While many of us were enjoying some time off for Thanksgiving, the US government took drastic action against Huawei and four other Chinese companies. The hardest hit are Huawei and ZTE, as the ban prevents any new products from being approved for the US market. The other three companies are Dahua and Hikvision, which make video surveillance equipment, and Hytera, which makes radio systems. FCC Commissioner Brendan Carr noted the seriousness of the decision.

[As] a result of our order, no new Huawei or ZTE equipment can be approved. And no new Dahua, Hikvision, or Hytera gear can be approved unless they assure the FCC that their gear won’t be used for public safety, security of government facilities, & other national security purposes.

There is even the potential that previously approved equipment could have its authorization pulled. The raw FCC documents are available, if you really wish to wade through them. What’s notable is that two diametrically opposed US administrations have both pushed for this ban. It would surely be interesting to get a look at the classified reports detailing what was actually found. Maybe in another decade or two, we can make a Freedom of Information Act request and finally get the full story.

Fuzzing for Recollapse

[0xacb] has a fun new technique to share, that he calls REcollapse. It’s all about regular expressions that get used in user input validation and sanitation. Regex is hard to really get right, and is full of quirks in how different languages and libraries implement it. A simple example is an email address that contains “punycode” — non-ASCII Unicode characters. It’s perfectly legitimate for an address to contain Unicode, but many normalization schemes collapse unicode strings down into the nearest approximation of ASCII. Take exámple.com and example.com. If some part of a web service sees these as the same thing, and another backend service keeps sees them as unique, that mismatch could allow account takeover. Enter your email here to receive a password reset link.

The novel thing here is a structured approach to fuzzing for these problems. [0xacb] suggests identifying “regex pivot positions”, places in a string where there could be unexpected or inconsistent regex matching. A very different example of this is the end-of-string symbol, $. A developer might use this to specify that a given pattern should only be matched when it’s at the very end of a string. But what happens when there’s a newline embedded in the string? It depends on the language. Yikes!

REcollapse is now available as an Open Source tool, and works great to feed fuzzing inputs into an automated tool. Run it against a target, and watch for different responses. Find something good enough, and profit!

Phishing With Smart Watches

The team at Cybervelia have cooked up yet another way to spear-phish a target. Many of us have smart watches, and one of the most useful functions of those wrist-mounted marvels is to glance at a SMS or other message without fishing out a phone. Could an attacker, with a Bluetooth Low Energy antenna, spoof a text message to a nearby smart watch? After some reverse engineering work, absolutely. With the right message, like “need help, 2nd floor”, the target might just start moving without checking the phone and discovering the spoof.

Real-time Malware Hunting

This one’s fun, as the researchers at Phylum found yet another malicious PyPi package campaign back on the 15th. Their tooling alerted them to the activity very early in the campaign, as packages were being uploaded and the payload was still being fine-tuned. That payload was being developed on Github, so there was only one thing to do.

The union of memes and security research is a wondrous thing. The packages were reported, removed, and it looks like this particular malware campaign was eliminated before it really got started.

This does lead to a hilarious tangent from Phylum, about some of the laughably terrible attempts at malware they’ve discovered in other campaigns. There’s a certain poetic justice to be found in malware refusing to run, because the deobfuscation routine checks for the acknowledgement string and errors out when it’s tampered with.

Lastpass Breach Continued

Lastpass has updated their security incident report, noting that there seems to have been follow-on access of data. They noticed “unusual activity within a third-party cloud storage service”, which usually means Amazon’s AWS. The story here seems to be that a token to the storage service was snagged during the August compromise, and was just now used for more mischief. This does raise some uncomfortable questions about how well Lastpass understands what data was accessed in the earlier breach. That said, cleaning up after an incident is a complicated task, and missing a single AWS token in the action is all too easy.

Another “Legitimate” Commercial Spyware Vendor

In the just-what-we-needed category, the latest report from Google’s Threat Analysis Group names Variston as previously unknown player in the commercial malware game. Like NSO Group and others, Variston seems to have access to 0-day exploits in multiple devices and platforms.

A trio of bug reports were opened in the Chrome bug system, and each contained a mature framework and exploit code for a serious bug. Each of these were known and fixed bugs, but piecing together the clues would indicate that they were being used as 0-days by a vendor, probably Variston. It’s not uncommon for the “legitimate” spyware authors like the NGO Group, the NSA, and others, to properly report bugs once they’ve finished exploiting them, or assumably once a target has discovered the exploit.

500 Years Later

There’s a concept in encryption, that pretty much any encryption scheme is theoretically breakable, given enough time and technological innovation. As an example, see the rate at which quantum computers are developing, and the predicted breakdown of some classical crypto. The philosophy that spills out of this reality is that crypto just needs to be strong enough, that the secrets being protected are entirely stale by the time technology and computing power catch up. Which finally brings us to the story, that Emperor Charles V got nearly 500 years out of his cipher. Probably strong enough.

It turns out that this cipher had some clever elements, like multiple symbols that didn’t mean anything at all, just to make it harder to figure out. The real breakthrough was finding a cipher text that had been loosely translated. It was enough to finally figure out the basic rules. So what was in the central letter that was finally deciphered? Political maneuvering, fears of assassination, and a conspiracy to spread fake news to downplay a setback. Some things never change.

Font Fingerprint

There was a Reddit post over the break that caught our attention, where a user wired money online from his bank in England to Kenya, to pay for a trip. It was a legitimate transaction, but triggered the fraud protection from his bank. In the conversation with the fraud department, one of the flags for possible fraud surprised the Redditor in question: You have TeamViewer installed on your computer.

Now wait. That’s a bit disconcerting, a website can see your list of installed programs? No, not directly. There is no web API to list applications, at least, not since ActiveX died. However, there is an API to list installed fonts. And since Teamviewer brings its own font, it’s pretty easy to detect when it’s installed. And let’s face it, a remote controlled desktop is a reasonable flag for malicious activity. So now you know, your fonts may just be fingerprinting you.

