Corporate espionage or fearmongering? The facts about hardware-level backdoors

Spying accusations against Chinese companies like Huawei have resulted in bans by US, UK, and Australian government agencies. Is there any technical merit to these charges?

Over the last few years, accusations of unlawful spying have been made against some of China's largest technology firms. Among the people making the allegations are former NSA and CIA head Michael Hayden, as well as in a 2012 House Intelligence Committee report. Accordingly, various government agencies in the United States, Canada, Australia, the United Kingdom, India, and New Zealand have banned the use of equipment made by various Chinese manufacturers under fears that hardware-level backdoors could exist in these products.

But, how feasible could creating such a backdoor be? In the age of the Web, and with organizations like iFixIt tearing each new gadget they can get their hands on apart, typically within a day of launch, how could such a backdoor be deployed without anyone noticing? A closer look into the claims being made and their technical feasibility is vital to understand if the accusations have merit, or are just fear mongering.  


Out of the companies targeted, Lenovo Is the most visible to consumers and IT professionals. Lenovo largely became a household name across the world after buying up IBM's PC business in 2005. Lenovo is partially owned by the PRC, through some abstraction: the state organization "Chinese Academy of Sciences" (CAS) owns 38% of Legend Holdings, which is Lenovo's largest shareholder at 34%.

Lenovo hardware is reportedly banned from the US CIA, as well as the UK's MI5 and MI6, as well as the Australian Security Intelligence Organization (ASIO) and Secret Intelligence Service (ASIS). As of the time of writing, no evidence of any wrongdoing on the part of Lenovo has been presented by any of governments who have banned their hardware from use in intelligence services.

On devices as open as computers, and especially with Lenovo's ThinkPad product line, which has been long venerated for being foremost among laptops designed with modularity in mind—featuring detailed disassembly manuals and readily available replacement parts—it is difficult to imagine that many opportunities exist to hide a hardware backdoor in a relatively open product. Combined with the fact that the vital components (processor, RAM, etc.) aren't made by Lenovo, there are few opportunities for Lenovo to introduce a hardware-level backdoor in a way that wouldn't be glaringly obvious to any engineer armed with a screwdriver.

Of note, it is important to remember that the BIOS/UEFI which ships on computers is controlled by either Phoenix Technologies, a California company, or American Megatrends, Inc., a Georgia company. The chances of a BIOS-level exploit are low, but it remains a technical possibility. For software-level exploits, best practice is always to wipe the drive of a new system and include a fresh installation of the operating system of your choice. This approach also does away with unhelpful crapware one typically finds on a new computer.


The recent criticism of Huawei has come primarily from ex-CIA and NSA head Gen. Michael Hayden, where, in an interview, he stated that Huawei has engaged in espionage on behalf of China. It is vital here to note that Hayden currently serves as a Director of Motorola Solutions, a competitor to Huawei. It is similarly important to note that Huawei and Motorola Solutions have been in a lengthy Intellectual Property dispute, which was settled in 2011 with Motorola paying an undisclosed sum to Huawei.

Huawei's statement on the comments made by Hayden called it "tired nonsense we've been hearing for years" and "politically-inspired and racist corporate defamation".

The technical merit behind the argument of Huawei spying on users is given life from the frequently opaque and closed nature of telecommunications equipment. Mobile phones are as closed off to the user as is possible to prevent tampering or unauthorized modification to the software or firmware to prevent users from accessing things that carriers typically charge more money for, such as tethering to a laptop. In turn, networking equipment is as closed off to the user as is possible to prevent particularly enterprising individuals from modifying their modems to do any number of undesirable things to the detriment of other network users. In short, there isn't a level of mutual trust between vendor and user, which has breathed life into claims of espionage.

Cognizant of those concerns, Huawei offered to disclose the source code to its products to be considered for a bid to build the Australian National Broadband Network (NBN), a process which it has been formally excluded from. This gesture has not dissuaded the NBN authority from barring Huawei the opportunity to submit a bid for building the network.


The case against ZTE is quite a bit stronger than it is against Lenovo and Huawei; actual evidence has been produced of a backdoor existing in a ZTE product. Last May, a backdoor was identified in the ZTE Score M, a budget-minded smartphone for US prepaid mobile carriers MetroPCS and Cricket. ZTE released a patch for the phone shortly thereafter, calling the exploit a "technical defect" that exposes units to "potential third-party exploitation".

In this instance, it might be more prudent to rely on Hanlon's razor: Never attribute to malice that which is adequately explained by stupidity. However, carelessness on the part of ZTE is all that a hacker—state-sponsored or not—requires to obtain sensitive information. If there is a reason to avoid ZTE products, it would be because of their lacking quality, or at least quality assurance procedures, not because of their complicity in spying. To their credit, the issue was patched quickly after it was discovered.

Final thoughts

The players in this debate appear all too willing to point fingers without providing hard evidence to support their claims. Surveillance activity has been a recurring topic in the news over the past several weeks, bringing worries of potential security threats to the forefront. The firms having accusations made against them are easy targets for their geographic location and business operations. However, hardware-level exploits are much more difficult to deploy without detection, and are more obvious than software exploits, which will likely continue to be the primary attack threat for the foreseeable future.


James Sanders is a Java programmer specializing in software as a service and thin client design, and virtualizing legacy programs for modern hardware. James is currently a student at Wichita State University in Kansas.

Editor's Picks