Huawei Telecom Gear Much More Vulnerable to Hackers Than Rivals’ Equipment – WSJ


“Reminds me of the 1990’s Microsoft Windows/Internet Explorer Security Issues, Not Stuxnet”

-Mayo615

Source: Huawei Telecom Gear Much More Vulnerable to Hackers Than Rivals’ Equipment, Report Says – WSJ

A detailed report, prepared by Finite State, a Columbus, Ohio-based cybersecurity firm, concludes that Huawei telecom switching gear is far more vulnerable to hacking than other vendors’ hardware due to firmware flaws and inadvertent “back doors” that were discovered. The report has been circulated widely among cybersecurity experts in the U.S. and UK, and it is considered credible. The report stops short of concluding that Huawei deliberately inserted the flaws to enable espionage; it appears more likely that the flaws stem from undetected software development errors. The Trump Administration has nevertheless seized on the report to claim evidence of Chinese espionage intent. The report’s conclusions do offer sound evidence that Huawei gear should not be inserted into telecom systems until these errors are removed. This reminds me of the time when Microsoft Internet Explorer and Windows were suspected of being serious security risks for having so many security holes.

Huawei Enterprise Network Switch

From the Wall Street Journal:

WASHINGTON—Telecommunications gear made by China’s Huawei Technologies Co. is far more likely to contain flaws that could be leveraged by hackers for malicious use than equipment from rival companies, according to new research by cybersecurity experts that top U.S. officials said appeared credible.

Over half of the nearly 10,000 firmware images encoded into more than 500 variations of enterprise network-equipment devices tested by the researchers contained at least one such exploitable vulnerability, the researchers found. Firmware is the software that powers the hardware components of a computer.

The tests were compiled in a new report that has been submitted in recent weeks to senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers. The report is notable both for its findings and because it is circulating widely among Trump administration officials who said it further validated their policy decisions toward Huawei.

“This report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers,” said a White House official who reviewed the findings. “Huawei does not disclose this covert access to customers nor local governments. This covert access enables Huawei to record information and modify databases on those local systems.”

The report, reviewed by The Wall Street Journal, was prepared by Finite State, a Columbus, Ohio-based cybersecurity firm.

While the report documents what it calls extensive cybersecurity flaws found in Huawei gear and a pattern of poor security decisions purportedly made by the firm’s engineers, it stops short of accusing the company of deliberately building weaknesses into its products. It also didn’t directly address U.S. claims that Huawei likely conducts electronic espionage for the Chinese government, which Huawei has long denied.

A Huawei official said the company welcomed independent research that could help improve the security of its products but added he couldn’t comment on specifics in the Finite State report because it wasn’t shared in full with the company.

“Without any details, we cannot comment on the professionalism and robustness of the analysis,” the Huawei official said.

Based in Shenzhen, Huawei is the world’s largest telecommunications equipment provider and a leader in next-generation 5G wireless technology.

Huawei has emerged as a central fixture in the growing rift between the U.S. and China over technology, especially with the approach of 5G cellular technology.

The Commerce Department in May cited national-security concerns when it added the telecommunications giant to its “entity list,” which prevents companies from supplying U.S.-origin technology to Huawei without U.S. government approval.

Finite State Chief Executive Matt Wyckhouse co-founded the firm in 2017, after spending nearly 13 years at nearby Battelle, a private, nonprofit applied-science and technology firm that does work in the private and public sectors.

Mr. Wyckhouse, a computer scientist who worked in Battelle’s national security division handling defense and intelligence-community contracts, said Finite State did the work pro-bono and not on behalf of any government. He also said he felt the best way to make policy makers aware of the issues was to make his firm’s research available to the public. He plans to publish it this week.

“We want 5G to be secure,” Mr. Wyckhouse said.

Finite State said it used proprietary, automated systems to analyze more than 1.5 million unique files embedded within nearly 10,000 firmware images supporting 558 products within Huawei’s enterprise-networking product lines.

