SamSuka
The Hated One

The Huawei backdoor [Work in progress]

Introduction

It is [redacted] 2012, and Australian intelligence has just detected an intrusion at [redacted], a major telecommunications provider. They immediately call their U.S. counterparts and share intelligence about the intrusion.

[Redacted] was performing a routine software update that, unbeknownst to the operator, contained malicious code. The intricate payload was designed to reprogram infected equipment in the network and record all communications passing through it. All captured data was then sent to remote servers in China.

After a few days of covert surveillance, the malicious program deleted itself from the system through a sophisticated self-destructing mechanism.

Australian intelligence claimed attribution to Chinese operatives that supposedly infiltrated the ranks of Huawei technicians who let the update be installed on the telecom’s systems.

No names of the operatives or the Australian telecom provider were shared with the public. Neither was any tangible evidence that would erase doubts as to who really was behind the attack.

Huawei is the world’s largest manufacturer of telecommunications equipment and one of the top smartphone makers on the globe. Despite being banned from numerous Western countries, Huawei still managed to maintain global market dominance and triple its annual sales from what they were five years ago.

The Huawei empire now sells products or carries the traffic of Internet users in 170 countries. And for over a decade, the Shenzhen giant has faced and dismissed accusations that they have pwned billions of users on behalf of the authoritarian Chinese government.

But the accusers of Huawei have a lot to gain from discrediting the world’s largest telecom manufacturer. Especially when doing so means boosting their own dominance on the global market. Most of the accusations made by Western intelligence agencies sound a lot like looking at the reflection of their own image.

Accusations

In May 2020, the US government banned all Huawei products from the country on national security grounds and advised their allies to do the same. This resulted in 60 countries ceasing cooperation with Huawei on new telecommunications projects, citing cybersecurity concerns. But this wasn’t the first jab US intelligence directed against Huawei.

In 2013, former NSA and CIA chief Michael Hayden accused Huawei of engaging in espionage on behalf of Beijing. Not much came out of these accusations as they weren’t accompanied by evidence of any kind. Huawei called Hayden’s claims a “politically-inspired and racist corporate defamation.”

At the time of Hayden’s statement, he was also on the board of Motorola Solutions, a direct competitor to Huawei. Two years prior Motorola had to pay [redacted] dollars to Huawei to settle an intellectual property dispute. This made it easy to dismiss insinuations of one man as a product of the revolving door in corporate America.

But in 2018, not one but six US Intelligence chiefs testified before the Senate Intelligence Committee to come forward with allegations against Huawei and ZTE products. This time, CIA and FBI directors warned about the dubious ownership of the Huawei company and alleged ties with the Chinese government. At the time, Huawei was about to overtake Apple as the second largest manufacturer of smartphones right behind Samsung. Extraordinary as the claims were, they were supported by no evidence at all. So by Hitchens’s razor, “what can be asserted without evidence can also be dismissed without evidence.”

In 2020, US National Security Adviser Robert O’Brien spoke at an Atlantic Council forum. US intelligence now claimed to have evidence of Huawei’s capability to secretly preserve access to sensitive and personal data in network systems they sell to customers around the world. The Wall Street Journal was the first to report that US intelligence shared the unequivocal evidence with their allies. Whatever the evidence was, it was never shared with the press or the public. Huawei officials denied all accusations as baseless and the company said no Huawei employee can access the network without an explicit approval from the carrier.

Speculations born out of this instance argued that this ban was just a part of the then president Trump’s trade war with China. Since neither the UK nor the European Union imposed an outright ban, perhaps the evidence wasn’t persuasive enough after all.

But this isn’t all there is to this story. Accusations from intelligence officials say much more about their geopolitical motivations than actual reality. After all, the script is always the same – a source makes a claim about a company; the company officials refute the claim for lacking evidence; news articles report on both sides and call it a day.

Outside of recriminations lies real cybersecurity research and revelations of classified documents that shed light on the inconsistencies on both sides of the argument. The accusations iterate over the cycle of three independent narratives.

  1. Huawei is directly aiding Chinese intelligence to wiretap foreign networks.
  2. Chinese intelligence covertly plants operatives in Huawei’s employment structure to conduct espionage without the company’s direct cooperation or knowledge.
  3. Huawei is essentially controlled by or closely tied with the Chinese government and can’t be trusted to be benign.

Let’s take a look at the reality behind each of these insinuations.

Hayden’s accusation

When former NSA chief Mike Hayden accused Huawei of engaging in foreign espionage on behalf of China, it was probably the most ironic statement in history. The reason being it came out right before the NSA leaks revealed it was the National Security Agency that hacked into Huawei’s corporate network in Shenzhen, China.

Ironically, the NSA sought to exploit Huawei products because they wanted to use them to attack their intelligence targets in countries serviced by Huawei. The agency monitored communications of the company’s top executives, including the founder and CEO Ren Zhengfei.

