Huawei wants to sell its 5G tech to rivals – report

The latest bid by Chinese kit vendor Huawei to adapt to US sanctions could involve licensing its 5G technology to whoever is willing to pay.

The remarkable claim was made by CEO Ren Zhengfei in a recent interview with The Economist. “For a one-time fee, a transaction would give the buyer perpetual access to Huawei’s existing 5G patents, licences, code, technical blueprints and production know-how,” declared the piece. It also noted that the acquirer would be free to muck about with the source code, thus removing the risk of there being nefarious, sneaky bits of spyware or whatever hidden in there.

A technology company’s intellectual property is its crown jewels and under normal circumstances offering it up to competitors would be the very last thing it would do. But these are exceptional times for Huawei and it’s having to consider ever more novel ways of adapting to a time in which many countries around the world are blocking its presence in their 5G networks.

The stated aim for this move is apparently to create a viable non-Chinese competitor to Huawei in order to take the geopolitical heat off it. Ericsson and Nokia would be entitled to take exception to the inference there, but at the same time would surely be tempted to get hold of some of that choice IP.

On further reflection this doesn’t really add up. Ericsson, Nokia and to a lesser extent ZTE and Samsung all have competitive networking offerings, so this feels more like a dig at them than a genuine attempt to move things forward. It also feels like a bit of a public relations gimmick, so Ren can say he’s trying everything to resolve the current situation and the US needs to meet him halfway.

This move could also be a further attempt to reassure the US that there are no security concerns with its software by putting it in the hands of competitors that have every incentive to uncover any cyber-naughtiness there may be therein. But how can anyone be sure that the IP Huawei licenses to third parties is identical to that contained within its own kit?

Ren deserves credit for continuing to engage with the western media and for at least appearing to try to come up with solutions to the current impasse. As we saw in the matter of the confiscated Huawei gear, the US isn’t always acting in good faith in this case, but it seems unlikely that this latest initiative will do much to ease its concerns about Huawei’s presence in the 5G networks of itself and its allies.

The nightmare on 5G street – IoT is coming and we don’t know how to secure it

Telecoms.com periodically invites third parties to share their views on the industry’s most pressing issues. In this piece Charl van der Walt, Chief Security Strategy Officer at SecureData looks at some of the security implications that come with the advent of the 5G/IoT era.

There is no doubt that 5G and the Internet of Things (IoT) will revolutionise the ease with which life is lived, business is conducted, manual tasks are performed, and data is analysed. For industry, these innovations will provide a great leap towards quicker and more profitable business, and for the most part, that is a good thing. What is worrying, however, is that IoT security is already developing an unsavoury reputation for being terrible. 5G is likely to be a huge enabler of all kinds of IoT, which will only exacerbate this issue.

Once 5G becomes the standard network we all use, the likely result is that we will all be connected, at all times, wherever we are, and at ridiculous speeds. Given our dismal track record with security for ‘traditional’ IT, this is a big challenge, and if left unaddressed, is going to cause a lot of headaches at all levels of industry and society. The political, physical, and technical ramifications of 5G and IoT adoption will need to remain front of mind as businesses prepare for the 4th Industrial Revolution.

What are the risks for industries looking to adopt 5G?

The harsh reality is that consumers and industry alike have become obsessed with connecting things to the internet that we never really needed to before. Fridges, cars, pacemakers – you name it, and it’s probably already connected to the web. But we forget that every time we add anything to the internet, there are inherent security risks that aren’t considered, and therefore cannot be completely controlled. With 5G on the horizon, this always-on obsession of ours is going to become a BIG problem in terms of our own security. In short, where the opportunity for innovation exists, we also expose ourselves to cyber risk.

And it might actually be as bad as it seems. Against this backdrop, the US government is considering deprecating the widespread amount of Internet-connected Supervisory Control and Data Acquisition systems (SCADA) used by companies in telecommunications, water and waste control, energy, transportation – the list goes on. So high is the risk of connected technologies, that the US government is promoting deployments of “analog and non-digital control systems”. Unfortunately, the risk is already there, with reports of the very real hacking of control systems within the US national grid.

What about those risks at policy level?

