Huawei Security Concerns

Huawei Technologies Co. Ltd. is a major Chinese telecommunications company whose equipment has been banned in the US, and many Westernized democracies, including Australia, Japan, the UK, and India, have banned its telecom gear from core 5G functions. In this research I present my opinions about two of its products:

  • Should you use Huawei’s Enterprise Service Bus, ROMA, to connect your apps?
  • Should you use their new database platform, GaussDB?

Their products range from smartphones to advanced 5G network equipment, and face growing criticism from security experts and governments regarding cybersecurity and espionage risks. What is not well known is that over 3500 enterprises, mostly in Asia, the EU, Africa, and South America, are using Huawei’s Enterprise Service Bus and iPaaS:

  • Integration Platform as a Service, called ROMA, for a variety of mission-critical applications such as Smart City deployments, Smart Grids, and other critical application infrastructure.
  • Huawei has now announced a database platform called GaussDB as a potential Oracle replacement. The Register reports that IDC has rated it the No. 1 Chinese database by market share, which in my opinion is misleading, as the deployments counted within Huawei’s own estate are self-serving.

WHAT ARE THE CONCERNS?

Cybersecurity experts, intelligence agencies, and political leaders have argued that Huawei’s products, especially when used in 5G networks or associated critical infrastructure, pose significant security risks. A PBX or telephone switch can be used for cyber-espionage: these switches also perform Lawful Intercept and can capture call logs (who you are calling), call content (call recording) and other personal information for legal purposes, but that same capability can be misused for cyber-espionage. Given Huawei’s theft of IPR, documented and adjudicated in the US in cases involving Cisco Systems and T-Mobile, as well as significant evidence directly tying both Huawei and its founder Ren Zhengfei to the CCP and China’s People’s Liberation Army (PLA), Western democracies have conducted classified studies of its espionage activities. In 2013, the former head of the CIA and National Security Agency (NSA), Michael Hayden, stated that there is tangible classified evidence that Huawei has engaged in CCP-directed cyber-espionage activities.

Under Chinese law, it is widely held that the CCP could force Huawei to provide customer data or network access upon request. China’s 2017 National Intelligence Law applies to all private enterprises based in China and their foreign subsidiaries, and can compel Chinese entities to provide active support to Chinese intelligence-gathering activities. Despite this, Huawei denies it.

In March 2019, Microsoft discovered software in Huawei’s MateBook laptops that used code similar to a leaked NSA hacking tool, which was stolen from the NSA by Russia’s KGB (now called the FSB) using Kaspersky’s software, and then shared or stolen between the Communist countries of Russia and China. A 2021 report by SentinelOne noted how a hacker group called ThunderCats (associated with China) hacked the websites of Russian government agencies to obtain the NSA tools.

Analysts at Microsoft revealed that they found a back door in Huawei laptops that allowed unprivileged users access to all laptop data. The NSA’s DoublePulsar, a malware instrument leaked in early 2017, was used by hackers in the WannaCry ransomware attack, as one example.

Huawei has consistently denied such claims of unprivileged backdoor access, stating that no such backdoor incident had ever been detected, even when confronted with evidence to the contrary.

What’s at Issue with an ESB, and iPaaS from Huawei?

An integration Platform as a Service (iPaaS) or Enterprise Service Bus (ESB) solution typically handles massive data volumes across multiple application sources, and supports the ever-increasing number of cloud solutions that an enterprise wants to use; much of this data is private information. To quickly, efficiently, and cost-effectively integrate data from legacy on-premises sources as well as new cloud applications, ESB and iPaaS solutions are given direct access to an enterprise’s APIs and internal databases.

ESB and iPaaS solutions have to be trusted with sensitive data. An investment in an iPaaS or ESB solution must come with robust security mechanisms such as data encryption, password protection, and information security standards, ideally with role-based access controls and a policy-controlled workflow engine that documents process compliance and flags or prevents any non-compliance in real time, should it occur. For example, should the IT manager access HR records at 3 AM? Should the CRM tool access HR records? Should an internal database be transmitted to a foreign actor by the ESB? Should an internal API be invoked by a foreign actor via the iPaaS solution?
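The four questions above translate directly into policy rules that an ESB audit stream can be checked against. The following is an added example, not code from Huawei, ROMA or any vendor; the roles, resource names, internal domain and the sample events are all constructed assumptions, and the rules cover RBAC, time-of-day, data egress and inbound API calls in one pass.

```python
from dataclasses import dataclass
from datetime import datetime

# Assumption: hosts under this domain are enterprise-owned; anything else is external.
INTERNAL_DOMAINS = ("corp.example",)
BUSINESS_HOURS = range(8, 18)
# Assumption: the ESB's RBAC layer resolves every caller to one role (role -> resources).
ALLOWED = {"hr_admin": {"hr_records"}, "it_manager": {"hr_records", "asset_db"},
           "crm_service": {"customer_db", "sales_api"}}

@dataclass(frozen=True)
class Event:
    id: str
    role: str
    action: str      # "read", "transmit" (data leaving via the ESB) or "invoke" (API call)
    resource: str
    caller: str      # host that initiated the request
    target: str      # host that receives the data or is being called
    time: datetime

def is_internal(host: str) -> bool:
    return any(host == d or host.endswith("." + d) for d in INTERNAL_DOMAINS)

def violations(ev: Event) -> list[str]:
    """Return every policy the event breaks; an empty list means the event is compliant."""
    found = []
    if ev.resource not in ALLOWED.get(ev.role, set()):
        found.append(f"RBAC: role {ev.role} may not {ev.action} {ev.resource}")
    if ev.resource == "hr_records" and ev.time.hour not in BUSINESS_HOURS:
        found.append(f"TIME: hr_records touched at {ev.time:%H:%M}, outside business hours")
    if ev.action == "transmit" and not is_internal(ev.target):
        found.append(f"EGRESS: {ev.resource} sent to external host {ev.target}")
    if ev.action == "invoke" and not is_internal(ev.caller):
        found.append(f"INGRESS: {ev.resource} invoked from external host {ev.caller}")
    return found

def evaluate(events: list[Event]) -> dict[str, list[str]]:
    return {ev.id: violations(ev) for ev in events}

# Constructed sample audit events mirroring the four questions in the text.
SAMPLE = [
    Event("e1", "hr_admin", "read", "hr_records", "hr1.corp.example", "esb.corp.example", datetime(2024, 5, 6, 10, 0)),
    Event("e2", "it_manager", "read", "hr_records", "ops1.corp.example", "esb.corp.example", datetime(2024, 5, 6, 3, 0)),
    Event("e3", "crm_service", "read", "hr_records", "crm.corp.example", "esb.corp.example", datetime(2024, 5, 6, 11, 0)),
    Event("e4", "crm_service", "transmit", "customer_db", "esb.corp.example", "sync.example.net", datetime(2024, 5, 6, 12, 0)),
    Event("e5", "crm_service", "invoke", "sales_api", "203.0.113.7", "api.corp.example", datetime(2024, 5, 6, 13, 0)),
]

if __name__ == "__main__":
    for eid, findings in evaluate(SAMPLE).items():
        print(eid, "OK" if not findings else "; ".join(findings))
```

A real workflow engine would evaluate these rules before the message is forwarded and block on a non-empty result, rather than only flagging it after the fact.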

The Solution!

According to Gartner’s report entitled “Magic Quadrant for Web Application and API Protection”, solutions exist such as web application and API protection (WAAP), which are firewalls extended with the following features:

  • WAF: Web Application Firewall
  • Distributed denial-of-service (DDoS) protection
  • Bot management
  • API protection

This is good, as the above can protect applications and APIs running on different types of host environments such as web servers, service containers and PaaS (Platform as a Service) solutions.

What’s at Issue with the Database Platform from Huawei: GaussDB?

Apart from the risk of having proprietary information stored in a database, Dark Reading has identified several cybersecurity vulnerabilities for databases:

  1. Passwords and login credentials shared with a banned actor.
  2. SQL injection: when your database platform fails to sanitize inputs, attackers can execute SQL injections similar to the way they do in web-based attacks, eventually allowing them to elevate privileges and gain access to a wide spectrum of functionality.
  3. Role-based access controls given to the database vendor: extensive user and group privileges provided to an outside party.
  4. Increased attack surface from unknown vendor-specific features and access, including software updates and maintenance. What is to prevent the vendor from sending privileged data out?
  5. Unsafe configuration management: what is to prevent database replication to an outside party?
  6. Buffer overflow vulnerabilities and denial-of-service attacks are a common attack vector; coming from a banned network solutions vendor increases this eventuality.
  7. Unencrypted data in motion, or keys in use being shared with rogue actors.

Now, what is at issue is that these platforms do not protect against rogue employees, whether at the enterprise or at the vendor of the database, ESB or iPaaS offering, who are legitimate users during normal times but occasionally turn rogue. These platforms need to be trusted and verified, with policy-based controls, not to transmit any data other than for its proper usage.

This requires careful scrutiny of the security solution offered by the database, ESB and iPaaS vendor: the API protection supported, whether the country it is founded in is trusted, the security it provides, the role-based access controls offered, the security vulnerability assessments provided and verified, and whether it is used and validated by trusted defense or government agencies or by vendors in the security arena.

If the answer is no, as in the case of Huawei’s ROMA solution and GaussDB, enterprises in westernized democracies should explore other vendors that are reputable and deployed in trusted government and defense agencies, as well as by cybersecurity providers.


- Akshay Sharma, CTO Kovair Software, Advisor Lionfish Tech Advisors.


Cover image source: Dall-e