Bits and Bytes

The Google Play store has ejected a pair of mildly popular apps, that were spying on users’ SMS messages. The data collection was incidental, and the real point was to enable fake accounts on various web services, using the victim’s cell phone numbers. Need a hundred Twitter accounts? Rent access to a hundred compromised phones, to use those numbers for the activation flow.

Need to get something past a plagiarism checker? Just rot13 and change the font! It’s a silly demonstration, but it does indeed work. Make your own font to change the letter mapping, and then apply the reverse mapping to the underlying text. To the human eye, it’s the same, but to an automated tool it’s garbage. Save as PDF, and off you go. While circumventing a plagiarism filter is a bad idea, this could have other, more positive uses, like censorship circumvention.

Black Hat 2022 videos are available, only three months later. There are some fun presentations in here, like the Starlink hack, analysis of real-world malware campaigns, and lots of software getting compromised. Enjoy!

China has reacted angrily to reports that the United States has stopped approving licences for American companies to export most items to China’s hi-tech company Huawei, accusing the US of deliberately targeting Chinese companies under the pretext of national security.

US officials are creating a new formal policy of denial for shipping items to Huawei that would include items below the 5G level, including 4G items, wifi 6 and 7, artificial intelligence, and high-performance computing and cloud items, according to a Reuters report that quoted unnamed sources.

Another source told Reuters the move was expected to reflect the Biden administration’s tightening of policy on Huawei over the past year. Licences for 4G chips that could not be used for 5G, which might have been approved earlier, were being denied, the person said.

In November, the Biden administration banned approvals of new telecommunications equipment from Huawei and ZTE because they pose an “unacceptable risk” to US national security.

At a regular press conference in Beijing on Tuesday, the Chinese foreign ministry spokeswoman, Mao Ning, accused the United States of deliberately using an overly broad notion of national security to suppress Chinese firms.

“China strongly opposes the US’s unscrupulous and unjustified suppression of Chinese companies by stretching the concept of national security and abusing state power,” Mao said.

“Such moves violate the principle of market economy and international trade rules, dampen international confidence in the US business environment,” she told reporters.

A US commerce department spokesperson said officials “continually assess our policies and regulations” but did not comment on talks with specific companies.

Huawei and Qualcomm declined to comment. Bloomberg and the Financial Times earlier reported the move.

American officials placed Huawei on a trade blacklist in 2019 restricting most US suppliers from shipping goods and technology to the company unless they were granted licences. Officials continued to tighten the controls to cut off Huawei’s ability to buy or design the semiconductor chips that power most of its products, although licences were granted that allowed Huawei to receive some products. For example, suppliers to Huawei got licences worth $61bn to sell to the telecoms equipment giant from April through November 2021.

Huawei has faced US export restrictions around items for 5G and other technologies for several years, but the US Department of Commerce has granted licences for some American firms to sell certain goods and technologies to the company. Qualcomm in 2020 received permission to sell 4G smartphone chips to Huawei.

In December, Huawei said its overall revenue was about $91.53bn, down only slightly from 2021 when US sanctions caused its sales to fall by nearly a third.

MUNICH, Germany — As the world’s security elite gathers in Munich this week, they’ll be connecting their mobile phones to Chinese telecoms equipment surrounding the venue.

Heads of state, security chiefs, spooks and intelligence officials head to Germany on Friday for their blue-riband annual gathering, the Munich Security Conference. On the event’s VIP list are U.S. Vice President Kamala Harris, German Chancellor Olaf Scholz, French President Emmanuel Macron and hundreds more heads of state and government, ministers and foreign dignitaries.

The gathering takes place at the five-star Hotel Bayerischer Hof. From its ice-themed Polar Bar on the hotel’s rooftop, you can overlook the city's skyline, spotting multiple telecommunications antennas poking between church steeples. Some of these antennas, within 300 meters of the hotel, are equipped with hardware supplied by controversial Chinese telecoms giant Huawei, POLITICO has learnt through visual confirmation, talks with several equipment experts and information from industry insiders with knowledge of the area’s networks. 

One mast, on top of the Hotel Bayerischer Hof building itself, is also potentially equipped with Huawei gear, talks with two industry insiders suggested.

The question of whether to allow Chinese 5G suppliers into Western countries in past years became a bone of contention between Berlin on the one hand and Washington and like-minded partners on the other. This week’s gathering also comes as the U.S. continues to call out Germany’s economic reliance on Beijing, with a new report showing the German trade deficit with China exploded in 2022, and amid sky-high tensions between Washington and Beijing over surveillance balloons hovering over the U.S., Canada and elsewhere.

“The dependence on Huawei components in our 5G network continues to pose an incalculable security risk,” said Maximilian Funke-Kaiser, liberal member of the German Bundestag and digital policy speaker for the government party Free Democratic Party (FDP). 

“The use of Huawei technology in the mobile network here runs counter to Germany's security policy goals,” Funke-Kaiser said, calling the vendor’s involvement in German 4G and 5G “a mistake in view of the Chinese company's closeness to the state.”

Huawei has consistently denied posing a security risk to European countries. 

Delving into data

Despite extensive reporting, POLITICO was unable to gather on-the-record confirmation of which vendor’s telecoms equipment was used for which masts. Operators and vendors refused to disclose the information, citing contractual obligations, and local authorities said they didn’t have the information available.

The security risks associated with Huawei equipment also vary, and differ even among close allies in the West. Some capitals argue the real risk of Chinese telecoms equipment is the overreliance on a Chinese firm in an unstable geopolitical situation — much like Europe relied on Russian gas for its energy needs.

But others argue that the risk runs deeper and that China could use Huawei’s access to equipment and data in European mobile networks — especially in areas of critical importance and high sensitivity — to put the West’s security at risk. Huawei has been implicated in a number of high-profile espionage cases, including at the African Union Headquarters.

