People's Republic of China-Linked Cyber Actors Hide in Router Firmware

HairyLeg

ULTIMATE Member
This one is for @JSHarris

CISA Report here:


Summary report from The Register


Update:

Here's Cisco's version


Worryingly there are no mitigations yet posted and radio silence on the other router manufacturers affected by the compromise.

Update 2:

Arstechnica hot take


What is stunning is CISA claim the hackers are swapping out the complete router firmware, while Cisco claim that's not possible. Somebody is not being truthful.
 
Interesting that it's Cisco, as there's been a long-standing issue over Huawei and their alleged theft of Cisco IP. Been going on for years, and although I think Cisco reached some sort of settlement it does strongly suggest that at least one Chinese company (and hence by default the Chinese state) may have been involved in nefarious practice for a long time.

Can't say I'm surprised at Cisco's response. Last thing they will do is freely admit to any vulnerabilities in their kit.
 
Nothing 'alleged' about it: in 2003-2004 Cisco sued Huawei for using copyrighted material without permission.

It was about 5 copied files in Huawei's routing software, one of which was a standard string function call that is present in most/all C software headers. Both parties agreed to settle, with no admission of liability by Huawei, and no further action was taken.

Quote:

<The litigation was between two private companies, not between governments. It’s not about the US or China and we respect the efforts the Chinese government is making to increase intellectual property protection. Rather, this dispute involved a very simple claim that one company used the other’s trade secrets and copyrighted materials without permission>

You can read Cisco's 2012 response on their blog right here.


The industry I work in euphemistically calls it 'bench-marking'. An anonymous purchaser buys the competitor's product, the company tears the product down, tests it, heats it, cools it, burns it, weighs it, reverse engineers the control software, and estimates its BoM and manufacturing costs. Another team collates the information and writes a summary report, then it's destroyed. This happens in every industry, and software is no different. There is nothing particularly concerning about any of this; it's open knowledge and it's businesses keeping up with and trying to overtake their competitors.

Huawei since 2010 have been stellar in their contributions to FOSS projects, they have been neck and neck with Intel for at least a decade as being the biggest contributors to the Linux kernel. There's never been any hint of code being rejected by the maintainers for suspicions or evidence of spying for China. There's often criticism of sloppy coding, but that's also true of many other companies or individuals.

Linux Kernel 6.1 shows Huawei as having 117 employees contributing code; you can choose an earlier or later kernel and the table looks pretty much the same.


Cisco on the other hand got lazy, outsourcing their software to India primarily but also China. Consequently Cisco's products are rife with software issues, from their telephone end points to their routers & switches. The market caught up with them and in many cases sells a better product for a fraction of the price.
 
The difference between the two is that Cisco aren't subject to laws that control everything they do, certainly not to the degree of control that could be exerted over Huawei. We may like to think that the US is too intrusive, and that the CIA and NSA can access any system they wish, but that's as nothing compared to the draconian powers that the Chinese government have over everyone (including all Chinese companies).

Here are three short articles from Chinese law that illustrate the level of control exerted:

National Intelligence Law
"Any organisation and citizen shall, in accordance with the law, support, provide assistance, and cooperate in national intelligence work, and guard the secrecy of any national intelligence work that they are aware of. The state shall protect individuals and organisations that support, cooperate with, and collaborate in national intelligence work."


Counter Espionage Law
"When State Security organs carry out the tasks of counter-espionage work in accordance with the law, and citizens and organisations that are obliged to provide facilities or other assistance according to the law refuse to do so, this constitutes an intention to obstruct the state security organs from carrying out the tasks of counter-espionage work according to law."

State Security Law
"Citizens of the People’s Republic of China, every state organ and the armed forces, each political party, the militia, enterprises, public institutions and social organisations, all have the responsibility and obligation to maintain state security."
 