The company said the rate of vulnerabilities found in Huawei equipment was far higher than the average found in devices manufactured by its rivals, and that 55% of firmware images tested contained at least one vulnerability—which the authors described as a “potential backdoor”— that could allow an attacker with knowledge of the firmware and a corresponding cryptographic key to log into the device.

The report includes a case study comparing one of Huawei’s high-end network switches against similar devices from Arista Networks and Juniper Networks Inc. It found that Huawei’s device had higher risk factors in six of nine categories, generally by a substantial margin.

“In our experience, across the board, these are the highest numbers we have ever seen,” Mr. Wyckhouse said.

In one instance in the case study, Huawei’s network switch registered a 91% risk percentile for the number of credentials with hard-coded default passwords compared against all of Finite State’s entire firmware data set.

By comparison, the risk level for Arista and Juniper was rated at 0%.

Chris Krebs, the top cybersecurity official at the Department of Homeland Security, said Finite State’s research added to existing concerns about Huawei equipment and the conclusion that the company hasn’t shown the intent or capability to improve its security practices.

“With Huawei having not demonstrated the technical proficiency or the commitment to build, deploy, and maintain trustworthy and secure equipment, magnified by the Chinese government’s potential to influence or compel a company like Huawei to do its bidding, we find it an unacceptable risk to use Huawei equipment today and in the future,” Mr. Krebs said.

White House officials who reviewed the Finite State report said the findings revealed flagrant violations of standard protocols. They said the report’s findings also suggested Huawei may be purposely designing its products to include weaknesses.

For example, some of the vulnerabilities found are well-known cybersecurity problems that aren’t difficult to avoid. Of the devices tested, 29% had at least one default username and password encoded into the firmware which could allow malicious actors easy access to those devices if the credentials were left unchanged, according to the report.

A particularly unusual finding was that security problems became quantifiably worse in at least one instance for users who patched a network switch with an updated version of firmware compared with the two-year-old version being replaced. Patches are intended to reduce cybersecurity weaknesses, but a comparison of the two versions found the newer one performed worse across seven of nine categories measured.

“For years, Huawei has essentially dared the international community to identify the security vulnerabilities that have so often been alleged regarding the use of the company’s products,” said Michael Wessel, a member of the U.S.-China Economic and Security Review Commission, a bipartisan panel that makes recommendations to Congress. “It’s hard to see the range and depth of the vulnerabilities identified by Finite State to be anything other than intentional.”

The U.K.’s National Cyber Security Centre also reviewed the Finite State research, people familiar with the matter said, and found it broadly aligned with the technical analysis in the agency’s own report, published in March. The U.K. report accused Huawei of repeatedly failing to address known security flaws in its products and admonished the firm for failing to demonstrate a commitment to fixing them.

A 2012 U.S. government review of security risks associated with Huawei didn’t find clear evidence that the company was being used by China as a tool for espionage, but concluded its gear presented cybersecurity risks due to the presence of many vulnerabilities that could be leveraged by hackers.

Rep. Mike Gallagher, (R., Wis.), said the report highlights the urgency for members of Congress and others to stop Huawei from taking over the global telecommunications supply chain.

“I’ve long thought we should treat Huawei as an appendage of the Chinese Communist Party,” said Mr. Gallagher, who earlier this year introduced legislation targeting Chinese telecommunications firms. “But even I was taken aback by the scale of the security flaws within Huawei’s network architecture as revealed by the report.”

Updating My Smartphone Market Analysis: The Market Is At A Strategic Inflection Point

NOTE: My original post, originally published in January 2013, continues to be one of the most viewed on the site. Android and Apple have enjoyed an estimated 98% market share between the two, and many of my earlier projections regarding this market appear to have been borne out. However, the smartphone market has now matured to the point that it is at a strategic inflection point which has major implications for the future of this market and the major competitors. The rapid maturation of the smartphone market should have been foreseen: the rise of domestic Chinese competition combined with the predictable end of the Western consumer fascination with “the next smartphone.”