When asked about Huawei’s presence in Munich, Mike Gallagher, a Republican and Chairman of the U.S. House select committee on China, said POLITICO’s findings were “troubling” and “should concern every individual attending the conference.” 

The chair of the U.S. Senate intelligence committee, Mark Warner, a Democrat who’s attending the conference, said it was “a timely reminder that we must continue to work with like-minded allies to promote secure and competitively priced alternatives to Huawei equipment.”

U.S. Senate intelligence committee Vice Chair Marco Rubio (Republican, Florida) said U.S. diplomats “should be aware of the risks and take necessary precautions.”

Munich networking

From a 2007 speech by Russia’s Vladimir Putin to U.S. President Joe Biden’s virtual address at the start of his mandate in February 2021, the conference strives to set the global diplomatic and international relations agenda. Its organizers see it as an open space for debating geopolitics and world affairs, with attendees ranging from across the world and an advisory board where Chinese state officials sit alongside Western diplomats and titans of industry.

The conference’s guest list reveals something else too: The gathering is seen as critical by U.S. government officials. This year, the U.S. is sending its largest delegation yet, with Harris flanked by dozens of government officials, security chiefs and congresspeople, including Democrat leader Chuck Schumer, Republican leader Mitch McConnell and others.

For these U.S. attendees — and the Western partners that see eye to eye with the U.S. position on China’s telecoms giant Huawei — the networks around the premises prove troublesome.

An online map on the website of Germany’s telecoms agency, the Bundesnetzagentur, shows 13 locations for masts and antennas surrounding the Hotel Bayerischer Hof. The agency also provides information about which of the country’s three main operators — Deutsche Telekom, Vodafone and Telefónica — use which locations. 

POLITICO shared photos of seven masts near the hotel with four experts specialized in telecoms radio access network (RAN) equipment. These experts established that at least two were equipped with gear of Chinese telecoms giant Huawei.

If a network operator has one mast equipped with Huawei in Munich, it likely equips all masts in the area with the same vendor, two industry insiders said. Operators usually use one provider for larger areas. This means at least one other location is also likely equipped with Huawei gear, the insiders said. Three other locations, including the mast on the roof of the conference venue, are used by an operator using Huawei equipment but those locations are part of infrastructure that is shared by several operators, meaning there's a chance these are equipped with Huawei gear but it's unconfirmed. 

The findings are in line with accurate reports on Germany’s telecoms infrastructure.

Europe’s largest economy is a stronghold for Huawei in the West. A report by boutique telecoms intelligence firm Strand Consult estimated that Germany relies on Chinese technology for 59 percent of its ongoing 5G network deployment. The country already had a massive reliance on Chinese equipment in its 4G network, where Strand estimated Huawei accounts for 57 percent. 

“If you look at the percentage of Chinese equipment in Germany, you could say it is the most unsafe country in Europe,” said John Strand, founder of Strand Consult. “Welcome to the Munich Security Conference: We can’t certain your security,” he quipped.

Black hole of telecoms intelligence

Establishing with certainty just how many of the 13 masts are equipped with Chinese telecoms gear is extremely difficult. Both German operators and their vendors have a policy to not communicate what equipment they’re using in which locations, citing contractual obligations on confidentiality. 

Deutsche Telekom and Vodafone confirmed that they use Huawei in their German antenna networks. Telefónica said they use “a mix of European and international network suppliers” in Germany. Yet, all declined to comment on whether they use Huawei in Munich. 

Ericsson, Nokia and Huawei all declined to comment on whether they were providing gear in the greater Munich area, referring questions to the local operators.

Government regulators, too, divulge no details of which suppliers provide gear for certain locations. The Federal Network Agency and the Federal Office for Information Security admitted they don’t know which equipment is fitted to which mast; both referred to the interior ministry for answers. The interior ministry said it “does not usually know which critical components are installed on which radio mast in detail.”

The Hotel Bayerischer Hof forwarded questions about mobile infrastructure on its roof to the security conference’s organizers.

The Munich Security Conference itself said in a statement: “As a matter of principle, we do not comment on the exact details of the infrastructure used for the main conference in Munich. We are in close contact with all relevant authorities in order to secure the conference venue, the participants and the digital space accordingly.” 

The Federal Office for Information Security (BSI) does provide its own security networks for official events, but the Munich Security Conference is “outside the responsibility of the BSI,” the BSI said in an email.

Germany's telecoms ambiguity

Through its 5G equipment it is feasible for Huawei to spy on users of a network or to disrupt communications as the very design of 5G makes it harder to monitor security, the head of the U.K.'s intelligence service MI6, Alex Younger, said to an audience in his second public speech.

But John Lee, director of the consultancy East-West Futures and an expert on Chinese digital policy, said it’s “not a clear cut technical case” as to whether Huawei equipment in current telecoms networks represents a material security risk.

“Some non-Western countries are proceeding to upgrade their telecoms infrastructure with Huawei as a key partner,” Lee said. “This is still mainly a political issue of how much suspicion is placed on the ambitions of the Chinese state and its relationship with Chinese companies.”

In an effort to coordinate a common approach to vendors, the EU developed “5G security toolbox” guidelines in 2019 and 2020 to mitigate security risks in networks. Some major European countries, including France, have imposed hard restrictions for their operators, including by limiting the use of “high-risk vendors” — a term widely understood across Europe to be Chinese vendors Huawei and ZTE — in certain strategic geographic areas.

In Germany, however, policymakers took years to agree on their framework for 5G security. In April 2021 — more than a year after the EU’s joint plan came out — it passed measures that allowed the government to intervene on operators’ contracts with Chinese vendors. 

But those interventions haven’t barred the use of Huawei in certain geographical areas yet. 

And the interior ministry — which has veto power to ban or recall certain components if they see them as an “impairment of public order or safety” — hasn’t intervened much either, a ministry spokesperson said via email. 

Up till now, the spokesperson said, specific orders to cut Huawei from German networks “have not been issued.” 