The difference between the two is that Cisco aren't subject to laws that control everything they do, certainly not to the degree of control that could be exerted over Huawei.
I don't disagree with that but perhaps China are being more overt in their desire for control, whereas the US operates much more covertly and with many more decades of prior experience.

Snowden's leaks highlighted the extents that the US goes to to subvert technology products.

The earlier three letter agency/Crypto AG saga is a perfect example of US subversion in foreign government affairs.

Perhaps there are two things going on here: 1) Copyright theft (happens in every industry, and has since time immemorial) 2) State-organised spying (in Huawei's case that's yet to be proved; in Cisco's case it's proven that product has been tampered with in the factory en route to customers)
 
IPR theft has been rife in China for years. Copying stuff is the cultural norm there, as a friend of mine discovered a few years ago (although in his case it was Taiwan).

He used to make high end bicycles and partnered with a Taiwanese company to produce some of his parts. Didn't take long for his supposedly custom parts to be for sale from several other vendors. When he challenged his partner company in Taiwan they were (apparently) confused as to what his problem was. There was just no real understanding of the concept of someone holding any sort of design rights.
 
I've got an even better example about copying of very expensive capital equipment sold into China. It was subsequently stripped to its individual parts and then copied wholesale, except they were stupid enough to call for tech support as they didn't fully understand the control aspects when running the cloned machines back up.
 
Doesn't surprise me, TBH. Another thing I've noticed is that lots of Chinese companies make clones of the same design.

I bought a Chinese made lathe several years ago. Not a bad machine, but it needed a lot of fettling and adjustment to get it to work well. I broke one of the gears, and didn't hold out much hope of getting a replacement. To my surprise I discovered that several companies apparently unassociated with the one I'd bought the lathe from sold the same parts. Seems they were all just copying each other.

I can't help but wonder if these cultural differences regarding IPR and copying aren't at least a part of the reason for the anti-Chinese paranoia. The US, and to a lesser extent the UK, have long tried to protect the commercial interests of their own companies. Watching Chinese companies just copying stuff and selling it at a lower price may well be part of the reason for governments to sow seeds of suspicion about Chinese products.

Mind you, there is also the appalling safety record of a lot of Chinese made kit. I bought a battery charger from Amazon a few years ago. Chinese made and shipped from China (not that I noticed that at the time I placed the order). When it arrived I was suspicious about the mains cable, it was exceptionally thin and flexible. I tested the unit and was astounded to find that the mains live wire was connected directly to the battery charger negative lead! It had been assembled with the live and neutral crossed, used a switched mode power supply with zero isolation and the dodgy mains cable turned out to have very thin aluminium cores. It's a wonder there aren't more fires and deaths from dodgy electrical stuff like this.
 
I broke one of the gears, and didn't hold out much hope of getting a replacement. To my surprise I discovered that several companies apparently unassociated with the one I'd bought the lathe from sold the same parts.
Chinese standard gears, like 'not quite' or 'just a bit' helical bevel gears :unsure:
Watching Chinese companies just copying stuff and selling it at a lower price may well be part of the reason for governments to sow seeds of suspicion about Chinese products.
Good observation. China can do high quality/high technology without doubt; check their space and military programmes, or PV panels for example.

But China does shovelware exceptionally well as well, and much of the world, Europe included, wants cheap products (shame product safety isn't regulated more rigorously; Amazon takes zero responsibility for the products sold on its online bazaar).

Feels too much like the capitalist West exported manufacturing out to low-cost China in the 80s and 90s and now it's all coming home to roost. Now western governments are belatedly waking up to the 'potential' threat they pose.
 
I do wonder quite why we decided to bin product safety inspections. Used to be that anything sold here had to be "kite" marked, which showed it had been independently checked and was safe to use. Now we have the ubiquitous fake "China Export" mark, made to look as if the product carries a CE mark (not that a CE mark means anything). The new CA mark seems to be pointless, with zero enforcement for true compliance (much like the CE mark).

