While many of us were enjoying some time off for Thanksgiving, the US government took drastic action against Huawei and four other Chinese companies. The hardest hit are Huawei and ZTE, as the ban prevents any new products from being approved for the US market. The other three companies are Dahua and Hikvision, which make video surveillance equipment, and Hytera, which makes radio systems. FCC Commissioner Brendan Carr noted the seriousness of the decision.

[As] a result of their order, no new Huawei or ZTE equipment can be approved. And no new Dahua, Hikvision, or Hytera gear can be approved unless they assure the FCC that their gear won’t be used for public safety, security of government facilities, & other national security purposes.

There is even the potential that previously approved equipment could have its authorization pulled. The raw FCC documents are available, if you really wish to wade through them. What’s notable is that two diametrically opposed US administrations have both pushed for this ban. It would surely be interesting to get a look at the classified reports detailing what was actually found. Maybe in another decade or two, they can make a Freedom of Information Act request and finally get the full story.

Fuzzing for Recollapse

[0xacb] has a fun new technique to share, that he calls REcollapse. It’s all about regular expressions that get used in user input validation and sanitation. Regex is hard to really get right, and is full of quirks in how different languages and libraries implement it. A simple example is an email address that contains “punycode” — non-ASCII Unicode characters. It’s perfectly legitimate for an address to contain Unicode, but many normalization schemes collapse unicode strings down into the nearest approximation of ASCII. Take exámple.com and example.com. If some part of a web service sees these as the same thing, and another backend service keeps sees them as unique, that mismatch could allow account takeover. Enter your email here to receive a password reset link.

The novel thing here is a structured approach to fuzzing for these problems. [0xacb] suggests identifying “regex pivot positions”, places in a string where there could be unexpected or inconsistent regex matching. A very different example of this is the end-of-string symbol, $. A developer might use this to specify that a given pattern should only be matched when it’s at the very end of a string. But what happens when there’s a newline embedded in the string? It depends on the language. Yikes!

REcollapse is now available as an Open Source tool, and works great to feed fuzzing inputs into an automated tool. Run it against a target, and watch for different responses. Find something good enough, and profit!

Phishing With Smart Watches

The team at Cybervelia have cooked up yet another way to spear-phish a target. Many of us have smart watches, and one of the most useful functions of those wrist-mounted marvels is to glance at a SMS or other message without fishing out a phone. Could an attacker, with a Bluetooth Low Energy antenna, spoof a text message to a nearby smart watch? After some reverse engineering work, absolutely. With the right message, like “need help, 2nd floor”, the target might just start moving without checking the phone and discovering the spoof.

Real-time Malware Hunting

This one’s fun, as the researchers at Phylum found yet another malicious PyPi package campaign back on the 15th. Their tooling alerted them to the activity very early in the campaign, as packages were being uploaded and the payload was still being fine-tuned. That payload was being developed on Github, so there was only one thing to do.

The union of memes and security research is a wondrous thing. The packages were reported, removed, and it looks like this particular malware campaign was eliminated before it really got started.

This does lead to a hilarious tangent from Phylum, about some of the laughably terrible attempts at malware they’ve discovered in other campaigns. There’s a certain poetic justice to be found in malware refusing to run, because the deobfuscation routine checks for the acknowledgement string and errors out when it’s tampered with.

Lastpass Breach Continued

Lastpass has updated their security incident report, noting that there seems to have been follow-on access of data. They noticed “unusual activity within a third-party cloud storage service”, which usually means Amazon’s AWS. The story here seems to be that a token to the storage service was snagged during the August compromise, and was just now used for more mischief. This does raise some uncomfortable questions about how well Lastpass understands what data was accessed in the earlier breach. That said, cleaning up after an incident is a complicated task, and missing a single AWS token in the action is all too easy.

Another “Legitimate” Commercial Spyware Vendor

In the just-what-we-needed category, the latest report from Google’s Threat Analysis Group names Variston as previously unknown player in the commercial malware game. Like NSO Group and others, Variston seems to have access to 0-day exploits in multiple devices and platforms.

A trio of bug reports were opened in the Chrome bug system, and each contained a mature framework and exploit code for a serious bug. Each of these were known and fixed bugs, but piecing together the clues would indicate that they were being used as 0-days by a vendor, probably Variston. It’s not uncommon for the “legitimate” spyware authors like the NGO Group, the NSA, and others, to properly report bugs once they’ve finished exploiting them, or assumably once a target has discovered the exploit.