Alex Ward, Maggie Miller and Tristan Fiedler contributed reporting.

Introduction

One of the world’s leading providers of fifth-generation (5G) mobile technology, Huawei is a Chinese telecommunications giant that has stoked fears of espionage and intellectual property theft in the United States and many other countries. In response, Washington and its allies have imposed sweeping restrictions on Huawei as part of a larger crackdown on Chinese technology companies. 

Some experts warn that tensions between Washington and Beijing over technology could lead to a “digital iron curtain,” which would compel foreign governments to decide between doing business with the United States or China.

What is Huawei?

It is the world’s largest provider of 5G networks and a leader in sales of telecommunications equipment. Based in Shenzhen, China, Huawei sells its products domestically and internationally. In the United States, it has helped provide connectivity in rural areas of Alabama, Colorado, Oklahoma, and other states.

Ren Zhengfei, the company’s billionaire CEO, founded Huawei in 1987. With more than 190,000 employees, according to its website, Huawei claims to be a private company fully owned by its employees, though its precise ownership structure is unknown.

Why is it so controversial?

In accurate years, the United States and several other countries have asserted that the company threatens their national security, saying it has violated international sanctions and stolen intellectual property, and that it could commit cyber espionage. Many U.S. policymakers view Huawei as a commercial extension of the Chinese Communist Party (CCP).

Cyber espionage. The main concern, according to U.S. intelligence agencies, is that the Chinese government could use Huawei to spy. Officials, primarily in the United States but also in Australia and several other countries, point to intentionally vague Chinese intelligence laws that could be used to force Huawei to hand over data to the Chinese government. (The United States has not publicly provided evidence that this has happened.) There are also concerns that Huawei’s 5G infrastructure could contain backdoors that allow the Chinese government to collect and centralize massive quantities of data and deliver Beijing the necessary access to attack communications networks and public utilities. In 2022, an FBI investigation found that Huawei equipment can be used to disrupt U.S. military communications, including those about the U.S. nuclear arsenal.

Congress began receiving warnings about Huawei as early as 2012, when a U.S. House Permanent Select Committee on Intelligence report [PDF] concluded that using equipment made by Huawei and ZTE, another Chinese telecommunications company, could “undermine core U.S. national security interests.” In 2018, six U.S. intelligence chiefs, including the directors of the CIA and FBI, cautioned Americans against using Huawei products, warning that the company could conduct “undetected espionage.”

At the heart of Washington’s concerns is 5G, the latest technology standard for cellular networks, which provides faster get speeds for smartphones, connects devices in smart cities, and supports autonomous vehicles and robots. “5G is a different type of risk versus 4G or 3G. It’s much harder to separate the core from the periphery,” says CFR’s Adam Segal. “Once you have those risks, you have to trust the company much more. But it is difficult to trust Huawei, given the relationship between companies and the Communist Party.”

Intellectual property theft. U.S. companies and global telecom firms have for years accused Huawei of stealing trade secrets, starting with Cisco’s 2003 lawsuit alleging that its source code appeared in Huawei products. (The suit was later settled.) In 2017, a U.S. jury found Huawei guilty of stealing intellectual property from T-Mobile, and in 2020, the U.S. Justice Department charged Huawei with racketeering conspiracy and conspiracy to steal trade secrets. According to the indictment, these violations allowed Huawei to “drastically cut its research and development costs and associated delays, giving the company a significant and unfair competitive advantage.” 

Trade violations. The United States claims that Huawei has violated sanctions on Iran and North Korea. A federal indictment unsealed in January 2019 against Meng Wanzhou, Huawei’s chief financial officer and Ren’s daughter, said that Huawei defrauded banks in order to do business with Iran and obstructed justice in the process by destroying evidence. Meng was detained in Canada in 2018 at the request of the United States, which was seeking her extradition. In 2021, she reached a deferred prosecution agreement with the U.S. Justice Department, which later dropped the charges against her.

How much sway does Beijing have over tech companies?

The government has considerable sway over Chinese private companies through heavy regulation, including the requirement that they establish CCP branches within them, and state-backed investment. Executives of many of the biggest companies are party members, including Alibaba cofounder Jack Ma and Huawei founder Ren, who served as an engineer in the People’s Liberation Army during the Cultural Revolution.

Under President Xi Jinping, the lines between public and private have become even more blurred. Experts have observed that the CCP is working to boost its influence over private industry, especially tech companies. In accurate years, state-run companies and local governments have invested more in private firms. Foreign news organizations have also reported that the government could start pressuring tech companies to offer the party direct ownership stakes and deliver party members even greater roles in management. While there is no evidence that this has happened at Huawei, Beijing has taken a stake in an entity owned by ByteDance, the parent of video-sharing monolith TikTok.

Some experts and U.S. officials also point to vague Chinese laws that could be used to force Huawei to help the government with intelligence gathering. For example, the National Security Law [PDF], enacted in 2015, states that citizens and enterprises have the “responsibility and obligation to maintain national security.” The 2017 National Intelligence Law [PDF] declared that Chinese companies must “support, assist, and cooperate with” China’s intelligence-gathering authorities. These laws have prompted additional U.S. concerns that TikTok could share user data with the Chinese government. 

Huawei has distanced itself from the CCP, repeatedly asserting that its equipment has never been used, and will never be used, to spy. In January 2019, Ren said he “would never harm the interest of my customers” and that Huawei would not answer government requests for intelligence. In May 2018, Huawei commissioned a report [PDF] from a Chinese law firm supporting its argument that it cannot be forced to spy, but other lawyers in China and around the world said the law has never been tested. The Chinese government has also gone to bat for Huawei, saying it would “take all necessary measures to safeguard” Chinese companies.

How did Huawei become so dominant?

Huawei became the world’s largest telecommunications company over three decades, reporting $138 billion in revenue in 2020, a 12 percent jump from the previous year. This success has helped drive suspicion that the Chinese government has played a more significant role in the company in accurate years than its leaders have let on.