Given the increasing number of lithium battery fires caused, almost certainly, by dodgy Chinese made chargers and battery packs, I can't help but think that the old product safety checks were a pretty sensible idea. I wonder how many house fires are needed before we wake up and realise that we are being deluged with unsafe electrical goods.
 
made to look as if the product carries a CE mark (not that a CE mark means anything).
CE is a conformity assessment mark indicating that the product is in conformance with such and such ISO, EN or BS standard. It's not and has never been a "safety" mark like the BS Kitemark once was. Having said that, of course many of the international standards are 100% 'safety related', but not in the simplistic sense that the Kitemark was focused on.

CE is also self certifying, other than in very specific areas where a third party has to confirm conformity. Many companies use a 3rd party to verify their 'technical file' is in conformance as it can be easier to manage, but it doesn't have to be.

In the industries I work in CE marking is taken extremely seriously and is policed by the purchasers very thoroughly. In 20 plus years it's pretty much become the world standard for product quality and compatibility.

There was never any point in the UK gov creating another conformity mark given that the standards conformity is assessed against are pretty much all ISO or EN standards. Any divergence from those standards ends up being a 'National' (i.e. local) standard, which is of no interest to a purchaser anywhere else in the world. The government have finally realised this and dropped this stupidity.

Now we have the ubiquitous fake "China Export" mark
Actually surprised it wasn't a Tory government that came up with that solely to appease their anti-European members and antagonise European governments.

I do wonder quite why we decided to bin product safety inspections.
Did we? I thought it was still illegal to sell unsafe products. More likely 13 years of Tory government cuts that have gutted local product inspectors.
 
Did we? I thought it was still illegal to sell unsafe products. More likely 13 years of Tory government cuts that have gutted local product inspectors.

It is, but enforcement is so close to non-existent that the regulations may as well not exist. Councils fund Trading Standards and the last time I tried to get them to take action they were completely overloaded. They were honest enough to say that unless someone had been killed or seriously injured they would just put any complaint on file but not act on it.

Easy to understand how Trading Standards are viewed to be of lower priority than many other council funded activities. As things stand it's always going to be a post code lottery as to whether TS are any good in any particular area.
 
Because of Cisco router software being compromised by China based hacking groups or Huawei radio kit being removed from mobile phone networks?
Yep. Three (HK Hutchison) should be viewed as another example of the same firm that does this sort of thing; it's all controlled by the same entity, the CCP.
 
I don't think many people understand just how planned and calculated the moves by China to make every other country on earth dependent on them are. China doesn't have a free market economy. Everything that happens does so because it is part of a long term plan (a very long term plan - think decades, not years). China has never made a secret of this - they even publish their plans. Being a one-party dictatorship they have the luxury of being able to plan for decades ahead, plus they are very patient, as their government knows they will be in power for the foreseeable future.

Over the last 30 years or so China has pivoted away from trying to impose their ideology of communist one-party rule on the world. They realised that this wasn't the way to further their nationalistic aims first after the disaster of Mao Zedong's policies and then ultimately after the failure of Deng Xiaoping's policies in 1989.

Starting not long after Tiananmen Square and the downfall of Deng Xiaoping they shifted to exploit capitalism to its greatest extent in their aim to control the West, as well as clamping down on their own population, to suppress the putative separation of the CCP from the state that Deng Xiaoping was driving for.

Every exporting company in China is subsidised to some degree, to encourage them to export more goods. At the basic level this is by things like free finance from the state, state ownership of companies, tax breaks, provision of labour and almost free shipping from the state-controlled shipping and postal services.

The latter alone has had a tremendous impact on direct sales. No one can compete in online international market places with Chinese sellers. They offer below cost shipping charges, and those not only make their products more affordable outside of China, they also severely limit customer returns (it may cost more to return something than it's worth). A direct consequence of this is that it puts Western sellers and manufacturers out of business, which was, of course, the aim of the plan.

