronjon13,
User Rank: Apprentice
5/13/2013 | 2:01:31 PM
re: Huawei CEO Dismisses Security, Spying Concerns
Ren suddenly appears, dismisses all allegations and expects we should just take his word for it?

No mention of Huawei sales to Iran and the efforts to conceal ongoing operations that were uncovered, and no mention of the employees he has at Huawei that aren't really telecom employees but actually are working for the PLA intelligence agency, and no mention of the employees who are monitored and threatened if they do not go along or keep quiet.

Mr Ren, you can buy some people, some favourable articles and some desperate customers but we still do not believe you.
JSmithy67,
User Rank: Apprentice
5/10/2013 | 6:00:27 PM
re: Huawei CEO Dismisses Security, Spying Concerns
Huawei CEO Ren Zhengfei: "Furthermore, he said he was confident that his employees would be free to refuse any request from a Chinese intelligence service to spy on a foreign entity."
While the employees may be "free to refuse" what if they personally choose to obey the request?
It would have been more reassuring for Mr. Zhengfei to say, "Huawei company policy forbids our employees to act on a request from anyone not in their chain of supervision. We will immediately fire or prosecute anyone breaking this policy."
elleno,
User Rank: Apprentice
5/10/2013 | 5:59:17 PM
re: Huawei CEO Dismisses Security, Spying Concerns
To quote a famous prostitute, Christine Keeler, when she heard one of her high profile politician clients denied all charges.

Ren denies all cybersecurity issues with Huawei: "He would say that wouldn't he".