In 1996, both the government and military began treating Huawei as an official “national champion,” a status reserved for firms that bolster China’s strategic aims. The move highlighted a shift in official policy. From then on, Beijing explicitly supported domestic telecom companies—and Huawei even more than others [PDF]—to prevent foreign domination of the industry. The Chinese government ensured Huawei had easy access to financing and high levels of government subsidies—up to $75 billion in state support since the company was founded. 

These underpinnings have allowed Huawei to price its network equipment below foreign competitors’ rates; a European Commission investigation found that Huawei has underbid its competitors by up to 70 percent. Experts said that Huawei’s prices would not have even covered the cost of producing their parts without subsidies. Chinese state banks also provide countries with low-interest loans to use Huawei’s equipment.

Huawei says its low prices are the result of technological expertise—a claim with some merit, according to industry experts. Huawei’s annual research and development (R&D) budget is among the world’s largest, and Ren says his firm spends more on it than most publicly listed firms can. At over $22 billion in 2021, Huawei’s R&D expenditures rank alongside those of Alphabet (Google’s parent company) and Amazon; when R&D is measured as a percentage of sales, Huawei’s expenditures are proportionally double.

U.S. actions against Huawei continued to build throughout the Trump presidency: in 2019, Trump signed an executive order prohibiting U.S. companies from doing business with Huawei, and the Commerce Department added the company to its “entity list,” restricting it from buying U.S. goods. Shortly after, Google said it would restrict Huawei’s access to its products, including its Android operating system; a new Huawei phone unveiled later in the year didn’t come with Android apps.

The department cracked down further in May 2020, issuing new rules to block foreign semiconductor manufacturers that use U.S. machines and software from shipping products to Huawei without a license. Prior to the bans, Huawei said it relied on U.S. software, microchips, specialty lasers, and other products for one-third of its supply chain, amounting to $11 billion. More than one hundred Huawei affiliates have been added to the commerce department’s entity list since then, crippling the company’s ability to obtain critical U.S. goods. 

Other government agencies have followed suit. In November 2019, the Federal Communications Commission (FCC) voted to designate Huawei and ZTE as national security threats, which prevents U.S. internet providers from using federal funds to purchase the tech companies’ equipment. Huawei filed a legal challenge, but the FCC’s decision went into effect in June 2020. That same year, Congress provided $1.9 billion to the FCC for the agency to remove Huawei equipment from existing U.S. networks. The Trump administration also imposed visa restrictions on Huawei employees it says contribute to human rights abuses committed by the Chinese government, including against Uyghurs in China’s Xinjiang region

President Joe Biden has upheld restrictions against Huawei and introduced new bans that have further hamstrung the company. In November 2021, Biden signed a bill aimed at preventing Huawei and ZTE from receiving equipment-making licenses from U.S. regulators, including the FCC. A year later, in November 2022, the FCC adopted new rules that prohibited the sale of some communications equipment made by Huawei or ZTE in the United States, citing “unacceptable” national security risk. And in January 2023, the Biden administration stopped providing licenses for U.S. companies to export goods to Huawei. Biden has also taken such measures beyond Huawei, signing legislation that precludes any Chinese manufacturer from obtaining chips or chipmaking equipment made with U.S. parts anywhere in the world.

Despite the restrictions, the Commerce Department has allowed some business activities that it says do not pose significant risks to U.S. national security. Since 2017, the Trump and Biden administrations have allowed over $60 billion [PDF] in transactions between Huawei and U.S. firms. 

Some critics say that while the restrictions have handicapped Huawei, they would be even more effective if combined with a U.S.-led alternative. “A principal reason that the United States has not had more success in persuading countries not to use Huawei equipment is that it cannot offer an alternative,” CFR’s David Sacks writes. “The United States does not and will not have a company that is competitive in the full stack of 5G equipment.”

 To get more countries to wean off Huawei, Sacks argues that the United States should finance European competitors’ 5G networks and develop open radio access networks, a system that would allow multiple companies to provide different components of a singular 5G network. Meanwhile, it should fund research and development to better compete in sixth-generation (6G) technology, which is expected to replace 5G within fifteen years.

How has Huawei responded to the bans?

It’s not just the United States that has banned Huawei. Washington has pressured its allies to follow suit, even threatening to stop sharing intelligence with countries that use Huawei. The countries of the so-called Five Eyes intelligence alliance—The United States, Australia, Canada, New Zealand, and the United Kingdom—have banned or are rolling out bans of Huawei. Other U.S. partners, such as Belgium, Denmark, Estonia, France, Lithuania, Poland, Romania, and Sweden have restricted the use of Huawei equipment in the construction of their 5G networks. 

Experts say that the bans have caused Huawei to reprioritize its domestic market due to a shortage of international business. In 2020, Taiwan Semiconductor Manufacturing Company (TSMC), the world’s largest chip supplier, halted business with Huawei, citing U.S. export controls. TSMC had supplied over 90 percent of Huawei’s smartphone chips. Because of the semiconductor restrictions, Huawei has had “to exit whole lines of business, because [they] don’t have access to advanced semiconductors because of these export controls,” CFR’s Sacks says. While Huawei accumulated a limited number of semiconductors before the bans took effect, it reportedly ran out in late 2022. The shortage has hurt Huawei’s bottom line: in 2021, the company reported $95 billion in revenue—a 23 percent drop from 2019 levels.

Why are some countries resisting the bans?

Other countries, especially those participating in China’s Belt and Road Initiative, are already using or have agreed to use Huawei’s equipment to build 5G networks.

Many have been attracted by the company’s ability to provide high-quality networks for low prices. Huawei is helping Malaysia and Russia build their 5G networks, and it has signed contracts to build 5G networks for a number of countries in Latin America.

Authorities in potential markets that have not ruled out using Huawei, including several European countries, argue that security risks are inherent in all 5G networks, regardless of the supplier. They acknowledge, however, that the risks are higher for Huawei. Officials in these countries say they prefer to keep their auctions for 5G construction open to all firms and will tighten security measures to minimize any risks. 

