Vodafone discovered that the home routers that Huawei provided for its Italian residential broadband business had a “backdoor” — an open telnet interface that could allow attackers to take over the router and surveil the user’s network — and after they complained to Huawei about it, Huawei released an update that they claimed removed the interface, but that this was a lie.
Bloomberg’s Daniele Lepido broke the story, and it’s a little confusing. The term “backdoor” implies that Huawei left an interface open so that it could do something nefarious, like conducting surveillance on Vodafone’s customers, but Huawei’s statements about the interface imply that it was a sloppy mistake — they say that the telnet interface was used as part of the setup and configuration process, and that they couldn’t remove it altogether without making it hard (or maybe impossible?) to set up their routers.
If Huawei is to be believed, then they are guilty of terrible security practices (that’s a really stupid way to design a router), but not necessarily guilty of a “backdoor” in the customary sense of the word. But as one expert quoted by Bloomberg notes, if you were going to design a deliberate backdoor, you’d be smart to disguise it as a programming error.
Much more damning (and somewhat buried in the Bloomberg reporting) is the presence of telnet interfaces in “optical service nodes” (which are used for managing fiber optic traffic) and “broadband network gateways” (which bridge between customer equipment like home routers and internet backbones). A criminal or state actor who compromised these systems could conduct mass surveillance, as opposed to merely spying on (or compromising the devices of) a single household.
Vodafone told Bloomberg that it discovered these defects (or backdoors, or whatever) in 2011 and 2012, and that Huawei fixed them. But unnamed Vodaphone sources told Bloomberg that this is a lie: when Vodaphone checked to verify whether Huawei had patched its equipment, they discovered that it was still vulnerable.
Vodafone has recently taken up a vigorous defense of Huawei, whose equipment will be used in Vodafone’s UK 5G rollout. Bloomberg’s sources said that Vodafone’s defense of Huawei was motivated by cost-savings, because Huawei is cheaper than its competitors.
Vodafone managers had concerns with the security of the routers almost right away. They were the topic of an internal presentation from October 2009 that pointed to 26 open bugs in the routers, six identified as “critical” and nine as “major.” Vodafone said in the report that Huawei would need to remove or inhibit a so-called telnet service—a protocol used to control devices remotely—that the carrier said was a backdoor giving Huawei access to sensitive data.
In January 2011, Vodafone Italy started a deeper probe of the routers, according to an April report from the year. Security testing by an independent contractor identified the telnet backdoor as the greatest concern, posing risks including giving unauthorized access to Vodafone’s broader Wide Area Network (WAN is a network that spans a large footprint). Vodafone noted that it’s an industry practice by some router manufacturers to use a telnet service to manage their equipment, but the company said it didn’t allow this.
The document chronicles a two-month period during which Vodafone’s Italian unit discovered the telnet service, demanded its removal by Huawei and received assurances from the supplier that the problem was fixed. After further testing, Vodafone found that the telnet service could still be launched.
Vodafone said Huawei then refused to fully remove the backdoor, citing a manufacturing requirement. Huawei said it needed the telnet service to configure device information and conduct tests including on wifi, and offered to disable the service after taking those steps, according to the document.
Vodafone Found Hidden Backdoors in Huawei Equipment [Daniele Lepido/Bloomberg]
A Virginia state judge ruled earlier this month that automated license plate data collection by police qualified as protected “personal information,” and was illegal, because it included the following elements all combined: The license plate number, images of the vehicle and license plate and immediate surroundings, plus GPS location and time and date.
Every year, the Mozilla Foundation releases a massive “Internet Health Report” summarizing the ways in which the internet is being used to both support and subvert human thriving; though these reports cover a wide range of topics, every year the foundation chooses a small number of themes to focus on. This year, they are Let’s […]
An overwhelming vote in the European Parliament last week means that the EU will merge a grab bag of existing biometric databases to create the Common Identity Repository (CIR), with biometric data on 350,000,000 people (both EU- and non-EU persons) that will be available for use by all EU police and border authorities.
We’ve all had it stuck in our head: That catchy song, sometimes a favorite but mostly out of nowhere, endlessly looping just on the tip of our tongue. It can be annoying, but it was only a matter of time before somebody put the addictive properties of music to good use. And the name says […]
Haven’t tried CBD yet? We get it. CBD (or cannabidiol) is a non-psychoactive compound derived from the cannabis plant that has loads of testimonials about its stress-busting properties, but whose products can you trust in a largely unregulated field? Sunday Scaries are emerging as a pretty good bet. The company was started by two avid […]