According to the documents, the agency gathered “more data than they knew what to do with.” Alongside emails and business intelligence, the NSA also stole Huawei’s proprietary source code. These revelations prompted suspicions that the agency could have engaged in corporate espionage on behalf of Cisco, a major US competitor of Huawei.

A senior Huawei executive in the United States called out the irony of these revelations – that while the US always blamed Chinese companies for conducting espionage for the communist government, it was the US intelligence that was doing it to them all along. And this time, the allegations were supported by mountains of leaked classified documents proving their campaigns.

The NSA operation began way back in 2007 but the original justification wasn’t to weaponize Huawei infrastructure sold to US allies and adversaries. It was to find any link between Huawei and the Chinese state. A link which the documents conclude, the operation failed to find.

Microsoft research

Absence of evidence doesn’t equate to evidence of absence. Any properly implemented backdoor is by design going to be evasive and look like a mistake rather than intent. Huawei’s record is laden with mistakes that raise suspicions about their intents.

In 2019, security researchers at Microsoft discovered an anomaly in one of Huawei’s Matebook laptops. The incongruity was traced to a driver component of a piece of software called PCManager. This is a device management tool Huawei pre-installs into their Matebook lineup by default.

The PCManager was designed to run with the highest set of privileges in the kernel. This isn’t unusual as manufacturers commonly ship their devices with similar device management software.

What was abnormal about the Huawei driver was that its behavior led the Microsoft team to discover a software flaw sitting inside PCManager. What Microsoft saw was a vulnerability that deeply resembled NSA backdoor techniques. It would allow an attacker to gain superuser privileges and take control over the whole device. The biggest oddity of this vulnerability was that experts suggested it was most likely introduced intentionally at the manufacturing stage.

Curiously, security professionals weren’t so quick to attribute the flaw to Huawei. One professor of computer science in the UK commented that it is not known how the flaw was introduced during manufacturing. It was speculated a criminal hacker gang or an advanced group could have interfered with Huawei’s supply chain to discredit the company. The vulnerability itself didn’t suggest Huawei had anything to do with it.

A similar incident happened to Microsoft several years before. The NSA used a Microsoft vulnerability to build an exploit, which was later stolen by a hacker group and leaked to the public. By the time the vulnerability was weaponized for ransomware attacks, Microsoft had already released a security patch. Which is what Huawei did as soon as the Microsoft security team reported the vulnerability in PCManager.

So while this vulnerability would meet the definition of a backdoor all the way, it couldn’t be attributed to Huawei or Chinese threat actors with any degree of confidence.

The spy

How the backdoor made its way through Huawei’s manufacturing supply could be explained by the insinuation that Chinese intelligence infiltrated the corporation’s hiring process and polluted the employment pool with their operatives.

In the decades of the company’s existence, there has so far only been one instance of a spy getting caught among the employee ranks. In 2021, the Polish government made two high-profile arrests connected with Chinese espionage: former intelligence officer Piotr Durbajlo and Wang Weijing, a Huawei employee. Durbajlo and Wang supposedly conspired to help the Chinese penetrate the highest security levels in the Polish government networks.

Wang was immediately fired by Huawei and the company distanced itself from any allegations it works as an extended arm of Beijing.

The arrests prompted further examinations of Huawei’s source code to look for possible backdoors. British and American officials asserted Huawei could remotely access and control networks on their hardware. But Huawei’s network-control software wasn’t found to be malicious nor hidden and adhered to industry standards.

Poland is Huawei’s central hub for Eastern and Northern Europe and the country is a strategic NATO member and a US ally. It isn’t unexpected that it would invite the attention of Beijing.

After all, it is well documented that US intelligence routinely intercepted the supply chain of US products sold abroad. This happened to Cisco on multiple occasions from both the NSA and CIA as well as possible foreign state-sponsored actors. There is no reason to assume Chinese intelligence would refrain from attempting to do the same as their Western counterparts.

If Huawei products contain any backdoors, this would be the most likely vector of infection. The company acknowledged publicly that employee compromise is a “valid threat”. This particular statement was in response to Australia’s allegations that a software update in one of Huawei’s products once contained malicious code designed to compromise a major Australian telecom provider. Since this insinuation wasn’t accompanied by any tangible evidence, both Beijing and Huawei refuted the claims. But Australians shouldn’t be acting surprised as they too have more than enough experience with bugging foreign governments.

Working for the state

What governments decide to do is often outside of the companies’ control. In Western countries, the collusion of corporations and governments manifests itself in the form of lobbying and the revolving door. Businesses try to influence the law by financing lobbying campaigns and offering lucrative positions to favorable candidates and officials. Many government positions in the West are filled with former board members or executives of corporations they are supposed to regulate. But governments or political parties don’t legally own or control major corporations.