Along with the technical risk of IoT systems, we need to consider the role that 5G itself will play as the main infrastructure for IoT and 4th Industrial Revolution (4IR) economies that we are building. The control of 5G, and therefore the power over it, gives countries and companies that are building and maintaining these networks a big head-start over those that aren’t. This power-struggle is already being played out on the global stage with the antagonism we are seeing between the US and Huawei. There is also a knock-on effect being seen with a continued resistance to Huawei and other Chinese companies, such as ZTE, elsewhere in the Western world.

The concern is that if 5G infrastructure is to become the new superhighway for connectivity, that infrastructure may be built and controlled by a foreign state that does not have our best interests at heart. This would essentially place control of the digital economy under the influence of that foreign state, whether directly or through a vassal company.

In security terms, any state-sponsored actors – criminal, intelligence, military or otherwise – would no longer have a need to attack systems running on a network, or place backdoors to gain access, or control the network itself. They will already have that power, whether we like it or not.

A simple mindset to adopt to solve a complex problem

What we need to remember is that even with the best security in the world, we can only ever partially mitigate any risk that comes with connectivity. This said, there are a number of security aspects within the IoT and 5G that should be front of mind.

The first is that every new piece of technology increases an attack surface. The IoT is estimated to be made up of 20.4 billion devices in use by next year, and this number is set to increase exponentially. Secondly, security debt is inherited, and any cost savings made or shortcuts that an IoT vendor took in the manufacturing process will end up being the end-user’s problem. This could be as fundamental as not ensuring that unique and secure passwords are set, managed and readily changed, for example. Finally, CIOs and CISOs will need to consider very carefully how patching is going to work, especially if an IoT network is very large or widely dispersed. Vulnerabilities can occur at any level of the stack, from an application all the way down to the hardware used. The ability to patch at all these levels for security must be considered critical, even for very simple systems.

The security threat to the IoT is real. The only real tangible response in the UK has been the NCSC making steps to address the issues posed by the rise in IoT devices and the potential for security fallout in its Security by Design review. Although this primarily concerns consumer devices, it holds true to wider industry as well. These new rules will help ensure that passwords on new devices are unique and not set to factory defaults. Additionally, any sensitive data transmitted over apps or devices must be encrypted as standard.

While this is a good start, there is some way to go before we can rest relatively easily. Ultimately however, for any IoT manufacturer or 5G connectivity provider, it’s important to think security first, rather than rushing out to market with a device or network that paints a picture of superior connectivity, but is really a security nightmare.

 

Charl van der Walt is the Chief Security Strategy Officer at SecureData, and has a background in offensive security and penetration testing. Charl has given courses and lectures for companies and universities the world over and has been a regular on the Infosec conference circuit. He has been a security training advisor to the US DoD for over 5 years, has acted as a network security consultant for the Commonwealth Games and co-authored numerous security books.

Apple tells Google to stay in its lane over security claims

Apple has hit back at a Google blog post, which emerged last week, suggesting its rival in the smartphone OS segment was ‘stoking fear’ amongst its users.

The presence of vulnerabilities is nothing to be too surprised about, though when the owner of one smartphone OS points out said vulnerabilities to a rival, egos are always going to flare up. This appears to be the case here, with Apple offering its rebuttal to the Google claims, attempting to calm the waters.

“Google’s post, issued six months after iOS patches were released, creates the false impression of ‘mass exploitation’ to ‘monitor the private activities of entire populations in real time,’ stoking fear among all iPhone users that their devices had been compromised. This was never the case,” the statement reads.

Firstly, Apple claims the vulnerability was narrow, not broad-based as suggested by the Google blog post. Fewer than 12 websites were able to exploit the vulnerability. Secondly, Apple has claimed these websites were only operational for two months, as opposed to the two-year period which Google is claiming.

The vulnerabilities were reported to Apple in a responsible fashion in February, though last week’s blog from Ian Beer of Google’s Project Zero is what is irking Apple.

What Google pointed out to Apple in February is that there were several nefarious websites which exploited a flaw in the iOS programming to allow hackers access to iPhone users’ contacts, photos and location, as well as data from apps like iMessage, WhatsApp, Telegram, Gmail and Google Hangouts.

