Bloomberg Seemingly Botches a Report on Backdoors in Chinese-Made Equipment. This Is Not a Repeat From October 2018

Daniele Lepido, Bloomberg:

Europe’s biggest phone company identified hidden backdoors in the software that could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy, a system that provides internet service to millions of homes and businesses, according to Vodafone’s security briefing documents from 2009 and 2011 seen by Bloomberg, as well as people involved in the situation.

Vodafone asked Huawei to remove backdoors in home internet routers in 2011 and received assurances from the supplier that the issues were fixed, but further testing revealed that the security vulnerabilities remained, the documents show. Vodafone also identified backdoors in parts of its fixed-access network known as optical service nodes, which are responsible for transporting internet traffic over optical fibers, and other parts called broadband network gateways, which handle subscriber authentication and access to the internet, the people said. The people asked not to be identified because the matter was confidential.

Tim Culpan doubled down on this in an editorial for Bloomberg, calling it a “smoking gun”:

Having Huawei, or its compatriot ZTE Corp., taken off the tender list reduces operators’ bargaining power even if they lean toward a Western option. That’s among the reasons we’ve seen telecom executives play down the risks and even defend Huawei. Money is a powerful incentive, and a penny saved is a penny earned.

Expect Huawei proponents and telecom operators to dismiss this revelation as an aberration that proves nothing. Huawei’s newly invigorated PR machine will whip into overdrive, and Chinese authorities will spin the report as propaganda. Meanwhile, Western politicians will crow “I told you so.”

However, on a purely technical level, this report may have grossly overstated the apparent “backdoor”. Gareth Corfield, the Register:

Unfortunately for Bloomberg, Vodafone had a far less alarming explanation for the “backdoor”.

“The ‘backdoor’ that Bloomberg refers to is Telnet, which is a protocol that is commonly used by many vendors in the industry for performing diagnostic functions. It would not have been accessible from the internet,” said the telco in a statement to The Register, adding: “Bloomberg is incorrect in saying that this ‘could have given Huawei unauthorized access to the carrier’s fixed-line network in Italy’.”

It added: “The issues were identified by independent security testing, initiated by Vodafone as part of our routine security measures, and fixed at the time by Huawei.”

Bloomberg owns Businessweek, which in October published that deeply problematic story about unauthorized chips apparently being found implanted on Supermicro servers made in China for Amazon and Apple. So far, that story has not stood up to scrutiny and has remained a permanent exclusive.

Maybe that was just a one-off. After all, today’s piece is from a different writer and Vodafone’s denial is not as comprehensive as the affected companies’ responses to the Businessweek story. But Bloomberg’s history of spurious allegations of Chinese espionage has poisoned the well. I’m not naïve; I know that China, like all big nations, is probably trying to spy on communications in any way it can, and its position as the “workshop of the world” gives it unique leverage. Even so, I simply don’t know how to trust Bloomberg’s reporting on such matters.