Huawei Technologies Co. Ltd is based in China and provides telecommunications equipment and consumer electronics such as smartphones to consumers in more than 170 countries – except the United States. The company, founded in 1987, employed more than 188,000 workers as of September 2018.
Huawei operates 21 Research and Development institutes globally and had invested $13.8 billion US dollars as of 2017. It is estimated that, as of 2011, this large Asian telco served fully one-third of the international community. In 2018, Huawei bested Apple as the second-largest smartphone manufacturer in the world, behind Samsung Electronics.
The Chinese telco ranks #72 on the Fortune Global 500 list. In December 2018, corporate revenues for that year reached $108.5 billion – a 21 percent rise from the previous year.
Huawei stopped selling its goods and services in the U.S. in 2018 after the U.S. government accused the telco giant of building devices that allow the Chinese government to spy on Huawei users. At the same time, President Donald J. Trump began waging a tariff war with China.
Huawei has vehemently denied U.S. allegations of espionage. maintaining that its products present “no greater cybersecurity risk” than those of their competitors.
In May 2019, as the trade war between the U.S. and China continued to seethe, Huawei was restricted from doing business with U.S. companies over charges of prior intentional violations of U.S. sanctions against Iran.
On June 29, 2019, President Trump agreed to resume trade negotiations with China and pledged to ease the Huawei ban. Trump stated:
“U.S. companies can sell their equipment to Huawei. We’re talking about equipment where there’s no great national security problem with it.”
Under these new trade terms, Alphabet (GOOGL) company Google will be able to sell its Android operating system for use in Huawei smartphones.
The problem is that Huawei is under direct orders from the tyrannical Communist Chinese government. To test how safe Huawei products are, in terms of cybersecurity, a comprehensive IoT (Internet of Things) cybersecurity for enterprise networks company called Finite State got involved.
In a report released in June 2019, Finite State detailed its findings after using an automated system to analyze “more than 1.5 million files embedded within 9,936 firmware images supporting 558 different products within Huawei’s enterprise networking product lines.” Targeted were “hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices, and the presence of known and 0-day vulnerabilities.”
What Finite State discovered was both shocking and concerning:
“Out of all the firmware images analyzed, 55% had at least one potential backdoor. These backdoor access vulnerabilities allow an attacker with knowledge of the firmware and/or with a corresponding cryptographic key to log into the device.”
The cybersecurity report from Finite State went on to decry the Chinese tech company’s insistence that it builds safe products that couldn’t possibly spy on anybody:
“Overall, despite Huawei’s claims about prioritizing security, the security of their devices appears to lag behind the rest of the industry. Through analysis of firmware changes over time, this study shows that the security posture of these devices is not improving over time – and in at least one case we observed, it actually decreased. This weak security posture, coupled with a lack of improvement over time, obviously increases security risks associated with the use of Huawei devices.”
A Huawei spokesperson repeated the corporate denial of wrongdoing:
“We have not and will never implant backdoors. In addition, we will never allow anyone to do so in our equipment. Cybersecurity is a technical issue that should be addressed through technical means. We will carefully analyze the report, and proactively and openly engage with the relevant parties regarding it. We welcome in-depth communication between Finite State and Huawei’s in-house security experts.”
This is not the first time a Chinese plot to steal massive amounts of confidential data has surfaced in the U.S. In 2015, American company Elemental Technologies (ET) had national security contracts related to the CIA’s order for Amazon Web Services (AWS). During a third-party security audit on ET’s video-compression servers, “the testers found a tiny microchip, not much bigger than a grain of rice, that wasn’t part of the boards’ original design.”
The mysterious intruder chip raised U.S. national security concerns because ET had supplied tainted servers to the Department of Defense data centers, the CIA’s drone operations, and the onboard networks of Navy warships. The chips provided “a stealth doorway into any network that included the altered machines” and were added in China by manufacturing subcontractors who were operatives from a unit of the People’s Liberation Army.
More recently, on October 4, 2018, the U.S. Department of Homeland Security (DHS) issued a warning that a hacker group linked to the Chinese government had launched attacks on American and European technology service providers to steal data.
Joe Gilbertson is a former U.S. Central Intelligence Agency (CIA) officer who removed any doubt from what the Chinese are up to:
“Of course, they have back doors. Why would China NOT put a back door in there? This is a blatant and notorious spy technique but China has put it on an industrial scale. They are trying to do to us, what they do to their own people.”
“This is not just a possibility, this is a certainty. There is no possible way that an intelligence service as sophisticated as the Chinese would not take advantage of such a backdoor. They have whole divisions of people whose job it is to find this kind of exploitable weakness. The advantage in China is that the government can direct Huawei to create them. They would not be there but for the direction of the government.”
As of this writing, representatives from Huawei have declined comment on the Finite State report amid ongoing and growing U.S. concerns about consumer safety and national security.