The Rapid Maturation of the Smartphone Market Should Have Been Foreseen

The signs of a dangerous strategic inflection point in the global smartphone market have been evident for some time: the rapid rise of domestic Chinese competition combined with the predictable end of the Western consumer fascination with “the next smartphone.” Five years ago, Samsung Electronics, the South Korean technology giant, sat atop the Chinese market, selling nearly one of every five devices there. Today, Samsung is an also-ran, controlling less than 1% of the world’s largest smartphone market. Samsung has trimmed local staff and last month closed one of its two Chinese smartphone factories. Surely, Apple must have been aware of this and of the growing number of much lower-cost domestic Chinese competitors that were already hammering Samsung. Apple’s release of a lower-cost iPhone, the XR, in Asia in October 2018 appears to have been a case of too little, too late. Sales of the device have been disappointing in both Japan and China, and Apple has been relegated to offering “trade-ins” to camouflage slashing the price of the XR. Apple had ample warning over at least a five-year period.

Meanwhile, I sensed a very different kind of maturation of the smartphone market in North America and Europe. In what I like to call the smartphone market “Star Wars” phenomenon, each new generation of smartphones was greeted with a hysteria that was only paralleled by the Star Wars craze. This simply could not continue indefinitely. Beginning in 2017 it was apparent the smartphone market as a whole was already shrinking, and there was significant anecdotal information in the media that smartphone hysteria was waning, if not publicly available hard data. I began having discussions about this with Tim Bajarin, one of the top Apple analysts. As Apple moved to launch the iPhone X and broke the $1000 price point barrier, it encountered clear, if perhaps not overwhelming, evidence that the smartphone market was softening: more people chose not to upgrade their phones. I like to say that the last major feature consumers seemed to want/need was water resistance, as so many had already experienced the disastrous “toilet drop.” I view the Bluetooth earbud phenomenon as a distraction and perhaps a hint of the coming change. Samsung flirted with water resistance as early as the Samsung Galaxy S5, perhaps because water resistance had become a standard feature in the Japanese market. By 2018, water resistance was standardized, and the market began experimenting with “the next big thing” for phones, folding screens. WTF? It was clear to me that the smartphone market had run out of gas, and was undergoing rapid maturation, as phones were no longer fascinating and novel, but just simply commodity devices.

To my mind, and IMHO, this has been a case study in a classic “strategic inflection point” that was missed by both Samsung and Apple. Samsung might be forgiven for being the first to cross into the inflection point, while the media was still promoting “the next smartphone” hysteria, and not yet recognizing the sense of the market. Apple has no such excuse. The rapid maturation of the smartphone market should have been foreseen by Apple. Apple’s most disturbing move was the decision to increase pricing rather than delivering greater value, at exactly the wrong time. The crucial rhetorical question is what are the larger implications for Apple’s future business?

READ MORE: Apple Beware: Samsung’s Fall in China Was Swift

READ MORE: Samsung Profit Outlook Surprisingly Weak

Vendor Data Overview

Smartphone vendors shipped a total of 355.6 million units worldwide during the third quarter of 2018 (Q3 2018), resulting in a 5.9% decline when compared to the 377.8 million units shipped in the third quarter of 2017. The drop marks the fourth consecutive quarter of year-over-year declines for the global smartphone market. 

Smartphone Vendor Market Share

Quarter    2017Q1   2017Q2   2017Q3   2017Q4   2018Q1   2018Q2   2018Q3
Samsung     23.2%    22.9%    22.1%    18.9%    23.5%    21.0%    20.3%
Huawei      10.0%    11.0%    10.4%    10.7%    11.8%    15.9%    14.6%
Apple       14.7%    11.8%    12.4%    19.6%    15.7%    12.1%    13.2%
Xiaomi       4.3%     6.2%     7.5%     7.1%     8.4%     9.5%     9.5%
OPPO         7.5%     8.0%     8.1%     6.9%     7.4%     8.6%     8.4%
Others      40.2%    40.1%    39.6%    36.8%    33.2%    32.9%    33.9%
TOTAL      100.0%   100.0%   100.0%   100.0%   100.0%   100.0%   100.0%

Global Mobile

2009 to 2012

In one of the most interesting high tech scenarios in years, the “smart mobile” OS (operating system) market is shaping up to be a classic Battle of the Titans. Key strategic issues, theories, speculation, and money, lots of it, are making this a great real-time strategy and marketing case study for management students of all ages (smile). So as Dell prepares to fade into the sunset, get yourself a drink of your choice, and some popcorn, sit back and watch it all unfold.