How minor this distinction may seem in the eyes of the general public is irrelevant to Huawei’s accusers. According to them, Huawei can’t be trusted because it is directly controlled by the Chinese state and hence by the single-ruling Communist Party.

Huawei is a multi-billion-dollar global conglomerate. Unlike its Western counterparts, Huawei is actually not a publicly traded corporation. Investors can’t own stocks or buy ownership shares of the company.

So how is Huawei actually run and who really owns the giant from Shenzhen?

According to the company structure, Huawei is an umbrella term that actually covers two entities – Huawei Technologies, Inc. and Huawei Investment & Holding Co., Ltd. Huawei Technologies is the operating entity that does all the heavy lifting with manufacturing and production. The holding company is the single shareholder that owns 100% of stocks of the operating company.

Huawei Holding is in turn owned by two shareholders. Ren Zhengfei, the founder and CEO, owns 1.14% of the holding company while the remaining 98.86% is owned by yet another entity called the Union of Huawei Investment & Holding.

What is known about Ren was that he founded Huawei as a former engineer of the People’s Liberation Army. His mythos to the Chinese is that of Steve Jobs in the US. He built his empire from just a few thousand dollars and overtook corporate giants of his time.

When it comes to the Huawei Union, the facts get a lot murkier. The union is comprised of Chinese nationals employed at Huawei. Most employees own stocks of the company with a voting power to elect representatives of the Trade Union Committee, which in turn elects members of the Huawei board. This on paper makes Huawei an employee-owned company, but reality isn’t so simple.

The employee shares are not traditional ownership stocks. They give employees no decision-making power and no control over the company. It’s a virtual stock with no property rights. When an employee leaves the company, their stock cannot be transferred or sold but Huawei buys it back. Huawei stocks are de facto a profit-sharing incentive scheme.

Not much else is known about the Huawei Trade Union entity. Constitutional documents are not available to the public so there is nothing to know about the actual governance structure. Do employees hold one vote for each person, or do more shares equal more votes? Do all employees get to vote on their union matters, or just the ones owning the shares?

What fuels critics’ suspicions of Huawei’s ties with the government is how the law effectively treats unions in China. Chinese trade unions have a strict hierarchical structure where superior union officers are loyal and accountable to the All-China Federation of Trade Unions. The head of ACFTU sits on the Politburo and the union federation is controlled by the Communist Party. This and the fact that superior union officials are treated as state employees lead to a conclusion that unions in China are de facto state organs, which essentially makes Huawei 98.86% state-owned. Ren Zhengfei still has a veto power on decisions made by Huawei Technologies and Huawei Holding.

Huawei still maintains they are an independent company and are not beholden to the state. But the company’s record doesn’t support their defense.

According to Huawei’s internal materials, the company built several surveillance technologies to help authorities identify individuals with voice fingerprints, track the location of political targets, or provide tools for corporate monitoring.

Huawei’s surveillance system boasts tracking subjects with facial recognition and tracking smartphones by unique device identifiers. The facial recognition software has a built-in “Uighur alarm” that detects ethnic or cultural features of the Xinjiang minority members and alerts Chinese authorities when finding a match.

Another tool to aid China’s authoritarian overreach is a software called Smart Prison Unified Platform. This software helps manage and monitor detainees in China’s reeducation and labor camps to measure efficacy or monitor labor.

Huawei spends between 10 and 15 percent of their annual revenue on research and development. But the Chinese government also puts a finger on the scale in the form of subsidies, loans, grants and tax incentives. In total, Beijing poured $75 billion in financial assistance to Huawei between 2008 and 2018. Chinese diplomacy has also aided Huawei in closing an exclusive deal with Pakistan, making the country bypass the competitive bidding process and grant the contract to Huawei.

It is evident that the Chinese state is heavily invested in making their telecom giant succeed globally. This kind of protectionism is beneficial to Huawei on its own but whether other conditions had to be agreed upon is speculation.

Conclusion

Does any of this prove accusations against Huawei? So far, not a single piece of incriminating evidence exists that could conclusively decide one way or the other. There will always be room for speculation. And that’s by design.

There is no cyber-proliferation treaty that would set international limits on what conduct countries can engage in with their cyber weapons. All major powers are testing the waters with espionage, intrusions and potential cyber attacks. Attribution in computer systems is extremely difficult to prove. State actors have immense resources at their disposal for covert operations and deleting their tracks for plausible deniability.

So we are in a state of perpetual cyber cold war where companies, technologists and users are caught in the crossfire between those hungry for global dominance. Some are participating willingly, others are unwitting bystanders.

China doesn’t need a backdoor in Huawei products to achieve their goals. They can exploit zero-day vulnerabilities just like all other major cyber powers do. Since no intelligence agency has ever come forward with conclusive evidence, all we are left with is a spy crying ‘stop the spy’.