The vulnerability covered each version of the OS from iOS 10 through to the latest version of iOS 12, though it was not immediately clear from the blog post whether any data was actually taken from users. Apple has not offered any insight here either.

As mentioned before, the idea of searching for vulnerabilities is not new. Bug Bounties are often offered to individuals and companies to find and report the flaws to the company which owns the software in a responsible manner. Interestingly enough, bug bounty platform HackerOne has recently announced it has raised $36.4 million in a series D round of funding led by Valor Equity Partners.

We suspect Apple isn’t that concerned about a flaw being highlighted; it’s more who did the highlighting.

Aside from a few very minor ‘also rans’, the smartphone operating system market is dominated by two players; Google’s Android and Apple’s iOS. This is where you have to take the severity claims about the vulnerabilities with a pinch of salt; it is of course in the benefit of Google to make the vulnerabilities seem as serious as possible.

The publication of the Google post could have come at a better time for Apple considering it is set to unveil its latest iPhone tomorrow (September 10).

“A lack of 5G support in the new iPhone won’t surprise anyone, though it will still disappoint operators looking for 5G devices to help them drive traffic to new 5G networks,” said Peter Jarich, Head of GSMA Intelligence.

“At the same time, new features that are expected – improved camera functionality, improved processor, upgrade to Wi-Fi 6 – may all seem incremental rather than revolutionary, particularly if the product line and form factor line-ups remain relatively constant.”

As it is unlikely the new iPhone will offer anything particularly innovative or revolutionary, combined with the high likelihood of it costing a small fortune, Apple will want to quash any negative connotations. The iLifers are extremely loyal, but with 5G attracting headlines around the world, some might be tempted to jump ship to a 5G-compatible device. Google’s claim of vulnerabilities might encourage a few more.

Losing face in seconds: the app takes deepfakes to a new depth

Zao, a new mobile app coming out of China, can replace characters in TV or movie clips with the user’s own facial picture within seconds, raising new privacy and fraud concerns.

Developed by Momo, the company behind Tantan, China’s answer to Tinder, Zao went viral shortly after it was made available on the iOS App Store in China, Japan, India, Korea, and a couple of other Asian markets. It allows users to swap a character in a video clip for the user’s own face. The user would choose a character in a clip from the selections, often iconic Hollywood movies or popular TV programs, upload his or her own picture to be used, and let the app do the swapping in the cloud. In about eight seconds the swap is done, and the user can share the altered clip on social media.

While many are enjoying the quirkiness of the app, others have raised concerns. First there is the concern for privacy. Before a user can upload their pictures to have the app do the swapping, they have to log in with their phone number and email address, literally losing face and giving away identification to the app. More worryingly, the app, in its earlier version of terms and conditions would assume the full rights to the altered videos, therefore the rights to the users’ images.

Another concern is fraud. Facial recognition is used extensively in China, in benign and not so benign circumstances alike. In this case, when an altered video with the user’s face in it is shared on social networks, it is out of the user’s control and will be open to abuse by belligerent parties. One such possible abuse is payment. Alipay, the online and mobile payment system of Alibaba, has enabled retail check-out by face: the customer only needs to look at the camera when leaving the retailer, and the bill will be placed on the user’s Alipay account. By adding a bit of fun into the process, check-out by face not only facilitates retail transactions but also continuously enriches Alibaba’s database. (It would not be a complete surprise if this should be one reason behind the euphoria towards AI voice by Jack Ma, Alibaba’s founder.) The payment platform rushed to reassure its users that the system will not be tricked by the images on Zao, without sharing details on how.

Though Zao is not the first AI-powered deepfake application, it is one of the best worked out, therefore most unsettling ones. In another recent case, involving voice simulation and the controversial scholar Jordan Peterson, an AI-powered voice simulator enabled users to type out sentences up to 280 characters for the tool to read out loud in the distinct, uncannily accurate Jordan Peterson voice. This led Peterson to call for a wide-ranging legislation to protect the “sanctity of your voice, and your image.” He called the stealing of other people’s voice a “genuinely criminal act, regardless (perhaps) of intent.”