The best metaphor I can apply to this might be a “destruction derby” featuring at least two players, or perhaps a bizarre multidimensional Super Bowl or Rugby World Cup match, with four teams on one playing field with four goal posts at each cardinal point of the compass. At the moment all four teams are tackling, passing, and running at each other in a confused pile. There are scrums, rucks and mauls in multiple locations. Two competitors, Google and Apple, appear to be winning. The other two, Microsoft and Research in Motion, are pretty banged up, but still playing.

The two currently dominant competitors, Google Android with its acquisition of Motorola Mobility, and Apple iOS, are rapidly consolidating and expanding their global market positions, via partnerships, vertical integration, and application development ecosystems. Microsoft has publicly committed to spending massively to make Windows 8 the third OS option, but a recent IDC mobile OS market forecast projects Microsoft with only a minuscule share in 2015. Something tells me that Steve Ballmer will go on a rampage if that happens, rather like the video of him screaming and dancing on stage in my post “Extrovert or Introvert, Authentic Presentations Take Practice,” November 30th. http://mayo615.com/2012/11/30/introvert-or-extrovert-authentic-presentations-take-practice/

The key question is whether Microsoft or RIM will be able to establish a third mobile OS to a survivable market position. It is not at all clear that either can do so at this point. The market is also speculating that mobile hardware market leader Samsung is possibly considering making its own play by creating its own mobile OS ecosystem. While this may seem far-fetched, this kind of vertical integration seems to be making a resurgence as a strategic move, after having been discredited. Then there is the perennial Nokia, which has seemed to be on death’s door, but may be coming back. As a strategic partner for Microsoft, Nokia’s fate may have a huge bearing on Microsoft’s strategy to reinvent itself as the PC goes into atrial fibrillation. Will Amazon enter the fray with its own smart phone entrant, and if so, with whose OS? Will Research in Motion and the Blackberry be able to achieve a survivable market share, or is RIM already a walking zombie?

Finally, in a kind of death dance patent dispute reminiscent of the film, Gladiator, Nokia and RIM are now locked in new lawsuits and counter-lawsuits, as if to say, “If neither of us are going to survive, we might as well kill each other for the entertainment value.”

Here’s a more concise overview of the race to be the third mobile platform:

Read more: http://www.businessinsider.com/bii-report-the-race-to-be-the-third-mobile-platform-2013-1#ixzz2IepLaaka

For Management students, this real time case study offers the opportunity to apply and ponder:

1. The time-tested 1976 Boston Consulting Group (Bruce Henderson) “rule of three and four.” In a stable mature market there can be no more than three surviving competitors, the largest of which can have no more than four times the share of the smallest of the three. Here, the question is whether a third competitor can successfully emerge at all.

2. Barriers to market entry. Former Intel Marketing VP Bill Davidow’s book, Marketing High Technology, An Insider’s View, still considered the standard on the topic, suggested his own metric for a barrier to a new market entrant, or even a competitor just struggling to survive the market shakeout. The market entry barrier rule of thumb in dollars is three-quarters the most recent annual revenue of the market leader. In this case, that is a very big B number… Microsoft has the bucks, but is it just too late?

3. Vertical integration. Rumors of Samsung introducing its own mobile OS seem implausible, but hey Nvidia just announced its own gaming console to compete with Microsoft, Nintendo, and Sony.

4. Resources and capabilities. It is necessary to consider the respective resources and capabilities of each of the many direct players, and those playing in related markets that bear on the mobile OS market.

5. Related markets, new markets, peripherally involved competitors and products which all could play a role in the eventual outcome of this. The integrated Internet HDTV market is only one example. Featuring Apple, Microsoft, Google, and Samsung, and the HDTV manufacturers, it could influence things. What if Amazon were to vertically integrate and introduce its own smart phone?

