The first was a joint statement by the US Department of Homeland Security, the FBI and GCHQ’s National Cyber Security Centre. This is the latest in a series of alerts about an ongoing Russian campaign known in the West as Grizzly Steppe.
The statement confirms that hackers, believed to be working directly or indirectly for the Russian government, have been attempting to compromise the security of internet devices known as routers and switches. A huge number of routers and switches are responsible for directing traffic on local networks as well as national networks and the internet itself. Your home will have at least one router (usually combined with a switch) connected through a modem to your internet service provider. Your switch/router allows data to move between computers in your household, such as sending a video to your television or games console, or backing up a file to a networked hard disk, or sending a document to your network printer, whilst the router directs traffic from your computer to the wider internet.
The alert mentions that attacks have been made against all types of router – from those used by major telecoms operators, through to domestic routers sold to customers. It points out that many of these devices are either poorly secured by manufacturers, or do not receive the necessary updates to fix security issues. The attacks are known as ‘man in the middle’ attacks, where hackers compromise a device involved in an exchange of data (such as between yourself and a distant website) and use that compromised device to steal data – such as passwords, user IDs and sensitive documents.
One company, Cisco, has previously warned customers that its Smart Install software was being misused to attack Cisco devices and given advice to users about how to reduce their risk. Unfortunately, if the past is anything to go by, suppliers of domestic routers and switches will not be anywhere near as proactive in fixing bugs with their hardware. For most of us, there is very little we can do to protect ourselves against such attacks and we have to hope our telecom companies and security services can detect and stop intrusions.
The second story involves a Chinese state-owned telecoms manufacturer called ZTE. The National Cyber Security Centre has written to UK telecom operators warning them that using ZTE devices and software could risk national security. ZTE is not a major brand in the UK, although it has sold its Blade Android mobile phones here for some time and also supplies modems to companies including BT.
The announcement appeared at the same time that the US banned the American chip maker Qualcomm from supplying ZTE with essential hardware. This followed a 2017 court case in which ZTE was found to have sold US technology to Iran in contravention of American sanctions. The company was fined $1.2 billion for that infringement.
At this point, there is no public evidence that ZTE hardware or software can be used to harm national security – either by spying, or by offering ‘backdoors’ to essential infrastructure, but there is obvious concern that ZTE has not been sufficiently open about its workings.
This is not the first time a Chinese telecom operator has been accused of being a threat to security. In February, six US intelligence agencies warned, on security grounds, against using devices from ZTE and Huawei; again, no direct evidence was provided and some people suggest this is simple protectionism against two increasingly successful foreign companies.
Huawei is the world’s second-largest maker of mobile phones and a major supplier of telecommunications products to companies such as BT. As part of its expansion in the UK, Huawei is obliged to work with government agencies and telecom operators to prove the security of its hardware and software at a specialised facility near Banbury in Oxfordshire.
Are Huawei and ZTE spying on us? There’s no public evidence that Chinese phone companies are doing so. But a recent study of the security of Android mobile phones did show that both companies are amongst the worst at fixing critical security problems in their devices – perhaps that should be the real worry about Huawei and ZTE, and it’s something we can all fix – if your phone company won’t patch your phone, don’t buy another one from the same company.