One can only imagine the impact of seamless image doctoring coupled with flawless voice simulation on all aspects of life, not the least on the already abated trust in news.

The good news is that the Zao developer is responding to users’ concerns. The app said on its official Weibo account (China’s answer to Twitter) that they understood the concerns about privacy and are thinking about how to fix the issues, but “please give us a little time”. The app’s T&C has been updated following the outcry. Now the app would only use the uploaded data for app improvement purposes. Once the user deletes the video from the app, it will also be deleted in the cloud.


Poland signs agreement with US to shore up 5G security

The US and Poland signed an agreement on 5G security, effectively barring Chinese companies from participating in building 5G networks in one of the largest markets in central Europe.

The agreement was signed by Mateusz Morawiecki, the Polish Prime Minister, and Vice President Mike Pence during his visit to Warsaw in place of President Trump, who stayed behind to deal with the expected landing of Hurricane Dorian. The presidential visit was made to commemorate the 80th anniversary of Hitler’s invasion of Poland.

The two parties of the agreement pledged to protect “these next generation communications networks from disruption or manipulation and ensuring the privacy and individual liberties of the citizens of the United States, Poland, and other countries is of vital importance.”

When it comes to supplier selection, the agreement says, “we believe that all countries must ensure that only trusted and reliable suppliers participate in our networks to protect them from unauthorised access or interference.” Though it does not name China or Huawei, the criteria listed for “rigorous evaluation” read almost tailor-made for this purpose.

Specifically, suppliers should be evaluated on: whether they are controlled by a foreign government and subject to independent judicial review; whether they have a transparent ownership structure; whether they have a track-record of ethical corporate behaviour; and whether they are “subject to a legal regime that enforces transparent corporate practices”.

Other US officials were more straightforward. “We recognize 5G networks will only be as strong as their weakest link,” said Marc Short, Pence’s chief of staff, in a statement quoted by Associated Press. “We must stand together to prevent the Chinese Communist Party from using subsidiaries like Huawei to gather intelligence while supporting China’s military and state security services – with our technology.”

Poland has been one of the more vocal European countries calling for a ban on Huawei, especially after a Huawei employee was arrested and charged with spying. The country’s officials had called for a coordinated NATO-EU action. But with any EU-wide 5G security measures not expected to be in place by October and member states given another year to test the measures, Poland looked to the US for a faster solution. The two countries have strong cultural ties. “Nearly 10 million Americans trace their heritage to Poland”, according to Pence.

The Polish officials had conceded that they lack legal tools to ban Huawei from the country’s private sector. This agreement would deter such an interest from the privately-owned telecom companies.

The agreement would also be a significant step for the US to get Europe, including the UK, on board in its battle with China and with Huawei. Pence called it a “vital example for the rest of Europe on the broader question of 5G.”

Juniper pays $11.7m to make SEC bribery investigation go away

Networking vendor Juniper has never admitted or denied it participated in any activities related to bribery, though apparently its bank accounts were simply too full to continue.

The details of this investigation are complicated and nuanced, though the over-arching accusation is simple. The Securities and Exchange Commission accused Juniper of improperly reporting accounts and allowing a subsidiary to continue a practice which smells incredibly similar to bribery.

To conclude the investigation, Juniper has paid the SEC $11.7 million. This is not an admission of guilt from the firm apparently, it has apparently decided to reallocate $11.7 million because it is innocent and would not consider any form of bribery.

The fact that the government agency will stop a bribery investigation after receiving the funds is perhaps a pleasant after-effect.

While this would appear to be the end of the saga, there are some relatively suspect elements to consider. This extract from the ‘Cease and Desist’ document is an interesting one to ponder.

“From 2009 to 2013, local employees of Juniper China paid for the domestic travel and entertainment of customers, including foreign officials, that was excessive and inconsistent with Juniper policy. Certain local Juniper China marketing employees falsified agendas for trips provided to end-user customer employees. These falsified trip agendas understated the true amount of entertainment involved on the trips.”

Another interesting claim is the approval process. Juniper requires approval from its legal department to justify and validate such entertainment expenses, though marketing and sales employees sought approval after the events took place, painting the legal team into a corner.

