The controversy over Huawei’s involvement in the 5G telecom gear market ratcheted up a notch this week. U.S. officials said they have evidence that the Chinese equipment giant has had access to backdoors inside mobile carrier networks for more than 10 years.
Officials are trying to make the case that the U.S. and its allies should ban Huawei from supplying infrastructure for 5G networks going forward, due to what they say is the possibility of widespread, Beijing-backed espionage.
Huawei rejected the allegations, and other countries around the world are continuing to build networks using the vendor’s gear despite the U.S. position on the vendor. But security experts say that 5G supply-chain concerns should be taken seriously – whether it’s in the context of Huawei or not.
“A backdoor to a lawful intercept interface could yield a treasure trove of information to a malicious actor — including the current location of a target, details including when and where a call was placed, and even the ability to eavesdrop or listen into a current call,” Russ Mohr, engineer and Apple evangelist at MobileIron, told Threatpost. “A backdoor is an extremely valuable resource to a bad actor, and it is likely that it would be much more valuable as an asset to collect data than as a mounting point for an attack — although it may provide an opportunity to inject ransomware into a 5G network targeting a mobile carrier.”
The feds told the Wall Street Journal that Huawei can make use of backdoors that have been put in place by lawful-intercept legislation. Implemented around the world, these laws allow law enforcement to access call records, location data and other wireless network information during the course of a criminal investigation, under certain circumstances (in the U.S. it takes a special court approval process). The idea of lawful intercept is probably best-known from the Patriot Act, passed by the Bush administration in the wake of 9/11. That expanded law enforcement’s access to electronic records in the context of suspected terror threats.
While declining to offer details, U.S. officials claim that Huawei has had a secret capability to tap into these lawful-intercept interfaces without carriers’ knowledge, since 2009.
According to the Wall Street Journal, national security adviser Robert O’Brien alleged, “We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world.”
Huawei has vigorously denied the allegations. A senior Huawei official told the paper: “The use of the lawful interception interface is strictly regulated and can only be accessed by certified personnel of the network operators. No Huawei employee is allowed to access the network without an explicit approval from the network operator,” the official said.
Accessing the backdoors without carrier permission “is extremely implausible and would be discovered immediately,” the official added.
Meanwhile, amidst all of this back-and-forth, the U.S. efforts to bring allies on board with a 5G ban for Huawei have largely fallen on deaf ears. The European Union in October, without naming Huawei, did warn of the danger that “state-backed 5G suppliers” could present. Yet last month, the U.K. said that its analysis of the U.S. evidence did not lead to a conclusion that a ban was necessary. The country has given the greenlight to carriers, allowing Huawei gear in the noncore parts of 5G networks.
And in Germany, a bill is making its way through legislature (with the backing of Deutsche Telekom) that would allow Huawei full access to the 5G market there as long as it meets certain conditions.
Similarly, in Canada, top operator Telus said it will use Huawei 5G equipment “out of the gate,” as it readies its launch later this year.
“We’ve already seen that Huawei equipment, although essentially disallowed in the U.S., will be deployed in more 5G networks than other leading infrastructure manufacturers such as Nokia and Ericsson,” Mohr told Threatpost. “For instance, the U.K. has agreed to allow Huawei equipment to be deployed ‘non-sensitive’ areas, with Germany widely expected to follow suit.”
In general, the geopolitical finger-pointing highlights the continued concern around security for 5G mobile networks, according to security experts.
5G: An Expanding Threat Landscape
5G networks are fundamentally different than prior wireless networks in that they are largely software-defined and virtualized; network functions, historically defined in hardware, become virtual software capabilities in 5G, all orchestrated via a flexible software control plane. Even the air interfaces in the radio access network (RAN) are software-defined in 5G.
Also, 5G networks will make use of edge computing, where applications, general-purpose compute, storage, and associated switching and control functions that are required to run them are housed relatively close to end users and internet of things (IoT) endpoints or both. That’s a shift from centralized architectures common to 4G and before, and creates a much larger computing footprint.
All of this vastly expands the attack surface and the possibility for the emergence of rafts of exploitable vulnerabilities throughout the architecture — in places that were never exposed before, according to the E.U. report.
“Although 5G is regarded as the most secure mobile protocol to date, we’ve seen exploits are possible,” Mohr told Threatpost. “With the widespread adoption of network virtualization — which means that less and less specialized hardware is deployed in carrier networks — it’s possible that malicious actors could gain visibility and control over 5G networks through a single point of entry.”
To protect against cybersecurity concerns, it’s important that carriers put their sourced gear through a thorough vetting, from top layer applications all the way down to the firmware level, where backdoor implants are placed.
“Carriers should make use of existing security tools and hire independent auditors to assess all aspects of their 5G networks,” Mohr said. “They also should take steps to make sure that their vendors are implementing the latest versions of the 5G protocols in the equipment or software they have purchased…Mobile operators should invest in automating and augmenting their internal testing teams to make sure that these releases aren’t held up by extensive internal carrier testing cycles.”
Regulation could also play an important role, according to Mohr. “The European Union recently announced a ‘Toolbox for 5G Security,’ with many expecting greater details to be announced during the now-cancelled Mobile World Congress in Barcelona,” he told Threatpost. “The intent is to examine existing 5G networks, including network supply chains, for vulnerabilities. This said, compliance will vary among nation states and carriers, and of course, any E.U. regulation no longer applies to the U.K.”
Terry Dunlap, chief strategy officer and co-founder of ReFirm Labs, noted that Huawei’s cellular base stations or small cells have significant pricing, size and energy consumption advantages over the other top competitors – which, he said, should not blind carriers as they go about their vetting processes.
“It’s important to note that Huawei gets its foot in the proverbial door via very attractive pricing that is the result of subsidization by the Chinese government,” he told Threatpost. “Their strategy is long-term, slowly over time adding more and more pieces of communications gear until the eventual switching costs you would face from a non-subsidized replacement option become huge. We cannot be penny wise and pound foolish. There’s too much at stake.”
Learn how Operational Technology and Information Technology systems are merging and changing security playbooks in this free Threatpost Webinar. Join us Wednesday, Feb. 19 at 2 p.m. ET when a panel of OT and IT security experts will discuss how this growing trend is shaping security approaches for IoT and 5G rollouts. This webinar is for security and DevOps engineers, IoT edge developers and security executives.