There’s a lot of controversy now about Huawei. They’re a tech manufacturer with direct connections to the Chinese government, and they make networking infrastructure for telecommunications companies worldwide, plus networking devices, and mobile devices such as smartphones. Because of allegations that their products have backdoors for Chinese espionage, non-Chinese companies are now less likely to want to use Huawei as a vendor. Google is also making it a lot more difficult for Huawei to make Android phones. As per the BBC:
“New designs of Huawei smartphones are set to lose access to some Google apps.
The move comes after the Trump administration added Huawei to a list of companies that American firms cannot trade with unless they have a licence.
Google said it was ‘complying with the order and reviewing the implications.’
Huawei said it would continue to provide security updates and after-sales services to all existing Huawei and Honor smartphone and tablet products, covering those that have been sold or are still in stock globally.
‘We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally,’ it added.”
Just this May, it was reported that Cisco Nexus 9000 Series Switch software contains default SSH keys which can allow external cyber attackers to acquire privileged access to networks. That’s a rather grave vulnerability indeed. Here’s what Cisco’s security advisory says:
“A vulnerability in the SSH key management for the Cisco Nexus 9000 Series Application Centric Infrastructure (ACI) Mode Switch Software could allow an unauthenticated, remote attacker to connect to the affected system with the privileges of the root user.
The vulnerability is due to the presence of a default SSH key pair that is present in all devices. An attacker could exploit this vulnerability by opening an SSH connection via IPv6 to a targeted device using the extracted key materials. An exploit could allow the attacker to access the system with the privileges of the root user. This vulnerability is only exploitable over IPv6; IPv4 is not vulnerable.
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.”
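The condition the advisory describes, one key pair shared by every device, is something a defender can audit for by fingerprinting the authorized public keys collected from each device and flagging any key that appears on more than one. The sketch below is an added example, not code from Cisco or from this post; the host names, the inventory layout, and the keys (built from fixed bytes) are constructed for illustration.

```python
import base64, hashlib, struct
from collections import defaultdict

KEY_TYPES = ("ssh-rsa", "ssh-ed25519", "ssh-dss", "ecdsa-sha2-", "sk-")

def fingerprint(blob_b64):
    """SHA256 fingerprint of a public key blob, formatted like `ssh-keygen -l`."""
    digest = hashlib.sha256(base64.b64decode(blob_b64, validate=True)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_keys(text):
    """Yield (key_type, fingerprint) for each key line of authorized_keys text."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith("#"):
            continue
        # An options field (from="...", no-pty, ...) may precede the key type.
        for i, field in enumerate(fields[:-1]):
            if field.startswith(KEY_TYPES):
                try:
                    yield field, fingerprint(fields[i + 1])
                except ValueError:  # malformed base64: skip, do not abort the audit
                    pass
                break

def shared_keys(inventory, known_default=frozenset()):
    """Map fingerprint -> hosts for keys on several hosts or on a known-default list."""
    hosts_by_fp = defaultdict(set)
    for host, text in inventory.items():
        for _ktype, fp in parse_keys(text):
            hosts_by_fp[fp].add(host)
    return {fp: sorted(hosts) for fp, hosts in hosts_by_fp.items()
            if len(hosts) > 1 or fp in known_default}

def constructed_key(seed):
    """Build a syntactically valid ssh-ed25519 line from fixed bytes (not a real key)."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

# Constructed inventory: two switches carry the same root key, one has its own.
FACTORY = constructed_key(1) + " root@factory-image"
INVENTORY = {
    "leaf-101": FACTORY + "\n",
    "leaf-102": "# provisioned 2019\nno-pty " + FACTORY + "\n",
    "spine-201": constructed_key(2) + " admin@spine-201\n",
}

if __name__ == "__main__":
    for fp, hosts in shared_keys(INVENTORY).items():
        print(fp, "present on", ", ".join(hosts))
```

Passing a set of fingerprints as `known_default` also flags a key that appears on only one device but is already known to ship in a firmware image.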
Cisco says that the vulnerability was an accident, not an intentional backdoor. A Cisco spokesperson said:
“Per the Cisco Security Vulnerability Policy, Cisco's product development practices specifically prohibit any intentional behaviors or product features that are designed to allow unauthorized device or network access, exposure of sensitive device information, or a bypass of security features or restrictions. This includes undisclosed device access methods or ‘backdoors.’ Unfortunately, despite the best efforts of technology vendors, security vulnerabilities do still occur. When we identify these serious vulnerabilities, we address them with the highest priority.”
Huawei was not convinced, and used the Cisco vulnerability to bash its competitor and to attack the idea that networking equipment from American companies is more secure for American networks than Huawei's own networking equipment from China:
“Backdoors in Cisco's network switches prove that U.S. homegrown tech equipment is just as flawed as any other.”
This isn’t just a squabble between two different vendors; it also reflects growing tensions in American-Chinese international relations.
But whether a vulnerability is an accident or a deliberate backdoor, the security implications are the same. It’s very dangerous for networking equipment and mobile device endpoints to have an easy way in for cyber attackers. Unfortunately, some governments believe networking devices should have backdoors so that they can easily access third-party networks. Eva Hanscom reported on recently passed Australian legislation here on this blog:
“Last December, Australia’s parliament passed legislation requiring technology businesses to create encryption backdoors within their products. Security and privacy advocates responded with shock and disappointment, with Nate Cardozo of the Electronic Frontier Foundation writing he ‘can see a potential dystopic future in the Land Down Under: one where only backdoored communication tools are permitted in Australia, and all other services and protocols will face government-mandated blocking and filtering.’”
Venafi has noticed that many cybersecurity professionals have some very understandable concerns about government backdoors. At this year’s RSA conference, Venafi evaluated the opinions of over 500 convention attendees. 69% believe that countries which mandate encryption backdoors for government are economically disadvantaged in the global marketplace. That makes perfect sense. A company in one country doesn’t want backdoors for another country’s government in their networks. 70% believe that governments shouldn’t be able to force companies to provide access to encrypted user data. And only 25% believe companies are doing enough to protect the personal information of consumers.
“Strong encryption means unbreakable encryption. Any weakness in encryption will be exploited -- by hackers, by criminals and by foreign governments. Many of the hacks that make the news can be attributed to weak or -- even worse -- nonexistent encryption.
The FBI wants the ability to bypass encryption in the course of criminal investigations. This is known as a ‘backdoor,’ because it's a way at the encrypted information that bypasses the normal encryption mechanisms. I am sympathetic to such claims, but as a technologist I can tell you that there is no way to give the FBI that capability without weakening the encryption against all adversaries. This is crucial to understand. I can't build an access technology that only works with proper legal authorization, or only for people with a particular citizenship or the proper morality. The technology just doesn't work that way.
If a backdoor exists, then anyone can exploit it. All it takes is knowledge of the backdoor and the capability to exploit it. And while it might temporarily be a secret, it's a fragile secret. Backdoors are how everyone attacks computer systems.”
Venafi’s own Kevin Bocek agrees:
“This is a tense moment for industry professionals because they know backdoors make our critical infrastructure more vulnerable. This is not rocket science; backdoors inevitably create vulnerabilities that can be exploited by malicious actors. It’s understandable that so many security professionals are concerned because backdoors are especially appealing to hostile and abusive government agencies and more governments are considering these mandates.”
I believe that backdoors are a growing threat to networking infrastructure worldwide and it’s a matter that should be watched with great interest.