What are the risks of buying Chinese IT?
There are four commonly mentioned threats associated with buying goods from Chinese companies such as Huawei, ranging from the imagined and unlikely to clear and serious business risks.
1)
The Magic Kill Packet: Straight out of a Hollywood summer blockbuster, the Magic Kill Packet threat is that someone, somewhere, can cause network equipment to shut down by sending some special combination of ones and zeros. This magic kill packet would be sent during a real-world cyberwar involving China and, one supposes, everyone who bought Huawei equipment. (Huawei’s domestic sales represent about one-third of its total revenues.) While the idea of a Magic Kill Packet (and similar ticking time bomb threats) doesn’t hold up to any serious analysis, it makes for good chatter in the blogosphere. Security and network managers who have to calm anxious senior managers can point out that the control plane for enterprise routers is always separate and firewalled from the data plane, so to inflict the Magic Kill Packet, an attacker would already have to have cracked into the network. And such a packet at the data plane would also be nearly impossible to inject, given the heavy use of access control lists, firewalls and NAT in enterprises. Even then, there’s no way a Magic Kill Packet could shut down an entire network, because each individual device would have to be carefully targeted with a specifically engineered strategy to deliver the payload.
2)
Intentionally bad software: This threat suggests that Chinese-manufactured devices have hidden back doors that would allow an attacker to gain special access. One example is a master password that allows an attacker to log into the device as an administrator at any time. For example, in 2003, Dave Tarbatt discovered that most manageable UPS backup devices made by American Power Conversion Corp. (APC) could be accessed with a secret factory default password, intentionally placed there by the APC. (Of course, the “A” in “APC” stands for “American,” so this isn’t just a Chinese issue.)
If we all stopped buying from every vendor that has had security flaws in its products, we’d have a hard time moving beyond pencil and paper.
A more complicated version of the Intentionally Bad Software threat applicable to a Chinese vendor might include a hidden intentional bug that would allow an attacker access through some other path. For example, the SSH server in the device might be susceptible to a particular
buffer-overflow attack. An intrusion exploiting this would seem like a typical
zero-day attack. Of course, intentional bugs and master passwords would, like the Magic Kill Packet, only work for a short period of time and for a few devices once the intrusion was detected.
Intentionally bad software in telecommunications hardware could also expose encrypted data in virtual private networks (VPNs). If the random number generator used in an IPSec or SSL VPN device is not truly random, then an outsider who knows about the lack of randomness may be able to decipher data secured with even the most advanced encryption protocols, and no evidence of any tampering left behind. If an attacker can passively tap encrypted traffic, information disclosure could go on for years without anyone finding out.
Intentionally bad software—factory default passwords, known bugs that would allow access and defective random number generators—seem like plausible outcomes if one assumes Chinese manufacturers are operating under direct instructions of the Chinese government or military.
Like the Magic Kill Packet, these threats don’t make a lot of sense. Since Chinese manufacturers also dominate the Chinese marketplace, any dangling backdoor intentionally left in network equipment would also be accessible to someone wanting to monitor Chinese communications. Chinese manufacturers, or their shadowy military puppet masters, couldn’t risk installing a secret backdoor unless they were sure only they could take advantage of it. And as groups like
Anonymous and
Wikileaks have shown us, even the best-kept secrets can quickly be revealed.
3)
Unintentionally Bad Software: If intentional backdoors are unlikely, then what about plain old bugs? What about the possibility that critical infrastructure devices and servers have software or hardware errors in them that could possibly compromise the security of a network? Would that be a reason to knock a vendor off one’s preferred suppliers list?
Of course, this question can only be asked in jest, because every single software, hardware and chip vendor has released products with bugs. Everyone knows it, and these bugs have created an entire industry. Most of the IT security world, including anti-malware, vulnerability analysis, patch management and intrusion prevention software, sprung up to compensate for the effects of lousy software, buggy hardware and poor configurations. If we all stopped buying from every vendor that has had security flaws in its products, we’d have a hard time moving beyond pencil and paper.
In the “intentionally bad software” category, we put “poor random number generators for VPNs.” But poor random number generators happen accidentally all the time, sometimes with spectacular results. For example, early versions of the Netscape browser used only a 16-bit random number generator for SSL communications, making a brute-force attack on encrypted data simple even using the slowest computers. MIT’s
Kerberos key management system, now at the core of the Windows security architecture, had a random number generator with a key space limited to about 20 bits (about 1 million keys, easy to brute force), for nearly 10 years.
But it isn’t fair to put, for example, Huawei in the same category as Cisco and Juniper when it comes to security awareness. Huawei claims to be a willing participant in the world of information security. On its website, Huawei said that it “… is willing to work with all governments, customers and partners through various channels to jointly cope with cyber-security threats and challenges from cyber-security.”
However, while Huawei is talking the talk, it isn’t exactly walking the walk. A combination of factors, including significant cultural and language issues, has kept Huawei from following the path of other vendors. We have come to expect responsible disclosure of security problems, prompt product updates for known issues, active participation in industry security forums, and easy access to security-patched software images from our network and security product vendors. Huawei security isn’t up to snuff in any of these areas.
But this is an issue with a single vendor and completely transcends national boundaries. Yes, Huawei may be a poor bet for buggy software, but that’s not because it’s Chinese; it’s because Huawei behaves more like a bargain-basement, release-and-forget , releasehardware vendor in the routing and switching space than a high-end security-focused networking company like Cisco, Juniper or HP.
In other words, the standard for choosing a network product vendor isn’t necessarily the pattern on the flag above the company headquarters, but the way that the vendor participates in the worldwide information security community. Vendors who pay more than lip service to maintain the security of their products are better equipped to serve the needs of enterprise users. Network and security managers considering the purchase of critical infrastructure must pay attention to these issues, no matter what the origin of the equipment.
4)
Business Issues: Not every threat to network security has its origins in bad or malicious software and hardware. An important, non-technical issue when considering suppliers from China is the differing cultural frameworks for both competition and intellectual property. The Chinese government and political infrastructure requires that any successful company be intertwined with the Communist Party, which itself is integrated into the government and military infrastructure of the country. This is normal in China. As long as buyers are aware of this as a standard part of doing business with Chinese manufacturers, and act accordingly, there is no particular reason to worry about one Chinese supplier over another. Huawei’s ties to the government and military are not a quiet conspiracy—this is just how big business happens in China.
However, the commingling of interests between Chinese companies and the Chinese government means that Chinese companies owe their first loyalty to China, and not necessarily to their customers. The implication of this loyalty structure is that network equipment buyers must be sure to engage in secure practices when working with all of their vendors. Many IT employees have come to regard equipment suppliers as trusted partners, offering broad access to help in troubleshooting and sharing sensitive information about network configurations and growth plans. Network and security managers dealing with Chinese companies should consider the different attitudes and loyalties of these companies, and maintain a healthy distance when it comes to sensitive information and access controls.
There are a number of concerns worth mentioning that aren’t specific to information security. One is company stability. Is there any way to really know if Huawei and ZTE will be around next year, supporting the products they’re selling now? A related concern is a relative lack of transparency compared to most U.S. and European companies. When reports on company financials or even company ownership are unaudited or, in some cases, completely unavailable, cautious buyers may have little to validate their choices. Even when information is available, it may not be easy to compare Chinese companies with their competitors. Huawei and ZTE, as two of the largest telecommunications vendors in the world with tens billions of dollars in sales, seem to be strong companies, but it is impossible for a typical network manager—or U.S. congressional committee—to say for sure.
http://searchsecurity.techtarget.co...-Factors-to-consider-before-buying-Chinese-IT
