Huawei, ZTE and COTS

As you've by now read, Congress issued a report the other day condemning Huawei and ZTE for potential security concerns in the telecom hardware they manufacture.  Others have, not inaccurately, suggested that the report was strong on reporting about the potential for vulnerabilities, but short on details about actual intrusions that have been observed.  For myself, I think that the absence of evidence is not necessarily evidence of absence, but also recognize that proof that there really are hardware vulnerabilities in Commercial Off-The-Shelf (COTS) technology is hard to come by. That's why I found this report in today's Washington Post so interesting.  Buried in a story (which otherwise gave us the unremarkable information that China objects to the House Intelligence Committee's report) was one of the few public reports of a hardware COTS hack that I've ever seen in the public domain.  It seemed, therefore, worth noting for Lawfare readers.  According to the Post:

A team of security analysts studying Android phones several months back found a back door in a device made by ZTE. If the analysts typed in “ZTEX1609523,” they gained complete control over the phone, allowing them to monitor text messages, listen to calls or install malicious programs. “It certainly was something that was put in there intentionally,” said Dmitri Alperovitch of CrowdStrike, one of the security analysts who discovered the back door, which he called “very unusual.” “You could remain stealth on that device and do whatever you want.” The company quickly issued a fix after the discovery became public, but Alperovitch said he advises his clients not to buy either ZTE or Huawei products.

Caveat emptor.