While everyone was distracted with Justice Department controversies and the New Hampshire primary, a senior Huawei official has conceded that the company can clandestinely access users’ mobile networks.
On Feb. 11, the Wall Street Journal ran a story citing U.S. officials who claimed that Huawei can “covertly access mobile-phone networks around the world through ‘back doors’ designed for use by law enforcement.” In other words, these officials claimed that Huawei can exploit backdoors intended for law enforcement in order to access user data without the permission of either users or the network operator. The Journal also quoted National Security Adviser Robert O’Brien as saying, “We have evidence that Huawei has the capability secretly to access sensitive and personal information in systems it maintains and sells around the world.”
As always, Huawei denied these allegations. Huawei asserts that it “has never and will never do anything that would compromise or endanger the security of networks and data of its clients.” The company adds, “We emphatically reject these latest allegations. Again, groundless accusations are being repeated without providing any kind of concrete evidence.”
But in the Journal story, Huawei itself has provided evidence that it builds backdoors into its products. In particular, the Journal quoted a senior Huawei official as saying that network access without operator permission “is extremely implausible and would be discovered immediately.” This statement is extremely significant in understanding what Huawei equipment can and cannot do.
Assuming that these words accurately represent the Huawei position, Huawei has not said that network access without operator permission is technically impossible—only that it is implausible and would be discovered immediately. These are very different claims. The first claim is that network access without operator permission categorically cannot happen. The second claim is that network access without operator permission can happen (though it is implausible) but that any such access would be discovered. Indeed, if an event does not and cannot happen, what would there be to discover?
Perhaps it would be discovered. But discovery of such network access could occur only with constant vigilance by the network operator. Anyone with security experience can tell you that requiring constant vigilance is a guaranteed path to eventual security failure.
So there you have it. A senior Huawei official has acknowledged that network access without operator permission is technically possible, as Huawei has gone from saying “it cannot happen” to “it can happen but someone would notice it.” For me, the comments from the unfortunately unnamed Huawei official are far more damaging to Huawei’s claims of “no backdoors” than the assertions from U.S. officials, who have not yet made public any of the evidence they say they possess regarding Huawei’s capabilities.