Analysts say U.S. policymakers have not come up with a better option for low-income countries, especially as 5G networks are dominated by just three firms: Huawei, the Finnish firm Nokia, and the Swedish firm Ericsson. Even after U.S. restrictions went into place, many low-income countries still chose Huawei, which is frequently the cheapest option, to build their 5G networks.

 “We still haven't really addressed the larger issue, which is that developing countries and other countries have connectivity demands and Chinese tech is cheap and reliable,” says CFR’s Segal.

A Huawei employee rests under his cubicle during his lunch break in Shenzhen, China. This is a common practice at many workplaces in China, photographer Kevin Frayer said.

The Chinese company Huawei is one of the giants of the tech industry. It’s the world's largest provider of telecommunications equipment, a leader in next-generation 5G technology, and last year it passed Apple to become the second-biggest smartphone seller in the world.

But to many, especially in the West, there’s still an air of mystery around it.

And in the United States, suspicion.

A thermal engineer performs a heat test in the research-and-development area of a Huawei facility in Shenzhen.

Huawei employees leave work at the end of a week in late April.

For years, Washington has been concerned that the Chinese government could use Huawei equipment to spy on other nations. The US government says Huawei could pose a threat to national security because it’s unable to say no to the Chinese government.

Huawei has pushed back against those allegations, saying it would refuse any Chinese government requests to gain access to the technology it sells to telecom operators. But last week, the Trump administration blacklisted the company, placing it on a list of foreign firms barred from receiving components from US exporters without a license.

Huawei employees work on a production line in Dongguan, China.

A Huawei engineer displays parts in a research-and-development area.

A display for facial recognition and artificial intelligence is seen on monitors at Huawei's Bantian campus in Shenzhen.

In an effort to dispel some of the mystery surrounding it, Huawei has recently opened up its facilities to international media.

Kevin Frayer, a Getty Images photographer based in Beijing, traveled to southern China in April to visit three of Huawei’s campuses.

“My goal was to take people a step beyond the breaking news and Huawei headlines, to deliver them a sense of what the company looks like and to see who works there,” he said.

A worker in Huawei's cybersecurity lab works on his computer in Dongguan.

A Huawei engineer opens the door of a server unit during a tour of the cybersecurity lab in Dongguan.

Huawei has 180,000 employees worldwide. More than a third of them work at the campuses Frayer visited in Dongguan and nearby Shenzhen, which is considered China’s Silicon Valley.

The employees he encountered work in a variety of roles: production, research and development, and finance, just to name a few.

“Jobs at Huawei are coveted,” Frayer said. “It’s among the highest-paying companies in China for highly skilled workers, and many of its employees have been educated overseas and at the country’s top schools. Some of the brightest minds are hired away from other companies, and Huawei has also been luring foreign experts to join.”

Huawei employees play pool after work, at a recreation area in staff housing.

Huawei employees use treadmills in a company gym after work.

Frayer marveled at the size of the campuses he visited, especially Huawei’s headquarters in Shenzhen and the European-style research-and-development campus in Dongguan.

“When you first arrive, it is a bit overwhelming how spread out everything is,” he said. “There are restaurants and cafes, sports facilities and its own transportation system. They have villas and fancy dining rooms for high-level clients and low-cost housing for employees.

“At the new European-style campus, the buildings are designed to reflect the company founder’s training as an architect. And every day after lunch, the lights are dimmed in most offices so workers can nap, which is common at companies in China.”

An aerial view of Huawei’s European-style research-and-development campus in Dongguan.

Huawei workers look at their smartphones as they line up for lunch at the Dongguan campus.

An employee sleeps at her cubicle during her lunch break.

Frayer said the campuses feel like university campuses: quiet and relaxed, unlike much of the country.

“The only reminders that you’re in China were the crowds at lunch hour and the end of the work day,” he said.

Frayer was able to talk to some employees, and many of them expressed concern about what they see as misconceptions about the company.

“They were very aware of the political challenges and the American view, and they went to lengths to explain that Huawei is a tech company trying to innovate like any other tech company — as one engineer put it, to make things that make life easier.”

Huawei employees leave at the end of a workday in Dongguan.

A Huawei worker moves boxes on a train used by employees, clients and visitors at the campus in Dongguan.

Some of the research-and-development areas were off-limits in the interest of protecting intellectual property, and Frayer was asked at times not to photograph some clients. But overall, he said, Huawei was very open in what they allowed.

He called the company a “juggernaut” and a source of national pride in China.

“It’s hard to really know what it’s like to work there, but people generally looked happy and interested in what they are doing,” Frayer said. “You could feel that it’s big and important and it’s growing.”

An employee looks at her smartphone as a woman serves tea at a cafe on the company’s Bantian campus in Shenzhen.

A member of Huawei's reception staff arranges chairs in a private dining room that’s used for high-profile customers.

CNN’s Sherisse Pham and Julia Horowitz contributed to this report.

Kevin Frayer is a Getty Images photographer based in Beijing. Follow him on Facebook, Instagram and Twitter.

Photo editor: Brett Roegiers

© Andy Wong/AP In this Jan. 29, 2019, file photo, logos of Huawei are displayed at its retail shop window with the reflection of the Ministry of Foreign Affairs office in Beijing. A committee of lawmakers on Thursday Oct. 8, 2020, is urging the British government to consider banning Chinese technology giant Huawei from the country's next-generation mobile phone networks two years earlier than planned. - Andy Wong/AP

A national security report on the Chinese company Huawei has been delayed for months as ministers drag their feet over signing it off.

The report - a crucial part of efforts to ensure that the state-backed tech business is not giving spies a backdoor into British telecom infrastructure - had been released every summer for the past seven years, but did not come out in 2022.

China hawks in the Conservative Party are concerned that Whitehall is neglecting the issue following two changes of prime minister this year.