500 Years Later

There’s a concept in encryption, that pretty much any encryption scheme is theoretically breakable, given enough time and technological innovation. As an example, see the rate at which quantum computers are developing, and the predicted breakdown of some classical crypto. The philosophy that spills out of this reality is that crypto just needs to be strong enough, that the secrets being protected are entirely stale by the time technology and computing power catch up. Which finally brings us to the story, that Emperor Charles V got nearly 500 years out of his cipher. Probably strong enough.

It turns out that this cipher had some clever elements, like multiple symbols that didn’t mean anything at all, just to make it harder to figure out. The real breakthrough was finding a cipher text that had been loosely translated. It was enough to finally figure out the basic rules. So what was in the central letter that was finally deciphered? Political maneuvering, fears of assassination, and a conspiracy to spread fake news to downplay a setback. Some things never change.

Font Fingerprint

There was a Reddit post over the break that caught their attention, where a user wired money online from his bank in England to Kenya, to pay for a trip. It was a legitimate transaction, but triggered the fraud protection from his bank. In the conversation with the fraud department, one of the flags for possible fraud surprised the Redditor in question: You have TeamViewer installed on your computer.

Now wait. That’s a bit disconcerting, a website can see your list of installed programs? No, not directly. There is no web API to list applications, at least, not since ActiveX died. However, there is an API to list installed fonts. And since Teamviewer brings its own font, it’s pretty easy to detect when it’s installed. And let’s face it, a remote controlled desktop is a reasonable flag for malicious activity. So now you know, your fonts may just be fingerprinting you.

Bits and Bytes

The Google Play store has ejected a pair of mildly popular apps, that were spying on users’ SMS messages. The data collection was incidental, and the real point was to enable fake accounts on various web services, using the victim’s cell phone numbers. Need a hundred Twitter accounts? Rent access to a hundred compromised phones, to use those numbers for the activation flow.

Need to get something past a plagiarism checker? Just rot13 and change the font! It’s a silly demonstration, but it does indeed work. Make your own font to change the letter mapping, and then apply the reverse mapping to the underlying text. To the human eye, it’s the same, but to an automated tool it’s garbage. Save as PDF, and off you go. While circumventing a plagiarism filter is a bad idea, this could have other, more positive uses, like censorship circumvention.

Black Hat 2022 videos are available, only three months later. There are some fun presentations in here, like the Starlink hack, analysis of real-world malware campaigns, and lots of software getting compromised. Enjoy!

A hot potato: Huawei has been ousted from some of the world's largest smartphone markets due to US sanctions, but the company is far from dead. Significant investments in Europe have been planned for years, and Huawei has now confirmed that a major overseas expansion will begin next year.

Huawei will start building its first overseas manufacturing plant in France in 2024, an anonymous source familiar with the matter recently said. Reuters reports that the new building will be used to make mobile phone and network equipment, and is expected to open for business in 2025, according to an additional source within the French government.

Plans for the new factory were outlined in 2020, with an initial investment of €200 million ($215 million), before the COVID-19 pandemic halted everything. The project can now proceed as expected, the unnamed source said, and the new plant will be built in the city of Brumath, near Strasbourg and the official seat of the European Parliament.

No further details or precise timeline are provided, but the Chinese Communist Party's official digital newspaper, China Daily, provides some additional details about the deal. Zhang Minggang, deputy general manager of Huawei France, confirmed the new plant, stating that it will create 500 local jobs. The Brumath site will be used to produce a billion euros' worth of mobile network technology solutions, Huawei said, which will then be sold to European consumers.

Beijing's official propaganda machine remarked how Huawei has been facing "increasing pressure" from the US and "some" of its allies in Europe, because of so-called national security concerns. The new French factory is seemingly showing the company's openness and commitment to serving the European market despite Washington sanctions, China Daily states.

Huawei has been present in France since 2003, and the Brumath plant is part of a broader plan to increase investments in the European nation. In 2020, the Paris government tried to oust the company by telling telecom operators to avoid buying Huawei 5G equipment. After Economy Minister Bruno Le Maire met with the company in Beijing, the French government ultimately decided to extend 5G licenses in some cities.

According to China Daily's reporting, Huawei founder Ren Zhengfei sees Europe as a "second home" for its company. The new manufacturing plant will be "highly automatic" and intelligent, and it will also have a demo center to showcase some of its production equipment. Further investments already planned by Huawei in France include a research center in Paris to support digital transformation in the country.

Following is a guest entry by IT security analyst Jeffrey Carr on the ongoing attempts of Chinese technology firm Huawei to crack the US telecoms market.

