[kictanet] Vodafone denies Huawei Italy security risk
Ali Hussein
ali at hussein.me.ke
Thu May 2 10:26:36 EAT 2019
Dear Adam and listers
How can we as Citizens of the World bring more attention to these issues?
*Ali Hussein*
*Principal*
*AHK & Associates*
Tel: +254 713 601113
Twitter: @AliHKassim
Skype: abu-jomo
LinkedIn: http://ke.linkedin.com/in/alihkassim
13th Floor , Delta Towers, Oracle Wing,
Chiromo Road, Westlands,
Nairobi, Kenya.
Any information of a personal nature expressed in this email is purely
mine and does not necessarily reflect the official positions of the
organizations that I work with.
On Tue, Apr 30, 2019 at 9:25 PM Adam Lane via kictanet <
kictanet at lists.kictanet.or.ke> wrote:
> Dear Patrick
>
> Please note that Vodafone have responded to the inaccurate report from
> Bloomberg. The report is https://www.bbc.com/news/business-48103430 and
> copied below. You may also be interested in reading this report:
> https://www.zdnet.com/article/cisco-removed-its-seventh-backdoor-account-this-year-and-thats-a-good-thing/
> explaining that Cisco has already found seven “backdoors” into its
> equipment just this year alone.
>
>
>
> This is not a Huawei issue, or an espionage issue. It is a global ICT
> security issue that all companies are constantly struggling with. As you
> can read (or ask a technical expert), there are many bugs in many products
> (your apps on your phone are probably being updated on a weekly basis…) due
> to the nature of software development which are constantly being found and
> addressed; companies like Cisco and Huawei (along with customers like
> Vodafone) do the tests and find these (usually) before going to market
> (though sometimes afterwards) and address them urgently.
>
>
>
> I am not sure how this issue of bugs in software relates to multinationals
> illegally collecting and selling business insights. I am sure the local
> companies have just as many bugs in their software too, and all of us need
> to collaborate to address them, improve software development standards, and
> raise the bar. This is not a policy issue, it is a technical issue.
>
> You are certainly right that trust is good for business; unfortunately
> poor journalism such as that by Bloomberg which published before getting
> the “other side of the story” from Vodafone itself is not helping. I
> appreciate that you understand this, as you also referenced the ZDnet
> article which is much better reporting than Bloomberg, including
>
> *Instead, Huawei says it was "technical flaws in equipment" which were
> fixed. "These were technical mistakes in our equipment, which were
> identified and corrected," the spokesperson said. "The accepted definition
> of 'backdoors' is deliberately built-in vulnerabilities that can be
> exploited -- these were not such. They were mistakes which were put right."*
>
> Regards
>
> Adam
>
>
>
> https://www.bbc.com/news/business-48103430
>
>
>
> *Vodafone denies Huawei Italy security risk*
>
> *Vodafone has denied a report saying issues found in equipment supplied to
> it by Huawei in Italy in 2011 and 2012 could have allowed unauthorised
> access to its fixed-line network there.*
>
>
>
> *A Bloomberg report said that Vodafone spotted security flaws in software*
> <https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment> that
> could have given Huawei unauthorised access to Italian homes and businesses.
>
> The US refuses to use Huawei equipment for security reasons.
>
> However, reports suggest the UK may let the firm help build its 5G network.
>
> This is despite the US wanting the UK and its other allies in the "Five
> Eyes" intelligence grouping - Canada, Australia and New Zealand - to
> exclude the company.
>
> Australia and New Zealand have already blocked telecoms companies from
> using Huawei equipment in 5G networks, while Canada is reviewing its
> relationship with the Chinese telecoms firm.
>
> In a statement, Vodafone said: "The issues in Italy identified in the
> Bloomberg story were all resolved and date back to 2011 and 2012.
>
> *"The 'backdoor' that Bloomberg refers to is Telnet, which is a protocol
> that is commonly used by many vendors in the industry for performing
> diagnostic functions. It would not have been accessible from the internet.*
>
> *"Bloomberg is incorrect in saying that this 'could have given Huawei
> unauthorised access to the carrier's fixed-line network in Italy'.*
>
> *"In addition, we have no evidence of any unauthorised access. This was
> nothing more than a failure to remove a diagnostic function after
> development.*
>
> "The issues were identified by independent security testing, initiated by
> Vodafone as part of our routine security measures, and fixed at the time by
> Huawei."
>
> A Huawei spokesperson said: "We were made aware of historical
> vulnerabilities in 2011 and 2012 and they were addressed at the time.
>
> "Software vulnerabilities are an industry-wide challenge. Like every ICT
> [information and communications technology] vendor, we have a
> well-established public notification and patching process, and when a
> vulnerability is identified, we work closely with our partners to take the
> appropriate corrective action."
>
> Several European telecoms operators are considering removing Huawei's
> equipment from their networks.
>
> But the firm's cyber-security chief, John Suffolk, has described the firm
> as "the most open [and] transparent company in the world".
>
> In January, Vodafone "paused" the deployment of Huawei equipment in its
> core networks in Europe until Western governments resolved their security
> concerns about the company.
>
> Huawei has been accused of being a potential security risk and of being
> controlled by the Chinese government - allegations it has always firmly
> denied.
>
> With the introduction of the 5G network in the UK approaching, telecoms
> operators say the way it would work, in a highly integrated system
> alongside 4G, means that excluding Huawei is not realistic without
> significant cost and delay.