Iain Duncan Smith, the senior backbench MP, said: “Government must publish the Huawei report without further delay.

“Ministers must not drag their heels any longer while this Chinese company remains part of our country’s phone networks.”

The annual report is written by the GCHQ-supported Huawei Cyber Security Evaluation Centre (HCSEC), an organisation set up in 2010 to sift through Huawei’s software and protect sensitive British communications.

Huawei equipment is used in the “core” of some British mobile phone networks, their all-important heart and lungs that handle calls, text messages and internet browsing traffic.

It is feared that illicit access could allow a spy to eavesdrop on sensitive calls or messages, or even trace the live locations of targeted people.

In previous years HCSEC reports have savaged Huawei for poor quality software coding work, with officials warning that sloppy output by developers could pose a national security risk.

The report for 2020 found that Huawei had made “no overall improvement” on previous UK demands to Strengthen its software engineering and cyber security standards.

Two sources familiar with the HCSEC report said they did not understand why it had not yet been published.

They told The Telegraph that the report has been written but is awaiting final sign-off from senior civil servants and ministers.

A government spokesman insisted the HCSEC report will be published in the near future and said: "We have had thorough oversight of Huawei’s presence in the UK for more than a decade and this will continue but we are reviewing the best mechanism to report on HCSEC's work."

HCSEC is jointly staffed by personnel from Huawei and from GCHQ offshoot the National Cyber Security Centre, and was founded to reduce “any perceived risks to UK national security arising from the involvement of Huawei in parts of the UK’s critical national infrastructure”.

Michelle Donelan, the culture secretary, has extended a deadline for Huawei equipment to be ripped out of Britain’s mobile phone networks until 2027.

British telecoms companies had warned ministers that dismantling Huawei-made mobile phone masts and other network equipment could lead to coverage blackouts.

Alternative Western suppliers such as Nokia and Ericsson face heavy demand as other nations follow suit in swapping Huawei-made 5G mobile equipment for Western gear.

Huawei did not respond to a request for comment.

Auditors KPMG have warned there is a "material uncertainty" about the ability of Huawei's UK operations to stay in business for another 12 months.

The warning came as recently-filed accounts showed that British national security orders have severely hit the company’s UK operations, causing its sales, profits and even staff headcount to halve between 2020 and 2021.

Directors said the business remains a going concern.

Trade sanctions imposed by the US combined with a UK national security order caused business to dwindle at Huawei UK, with the number of employees dropping to 486 from 787.

Sign up to the Front Page newsletter for free: Your essential guide to the day's agenda from The Telegraph - direct to your inbox seven days a week.

China says it is “deeply concerned” over reports that the United States is moving to further restrict sales of American technology to Huawei, a tech company that U.S. officials have long singled out as a threat to national security for its alleged support of Beijing’s espionage efforts.

As first reported by the Financial Times, the U.S. Department of Commerce has informed American firms that it will no longer issue licenses for technology exports to Huawei, thereby isolating the Shenzen-based company from supplies it needs to make its products.

The White House and Commerce Department have not responded to VOA’s request for confirmation of the reports. But observers say the move may be the latest tactic in the Biden administration’s geoeconomics strategy as it comes under increasing Republican pressure to outcompete China.

The crackdown on Chinese companies began under the Trump administration, which in 2019 added Huawei to an export blacklist but made exceptions for some American firms, including Qualcomm and Intel, to provide non-5G technology licenses.

Since taking office in 2021, President Joe Biden has taken an even more aggressive stance than his predecessor, Donald Trump. Now the Biden administration appears to be heading toward a total ban on all tech exports to Huawei, said Sam Howell, who researches quantum information science at the Center for a New American Security’s Technology and National Security program.

“These new restrictions from what we understand so far would include items below the 5G level,” she told VOA. “So 4G items, Wi-Fi 6 and [Wi-Fi] 7, artificial intelligence, high performance computing and cloud capabilities as well.”

Should the Commerce Department follow through with the ban, there will likely be pushback from U.S. companies whose revenues will be directly affected, Howell said. Currently Intel and Qualcomm still sell chips used in laptops and phones manufactured by Huawei.

Undercutting the revenue of these technology companies, which reduces R&D budgets and can lead to layoffs, must be carefully balanced by clear national security gains, said Paul Triolo, senior vice president for China and technology policy lead at the business advisory firm Albright Stonebridge Group.

“In the current climate of U.S.-China relations, that balancing act is being abandoned in favor of viewing technology transactions between the U.S. and China as largely zero sum,” he told VOA.

Huawei and Beijing have denied that they are a threat to other countries’ national security. Foreign ministry spokesperson Mao Ning accused Washington of “overstretching the concept of national security and abusing state power” to suppress Chinese competitors.

“Such practices are contrary to the principles of market economy” and are “blatant technological hegemony,” Mao said.

China has in the past held back on trade retaliations on U.S. actions targeting Huawei, Triolo noted.

“Any actions China would take now targeting the foreign business community would not align with moves towards opening up after zero-COVID policies were dropped, and portraying China as now more open for business,” he said.

Outcompeting Chinese tech

The latest U.S. move on Huawei is part of a U.S. effort to outcompete China in the cutting-edge technology sector.

In October, Biden imposed sweeping restrictions on providing advanced semiconductors and chipmaking equipment to Chinese companies, seeking to maintain dominance particularly on the most advanced chips. His administration is rallying allies behind the effort, including the Netherlands, Japan, South Korea and Taiwan – home to leading companies that play key roles in the industry’s supply chain.

U.S. officials say export restrictions on chips are necessary because China can use semiconductors to advance their military systems, including weapons of mass destruction, and commit human rights abuses.

The October restrictions follow the CHIPS and Science Act of 2022, which Biden signed into law in August and that restricts companies receiving U.S. subsidies from investing in and expanding cutting-edge chipmaking facilities in China. It also provides $52 billion to strengthen the domestic semiconductor industry.