The period in question took place between 2009 and 2013. It had been going on for an undisclosed period of time prior to 2009, though this was the time in which senior managers at Juniper were alerted to the practice.

At JNN Development Corp., a Russian subsidiary of the Juniper Group, secret discounts were discussed with third-party channel partners. These discounts were not passed on to customers but were instead funnelled into nefarious accounts. These funds were used to fuel corporate entertainment, much of which undermined the Juniper anti-bribery policies.

Managers were alerted to the presence of these funds, as well as the opaque practices and bread crumb trails which were left behind, in 2009. Some effort was made to discourage the practice, though the SEC deemed this was not sufficient, and the nefarious activities continued for another four years through to 2013.

“Juniper failed to accurately record the incremental discounts and travel and marketing expenses in its books and records and failed to devise and maintain a system of internal accounting controls sufficient to prevent and detect off-book accounts, unauthorized customer trips, falsified travel agendas and after-the-fact travel approvals,” the SEC has stated.

As with every slippery corporate firm around the world, Juniper will not admit fault, though apparently it had exactly $11.745018 million to ‘donate’ to the SEC to make the investigation go away.

Connected Home Security: The Best Route is the Simplest Route

There are two certainties about the continued widespread development of connected homes. One, this phenomenon is happening before our eyes – consumers continue to bring home voice assistants, smart lighting, Wi-Fi enabled thermostats and other gadgets. And two, too many of those IoT devices that make our homes connected aren’t being built with your privacy or security in mind. Instead, they’re built to ship quickly. Forgotten are the details of securing them from today’s threats.

This second fact has become abundantly clear as the number of DDoS attacks has risen sharply, largely due to the proliferation of vulnerable IoT devices available on the internet. Netscout is just the latest to confirm this, reporting that DDoS attacks have increased 39% in the past year.* Insecure connected devices are attractive to online criminals, as they can easily infect them with malware, turn them into bots and harness their bandwidth for coordinated denial of service attacks.

While such attacks don’t generally make the mainstream news, consumers are not completely oblivious to the inherent risks of bringing connected “things” into the home. In a recent F-Secure survey, nearly half of respondents said their security concerns about connected devices affected their purchasing decisions.**

Still, as technology providers, we can’t expect the average user to take proactive steps to protect against online threats if our solutions aren’t intuitive and simple. Ideally, protecting a home from digital threats should be no more complicated for your customers than flipping a switch or plugging in a cable.

It starts with the home gateway

“Building a connected home with an insecure router is like building on quicksand, and that is something that is going to have to change if we want smart homes to be secure,” says Andrea Barisani, F-Secure’s head of hardware security.

Part of F-Secure’s hardware work involves pressure-testing home routers that ISPs and retailers make available to their customers, in order to answer a key question: Can it withstand attacks throughout its lifecycle? F-Secure helps router manufacturers and ISPs harden the security of their home gateways to build a rock-solid foundation for the connected home.

And it’s the humble home gateway that is the foundation for securing the future. After all, the router is already perfectly positioned to act as a defense against incoming threats. It’s also the simplest, most sensible way to protect every smart device in the home.

That’s why for over two years now, F-Secure has offered its secure SENSE router directly to consumers. And that’s why the company has answered the call to make the adoption of connected home security simple for consumers who use home routers supplied by their internet service providers. F-Secure now provides router makers and ISPs with an embedded Connected Home Security solution as a software development kit (SDK) mounted onto home WiFi routers.

This security cloud and artificial intelligence-powered kit turns a regular ISP WiFi router into one that protects home users and their internet-connected devices against malware, phishing and online tracking, and secures smart and IoT devices against cyber attacks.

This is the solution that secures consumers’ digital lives without burdening them with unnecessary information or actions. Operators can simply secure customers’ homes, whether those homes are already filled with connected things – or just beginning to be.

Outside the home

Of course, the need for security doesn’t end beyond the doorstep. The blanket of security that protects people’s connected homes must also cover them when on the go with their smartphones, tablets and laptops.

