Speaking as an ex-Gartner analyst and Ofcom advisor, I’m glad I advised the US Dept of Homeland Security (DHS) to ban Huawei in 2012, was quoted in the WSJ on then Vice Premier Xi’s lies to Obama, described the hacking of Nortel by China as a wakeup call in the Huffington Post, and was then quoted in the WSJ on “No Way for Huawei.”
WHAT ARE THE CONCERNS with TikTok?
According to the NY Times article entitled “TikTok Browser Can Track Users’ Keystrokes, According to New Research,” TikTok captures keystrokes not only for its own application but also for other applications and websites, including login credentials and passwords!
In the web browser used within the TikTok app, supplementary code lets the company track every character typed by users. The company said the capability was for troubleshooting. Yes, troubleshooting of people!
WHAT ARE THE CONCERNS with Pinduoduo?
According to CNN’s report of April 2nd, 2023, entitled “‘I’ve never seen anything like this’: One of China’s most popular apps has the ability to spy on its users, say experts,” researchers found code in Pinduoduo designed to achieve “privilege escalation”: a type of cyberattack that exploits a vulnerable operating system to gain a higher level of access to data than the app is supposed to have.
The app was able to keep running in the background and prevent itself from being uninstalled, which allowed it to boost its monthly active user rates. It also broke privacy laws, as it had the ability to spy on competitors by tracking activity on other shopping apps and extracting information from them. Researchers quoted in the CNN article also stated that Pinduoduo designed code which could be used by malware developers to inject malicious code into applications with legitimate functionality, by mislabelling plug-ins to appear as Google code.
Temu, the popular Chinese shopping app, is owned and operated by PDD Holdings, which also owns Pinduoduo.
WHAT ARE THE CONCERNS with Huawei?
Cybersecurity experts, intelligence agencies, and political leaders have argued that Huawei’s products, especially if used in 5G networks or associated critical infrastructure, pose significant security risks. A PBX or Telephone Switch can be used for Cyber-Espionage, as these switches also perform Lawful Intercept, and can capture call logs (who you are calling), and even the call content (call recording) and other personal information, for legal purposes, but this can also be misused, for Cyber-Espionage.
Given Huawei’s theft of IPR from Cisco Systems and T-Mobile, which has been documented and adjudicated in the US, as well as significant evidence directly tying both Huawei and its founder Ren Zhengfei to the CCP and China’s People’s Liberation Army (PLA), Western democracies have expressed concerns, especially given classified studies of Huawei’s espionage activities. In 2013, the former head of the CIA and National Security Agency (NSA), Michael Hayden, stated that there is tangible classified evidence that Huawei has engaged in CCP-directed cyber-espionage activities.
Huawei Technologies Co. Ltd. is a major Chinese telecommunications company that has been banned in the US, and many Westernized democracies, including Australia, Japan, the UK, and India, have banned its telecom gear from core functions in 5G. Its products range from smartphones to advanced 5G network equipment, and the company has faced growing criticism from security experts and governments regarding cybersecurity and espionage risks.
What is not well known is that over 3500 enterprises, mostly in Asia, the EU, Africa, and South America, use Huawei’s Enterprise Service Bus and iPaaS (integration Platform as a Service), called ROMA, for mission-critical applications such as Smart City deployments, Smart Grids, and other critical infrastructure.
Huawei has now announced a database platform called GaussDB as a potential Oracle replacement. IDC has rated it the No. 1 Chinese database by market share, which is meaningless, since deployments within Huawei’s own installed base would be self-serving. How does IDC’s former ownership by a Chinese firm influence this rating?
WHAT ARE THE CONCERNS with China?
Despite what TikTok or Huawei state, under Chinese law the CCP could force TikTok or Huawei to provide customer data or network access upon request. China’s 2017 National Intelligence Law applies to all private enterprises based in China and their foreign subsidiaries, and can compel Chinese entities to provide active support to Chinese intelligence-gathering activities. Despite this fact, TikTok and Huawei deny it.
In March 2019, Microsoft discovered a piece of software in Huawei’s MateBook laptops that used code similar to a leaked NSA hacking tool, which was stolen from the NSA by Russia’s KGB (now called the FSB) using Kaspersky’s software, and shared or stolen between the Communist countries of Russia and China. A 2021 report by SentinelOne noted how a hacker group called ThunderCats (associated with China) hacked the websites of Russian government agencies to obtain the NSA tools.
Analysts at Microsoft revealed that they found a back door in Huawei laptops that allowed unprivileged users access to all laptop data. As an example, NSA’s DoublePulsar, a malware instrument leaked in early 2017, has been used by hackers in the WannaCry ransomware attack.
Huawei has consistently denied such claims of backdoor unprivileged access, stating that no such backdoor incident had ever been detected before, even when confronted with evidence to the contrary.
What’s at Issue with an ESB, and iPaaS from Huawei?
An integration Platform as a Service (iPaaS) and an Enterprise Service Bus (ESB) solution typically handle massive data volumes across multiple application sources, as well as supporting the ever-increasing number of cloud solutions that an enterprise wants to use, and often this is private information. To quickly, efficiently, and cost-effectively integrate data from legacy, on-premises data sources as well as new cloud applications, ESB and iPaaS solutions are leveraged, with direct access to an enterprise’s APIs and internal databases.
ESB and iPaaS solutions therefore have to be trusted with sensitive data. An iPaaS or ESB investment must have robust security mechanisms in place, such as data encryption, password protection, and information security standards, ideally with Role-based Access Controls and a policy-controlled workflow engine that documents process compliance and flags or prevents any non-compliance in real time, should it occur. For example: should the IT Manager access HR records at 3AM? Should the CRM tool access HR records? Should an internal database be transmitted to a foreign actor by the ESB? Should an internal API be invoked by the foreign actor via the iPaaS solution?
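The policy questions above (who may touch which records, at what hour, and where data may be sent) are exactly what a policy-controlled workflow engine on the bus has to answer on every request. The following is an added example, not code from the article or from any ESB/iPaaS vendor: a small rule engine that combines Role-based Access Control, a time-of-day window, and an egress allow-list, and returns a decision with the reasons any request was flagged. All roles, resources, destinations and sample requests are constructed for illustration.

```python
"""Added example: a minimal policy engine for an ESB/iPaaS request stream.
Not from the article or any vendor; all names and rules are constructed."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class Request:
    principal: str                     # user or service invoking the bus
    role: str                          # role assigned to the principal
    resource: str                      # data set or API being accessed
    action: str                        # "read", "invoke" or "transmit"
    hour: int                          # local hour of the request, 0-23
    destination: Optional[str] = None  # where data would be sent (for "transmit")


# Constructed role-to-(resource, action) matrix: who may do what.
ROLE_PERMISSIONS = {
    "it_manager": {("hr_records", "read"), ("crm_api", "invoke")},
    "crm_service": {("crm_api", "invoke"), ("customer_db", "read")},
    "hr_service": {("hr_records", "read"), ("hr_records", "transmit")},
}

# Resources that may only be touched inside a business-hours window [start, end).
BUSINESS_HOURS_ONLY = {"hr_records": (8, 18)}

# Constructed allow-list of destinations for data leaving the enterprise.
ALLOWED_DESTINATIONS = {"internal", "US"}


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def evaluate(req: Request) -> Decision:
    """Apply RBAC, time-window and egress rules; every failed rule adds a reason."""
    reasons: List[str] = []

    # 1. Role-based access control: the role must hold this (resource, action) pair.
    if (req.resource, req.action) not in ROLE_PERMISSIONS.get(req.role, set()):
        reasons.append(f"RBAC: role '{req.role}' may not {req.action} {req.resource}")

    # 2. Time window: e.g. HR records are off limits at 3AM even for a permitted role.
    window = BUSINESS_HOURS_ONLY.get(req.resource)
    if window and not (window[0] <= req.hour < window[1]):
        reasons.append(f"TIME: {req.resource} access outside {window[0]:02d}-{window[1]:02d}")

    # 3. Egress control: data may only be transmitted to allow-listed destinations.
    if req.action == "transmit" and req.destination not in ALLOWED_DESTINATIONS:
        reasons.append(f"EGRESS: transmit to '{req.destination}' not allow-listed")

    return Decision(allowed=not reasons, reasons=reasons)


def audit(requests):
    """Evaluate a batch of requests; returns (request, decision) pairs for the audit log."""
    return [(r, evaluate(r)) for r in requests]


# Constructed sample traffic mirroring the article's four questions.
SAMPLE_REQUESTS = [
    Request("alice", "it_manager", "hr_records", "read", hour=3),                         # 3AM HR access
    Request("crm-svc", "crm_service", "hr_records", "read", hour=10),                     # CRM reading HR
    Request("hr-svc", "hr_service", "hr_records", "transmit", hour=11, destination="XX"),  # foreign egress
    Request("hr-svc", "hr_service", "hr_records", "transmit", hour=11, destination="internal"),
]

if __name__ == "__main__":
    for r, d in audit(SAMPLE_REQUESTS):
        status = "ALLOW" if d.allowed else "FLAG "
        print(f"{status} {r.principal}:{r.action}:{r.resource} hour={r.hour} -> "
              f"{'; '.join(d.reasons) or 'ok'}")
```

Only the last request is allowed; the first three are flagged for the time window, the role, and the destination respectively. In a real bus the `evaluate` call would sit in the message pipeline so that a flagged request is blocked (or at least logged with its reasons) before the payload leaves the enterprise.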
The Solution!
According to Gartner’s report entitled “Magic Quadrant for Web Application and API Protection,” solutions exist such as web application and API protection (WAAP), which are firewalls that have been extended with the following features:
- WAF: Web Application Firewall
- Distributed denial-of-service (DDoS) protection
- Bot management
- API protection
This is useful because such solutions can protect applications and APIs running on different types of host environments, such as web servers, service containers, and PaaS (Platform as a Service) solutions.
What’s at Issue with the Database Platform from Huawei: GaussDB?
Apart from the proprietary information stored in a database, Dark Reading has identified the following cybersecurity vulnerabilities for databases:
- Passwords and login credentials shared with a banned actor.
- SQL injections: when your database platform fails to sanitize inputs, attackers can execute SQL injections in the same way they do in web-based attacks, eventually allowing them to elevate privileges and gain access to a wide spectrum of functionality.
- Role-based Access Controls given to the database vendor: extensive user and group privileges provided.
- Increased attack surface from unknown vendor-specific features and access, including software updates and maintenance. What’s to prevent the vendor from sending out privileged data?
- Unsafe configuration management: what’s to prevent database replication to the outside?
- Buffer overflow vulnerabilities and denial-of-service attacks are common attack vectors; coming from a banned network solutions vendor increases this eventuality.
- Unencrypted data in motion, or keys in use being shared with rogue actors.
Now, what is at issue is that these platforms do not protect against rogue employees, whether at the enterprise or at the vendor of the database, ESB or iPaaS offering: people who are valid users during normal times but occasionally turn rogue. These platforms need to be trusted and verified, with policy-based controls, not to transmit any data other than for its proper usage.
This requires careful scrutiny of the security solution offered by the application, database, ESB and iPaaS vendors: the protection supported, whether the country the vendor is founded in is trusted, the security it provides along with the Role-based Access Controls offered, the security vulnerability assessments provided and verified, and whether the products are used and validated by trusted defense agencies, government agencies, or vendors in the security arena.
If the answer is no, as in the case of TikTok, Pinduoduo and Huawei’s ROMA/GaussDB solutions, enterprises and governments in Westernized democracies should explore other vendors that provide the correct security solutions.
Bio: Akshay Sharma is a Computer Engineer, tech analyst, and ex-Gartner analyst, having authored 280+ research notes on emerging technologies like Cybersecurity, 5G, and IoT. He has worked for Canada’s Dept of Defense, advised and deployed solutions with DISA (Defense Information Security Agency) at Nortel and Siemens, and advised various 3-letter agencies in the US. A frequent speaker at tech events, he is often quoted in leading outlets like CNN, the Wall St. Journal, and CIO.com. He is a former CTO of one of the first video/WiFi smartphone firms and an entrepreneur in the tech sector, having worked for firms that are now part of leading firms like Intel, IBM, Nokia, and Ericsson. He advised the UK’s Ofcom and the US Dept. of Homeland Security, was quoted in the Wall Street Journal on banning Huawei in 2012, and stated in the Huffington Post that the Chinese hacking of Nortel is a “wakeup call”. Sharma contributed to the Flight Control protocol ARINC 629 Databus used in commercial avionics and military fighter jets for “fly-by-wire” systems, including the newer Boeing 777X. Additionally, he is a Cybersecurity analyst and CTO for Kovair.com, with clients like the World Bank, India’s DRDO and US Defense sector clients.