Huawei Telecoms Equipment Targeted by NSA Spies


Analysis of NSA documents released by the whistleblower Edward Snowden has shown that the US spy agency directly targeted equipment manufactured by China’s Huawei.

The documents show that at least two, possibly three projects that were given individual codenames targeted Huawei routers, firewalls and network equipment known to have been sold to at least three major mobile network operators.

As a telecoms equipment vendor, Huawei would have been just one of many telecoms manufacturers targeted by the US spies.

Although Huawei has always denied it, there are persistent allegations that the company was some sort of backdoor for Chinese spies, and yet it finds itself in the curious position of having been targeted to act as a backdoor for US spies instead.

The documents raise some uncomfortable questions, particularly for politicians who have accused the company of being a front for the Chinese military.

In October 2012, the USA’s House Intelligence Committee carried out an investigation and concluded by recommending that US firms avoid doing business with the Chinese supplier, although many of the report’s allegations appeared to be based more on dissatisfaction with the company’s shareholding structure and openness than on any proven security threat.

However, that report did include a classified annex, which was not published, but was said to support the Committee’s findings.

In an unrelated interview last year, Michael Hayden, the former head of another US spy agency, the CIA, said that Huawei represented an “unambiguous national security threat to the USA and Australia.”

Michael Hayden was head of both the CIA and the NSA for nearly a decade up to 2008. It is likely, though, that while at the CIA he would have been unaware of the actions of the rival agency.

To date, none of the allegations against Huawei have ever cited a specific example of software code that acts as a backdoor for the Chinese military. However, if classified investigations passed to US politicians or the CIA have shown evidence of such exploits, the question now has to be asked — who put the exploits there?

Ultimately, the NSA has targeted all major telecoms vendors as a matter of routine, and Huawei would not expect to be exempted from that, but the security of its equipment has come under far closer scrutiny than that of any other telecoms equipment vendor.

It would therefore be embarrassing for the USA if allegations against Huawei in a number of countries are later found to have been based on security flaws inserted by the Americans, not the Chinese.

The two projects known to have targeted Huawei equipment are as follows:


(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.

Once installed, the software communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.

The software provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls and also survives OS upgrades and automatic bootROM upgrades.

The router is reputedly used by O2, Vodafone and Deutsche Telekom, at the very least.


HEADWATER is a Persistent Backdoor (PDB) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection.

The software implant can be transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer process is complete, the backdoor will be installed in the router’s boot ROM via an upgrade command. The backdoor will then be activated after a system reboot. Once activated, the NSA operators will be able to use DNT’s HAMMERMILL Insertion Tool (HIT) to control the backdoor as it captures and examines all IP packets passing through the host router.

HEADWATER is claimed to be the cover term for the backdoor for Huawei routers and has been adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment.

According to the leaked documents, this exploit is ready for deployment. Whether it has been is unknown at this stage.


Little is known about this project. At best, it is understood to be an Insertion Tool that allows reading and writing memory and executing an address or packet, as part of a joint NSA/CIA project on Huawei network equipment.

It could however be an overall name for all attacks on Huawei equipment as it is referenced by other attacks as being part of the TURBOPANDA project.

As such there are no specific products being targeted, other than those mentioned above.






What it’s like when the FBI asks you to backdoor your software


At a recent RSA Security Conference, Nico Sell was on stage announcing that her company—Wickr—was making drastic changes to ensure its users’ security. She said that the company would switch from RSA encryption to elliptic curve encryption, and that the service wouldn’t have a backdoor for anyone.

As she left the stage, before she’d even had a chance to take her microphone off, a man approached her and introduced himself as an agent with the Federal Bureau of Investigation. He then proceeded to “casually” ask if she’d be willing to install a backdoor into Wickr that would allow the FBI to retrieve information.

A Common Practice
This encounter, and the agent’s casual demeanor, is apparently business as usual as intelligence and law enforcement agencies seek to gain greater access into protected communication systems. Since her encounter with the agent at RSA, Sell says it’s a story she’s heard again and again. “It sounds like that’s how they do it now,” she told SecurityWatch. “Always casual, testing, because most people would say yes.”

The FBI’s goal is to see into encrypted, secure systems like Wickr and others. Under the Communications Assistance for Law Enforcement Act (CALEA), law enforcement can tap any phone in the US, but they can’t read encrypted communications. We’ve also seen how law enforcement have followed the lead of the NSA and gathered data en masse from cellphone towers. With the NSA reportedly installing backdoors onto hardware sitting in UPS facilities and allegedly working to undermine cryptographic standards, it’s not surprising that the FBI would be operating along similar lines.

The Difference
It was clear that the FBI agent didn’t know who he was dealing with, because Sell did not back down. Instead, she lectured him on topics ranging from the First and Fourth Amendments to the Constitution, to George Washington’s creation of a Post Office in the US. “My ancestor was a drummer boy under Washington,” Sell explained. “Washington thought it was very important to have freedom of information and private correspondence without government surveillance.”

Her lecture concluded, she proceeded to grill the agent. “I asked if he had official paperwork for me, if this was an official request, who his boss was,” said Sell. “He backed down very quickly.”

Though she didn’t budge for the agent, Sell makes it clear that surveillance and security is a complicated issue. “Ten years ago, I’d have said yes,” said Sell. “Because if law enforcement asks you to catch bad guys, who wouldn’t want to help?”

The difference now, she explained, was her experiences at BlackHat. Among those, Sell pointed to a BlackHat event where Thomas Cross demonstrated how to break into lawful intercept machines—or wiretaps. “It was very clear that a backdoor for the good guys is always a backdoor for the bad guys.”

How To Be A Good Guy
“I’m not against helping law enforcement, but the most important thing to me is protecting my friends and family the best way I know how,” said Sell. She suggested that the NSA and other agencies go back to a model where individuals are targeted, instead of monitoring all communications and sorting it out later. “There are plenty of ways to track people without trampling human rights,” she said.

As an example of how to do security right, Sell unsurprisingly pointed to Wickr. She said that her company does not hold the encryption keys to decrypt users’ messages, or see their identities. That way, should Wickr be compelled by a court order to hand over data, investigators will only find junk. And in addition to employing whom Sell calls the “best crypto people,” Sell said that individual messages are bound to their intended device. “Even in 20 years or 100 years, if the NSA miraculously breaks these [encryption] equations, they still wouldn’t be able to read these messages.”

It’s clear that for Sell, this is about more than good security. “I’m doing the right thing here, and it’s the right thing for them, too,” she said. “I’m not afraid of them.”