This is the hairball of this Century so far. Are you all still with me, here?

The Digital Utopian Vision of Marshall McLuhan and Stewart Brand Is Cracking


It appears to me that the original vision and promise of the Internet, referred to by many as Digital Utopianism, is at severe risk of deteriorating into a “balkanized” and severely impaired World Wide Web.

Internet barriers, censorship, protectionist Internet policy, and ubiquitous surveillance seem to be the emerging new reality. Notable digital luminaries the likes of Vint Cerf and Bill Gates have been questioned on this point, and both have expressed no major concern about deterioration of the freedom of the Internet or with the original Utopian vision. The argument is that the World Wide Web cannot be effectively blocked or censored. Google would probably respond that their “loon balloons” could simply be launched to counter censorship. As a longtime Silicon Valley high tech executive, I understand this optimistic view, but the facts on the ground are now providing serious evidence that the Internet is under attack, and may not survive unless there is a significant shift in these new trends.

This week alone, Turkey’s Erdogan has tried to block both Twitter and YouTube to prevent Turks from viewing evidence of his corrupt government. This morning’s New York Times reports Edward Snowden’s latest revelation. While the U.S. government and media were investigating and publicly reporting on Chinese government Internet espionage and Chinese network equipment manufacturer Huawei, the NSA, the British GCHQ and Canada’s Security Intelligence Service (CSIS) were all collaborating, doing exactly the same thing. The hypocrisy and irony of this is not lost on either the Chinese or the Internet community. CBS 60 Minutes reported on the Chinese espionage, but has been essentially silent on NSA’s own transgressions. 60 Minutes even broadcast a report that NSA metadata was essentially harmless, which has now been shown to be false. The 60 Minutes objective reporting problem is the canary in the coal mine of the corporate takeover of media and the Web. Protectionist policies in various countries targeted against Google, Microsoft and others are emerging. One of the many negative effects of the NSA revelations was the announcement this week that the United States was giving up control of the International Committee for Assigned Names and Numbers (ICANN), which essentially sets Internet traffic policy. Finally, this week, Netflix spoke out forcefully against the “peering agreement” it was blackmailed into signing with Comcast to ensure “quality of service” (QoS) for Netflix programming to the edges of the Web.

Read more: NSA breached Chinese servers

Read more: Netflix Thinks Peering Should Be A Net Neutrality Issue

I recently came across Professor Fred Turner, Professor of Communication at Stanford. It has been a revelation for me. His book, “From Counterculture to Cyberculture,” is an acclaimed milestone work. Turner has articulated the world I lived in, in the counterculture of the 1960s and in early Silicon Valley. His work explaining the evolution from the “counterculture” of the 1960s to the emerging new “cyberculture” of the late 1980s and 1990s is an excellent record of that time in northern California. This was the world of Steve Jobs at that time and of his personal evolution into a digital Utopian. It is detailed in Jobs’s biography, and in Jobs’s wonderful Stanford University 2005 commencement speech, in which he also acknowledged the importance of Stewart Brand and the Whole Earth Catalog. This was also my countercultural world as a Communications student at San Jose State at that time, in the heart of Silicon Valley, and in my subsequent high tech career, beginning at Intel Corporation. But even Professor Turner has expressed his own ambivalence about the future direction of the Web, though only from the standpoint of the less worrying lack of diversity of Web communities. My concern is much more deeply based on current evidence and much more ominous.

Fred Turner, Stanford Professor of Communication – Counterculture to Cyberculture

Stewart Brand, the father of the Whole Earth Catalog and the original digital utopia visionary, has been rethinking its basic concepts. Brand has come around 180 degrees from environmental Utopianism based on “back to the land,” and is now embracing the future importance of urban enclaves. While this new urban view is now a widely held idea by many futurists, it can also be viewed as another facet of the end of digital utopia. This TEDTalk by Brand lays out his new vision. Where we go from here is anyone’s guess.