The simple way to secure consumers both at home and on the go is to provide a seamless combination of network security and endpoint protection. In this model, network security through the home router works in tandem with endpoint protection for devices capable of hosting security applications – laptops, smartphones and tablets. This way, all devices, both at home and away, are protected under one umbrella. F-Secure’s Connected Home Security solution integrates security for all these devices into a single, seamless experience for end users.

More benefits for the whole family

As important as blocking cyber threats is, there is even more to Connected Home Security. The solution acts as a convenient window to the home network, allowing users to view and manage security for each and every device that’s connected to their home Wi-Fi. This visibility gives users a greater feeling of control over their network and with it, more empowerment to solve network issues on their own.

While users gain visibility, parents also gain control over which devices their children are allowed to use to access the internet, and when. The solution lets parents set limits on their children’s internet usage by filtering out age-inappropriate or disturbing content and setting boundaries for online time.

Consumers need simple solutions for managing the complexities of the modern world – complexities such as the connected home and the risks that come with it. If your customers lock their doors at night, they probably want to lock down their internet connections as well. A holistic, seamless connected home security solution is the simplest way to do it.

*Source: Netscout Threat Intelligence Report H1 2019

**Source: Survey consisted of online interviews of 4,000 age, gender and income-representative respondents from five countries, 800 respondents per country: US, UK, France, Germany, and Brazil.

Huawei hasn’t given up on Australia as it plugs 6G smarts

Even though Australia blindly followed the US down the Huawei-accusation rabbit hole, the Chinese vendor hasn’t given up on the country, using the 6G carrot to tempt the Aussies back into the fray.

Speaking at the Emerging Innovation Summit in Melbourne, a Huawei executive suggested Australian decision-makers have been short-sighted in addressing cyber-security concerns.

“The current approach being taken towards cyber-security on 5G mobile networks solves absolutely nothing – and that will be exposed further in 6G,” said Huawei Australia Chief Technology and Cyber Security Officer David Soldani.

This is of course assuming Huawei is an innocent party, though as little (if any) concrete evidence to prove guilt has been presented to date, the fair position would be to maintain this assumption of innocence.

“Blocking companies from certain countries does nothing to make Australia any safer from cyber-security issues – in fact it just makes things worse because they are not addressing the real issues on cyber-security.”

This is a point which has been raised frequently by those who advocate the inclusion of Huawei in communications infrastructure moving forward. Banning a certain company or technology from networks does not tackle the issue. For some, the most sensible route forward would be that of risk mitigation, an approach Vodafone in the UK has been very vocal about.

“Huawei is already way ahead of our rivals on 6G research and we can see that the way in which we will be gathering and consuming data on those 6G networks means the cyber security risks will increase,” Soldani added.

Although it might encourage moans from some corners of the industry, 6G is becoming a very real and increasingly important facet of the connectivity mix. 5G is of course not a reality yet, but for the R&D engineers, the job is complete. Work has moved out of the research labs and into production; for these employees it is onto the next task; 6G.

This is another common message which has come out of the Huawei ranks over the last few months; it is critical to work with us, not ignore us. And many of those on the technology side would agree also.

The reason the prospect of a Huawei ban is such a divisive and persistent topic is relatively simple; Huawei produces excellent products. Not only are these products cheaper, while the field support offered to telco customers is largely unrivalled, the products are genuinely at the top of their field. There are large crowds who would suggest Huawei is market leader in the radio and transmission segments.

“The communique from the Five Eyes was absolutely clear that countries need to ensure entire supply chains are trusted and reliable to protect our networks from unauthorized access or interference,” Soldani said.

“This means there is absolutely no point in simply banning companies from certain countries – it actually makes Australia less secure because it means we have to then increase our reliance on just one or two other vendors – neither of whom are having their equipment tested.”

This is another point which, once again, has been thrown around quite often by Huawei, but is also valid; no-one is 100% free of cybersecurity risk. By reducing the number of attack points for cyber-criminals, arguably it becomes more difficult to defend and the chances of a breach increase.

These are all perfectly valid points, but Huawei is trying to prove a negative here. Nothing which can be said or presented to the world would completely exonerate the firm of suspicion, especially with the US Government constantly hinting there is evidence of wrong-doing. The fact that no-one outside the White House or the Foreign Department has seen this evidence does appear to be irrelevant to some, though that is not to say it does not exist.

