I am assuming a not-Hauwei-only network.

The idea that a router could send things through other routers without someone who is looking for it noticing is ludicrous.

Of course, most people aren't paying attention, a few extra frames wouldn't be noticed most likely. But if you are worried about it, you should be looking.

Also, I find it difficult to believe Hauwei has the ability to do DPI or something inside their box and still route at reasonable speeds is a bit silly. Perhaps they only duplicate packets based on source/dest IP address or something that is magically messaged from the mother ship, but I am dubious.

It should be trivial to prove to yourself the box is, or is not, doing something evil if you actually try.

::cough:: steganography ::cough::


So, DPI, duplication, injection into frames.

If each Hauwei knows of each other....I supose you could create a Hauwei
backbone and slowly pick and pull peices of what you want out of the flow.
But how realistic is that really...

Well put!


Not really, no one has claimed it's impossible to hide traffic. What is
true is that it's not feasible to do so at scale without it becoming
obvious. Steganography is great for hiding traffic inside of legitimate
traffic between two hosts but if one of my routers starts sending cay
photos somewhere, no matter how cute, I'm gonna consider that suspicious.
That's an absurd example (hopefully funny) but _any_ from one of my routers
over time would be obvious, especially since to be effective this would
have to go on much of the time and in many routers. Hiding all that isn't
feasible for a really technically astute company and they're not in that
category yet (IMO).

It all depends on what you're trying to accomplish. Hijacking many cat photos to
send your cat photo... how deep is your DPI?

Remember also, the answer to the universe fits in 6 bits...


I think one of the possibilities suggested beyond call-home or backdoors
was that they might have installed a secret kill-switch to be activated
against 'enemy' nodes in time of war was an cyber shock and awe campaign.


They are a state controlled company. You think the PRC's party members dont call the shots? I've been to Beijing for work.. I can assure you the government has a very known presence through the private community. Often times, graduates of their state run colleges enter the "private" sector to help their collective needs. China is an odd place, but in my opinion often they are underestimated. Look at their stealth plane, that's a good starting point on their ability to borrow technology and implement it quickly. It's about numbers over there, not sense.

This could be a latent, not used feature from _any_ vendor.

A hard coded backdoor password and username. A sequence of port-knocking that enables ssh on an alternate port with no ACL. Logins through that mechanism not in syslog, not in the currently logged in user table, perhaps the process(es) hidden from view.

Do we really trust Cisco and Juniper more than Hueawei? :slight_smile:

That is far more feasible than mass interception and forwarding of traffic,
though there is (AFAIK) no indication that such a kill switch exists. I
also think that if China wanted to do something nefarious a far better
target would be Lenovo, which still seems to be an accepted vendor in US
government circled judging from the number I've seen in DC this week and
laptops have far more horsepower and storage most pieces of networking

This is a good point; unless your taping your traffic and examining it for
anything outside of the norm then would you ever see it? However, we are
talking transport protocols, no? I would certainly hope the OOB network was
monitored and controlled.

Hmm.....a network of clients/servers strategically located at Huewai POPS
with a sole pupose of creating sessions destined for control servers so as
to create the ability to inject payload into packets that are actually
destined for where you want the data to go.

A hard coded backdoor password and username.


Or alternatively if you want access to any huawei device with software
older than about a year ago:

A sequence of
port-knocking that enables ssh on an alternate port with no ACL.


Backdoors Found in Barracuda Networks Gear – Krebs on Security

There's no need to resort to malice to explain these problems when
alternative explanations exist.


there are lots of other attack scenarios besides the simple one you suggest,
as people who try to analyze malware payloads by their outbound network activity
have figured out.

an attack could be time-driven, or driven by some very hard to interpret network
signalling (such as a response to something the router would have a perfectly legitimate
reason to ask an attacker about). which means you need to watch for an indefinite length of
time (possibly forever) to see behavior. (in the malware world, the question is: how long do you
run this in your sandbox to find the command and control?)

covert channels have been known for many years, and outbound data could be encoded in a covert
channel by timing (which is much more difficult to notice than content modification such as steganography as there
are no specs and few expectations about timing). see

for an wonderful example of a keyboard specially modified to leak passwords by modulating the timing in an ssh channel
snooped between the admin and the router.

the volume of data need not be huge. a login and password, for example, can be leaked out in a covert channel without
the likelihood of anyone noticing, and would provide subsequent access to the router in case of need, which is good enough
for many military purposes.

finally, denial of service on a network component could be implemented by watching for a sequence of out of spec packets of death.
only someone doing impossibly exhaustive fuzzing might see the result, and it would be indistinguishable from a bug.

My objection to ZTE/Hauwei when I was at a cellular telco was just this. I
said "there was no way I can agree with Chinese nationals having unfettered
access to our network".

Sure the CLI was crap/nonexistent and full of bugs, but I never thought the
product was phoning home. I assumed there was a backdoor, like every other
product and this was dealt with via ACL's and bastion boxes.

I did not think highly of the product, and did not want to select it. However
ZTE made the offer to put 6 support engineers in our main switch office 24/7
for the first year, and open an office down the street. Our SVP creamed
himself over this level of "support" and they got the contract.

It's an awesome idea, build gear that's cheap enough you can't say no to, and
use the support personnel as spies. It provides a perfect cover story to
cycle in loads of engineers. Only one or two does the support, the rest can
observe/record/share the internal details of everything they see.

They are playing our love of "But Wait There's More!". Give us everything at
deep discounts or for free and receive direct access to the core of every
major telecom company on the planet. For a few hundred million dollars the
Chinese government has intelligence on anyone or anything world wide, and
their agents are welcomed with open arms.

both cisco and juniper do this as well.. with phone-home full
show-tech-equivalent data collection systems... all pushed into an
internal DB ready for marketing/etc...

I'm sure other vendors (ALU/etc) all do this as well... the addition
of 'Dedicated Support Engineers' sitting in your faciltiy is neat, but
also not 'new' wrt cisco/juniper.

(I also happen to think that this is probably the method most likely
used to exfil data of interest)

Why would anyone outside of the US agree to have US products in their network, using the same rationale? At least with China they don't pretend they're not spying on our own population.

Is that also not possibly the case with Cisco, Juniper, XYZ network
equipment vendors? If the Chinese are doing it, I would imagine we (along
with our pals) are doing it as well. It'll be interesting to see what NSA
dox this guy drops in the coming days and weeks ahead. All of the TV
pundits were screaming Hong Kong was going to give him up, until he
released information on a program relating to penetrating foreign
government networks. I think the dynamics of China and their behavior
after the release(s) will factor in greatly into contract awards in the
future. Granted he hasn't released any information on compromising
physical hardware for the moment, but if that were to come to light it
would murder .cn imports of gear almost immediately. If we were doing it,
and they weren't .. They will now.

At the end of the day, we are almost ALWAYS more than willing to give them
our IP and state secrets in order to (a) buy something really cheap or (b)
sell something really expensive. I'm sure it's completely understood
within the intelligence communities what capabilities the Chinese have,
mostly because we probably gave or sold it to them at some point. They
haven't ALWAYS made their own hardware, and they still bring quite a bit
in through creative channels.

/me taps nose

Apologies for making what could be construed as an off topic, political
comment, but doesn't everyone in the USA know by now that the PRC
represents a dagger aimed at the economic and national security of America?
A military invasion in slow motion as it were?


Please realize that one can make that statement from every side of the

It all just depends on which side of the fence you are born, if you
consider one thing "good" or "evil" and as recent events show, you
should be looking a bit closer at the home base...

And now after this whole flood of messages about this... lets please go
back to operations, thanks!