Huawei recently published on its website an open letter to the US government regarding its attempt to acquire 3Leaf and the ruling of CFIUS (Committee on Foreign Investment in the United States) that opposed it. The letter's authors have attempted to allay fears in the Unted States that Huawei has deep ties with China's People's Liberation Army and the State Council, and that its hardware may be utilized by the Chinese government to conduct offensive cyber operations such as sabotage or espionage.

Huawei's letter isn't remarkable for what it says, but for what it doesn't say. According to Huawei's annual financial report (2009), it's 'the largest network equipment provider for China Unicom's WCDMA networks and China Telecom's CDMA2000 EV-DO networks; and it provides over 30 percent TD-SCDMA network equipment used by China Mobile.'

An early look at Huawei's 2010 annual report (by China Technology News) confirms Huawei's continuing support of China's three carriers. Since the supervision and monitoring of 'all wireless frequencies, satellite orbits, telecommunications network numbering, Internet protocol addresses and Internet domains used to realize telecommunications functions' is mandated by Chinese law, and since Huawei provides the majority of the hardware for China Telecom and its sister companies, isn't it reasonable for Western governments to be suspicious that the same Huawei technology that supports the Chinese government's monitoring requirements may also be used in like manner outside of China?

If Huawei wants to convince Western governments that its hardware doesn't contain backdoors or other hidden malicious code, my suggestion as someone who regularly speaks and writes on this Topic for US and foreign governments is to provide details on how your equipment is being used as part of Beijing's information acquisition and processing program within China. That level of full disclosure would probably go a long way in establishing trust in a world where there currently is none.

This is an edited version of an entry that also appears on Carr's blog. Carr is also the author of 'Inside Cyber Warfare: Mapping the Cyber Underworld' (O'Reilly Media, 2009).

A Huawei employee rests under his cubicle during his lunch break in Shenzhen, China. This is a common practice at many workplaces in China, photographer Kevin Frayer said.

The Chinese company Huawei is one of the giants of the tech industry. It’s the world's largest provider of telecommunications equipment, a leader in next-generation 5G technology, and last year it passed Apple to become the second-biggest smartphone seller in the world.

But to many, especially in the West, there’s still an air of mystery around it.

And in the United States, suspicion.

A thermal engineer performs a heat test in the research-and-development area of a Huawei facility in Shenzhen.

Huawei employees leave work at the end of a week in late April.

For years, Washington has been concerned that the Chinese government could use Huawei equipment to spy on other nations. The US government says Huawei could pose a threat to national security because it’s unable to say no to the Chinese government.

Huawei has pushed back against those allegations, saying it would refuse any Chinese government requests to gain access to the technology it sells to telecom operators. But last week, the Trump administration blacklisted the company, placing it on a list of foreign firms barred from receiving components from US exporters without a license.

Huawei employees work on a production line in Dongguan, China.

A Huawei engineer displays parts in a research-and-development area.

A display for facial recognition and artificial intelligence is seen on monitors at Huawei's Bantian campus in Shenzhen.

In an effort to dispel some of the mystery surrounding it, Huawei has recently opened up its facilities to international media.

Kevin Frayer, a Getty Images photographer based in Beijing, traveled to southern China in April to visit three of Huawei’s campuses.

“My goal was to take people a step beyond the breaking news and Huawei headlines, to deliver them a sense of what the company looks like and to see who works there,” he said.

A worker in Huawei's cybersecurity lab works on his computer in Dongguan.

A Huawei engineer opens the door of a server unit during a tour of the cybersecurity lab in Dongguan.

Huawei has 180,000 employees worldwide. More than a third of them work at the campuses Frayer visited in Dongguan and nearby Shenzhen, which is considered China’s Silicon Valley.

The employees he encountered work in a variety of roles: production, research and development, and finance, just to name a few.

“Jobs at Huawei are coveted,” Frayer said. “It’s among the highest-paying companies in China for highly skilled workers, and many of its employees have been educated overseas and at the country’s top schools. Some of the brightest minds are hired away from other companies, and Huawei has also been luring foreign experts to join.”

Huawei employees play pool after work, at a recreation area in staff housing.

Huawei employees use treadmills in a company gym after work.

Frayer marveled at the size of the campuses he visited, especially Huawei’s headquarters in Shenzhen and the European-style research-and-development campus in Dongguan.

“When you first arrive, it is a bit overwhelming how spread out everything is,” he said. “There are restaurants and cafes, sports facilities and its own transportation system. They have villas and fancy dining rooms for high-level clients and low-cost housing for employees.

