Huawei Could Rebuild Trust in Their Products Through Open Source

Posted on Apr 24, 2019 by Derek Zimmer

Chinese telecoms giant Huawei has been in the news over the last few months because companies and entire nations have been banning its equipment over spying concerns. There has been little public evidence of such spying taking place on a large scale, but the coordinated action of multiple countries within the Fourteen Eyes surveillance alliance suggests that there may be confidential evidence that those countries do not want to disclose.

This is a big blow to Huawei, who has been gaining not only in the cellular handset market, but also in the lucrative cellular equipment market for wireless providers. Huawei has been poised to take over the 5th generation cellular tech race with fast and cheap equipment.

Now, those gains have all been erased by these spying concerns. Huawei equipment has been banned in Australia, New Zealand, Canada, the United States, Japan, and individual companies in the UK and within the EU are cancelling contracts for Huawei equipment.

State Security or Economic Security?

Interestingly, the language used by the American intelligence community does not seem to point to any specific evidence, other than that Huawei works closely with the Chinese government and that it could update the firmware of its equipment to spy if it wanted to.

While this is a very real possibility, there is nothing barring any other vendor in the world from doing the same. Much of the world’s networks, including China’s Great Firewall, run on equipment made by Cisco and Juniper, both of which were victims of NSA programs to tamper with devices while they were in transit to targets abroad. Furthermore, the signing keys for the firmware and operating systems of most of the world’s network devices are held by the manufacturer, and customers have no way to verify that no other party has access to those keys.

So why is Huawei a concern but Cisco isn’t? Or Ericsson? Or Nokia? Or Samsung? Or Juniper? Or any of the companies that own fiber in the ground? One must wonder whether there is an economic component to the xenophobia: a concern that China may overtake the West in a key technology market.

Regardless of the real motivations of the concerns…

There’s a Way Out of this Mess – Open Source

Open-sourcing the code for Huawei equipment would allow nations, companies, and individuals alike to review it for malware and for obvious security problems. Review cannot prove the absence of every flaw, but it turns an unverifiable question of trust into one of inspection that any sufficiently motivated party can carry out.

Reproducible builds let anyone compile the published source and obtain a bit-for-bit identical image, so the firmware actually running on a network device can be checked against the code the public reviewed rather than taken on faith. This removes another layer of distrust.

And if you want to protect against the advent of Chinese “malicious updates”, you can use multi-party signing for firmware updates, for example requiring M of N keys held by the vendor, the operator and the national regulator, so that no update can be rolled out without the approval of the government or company deploying it.

This 3-part solution (which the open source community has been working on for over a decade) allows you to use Huawei equipment without having to inherently trust Huawei. There are still some problems with this system, such as hardware backdoors in the chips themselves, but even those can be reviewed and approved for a particular design that is going to be deployed worldwide. Spot-checking equipment for deviations from the approved design would be costly, but on the scale of nation-wide deployments it would not be prohibitively expensive.
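The following is an added illustration, not code from the original post or from Huawei, of how the reproducible-build check and the multi-party signing policy described above fit together on the receiving side. It assumes a constructed firmware image, three hypothetical signing parties (a vendor, an operator and a regulator) and a 2-of-3 policy in which the vendor must always be one of the signers; the digest of the reproducible build stands in for the value independent builders would obtain from the reviewed source.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Signer is one party whose approval may count toward releasing an update:
// the vendor, the network operator, a national regulator, and so on.
type Signer struct {
	Name string
	Pub  ed25519.PublicKey
}

// UpdatePolicy is the acceptance rule a device (or an operator's staging
// system) enforces before it will flash an image.
type UpdatePolicy struct {
	Signers   []Signer
	Threshold int      // how many distinct trusted signatures are required
	Required  []string // parties that must be among the signers regardless of count
}

// Update is the artefact delivered to the device: the image plus detached
// signatures keyed by signer name. Signatures cover the SHA-256 digest of the
// image so that every party signs exactly the same thing.
type Update struct {
	Image      []byte
	Signatures map[string][]byte
}

// VerifyUpdate accepts an image only if (1) its digest matches the digest
// published for the reproducible build of the reviewed source and (2) enough
// distinct trusted parties have signed that digest, including any mandatory ones.
func VerifyUpdate(u Update, reproducibleDigest [sha256.Size]byte, p UpdatePolicy) error {
	digest := sha256.Sum256(u.Image)
	if digest != reproducibleDigest {
		return errors.New("image digest does not match the reproducible build")
	}
	valid := map[string]bool{}
	for _, s := range p.Signers {
		sig, ok := u.Signatures[s.Name]
		if ok && ed25519.Verify(s.Pub, digest[:], sig) {
			valid[s.Name] = true // only keys in the policy count, one vote per party
		}
	}
	for _, name := range p.Required {
		if !valid[name] {
			return fmt.Errorf("missing required signature from %s", name)
		}
	}
	if len(valid) < p.Threshold {
		return fmt.Errorf("only %d of %d required signatures are valid", len(valid), p.Threshold)
	}
	return nil
}

// Scenario holds the outcome of the cases the text cares about; nil means accepted.
type Scenario struct {
	Accepted      error // vendor + operator approve the reviewed build
	VendorOnly    error // vendor tries to push an update nobody else approved
	NoVendor      error // operator + regulator sign, but the vendor never did
	TamperedImage error // all three signed the reviewed digest, but the bytes differ
}

// RunScenario generates hypothetical keys for the three parties and exercises the policy.
func RunScenario() (Scenario, error) {
	names := []string{"vendor", "operator", "regulator"} // hypothetical parties
	priv := map[string]ed25519.PrivateKey{}
	var signers []Signer
	for _, n := range names {
		pub, sk, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			return Scenario{}, err
		}
		priv[n] = sk
		signers = append(signers, Signer{Name: n, Pub: pub})
	}
	policy := UpdatePolicy{Signers: signers, Threshold: 2, Required: []string{"vendor"}}

	// Constructed stand-in for a firmware image. In practice this digest is the
	// one independent builders obtained by rebuilding the reviewed source tree.
	image := []byte("constructed firmware image v1.2.3")
	reproducible := sha256.Sum256(image)

	sign := func(parties ...string) map[string][]byte {
		sigs := map[string][]byte{}
		for _, n := range parties {
			sigs[n] = ed25519.Sign(priv[n], reproducible[:])
		}
		return sigs
	}

	tampered := append([]byte{}, image...)
	tampered[0] ^= 0x01 // one flipped bit: signatures still reference the reviewed digest

	return Scenario{
		Accepted:      VerifyUpdate(Update{image, sign("vendor", "operator")}, reproducible, policy),
		VendorOnly:    VerifyUpdate(Update{image, sign("vendor")}, reproducible, policy),
		NoVendor:      VerifyUpdate(Update{image, sign("operator", "regulator")}, reproducible, policy),
		TamperedImage: VerifyUpdate(Update{tampered, sign("vendor", "operator", "regulator")}, reproducible, policy),
	}, nil
}

func main() {
	s, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("approved update:  ", s.Accepted)
	fmt.Println("vendor-only update:", s.VendorOnly)
	fmt.Println("no vendor signature:", s.NoVendor)
	fmt.Println("tampered image:   ", s.TamperedImage)
}
```

The order of the checks matters: the digest is compared against the reproducible build before any signature is examined, so a correctly signed manifest cannot be reused to vouch for different bytes, and the vendor's key alone is never sufficient to get an image onto the device.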

A world with verifiable firmware, on verifiable bootloaders, running verifiable software, all of which you can reproduce yourself from open source code, is what the open source community has been pushing for. Huawei could step light-years ahead of its competition in trust with this level of open-source commitment.

About Derek Zimmer

Derek is a cryptographer, security expert and privacy activist. He has twelve years of security experience and six years of experience designing and implementing privacy systems. He founded the Open Source Technology Improvement Fund (OSTIF) which focuses on creating and improving open-source security solutions through auditing, bug bounties, and resource gathering and management.
