[Analytics] Could Huawei be using Trojan circuits to help Beijing spy on the US?

Attendees walk past signage for Huawei at the MWC Shanghai exhibition in Shanghai. Numerous American politicians have called for a ban on Huawei equipment and technology. Photo: Bloomberg. Sketched by the Pan Pacific Agency.

The US is regarded as the world leader in hardware hacking. Its allies have found no evidence of planting ‘back doors’, and Chinese researchers insist their work on Trojans is separate from telecoms firms. Stephen Chen, specially for the South China Morning Post.

Speaking on CNBC recently, US Senator John Barrasso was adamant that Huawei, the leading Chinese telecommunications equipment maker, represented a clear threat to the United States.

“Huawei is a true threat. It could be a Trojan horse,” the third-ranking member in the Senate Republican leadership said.

Barrasso is one of the many American politicians who have called for a ban on Huawei equipment and technology.

They have said that the conglomerate, based in Shenzhen in southern China, installs “back doors” or “Trojans” in its devices to siphon off sensitive data to the Chinese government without detection.

US Secretary of State Mike Pompeo has travelled the world warning allies to stay away from Huawei lest they put intelligence sharing with the US at risk.

Huawei, meanwhile, has repeatedly denied the allegations, saying that it is not a proxy for China’s security apparatus.

Despite its warnings, some of the US’ traditional allies such as Britain and Germany have said they have found no evidence that Huawei’s devices contain Trojan circuits, also known as hardware Trojans – modifications of integrated circuits in computer chips that can give third parties access to data.

In May, the US put Huawei on its Entity List, prohibiting the sale of US technology to the smartphone maker. The government said it had cause to believe Huawei was involved in activities that threatened American national security or foreign policy interests.

US President Donald Trump last month appeared to have backed off a little from the ban after meeting Chinese counterpart Xi Jinping at the Group of 20 summit in Japan.

And US Commerce Secretary Wilbur Ross said on Tuesday that American firms could be allowed once again to sell technology to the blacklisted Chinese firm where there was no threat to US national security.

Ross maintained, however, that sales of sensitive equipment would remain off limits.

But from a technology perspective, are these warnings credible, or fantasies straight out of the pages of spy fiction?

Trojans come in all shapes and sizes.

Some can be triggered by heat, a clock on a motherboard, GPS coordinates (activated when a target device enters a designated area), or typing a word – for instance, a government agent in the US typing “Beijing” and inadvertently triggering a Trojan that sends information to China.

Last year, a Bloomberg report alleged that China added a Trojan component to a Supermicro server board that has been used by Western tech giants such as Amazon and Apple.

In the report, Bloomberg cited 17 unidentified sources that it claimed worked for the companies and the US government. Apple, however, said there was “no truth” to the story; Amazon, too, denied the claims.

Such a hack was “technically plausible”, according to Dr Markus Kuhn, an award-winning computer scientist studying hardware security at the University of Cambridge in Britain.

After all, it is well known that China, like other countries including the US, has been conducting research on hardware Trojans.

Since 2010, more than 400 papers have been published on the topic, mostly in Chinese-language domestic journals, with various proposals for Trojan circuit designs.

Although China has made strides in the field, security researchers said Beijing still lagged the US, widely regarded as the world leader in hardware hacking.

The US’ National Security Agency (NSA) is alleged by some researchers to have inserted a Trojan into the firmware of Juniper Networks, an American supplier of networking technology.

“That back door has been observed to have been carefully implemented and then replaced several times,” Kuhn said.

functionality – possibly a firmware modification – in Cisco routers, according to Kuhn.

His opinion is shared by many in the information security community.

But the question is whether the work of researchers and government-funded institutes on hardware Trojans is linked to Chinese telecommunication companies, and whether the Chinese government can spy on countries that buy hardware from those firms.

According to a government researcher involved in a Trojan circuit design programme, the answer is a flat “no”, partly because it would be too easy to get caught.

“A back door on [Huawei’s] HiSilicon chip is more likely to be caught than one on a chip of [American semiconductor company] Xilinx,” said the researcher, who spoke on condition of anonymity.

His research team modifies different models of processors and tests how well a Trojan circuit cheats various detection methods, such as infrared imaging and electromagnetic emission sniffing.

“We are working separately from Huawei,” he said. “That means one’s work never comes across the other’s, even though we may attend the same international conferences and sit side-by-side.”

In their laboratory, the chips were all those of foreign brands, said the researcher, whose work covers both detection and planting of Trojans in processor chips.

In Europe, Huawei products have gone through strict security screening to gain access to markets, Kuhn wrote in an emailed response to the South China Morning Post’s queries.

The British government, for instance, publishes an annual report on the security of Huawei products. In the latest report, released in March, hundreds of vulnerabilities were identified by an independent oversight board chaired by a senior cybersecurity official.

“It does not identify any deliberately planted back doors, but lists numerous problems that are very common in commercially developed programs,” the official said.

The problems included frequent use of potentially unsafe functions in source code, use of outdated third-party software components and the lack of “reproducible build” – showing an independent reviewer that the source code they review matches the binary code that drives a machine.

“While all these requirements are very sensible and desirable, I think it is also fair to say that Huawei is unlikely to be exceptional in selling commercial products that would disappoint in such a security review,” Kuhn wrote.

“I would be surprised if most of Huawei’s competitors did substantially better when faced with similar scrutiny,” he added.

“The Huawei thing is political,” said Grady Summers, executive vice-president and chief technology officer of global cybersecurity firm FireEye, at a media briefing in Hong Kong on Wednesday last week.

“It’s a very convenient thing to rile up a political base about the fear of foreign technology.”

Summers said this was at odds with the internet’s intended lowering of boundaries and exchanging of ideas across countries.

“I hate to see this Balkanisation of the internet, where countries don’t want to use technology that [others] build, where we’re going to see increasing firewalls and we’re all going to use our own national social media and our own national internet infrastructure,” Summers said.

“Speaking strictly from a security perspective, we have seen nothing from Huawei that would give us alarm.”

Additional reporting by Laurie Chen