“At the new European-style campus, the buildings are designed to reflect the company founder’s training as an architect. And every day after lunch, the lights are dimmed in most offices so workers can nap, which is common at companies in China.”

An aerial view of Huawei’s European-style research-and-development campus in Dongguan.

Huawei workers look at their smartphones as they line up for lunch at the Dongguan campus.

An employee sleeps at her cubicle during her lunch break.

Frayer said the campuses feel like university campuses: quiet and relaxed, unlike much of the country.

“The only reminders that you’re in China were the crowds at lunch hour and the end of the work day,” he said.

Frayer was able to talk to some employees, and many of them expressed concern about what they see as misconceptions about the company.

“They were very aware of the political challenges and the American view, and they went to lengths to explain that Huawei is a tech company trying to innovate like any other tech company — as one engineer put it, to make things that make life easier.”

Huawei employees leave at the end of a workday in Dongguan.

A Huawei worker moves boxes on a train used by employees, clients and visitors at the campus in Dongguan.

Some of the research-and-development areas were off-limits in the interest of protecting intellectual property, and Frayer was asked at times not to photograph some clients. But overall, he said, Huawei was very open in what they allowed.

He called the company a “juggernaut” and a source of national pride in China.

“It’s hard to really know what it’s like to work there, but people generally looked happy and interested in what they are doing,” Frayer said. “You could feel that it’s big and important and it’s growing.”

An employee looks at her smartphone as a woman serves tea at a cafe on the company’s Bantian campus in Shenzhen.

A member of Huawei's reception staff arranges chairs in a private dining room that’s used for high-profile customers.

CNN’s Sherisse Pham and Julia Horowitz contributed to this report.

Kevin Frayer is a Getty Images photographer based in Beijing. Follow him on Facebook, Instagram and Twitter.

Photo editor: Brett Roegiers

SHANGHAI/HONG KONG :China's Huawei Technologies has asked Mercedes Benz and Volkswagen's Audi if they are interested in buying small stakes in its smart car software and components firm, according to three people with knowledge of the discussions.

The move is aimed at expanding its partnerships beyond Chinese brands, they said. Huawei, the target of U.S. sanctions since 2019, also hopes the presence of foreign investors would help defend the business from potential further geopolitical tensions, according to one of the sources who was briefed on the matter.

The Chinese technology giant said last month it will spin off its four-year Intelligent Automotive Solution (IAS) business unit which is seeking to become the dominant supplier of software and components for smart electric vehicles (EVs).

Sources have previously said the unit will be valued at somewhere between $28 billion and $35 billion.

Huawei held preliminary talks with Mercedes in recent weeks, according to two sources. One source said the German auto brand was offered a 3 per cent to 5 per cent stake with the valuation to be negotiated.

But Mercedes was not that interested as it wants to remain in charge of its software to sustain its premium brand positioning rather than outsource it to a supplier, the source added.

Audi's level of interest in Huawei's offer could not be immediately determined.

However, two of the sources said Audi and Huawei are planning a partnership to develop autonomous driving technologies for Audi. Those technologies would be used in vehicles for the Chinese market from 2025 and which would be built by the German automaker's venture with FAW Group.

The sources declined to be identified as the discussions were confidential.

Mercedes declined to comment on what it called speculation. Audi declined to comment. Huawei did not respond to a request for comment. The move by Huawei comes as global automakers in China increasingly seek to partner with Chinese companies, which have pulled ahead in developing high-end features for tech-savvy Chinese consumers. Volkswagen has been working with EV automaker Xpeng and autonomous driving chip designer Horizon Robotics to develop China-specific intelligent and connected electric cars.

Audi has also partnered with SAIC Motor to develop EVs in a segment for the Chinese market it did not previously have a presence in.

Richard Yu, who oversees Huawei's smart car business, told a forum in April that it had been difficult for European, U.S. and Japanese companies to choose Huawei as their main supplier of intelligent solutions due to U.S. sanctions. "Therefore it's a huge challenge because they have invested tremendously," Yu said at the time.

While many of China's most high-profile EV manufacturers like Nio and BYD rely on their own software, Huawei has formed partnerships with smaller electric car makers like Seres Group and some big older automakers like Chongqing Changan Automobile.

Changan Auto has said it will be an investor in Huawei's smart car business once it is spun off, owning as much as 40 per cent along with relevant parties.

Yu said in November that Huawei had invited Seres, Chery Automobile, Jianghuai Automobile Group and BAIC Motor to invest in the smart car firm and hoped FAW Group could join as well.

Dongfeng Motor is another potential investor in the firm, sources have said.

($1 = 7.1865 Chinese yuan)