Slashdot Mirror


Huawei Offers 'Complete and Unrestricted' Source Code Access

An anonymous reader writes "The BBC reports that 'Huawei has offered to give Australia unrestricted access to its software source code and equipment, as it looks to ease fears that it is a security threat. Questions have been raised about the Chinese telecom firm's ties to the military, something it has denied. Australia has previously blocked Huawei's plans to bid for work on its national broadband network. Huawei said it needed to dispel myths and misinformation.' But is this sufficient? Will they be able to obscure any backdoors written into their equipment?"

45 of 255 comments

  1. Source by bjb_admin · · Score: 5, Interesting

    Does the Australian Govt have anyone that can actually properly security audit this? I am sure they are not going to want to spend the money to hire someone who can. Also, who is to say the binary blob firmware doesn't have a back door. It's not like the Australians are going to compile it and install it themselves.

    1. Re:Source by Lehk228 · · Score: 5, Informative

      Not even the firmware; there could trivially be an on-chip backdoor.

      --
      Snowden and Manning are heroes.
    2. Re:Source by Anonymous Coward · · Score: 2, Insightful

      Even if they did have someone capable, if you've ever read any submissions to the Underhanded C Contest, you'll know how difficult it is to detect hidden back doors even when scrutinizing code.

    3. Re:Source by Max+Littlemore · · Score: 2

      This is my concern. Why is the Federal Government singling out Huawei and not subjecting everyone to this scrutiny?

      I have a simple idea. Why not make it a condition of purchase that all software/firmware/hardware design be fully and publicly disclosed by all potential vendors and crowd source the security checks? (Hey I know it will never happen but I'm allowed to have my Utopian dream on a Thursday morning)

      --
      I don't therefore I'm not.
    4. Re:Source by Anonymous Coward · · Score: 2

      We don't need to compile it ourselves, we have trained kangaroos and drop bears for this purpose.

    5. Re:Source by AK+Marc · · Score: 5, Insightful

      Yes, though there's no evidence of any improper activities from any Huawei gear, and they are already a step ahead of US voting machines.

      In the US, voting machines pick the next president. With secret closed-source code in an industry with proven fraud and from companies with proven previous errors.

      In Australia, they have the source code for routers running a residential broadband network, and that's not good enough.

      Why does something seem wrong with that?

    6. Re:Source by anomaly256 · · Score: 2

      Plus it would mean we could just fabricate new ASICs from their designs and not pay them, something they probably (and rightfully) don't want.

    7. Re:Source by tibit · · Score: 3, Insightful

      Yup, even when you a priori know in which couple hundred lines to look. In a large application, like you'd find in a router, it's demonstrably an impossible task unless they use something safer than C -- and even then it'd take a formal method approach.

      --
      A successful API design takes a mixture of software design and pedagogy.
    8. Re:Source by RedPhoenix · · Score: 4, Informative

      Yes; some very good people who evaluate products for use within the Oz government and Defence:
      http://www.dsd.gov.au/infosec/epl/index.php

      However, the process is usually long, often expensive, and generally targets a particular software/hardware combination; bump your version number, and there's potentially a fairly significant re-evaluation required.

      Huawei could take advantage of this program now, but would either need to front up some dough, or have a sponsor to guide them through it.

    9. Re:Source by socceroos · · Score: 5, Informative

      The DSD (Defence Signals Directorate) are the ones in Australia who would vet this equipment - they already do it for all equipment used by ASIO, ASIS and other secretive organisations here. The other thing to remember is that it was the DSD that told the Government not to trust Huawei's hardware. Now they get to have a good look at the code without the need to reverse engineer.

    10. Re:Source by Charliemopps · · Score: 3, Insightful

      You're not understanding where the government's coming from. They want someone, other than themselves, to have legal liability if there is a breach. Since all contracts, agreements, and laws are subject to the whim of the Chinese government, they could just tell Huawei to put code on their hardware and they'd have to do it. Whereas, in Australia, or the United States, there are constitutions that supersede the federal governments. The feds can come in and demand that Cisco put a backdoor on their hardware, and Cisco could turn around and cite existing law to say "No, we won't do that, it's illegal." Now, in reality, does it actually work like that? No... Cisco bends over backwards for the feds out of greed because they want them to do things like we're seeing here. But from the federal government's perspective, Cisco is doing their bidding and are therefore "Good guys"... Huawei on the other hand are at the very best an unknown. Politicians rarely see beyond their own term... and while violating our constitutional rights to ensure our safety seems worthwhile at the time... it's what the guy that gets elected after they're gone does with these entrenched systems that brings ruin.

    11. Re:Source by Anonymous Coward · · Score: 4, Informative

      Because the rest of those companies weren't founded and run by ex-Chinese military and long-time Chinese Communist Party members?

    12. Re:Source by overbaud · · Score: 5, Insightful

      The way this works is: 1. Cisco lobby US gov. 2. US gov put pressure on Aus gov. 3. Aus gov create FUD about cisco rival. 4. Aus gov buy cisco. 5. Profit - cisco and US senators.

      --
      Users... the only thing keeping 1st level support from being the bottom feeders.
    13. Re:Source by rtb61 · · Score: 3, Interesting

      Nothing to do with believable. I came across a disabled prototype on the internet. Based around a larger cheap version of a typical part with a high cost smaller version built into the casing, leaving ample room for a chip to be inserted in the power pathway. Simplest function: burn out the chip and cut power upon the correct pass code being picked up in the power supply. Imagine that part inserted throughout your infrastructure; upon the code being detected every device using that part is now dead. Attempt to insert a replacement, it receives the signal and dies. Your whole supply chain is corrupted and it could take weeks to resolve, especially when it's the telecommunications infrastructure disrupted.

      --
      Chaos - everything, everywhere, everywhen
  2. Cisco and Motorola may object by Anonymous Coward · · Score: 5, Funny

    ...seeing as how it's their source code being released.

    1. Re:Cisco and Motorola may object by RivenAleem · · Score: 2

      So you're saying that when/if Aus does an inspection of the source code, they WILL find backdoors.

  3. Why stop there? Why not go for public review? by badger.foo · · Score: 2

    Much like I assume a lot of other /. readers, my trust in the equipment I use to do what it's supposed to do comes from my access and ability to read the source code. There have been minor dust-ups in the open source world about allegations that other governments than China inserted back doors in widely used software, and we still see those allegations surfacing from time to time, but never with anything solid to back them up. I believe searches on the obvious keywords will turn up stories linked from here, as well as links to source code repositories of very high quality indeed. So my advice for Huawei is, let the world see your source code, and please set up a mechanism for reviewing your own code and patches.

    --
    -- That grumpy BSD guy - http://bsdly.blogspot.com/
  4. Re:Besides by fredprado · · Score: 4, Insightful

    Sorry, but there is absolutely no company in the world that has this thing called "character".

  5. Compiler Vulnerability by charon69 · · Score: 2

    Is Australia planning on building their own code from that source?

    Because how would they know that what they were running was actually the source code they were provided?

    And would Australia even be interested in jumping through that extra hoop considering that there are other vendor options available where Australia feels this isn't necessary? The price difference between Huawei and other vendors would have to be fairly sizable to warrant that.

    Or, even more insidious, I've heard of the possibility to include backdoors via the compiler rather than via the source code.

    http://en.wikipedia.org/wiki/Backdoor_(computing)

    Quote from that article:
    It is also possible to create a backdoor without modifying the source code of a program, or even modifying it after compilation. This can be done by rewriting the compiler so that it recognizes code during compilation that triggers inclusion of a backdoor in the compiled output. When the compromised compiler finds such code, it compiles it as normal, but also inserts a backdoor (perhaps a password recognition routine). So, when the user provides that input, he gains access to some (likely undocumented) aspect of program operation. This attack was first outlined by Ken Thompson in his famous paper Reflections on Trusting Trust (see below).

    If Huawei's code requires anything more than generic gcc, Australia may not be able to verify 100% security, regardless... unless they're given the source code to the compiler as well.

    Long story short, this just seems like a huge hassle that Australia is probably going to avoid anyway.

    Just my 2 cents...

    1. Re:Compiler Vulnerability by fredprado · · Score: 2

      Obviously they would have to compile and compare to audit, and obviously they shouldn't trust any compiling tool given by the very person being audited...

    2. Re:Compiler Vulnerability by Luckyo · · Score: 2

      Even building firmware from the ground up wouldn't help this issue. You can install a backdoor on a chip. It's all about trusting the vendor not to have these, or to have these but only for trusted organisations.

      China and its security apparatus is simply not on the trusted list in Australia, while CIA/NSA appears to be.

  6. The US government did it! by kawabago · · Score: 5, Insightful

    When American telecom companies won contracts to supply a Soviet satellite, I think it was Poland, with telecom equipment, the CIA or NSA or both managed to get back doors into the equipment to both monitor calls and, in the event of hostilities, to shut the phone system down completely. If American companies let their Government subvert their technology in foreign countries, China would be foolish not to.

    1. Re:The US government did it! by im_thatoneguy · · Score: 3, Insightful

      Yes. Because, it's not xenophobic, it's just plain good sense that critical infrastructure is a huge target. It's what every country should want their intelligence agencies doing. I hope every router sent to China has a backdoor in it that we can shut down in the event of a conflict.

      Why do you think China is working so hard to create their own CPU? They know this would be a massive liability, and with 10 billion transistors it's easy to hide things nowadays.

      I'm usually dismissive of conspiracy theories because they don't actually result in any parties profiting. But this is exactly the sort of thing that countries not only would profit from--but have already done.

      Imagine if every car in China could be turned off with a switch. That's a weapon I have absolutely no question our military would love to have. And one which *of course* the Chinese military would also want. If they could do it and get away with it--they will (just as we would).

    2. Re:The US government did it! by TheLink · · Score: 2

      That's the USA though.

      If Australia is that paranoid about China they should be even more paranoid about the USA too. Seems to me Australia should be asking Cisco and all the other US companies for their source code etc. In the global market Australia is not really a competitor with China, whereas Australia competes with the USA in many areas.

      China doesn't need to do stuff like this. Why would they want to shut down Australia? China doesn't even have enough nukes for a decent nuclear offense.

  7. Re:Is this Sufficient? What else could you want? by Todd+Knarr · · Score: 2

    Hardly obscure. The only thing needed is to make it so the code used to build the firmware isn't the code you provided for everyone else to look at. I can think of a dozen ways to do that, starting with the obvious "patch file not in version control and not provided to anyone, applied manually between checkout and compile". If you're doing that, the back-doors don't have to be obscure at all because they won't be present in anything anyone can see.

    The only way to truly tell is to build your own binaries from the supplied code and then diff the vendor-supplied firmware against your build. That of course suffers from problems with a large number of benign differences due to embedded source-code paths, timestamps due to the build being done at a different time, slight variations in the exact version of third-party libraries and so on.
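The build-and-diff check described in this comment (and the compile-and-compare idea raised in the "Compiler Vulnerability" thread above), as an added Python example that is not code from any of the posters: it normalizes the benign differences the comment lists (build timestamps, embedded source paths) before diffing, so only unexplained differences remain. The "firmware" byte strings, the timestamp format and the source-root prefixes are constructed for illustration.

```python
import difflib
import re

# Constructed sample images (not real firmware): the same code, built once by
# the vendor and once by the auditor, at different times and in different
# build directories. Only the embedded build metadata differs.
CODE = b"\x55\x48\x89\xe5\xb8\x01\x00\x00\x00\x5d\xc3"
VENDOR_IMAGE = (
    b"\x7fELF" + bytes(4)
    + b"Build: Oct 25 2012 14:03:12\x00"
    + b"/home/hw-build/fw/src/main.c\x00"
    + CODE
)
AUDIT_IMAGE = (
    b"\x7fELF" + bytes(4)
    + b"Build: Nov  2 2012 09:41:55\x00"
    + b"/opt/audit/fw/src/main.c\x00"
    + CODE
)
# A third constructed image with two extra bytes in the code that no
# build-environment difference can explain.
TAMPERED_IMAGE = AUDIT_IMAGE.replace(CODE, CODE[:5] + b"\x90\x90" + CODE[5:])

# Known build roots (assumed) whose prefix should be treated as equivalent.
SRC_ROOTS = [b"/home/hw-build/fw/", b"/opt/audit/fw/"]

# __DATE__ " " __TIME__ style stamps, e.g. "Oct 25 2012 14:03:12" or "Nov  2 2012 09:41:55".
TIMESTAMP_RE = re.compile(rb"[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}")


def normalize(image: bytes, src_roots) -> bytes:
    """Replace known-benign, environment-dependent bytes with fixed placeholders.

    Anything this function does not recognise is left untouched, so it can
    only ever hide differences you have explicitly decided are harmless.
    """
    out = TIMESTAMP_RE.sub(b"<TIMESTAMP>", image)
    for root in src_roots:
        out = out.replace(root, b"<SRCROOT>/")
    return out


def diff_regions(a: bytes, b: bytes):
    """Return every non-matching run as (tag, offset_in_a, a_bytes, b_bytes)."""
    sm = difflib.SequenceMatcher(None, a, b, autojunk=False)
    return [
        (tag, i1, a[i1:i2], b[j1:j2])
        for tag, i1, i2, j1, j2 in sm.get_opcodes()
        if tag != "equal"
    ]


def compare_builds(vendor: bytes, ours: bytes, src_roots):
    """Diff two images after stripping the benign differences; an empty list
    means the vendor binary is explained entirely by the supplied source."""
    return diff_regions(normalize(vendor, src_roots), normalize(ours, src_roots))


if __name__ == "__main__":
    print("raw diff regions:", len(diff_regions(VENDOR_IMAGE, AUDIT_IMAGE)))
    print("normalized diff (clean build):", compare_builds(VENDOR_IMAGE, AUDIT_IMAGE, SRC_ROOTS))
    for tag, off, va, ta in compare_builds(VENDOR_IMAGE, TAMPERED_IMAGE, SRC_ROOTS):
        print(f"unexplained {tag} at normalized offset {off}: vendor={va!r} ours={ta!r}")
```

The raw images differ in two places (timestamp and path), the normalized clean pair does not differ at all, and the tampered pair leaves exactly one insertion that has to be explained by hand.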

  8. IT'S A TRAP!!! by HPHatecraft · · Score: 3, Funny

    -signed Admiral Thomas Dalton Ackbar

    1. Re:IT'S A TRAP!!! by oodaloop · · Score: 2

      We can't repel overused movie quotes of that magnitude!

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
  9. Who are the alternative bidders? by PPH · · Score: 2

    Is their h/w and s/w being audited for back doors and spyware?

    No need to audit US sourced equipment. Thanks to CALEA we are 100% certain it's been bugged.

    --
    Have gnu, will travel.
  10. Re:hardware backdoors by AK+Marc · · Score: 3, Informative

    OK, let's assume that the routers are rooted. So what? Isn't everything over the Internet presumed to be insecure anyway? At worst, China would get some SSL packets from my bank, or some HTTPS packets between me and an email server. Or see that I'm on Slashdot more than I should be. Yawn.

    And, if they did send a copy of every packet to China, do you think the carriers wouldn't notice that traffic pattern? It's an absurd accusation, with no basis in fact. And, if true, would be quickly found if it were ever used. All to compromise an unspecific portion of a residential broadband network.

    It's more likely that Huawei was behind the assassination of Kennedy and 9/11 than they are inserting router backdoors in an attempt to remotely control Australia. If you've been to WA, you don't need to sniff their traffic to know what they are doing. 99% porn, 1% skype to family.

  11. Not possible by AaronW · · Score: 2

    I'll believe it when I see it. Many, if not most, of their products run on VxWorks, a proprietary closed-source real-time operating system. All it takes is for someone to find a way to access the t-shell and you own the box. I believe this was recently shown to be trivial to do with access to the web interface (no login needed). Once you are in the t-shell you own the box. In VxWorks the t-shell is like root on steroids. You can call any function, access any global variables or any memory location that you choose.

    VxWorks historically has not been a secure operating system, leaving security entirely up to the applications developer.

    VxWorks is not like a traditional operating system where you load programs off of a filesystem and execute them, with a clear separation between the OS and applications. Instead, everything is linked together into a single binary blob. Now it's possible it has changed significantly since I last used it, but I doubt it.

    --
    This post is encrypted twice with ROT-13. Documenting or attempting to crack this encryption is illegal.
  12. Not worth a lot.... by gweihir · · Score: 3, Insightful

    Backdoors cleverly disguised as obscure implementation bugs are very hard to find, and if you find them, you do not know whether they are bugs or obscure implementation errors. Typically, making sure no backdoors are in a piece of complex software is more effort and more difficult than reimplementing it with trustworthy and competent people.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  13. Not enough by robmv · · Score: 2

    Source code access is never enough to guarantee that something is free of backdoors. How is it added to the hardware? How can I verify the devices coming in (from China in this case) have the right binaries installed? And don't forget about hardware backdoors. It is like trusting a PC manufacturer with a preloaded Linux installation because I have the source code of it on a DVD to review. If you can't trust the manufacturer there is no source that can help.

  14. Re:Besides by fredprado · · Score: 3, Funny

    Oh, another offended Anonymous Coward. How cute.

  15. Re:Is this Sufficient? What else could you want? by mhotchin · · Score: 4, Informative

    http://cm.bell-labs.com/who/ken/trust.html

    If you haven't read it, or even if you haven't read it recently, you really should.

  16. BBC reports only part of the offer by GumphMaster · · Score: 3, Informative

    What the BBC is reporting is not quite what was offered. The ABC quotes Mr Lord as:

    "Huawei is willing to offer complete and unrestricted access to our software source code and our equipment in such an environment," he said. "And in the interests of national security, we believe all other vendors should be subject to the same high standard of transparency."

    The reference to "such an environment" is an industry funded organisation dedicated to vetting this stuff.

    The exercise is nothing more than a PR spin. Huawei knows full well that the other players will neither want to fund a centre that effectively lets a competitor back into the race nor subject their own code to such scrutiny and risk rejection. He is the local face of Huawei so he has to say these things, but they will not change anything.

    --
    Patent litigation: A doctrine of Mutually Assured Destruction... in which everyone seems willing to push the button
  17. Re:hardware backdoors by RocketRabbit · · Score: 3, Insightful

    Wow, you're just really naive. Really, really naive.

    Even without decrypting the information all the way back in WWII, traffic analysis allowed some major victories on the battlefield. With this technique, being automated and in near real time, one could infer a lot about an adversary without actually decrypting one single thing.

    Maybe you're not concerned with privacy, but that's why you're not working in this field!

  18. Who needs a back door? by Minupla · · Score: 4, Informative

    Who needs a back door when you have a range of security vulnerabilities to choose from.

    Here's the slide deck from the Huawei talk at Defcon 20 this year. At the end of the talk the presenter addressed the topic of backdoors by saying (my paraphrase) given the state of the code, who knows if a given hole is a backdoor or an unintentional security vulnerability.

    The deck is worth a read if only for the fortune cookie slides, which contain actual quotes from the object code:
    http://phenoelit.org/stuff/Huawei_DEFCON_XX.pdf

    Min

    --
    On the whole, I find that I prefer Slashdot posts to twitter ones because I don't get limited to 140 chars before
    1. Re:Who needs a back door? by wer32r · · Score: 2

      When I read through the PDF I started to suspect that these "bugs" must have been put there on purpose. The most convincing slide (IMHO) that supports this is the slide about the Web UI session vulnerability.

      * Uses a Session-ID, called UID: the hex representation of a 32Bit value
      * We only need to test 11 Bit of the UID in order to gain access
      * We can log in with a simple Perl script

      Who would leave such a door open by mistake?

  19. Anything new from Slashdot ? by Taco+Cowboy · · Score: 4, Insightful

    Is there anything new Slashdot can offer, other than this same old China bashing orgy?

    If you think that equipment from Huawei is dangerous, what makes you think that Cisco equipment doesn't come with backdoors?

    Which equipment did the Stuxnet virus target?

    Equipment from China or those from the Western countries?

    It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot.

    Unlike the tweedledee and tweedledum on the presidential debate, you guys do have brains.

    It's time you use your brain to think, rather than letting others do the thinking for you.

    If Huawei (and all equipment from all Chinese companies) are suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?

    --
    Muchas Gracias, Señor Edward Snowden !
    1. Re:Anything new from Slashdot ? by anomaly256 · · Score: 2

      I never said China was dangerous. I was just stating a fact that releasing the VHDL for their ASICs would be commercial suicide, and that releasing source doesn't prove there's no backdoors in the silicon. It's a futile exercise on the part of *both* sides. It boils down to nothing but America trying to defend its own businesses and market share - not national security.

      Please 'take your own medicine' and apply some critical thinking before making assumptions and lumping me in one category or another. And FYI, my wife is Chinese and I go there a lot to visit my delightful in-laws. I'm also American. Amazing eh? ...

    2. Re:Anything new from Slashdot ? by cold+fjord · · Score: 3, Informative

      If Huawei (and all equipment from all Chinese companies) are suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?

      Hmmm . . . are there any other one party communist states with aspirations of hegemony, a long history of enmity against democratic government, free enterprise, and personal liberty, that currently have intense foreign espionage efforts directed against the West, that make direct threats against the United States while being armed with intercontinental ballistic missiles armed with nuclear weapons, on the list? No, China. . . make that the People's Republic of China, one of the few remaining Communist dictatorships on earth, is unique in that regard. Isn't that clear? China is reforming economically much faster than politically, although that is coming along in small fits and starts. But fundamentally, China is still a dictatorship run by the Chinese Communist Party.

      Which equipment did the Stuxnet virus target?

      That was SCADA controllers made by Siemens, a German company, being used by Iran - a Shia-led theocratic government imposing Sharia law in Iran while they seek hegemony in the region. Iran is using that equipment to run centrifuges to develop highly enriched uranium, and has been discovered to be engaged in activities applicable only to nuclear weapons development. Iran tries to intimidate its neighbors, is a state sponsor of terrorism world-wide, funds, trains, and arms Hezbollah with tens of thousands of rockets and missiles to control Lebanon and attack Israel until it can make good on its barely veiled threats of genocide against Israel, and general threats against Europe and the United States. Until the Islamic revolution in Iran in 1979, Iran and Israel had been on good terms. It is the theocratic government in Iran that has declared them to be enemies - the conflict isn't Israel's fault - Iran was not part of the Arab-Israeli wars. And yet some people take the bankrupt position that it is Iran that needs protection from Israel. Stuxnet and its kin may be the only reason the world isn't in a shooting war in the region now.

      It's easy to bash China - as China has become the poster boy for bashing orgy - from Presidential debate to this one in Slashdot - but I do expect MORE from those who come to Slashdot. Unlike the tweedledee and tweedledum on the presidential debate, you guys do have brains. It's time you use your brain to think, rather than letting others do the thinking for you.

      Some people use their powers of reason to understand the facts above and their implications, others use their reason to rationalize away uncomfortable facts, like those above.

      In much of the West, the well educated have been taught to believe that they can know nothing and that they can draw no independent conclusions about truth, unless they cite a study and "experts" have affirmed it. "Studies show" is to the modern secular college graduate what "Scripture says" is to the religious fundamentalist. -- Dennis Prager

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    3. Re:Anything new from Slashdot ? by OeLeWaPpErKe · · Score: 2

      I imagine a similar argument was made in the USSR about Xerox photocopiers. Oh, right, those spying photocopiers.... Now while you can argue that it's just the US being evil and therefore expecting everyone else to be evil, anyone who deals with the Chinese government has absolutely no illusions about which government is the best of the two.

      The Chinese government has been caught red handed on several occasions attacking private companies, so ... what doubt is there, really, that Huawei equipment is too dangerous, even if it's not outright sabotaged from the start ?

  20. Re:hardware backdoors by AK+Marc · · Score: 2

    Sure, they'd take it all down. And then what? Invade Australia? That'll start WWIII, same as if they launched a bomb at every network POP. We should be scanning them all to make sure there aren't hidden bombs in every Huawei router, and even if they come back clean, open them all up and make sure. What would happen if the code had every battery in every Huawei phone outside China blow up at the same time? And every Huawei home router shorted, taking out the electric grid? Then they got up, walked to other routers, and assembled themselves into a large robot that calls itself Megatron-san (yes, I know we are talking Chinese and san is Japanese).

  21. Re:Answer by Matt.Battey · · Score: 2

    That may be true, but based on past events, like when counterfeit Cisco routers were produced in China and sold world wide, even to US military institutions, the fear is very real. Besides the attempt to maximize profit by selling falsely produced patented and copyrighted digital equipment, there is the nefarious aspect that these systems could have any sort of direct back-door, data rewriting, or side channel attacks built-in.

    The question comes down to this: Do you purchase digital computing products constructed in a Communist country that is actively engaged with you in digital warfare? This is the cyber equivalent to smallpox blankets.

  22. it depends on who you are by r00t · · Score: 3, Insightful

    If Huawei (and all equipment from all Chinese companies) are suspicious, what makes you think that equipment from Germany or Japan or Britain or Korea or Canada or USA isn't?

    If I'm running a business in Australia, each of the listed non-Chinese countries is a minor concern. All have strong intellectual property protection. They mostly don't have a reputation for cloning foreign products. China is a different matter entirely.

    If I'm running a business in any of the listed countries, China or otherwise, obviously my own country is preferred. They'd kick in my door if they wanted something; it's easier and more fun than hacking. I'd like protection from the others.

    If I'm running a business in Iran, I probably want Korea or Japan. China is trying to pry into my finances for trade negotiation, and everybody else just hates Iran.