>
> That would include potentially removing existing hardware, leading to the
> UK falling behind other countries.
>
> The company is the world's third-largest supplier of mobile phones, behind
> Samsung and Apple.
>
>
>
>
>
> *Senior Director, Public Affairs*
>
> *Huawei Southern Africa*
>
> Mobile: +254-7909-85886
>
> *Read Huawei Kenya’s First Ever Sustainability Report *here
> <https://www.huawei.com/minisite/explore-kenya/pdf/huawei_kenya_csd_report.pdf>
>
>
>
> *From:* kictanet [mailto:kictanet-bounces+adam.lane=
> huawei.com at lists.kictanet.or.ke] *On Behalf Of *Patrick A. M. Maina via
> kictanet
> *Sent:* Tuesday, April 30, 2019 8:59 PM
> *To:* Adam Lane <adam.lane at huawei.com>
> *Cc:* Patrick A. M. Maina <pmaina2000 at yahoo.com>
> *Subject:* [kictanet] [Economic Espionage Risks] Vodafone has
> 'acknowledged' that it Found Hidden Backdoors in Huawei Equipment (but says
> the issues were resolved).
>
>
>
> Dear Listers,
>
>
>
> These kinds of global reports should concern Kenyan business CEOs and
> Boards in all sectors (as well as economic / technology policymakers) -
> unless Kenya has little or no interest in competing regionally or
> internationally to generate new streams of foreign exchange; and even then,
> are we able to protect our local "home turf" competitive advantage, should
> multinational actors decide to illegally collect and sell (or leverage)
> unfairly acquired local business insights, in order to give affiliated new
> entrants unfair advantage over local enterprises?
>
>
>
> These are legitimate and global policy concerns. If such things are
> happening in advanced, tech-savvy economies, what about here in Africa? Is
> the world having a party at our expense?
>
>
>
> Trust is good for business - but it is not wise to trust blindly. If we
> refuse to learn from others, or from history, it will be difficult for us
> to hand over to our children/youth a future that proves that we played our
> part responsibly as present-day custodians.
>
>
>
> We need to start thinking of our existence in less selfish terms: as a
> relay race, where it is our duty to ensure that we pass on a better future
> to our children/youth. Let's wake each other up. We must start BELIEVING in
> ourselves and LOVING ourselves so that our children can believe in, and
> love themselves as well.
>
>
>
> Excerpts below:
>
> -------------------------------
>
>
>
> Reported by Bloomberg today (30th April 2019):
>
>
>
> "[Vodafone] identified hidden backdoors in the software that could have
> given Huawei unauthorized access to the carrier’s fixed-line network in
> Italy, a system that provides internet service to millions of homes and
> businesses, according to Vodafone’s security briefing documents from 2009
> and 2011 seen by Bloomberg, as well as people involved in the situation.
>
>
>
> Vodafone asked Huawei to remove backdoors in home internet routers in 2011
> and received assurances from the supplier that the issues were fixed, but *further
> testing revealed that the security vulnerabilities remained,* the
> documents show.
>
>
>
> Vodafone said Huawei then *refused to fully remove the backdoor, citing a
> manufacturing requirement.*
>
>
>
> The April 2011 document was authored by its Chief Information Security
> Officer at the time, Bryan Littlefair. 'What is of most concern here is
> that actions of Huawei in agreeing to remove the code, then trying to hide
> it, and now refusing to remove it as they need it to remain for ‘quality’
> purposes,' Littlefair wrote.
>
>
>
> 'There’s no specific way to tell that something is a backdoor and most
> backdoors would be designed to look like a mistake,' said Stefano Zanero,
> an Associate Professor of Computer Security at Politecnico di Milano
> University. 'That said, the vulnerabilities described in the Vodafone
> reports from 2009 and 2011 have all the characteristics of backdoors:
> deniability, access and a tendency to be placed again in subsequent
> versions of the code,' he said.
>
>
>
> Vodafone also identified backdoors in parts of its fixed-access network
> known as optical service nodes, which are responsible for transporting
> internet traffic over optical fibers, and other parts called broadband
> network gateways, which handle subscriber authentication and access to the
> internet...
>
>
>
> In Vodafone’s case, the risks included possible third-party access to a
> customer's personal computer and home network, according to the internal
> documents.
>
>
>
> However, Vodafone’s account of the issue was contested by people involved
> in the security discussions between the companies. [who allege that] *Vulnerabilities
> in both the routers and the fixed access network remained beyond 2012 and
> were also present in Vodafone’s businesses in the U.K., Germany, Spain and
> Portugal*. Vodafone stuck with Huawei because the services were
> competitively priced, they said."
>
>
>
> Links:
>
>
>
> 1. Vodafone found Hidden Backdoors in Huawei Equipment
>
>
> https://www.bloomberg.com/news/articles/2019-04-30/vodafone-found-hidden-backdoors-in-huawei-equipment
>
>
>
> 2. Huawei denies existence of ‘backdoors’ in Vodafone networking equipment
>
>
> https://www.zdnet.com/article/huawei-denies-existence-of-backdoors-in-vodafone-networking-equipment-brands-them-technical-flaws/
>
>
>
> Best regards,
>
> Patrick.
>
>
>
> Patrick A. M. Maina
>
> [Cross-domain Innovator | Public Policy Analyst - Indigenous Innovations]
>
>
>
>