Beijing has invested heavily in its own semiconductor sector, with plans to invest $1.4 trillion in advanced technologies in a bid to achieve 70% self-sufficiency in semiconductors by 2025.

TikTok a target

TikTok, a social media application owned by the Chinese company ByteDance that has built a massive following especially among American youth, is also under U.S. lawmakers’ scrutiny due to suspicion that it could be used as a tool of Chinese foreign espionage or influence.

CEO Shou Zi Chew is scheduled to appear before the House Energy and Commerce Committee on March 23 to testify about TikTok’s “consumer privacy and data security practices, the platforms’ impact on kids, and their relationship with the Chinese Communist Party.”

Lawmakers are divided on whether to ban or allow the popular app, which has been downloaded onto about 100 million U.S. smartphones, or force its sale to an American buyer.

Earlier in January, Congress set up the House Select Committee on China, tasked with dealing with legislation to combat the dangers of a rising China.

U.S. Secretary of State Antony Blinken is meeting his Chinese counterparts next week in Beijing, the first visit by an American Secretary of State since 2018, to maintain open lines of communication amid rising U.S.-China tensions.

In this article:

This winter season, protect more than just yourself from nasty infections. Your computer is just as susceptible as you are to pesky viruses, which is why it's essential to invest in solid antivirus software. These programs can help protect not only your devices but your information as well, which hackers, scammers and other internet bandits would love to get their hands on. Fortunately, there are tons of great antivirus software programs available in 2023, so you've got plenty of options to keep your computer safe. We've put some of the most popular programs out there to the test to bring you the best antivirus software options. 

Windows devices make up three out of every four laptop or desktop operating systems, according to the latest data from Statcounter. Windows-targeted malware has a larger base of devices to infect, giving it more potential in the eyes of cybercriminals, so all our antivirus picks work on Windows. 

Note: The pricing structure for antivirus services can be complicated, since providers often offer low introductory prices to entice you to sign up for their services. After the first billing period -- typically a year or two, depending on the plan you purchase -- the amount you pay for the service may increase substantially. The regular rate for the services may be double the introductory rate or sometimes more. Be sure to check the terms of the subscription plan before you buy so you won't get an unwelcome surprise when your subscription renews. 

We're here to help you find the antivirus software that best fits your needs. These picks of the best antivirus programs are a combination of recommendations from independent third-party labs AV-Test, AV-Comparatives and SE Labs, as well as CNET's own anecdotal hands-on testing. 

Note that antivirus software is only one piece of the cybersecurity puzzle. Cybercriminals are becoming more sophisticated, and the more steps you take to lock down your online security, the safer you'll be. A secure virtual private network can help protect your internet privacy, and a password manager will help you create and keep track of more secure login credentials. These tools are all essential in protecting your personal information. 

Test after test, Avast Antivirus for Windows performs well for malware detection with options ranging from Avast free antivirus software to Avast Premium Security. And we've included its antivirus in our list of recommended security app options before. But Avast was in the news for several months for its non-antivirus business, so we looked at the company, specifically reports at the end of 2019 that Avast allegedly collected user data with its browser plug-ins and antivirus software and then sold data it collected through its Jumpshot subsidiary in early 2020.

In response to the reports that his company gathered and sold the details of its customers' online activities, Avast CEO Ondrej Vlcek said in a statement that he understood that his company's actions raised questions of trust in his company. To address that, Avast terminated Jumpshot data collection in January 2020 and closed its operations because the data collection business wasn't in line with Avast's privacy priorities.

Those reports followed another in 2019 from Avast that its internal network was breached, possibly to insert malware into its CCleaner software, similar to an earlier CCleaner hack that occurred prior to Avast's acquiring the Windows utility.

Avast started saying the right things about taking its customers' privacy seriously, but it only came to that point after reacting to investigative reporting that revealed the Jumpshot practices. (The CCleaner revelations, while concerning, were self-disclosed, which is important to building user trust.) We hope Avast's more privacy-friendly policies mean that there will be no further Jumpshot-style activities and that it returns to glory as one of the best antivirus software options. In the meantime, we'd recommend using one of the many other solid choices in this realm (listed above).

Because the company has been in the news the past few years, let's talk about Kaspersky Lab -- specifically about the federal ban that blocks US government agencies from using Kaspersky Antivirus products.

Based in Moscow, Kaspersky Lab has for years produced some of the best antivirus software for business antivirus needs and home customers. But in 2017 the US government prohibited Kaspersky security cloud software on federal government computers because of alleged ties between Kaspersky and the Russian government.

Notably, the ban does not apply to its consumer products such as Kaspersky Total Security and Kaspersky Anti-Virus. But as with China-based Huawei, the question remains: If the federal government doesn't think the products are safe enough for its own devices, should consumers avoid them as well?

In a statement sent to CNET, the company said, "Kaspersky Lab has no ties to any government, and the company has never, nor will ever, engage in cyber offensive activities. Kaspersky Lab maintains that no public evidence of any wrongdoing has been presented by the US government, and that the US government's actions against Kaspersky Lab were unconstitutional."

In Kaspersky's favor, it continues to earn top scores and awards for virus and malware detection and endpoint protection from independent testing labs. And it's reasonably priced.

In the end, even though no one has ever publicly produced a "smoking gun" linking the company to Russian intrigue, we think any of the options listed above is a safer bet. And if you are a US government employee or work with the federal government, you'll want to steer clear of Kaspersky internet security products -- and perhaps use one of the antivirus software products mentioned here instead.

Protection for other platforms: Microsoft is by far the biggest target for viruses and malware. But Android is second, with just under 1% of apps installed on Android devices with Google Play Protect in the potentially harmful app, or PHA, category.

The threat to MacOS and especially iOS is low, in part because of the tight control Apple has over its app stores. While the Mac does come under attack via side-loaded apps, it's rare, and if you get apps only from the Mac and iOS app stores and keep your guard up when clicking links and get files, you should be OK without an antivirus app on Apple devices.

More computer security advice