The result has been a massive boom in exports, that have done exactly as the CCP planned around 30 years ago, they've made much of the world dependent on China. We are now seeing the same with cars. Ten years ago there were virtually no Chinese cars on the market. Now China is one of the largest suppliers of cars here in the UK - my guess is that Chinese made cars will soon completely dominate our new car market. They are undercutting every other car manufacturer, something they can do thanks to the helping hand every Chinese manufacturer gets from their government.
 
There's a lot to unpack there so I'll just tackle the last paragraph.

We are now seeing the same with cars. Ten years ago there were virtually no Chinese cars on the market. Now China is one of the largest suppliers of cars here in the UK - my guess is that Chinese made cars will soon completely dominate our new car market

No, no and thrice no. Not even close to being factually accurate.

And the first Chinese brand is here GM Ora with 68 cars.


VW alone sold two thousand times as many cars as the best-selling Chinese vehicle.

Source: SMMT UK.


In 2023 sales picked up a little:

BYD - 213 vehicles
GM Ora (Good Cat Ora) - 459 vehicles
Other imports - 1141 vehicles
Out of a total of 1.18 million vehicles sold to date in the UK in 2023.

Source: SMMT UK.


So there are still virtually no Chinese cars on the road 10 years after you claim it started, because people still largely want to drive BMW, MB, Audi or Land Rover or another premium brand from Europe, not the US, not Japan and definitely not China.

(Can't find the emoji of me banging my head against a desk)
 

We are going to all be driving EVs within a few years. My wife and I have been driving an EV for years. Take a look at what China is doing with EVs. They are currently outselling many other brands, in particular MG (which has nothing to do with the old British company of the same name) have been doing very well, undercutting most other brands of EV. Other Chinese owned manufacturers are also doing well, like Volvo/Polestar, not to mention that all Tesla Model 3s sold here come from China.

Trying to find an EV that's not made in China is going to become increasingly difficult. It may well be that legacy car makers are still doing OK, but they are being very slow to adapt and China is way ahead of the game when it comes to EVs. They planned this more than 15 years ago, and they will dominate the UK market before long. Have a read of this if you want to see what the future holds: https://www.driving.co.uk/news/busi...for-an-influx-of-chinese-electric-car-brands/

Or how about this article: https://www.telegraph.co.uk/business/2023/08/06/china-electric-cars-invasion-britain-security-risks/

In the past year, China has leapfrogged Germany and Japan to become the world’s biggest exporter of cars, shipping 1.07 million abroad in the first quarter of 2023.

The boom is being driven by the country’s emergence as a powerhouse in battery-electric vehicles (BEVs), the culmination of years of planning and massive state subsidies.

Already, more than one in four cars being exported by China are BEVs, with the total expected to hit 1.3 million this year alone.
 
We are going to all be driving EVs within a few years
Because of government legislation, not because people prefer to buy them. Judging by the sales figures people are not buying them (yes, I know VW have BEVs in their model range, as do MB, BMW and all the others).
My wife and I have been driving an EV for years.
Ex-Tesla owner here. I sold it (before they dropped their prices, luckily) because it was an unreliable and badly made PoS and Tesla service was appalling.

Back to a Euro made VW group diesel
Take a look at what China is doing with EVs. They are currently outselling many other brands,
That's not what the sales figures above show.
Other Chinese owned manufacturers are also doing well, like Volvo/Polestar
You've just moved the goalposts. You first claimed Chinese made, now you're qualifying your point by manufacturers being Chinese owned...

Trying to find an EV that's not made in China is going to become increasingly difficult
That's one opinion; it may or may not end up being true. Who knows, but on sales figures so far it's going to take a decade or more to find out if that's true, despite what The Sunset Times writes.

They planned this more than 15 years ago, and they will dominate the UK market before long.
Your tin foil hat needs relining, those 5G nano-o-wave particles are scrambling your noggin! (Tesla would also like a word as well)
 