This issue is quite frankly becoming tiresome. Of course, governments around the world have a duty to ensure companies are acting responsibly through the sourcing and deployment of secure and resilient products, but the issue has become tedious to discuss week on week. Unfortunately, as the UK Government continues to kick the can down the road, the debate is likely to continue.

Although the UK is finding it difficult to maintain friendships with its peers inside and outside of the European Union, it is still an incredibly influential voice. The Supply Chain Review has attracted interest from numerous parties around the world, and the decision will be carefully scrutinised. It might be rubbing nations up the wrong way with Brexit, but its opinion still matters.

Some nations of course benefit from the on-going stand-still and some don’t. The UK doesn’t benefit, as telcos are still no wiser as to whether supply chains will be in tatters, and numerous other countries that rely on Huawei (Germany, Spain or Italy, for example) are in the same boat. Australia is in a tricky position as banning Huawei limits the options which are out there. This presents complications from a resilience and competition perspective.

The US appears to be one of the few nations which is not going to be impacted. Deployment might be a bit more expensive due to decreased competition, but the telcos have never had the opportunity to include Huawei in plans so there is no disruption from this on-going saga. The US might well be a lost cause, but it does appear Huawei believes it can charm Australia back on-side.

Huawei might not have given up on Australia, but as long as the White House is singing from this hymn sheet, it is likely to be nothing more than a Sisyphean task.

Google exposes massive iPhone hacking operation

Google’s Project Zero security team has revealed a vulnerability in iOS that exposed large numbers of users to a hack that allowed the installation of a monitoring implant.

This kind of hack is called ‘zero-day’, the definitions of which vary, but which refers to a vulnerability in a piece of software that leaves it open to exploitation by outside actors. The stated aim of Project Zero is to make zero-day hard and it goes about doing so by trying to find such vulnerabilities. Apparently it always publishes these findings after giving the owner of the software time to address the vulnerability and Apple was told about this one back at the start of February this year.

“Now, after several months of careful analysis of almost every byte of every one of the exploit chains, I’m ready to share these insights into the real-world workings of a campaign exploiting iPhones en masse,” wrote Ian Beer of Project Zero in the blog post detailing the findings. “Let’s also keep in mind that this was a failure case for the attacker: for this one campaign that we’ve seen, there are almost certainly others that are yet to be seen.”

This is at best very embarrassing for Apple, which prides itself on the relative lack of malware on its closed software platforms. The malware was able to install itself on iOS devices if they merely visited an infected website, with no manual download required. Upon successful installation the malware apparently granted the bad guys access to everything on the phone, including passwords, chat histories, etc.

Google is, of course, Apple’s sole rival in the mobile operating system space, so it does seem pretty convenient that it should be discovering iOS vulnerabilities and publicising them. Project Zero’s policy, it seems, is to publish all such findings after an appropriate delay to allow for patching, which it should be stressed Apple did immediately, but you have to wonder whether it’s quite as keen to bring Android’s failings into the public domain.

Smart Home Threat Landscape

The explosion of IoT devices in people’s homes and offices is attracting attention from cyber criminals. And thanks to the security problems commonly found in these devices, they present attackers with low hanging fruit to pick. According to F-Secure Labs, threats targeting weak/default credentials, unpatched vulnerabilities, or both, made up 87% of observed threats.

In late 2018, F-Secure’s network of reconnaissance honeypot servers observed a huge spike in threats targeting exposed telnet ports. Mirai uses this infection method to go after devices through default passwords. This explosion of attacks suggests that there is still plenty of “easy prey” out there and criminals are going after it. Of the attacks observed by F-Secure’s honeypots in 2018, 59% were attacks targeting Telnet – a trend F-Secure Labs attributes to the spread of Mirai malware.

Securing the smart home requires confronting the rampant vulnerabilities in IoT devices. In addition, the rising number of connected devices on home networks must be as secure as PCs and mobile devices. By inviting more and more tools into the home that can be used to track and observe consumers, security and privacy will play an increasingly crucial role in our lives.
