Huawei Telecoms Equipment Targeted by NSA Spies


Analysis of NSA documents released by the whistleblower Edward Snowden has shown that the US spy agency directly targeted equipment manufactured by China’s Huawei.

The documents show that at least two, possibly three projects that were given individual codenames targeted Huawei routers, firewalls and network equipment known to have been sold to at least three major mobile network operators.

As a telecoms equipment vendor, Huawei would have been just one of many telecoms manufacturers targeted by the US spies.

Although Huawei has always denied it, there are these persistent allegations that the company was some sort of backdoor for Chinese spies, and yet it finds itself in the curious position of having been targeted to act as a backdoor for US spies instead.

The documents raise some uncomfortable questions, particularly for politicians who have accused the company of being a front for the Chinese military.

In October 2012, the USA’s House Intelligence Committee carried out an investigation and concluded by recommending that US firms avoid doing business with the Chinese supplier, although much of the report’s allegations appeared to be based on dissatisfaction with the company shareholding structure and openness than any proven security threat.

However, that report did include a classified annex, which was not published, but was said to support the Committee’s findings.

In an unrelated interview last year, the former head of another US spy agency, the CIA Michael Hayden said that Huawei represented an “unambiguous national security threat to the USA and Australia,”

Michael Hayden was head of both the CIA and the NSA for nearly a decade up to 2008. It is likely though, that while at the CIA he would have been unaware of the actions of the rival agency.

To date, none of the allegations against Huawei have ever cited a specific example of software code that acts as a backdoor for the Chinese military. However, if classified investigations passed to US politicians or the CIA have shown evidence of such exploits, the question now has to be asked — who put the exploits there.

Ultimately, all major telecoms vendors have been targeted by the NSA as a routine procedure by the spies, and Huawei would not expect to be exempted from that, but the security of its equipment has come under far closer scrutiny than any other telecoms equipment vendor.

It would therefore be embarrassing for the USA if allegations against Huawei in a number of countries are later found to have been based on security flaws inserted by the Americans, not the Chinese.

The two projects known to have targeted Huawei equipment are as follows:


(TS//SI//REL) The HALLUXWATER Persistence Back Door implant is installed on a target Huawei Eudemon firewall as a boot ROM upgrade. When the target reboots, the PBD installer software will find the needed patch points and install the back door in the inbound packet processing routine.

Once installed, the software communicates with an NSA operator via the TURBOPANDA Insertion Tool (PIT), giving the operator covert access to read and write memory, execute an address, or execute a packet.

The software provides a persistence capability on the Eudemon 200, 500, and 1000 series firewalls and also survives OS upgrades and automatic bootROM upgrades.

The router is reputedly used by O2, Vodafone and Deutsche Telekom, at the very least.


HEADWATER is a Persistent Backdoor (PDB) software implant for selected Huawei routers. The implant will enable covert functions to be remotely executed within the router via an Internet connection.

The software implant can be transferred remotely over the Internet to the selected target router by Remote Operations Center (ROC) personnel. After the transfer process is complete, the backdoor will be installed in the router’s boot ROM via an upgrade command. The backdoor will then be activated after a system reboot. Once activated, the NSA operators will be able to use DNT’s HAMMERMILL Insertion Tool (HIT) to control the backdoor as it captures and examines all IP packets passing through the host router.

HEADWATER is claimed to be the cover term for the backdoor for Huawei routers and has been adopted for use in the joint NSA/CIA effort to exploit Huawei network equipment.

According to the leaked documents, this exploit is ready for deployment. Whether it has been is unknown at this stage.


Little is known about this project. At best, it is understood to be an Insertion Tool allows read/write to memory, execute an address or packet; joint NSA/CIA project on Huawei network equipment

It could however be an overall name for all attacks on Huawei equipment as it is referenced by other attacks as being part of the TURBOPANDA project.

As such there are no specific products being targeted, other than those mentioned above.






Leave a Reply

Your email address will not be published.