May 2, 2019

The curious case of Bloomberg's Huawei scoop

A Huawei logo. Photo: Jaap Arriens/NurPhoto via Getty Images

Bloomberg reported Tuesday that Vodafone's Italian division had discovered "backdoors" in its Huawei-brand telecommunications equipment in 2011 and 2012.

But, but, but: The story did not play well in the security community, where the evidence is seen as insufficient to the central claims. It didn't make a strong case that the "backdoor" was anything more than a minor, unintentional problem. Vodafone's official stance was it wasn't.

Reality check: The story was based on internal memos leaked to Bloomberg.

  • The "backdoors" were a number of security flaws that Vodafone found in security testing. All hardware and software have security vulnerabilities, so that doesn't seem particularly malicious.

Details: One "backdoor" was Telnet, an extremely common communications protocol that many hardware manufacturers use for configuration. While Huawei used the industry standard way to make Telnet inaccessible via the wider internet, Vodafone has a policy of not allowing Telnet.

  • When Huawei fixed the equipment, it claimed it resolved the Telnet issue, but Telnet was still accessible.
  • According to the memos, Huawei said that Telnet couldn't be entirely removed from the router.

To be clear: This chain of events is common for manufacturers. It's hard to make the leap to claiming this was a backdoor based on the story.

  • This is where the story stopped.

However: Bloomberg may not have given the full account of the technical reasoning that the Telnet issue was intentional.

  • Bloomberg did not release the memos, so it's hard to verify any technical details.
  • Still, according to Stefano Zanero, an expert quoted in the story who did see the memos, the memos make Huawei seem sketchier than the story suggested.

According to Zanero, the following was left out of the story:

  • The Telnet service wasn't in guides explaining how the hardware worked.
  • The passwords to the Telnet service couldn't be changed, meaning the manufacturer would always know how to hack the hardware.
  • It accepted connections in a nonstandard way, which made it seem hidden.
  • The Telnet was successfully removed once but reintroduced later.

The bottom line: It still isn't a smoking gun. Even with Zanero's elaborations, to most of the security community, this has read like Vodafone employees attributing malice to incompetence.

Go deeper: Vodafone denies Bloomberg report on security flaws in Huawei equipment

Go deeper

John Kelly defends James Mattis against Trump attacks

John Kelly in the White House in July 2017. Photo: Cheriss May/NurPhoto via Getty Images

Former White House chief of staff John Kelly defended James Mattis on Thursday after President Trump attacked the former defense secretary as "the world's most overrated general" and claimed on Twitter that he was fired.

What he's saying: “The president did not fire him. He did not ask for his resignation,” Kelly told the Washington Post in an interview. “The president has clearly forgotten how it actually happened or is confused."

Barr claims "no correlation" between removing protesters and Trump's church photo op

Attorney General Bill Barr said at a press conference Thursday that there was "no correlation" between his decision to order police to forcibly remove protesters from Lafayette Park and President Trump's subsequent visit to St. John's Episcopal Church earlier this week.

Driving the news: Barr was asked to respond to comments from Defense Secretary Mark Esper, who said Tuesday that he "did not know a photo op was happening" and that he does everything he can to "try and stay out of situations that may appear political."

Updates: Cities move to end curfews for George Floyd protests

Text reading "Demilitarize the police" is projected on an army vehicle during a protest over the death of George Floyd in Washington, D.C.. early on Thursday. Photo: Yasin Ozturk/Anadolu Agency via Getty Images

Several cities are ending curfews after the protests over the death of George Floyd and other police-related killings of black people led to fewer arrests and less violence Wednesday night.

The latest: Los Angeles and Washington D.C. are the latest to end nightly curfews. Seattle Mayor Jenny Durkan tweeted Wednesday night that "peaceful protests can continue without a curfew, while San Francisco Mayor London Breed tweeted that the city's curfew would end at 5 a.m. Thursday.