Huawei Accused of Using ‘Backdoor’ to Spy on Pakistan

Chinese network manufacturer Huawei is being sued in California by a software company that says their intellectual property was infringed and used to create backdoor access to systems belonging to Pakistan’s law enforcement agencies, reports Reuters. Business Efficiency Solutions (BES) were the erstwhile partners of Huawei in a USD150mn project to modernize policing in Lahore. Huawei were lead contractors and BES the only subcontractors for the delivery of several systems that would facilitate the exchange of data between government agencies, automate the monitoring of social media, improve controls over entry to public buildings and manage drones used for aerial surveillance. The court filings from BES state:

Huawei also began to use one of BES’s software systems to establish a “backdoor” from China into Pakistan that allowed Huawei to collect and view data important to Pakistan’s national security and other private, personal data on Pakistani citizens.

Huawei was allegedly able to compromise Pakistan security by remotely accessing the Data Exchange System (DES) developed to facilitate the sharing of information between Pakistani agencies.

As discussed above, the DES acts as a data aggregator, in which sensitive data from different sources and government agencies can be collected as part of the Lahore Safe City project and analyzed in one place to facilitate law enforcement investigations. The data stored in the DES in connection with the Lahore Project includes data from Pakistan’s Criminal Record Management System, FIR & Police Station Record Management System, Criminal Record Management System, Stolen & Recovered Vehicle Management System, Foreigner Registration System, Crime Diary & Reporting System, NADRA Database, FBR Database, Customs (Import/Export) Database, Excise and Taxation Departments, Vehicle Fitness Certification Data, Stolen Vehicles Data, Stolen Property Data, and Punjab Forensics. This information comprises sensitive Pakistani national intelligence data.

At all relevant times, the agreement and understanding between the parties was that the location of the DES would be in the PPIC3 Center in Lahore, for direct use by the Punjab Police at PPIC3. In March of 2017, after BES installed the DES in Lahore, BES was informed that two high-ranking Huawei-China officials had traveled unannounced to Pakistan, specifically Vice President Edward Zhang based in Shenzhen, China, and Director Corrine Lin, based in Dubai, and demanded to meet with BES. The two Huawei-China officials, accompanied by Mr. Chenfeng of Huawei-Pakistan, demanded that BES set up a duplicate DES environment in Huawei’s laboratory in China, this time not merely for testing purposes but with full access to data at the Lahore Safe City project.

The complaint goes on to detail how Huawei bullied BES into creating the duplicate access in China without ever demonstrating this was approved by the Pakistani authorities.

…Huawei threatened to withhold payments owed to BES. BES demanded that the Managing Director of the Lahore Safe City Project get approval from the Pakistan government (PPIC3) to confirm that the government had no objection to the “transfer of this technology (DES) outside of PPIC3 for security reasons.” Huawei then indicated that approval from the Pakistani government was not necessary… Later, Huawei-China and Huawei-Pakistan indicated that they had received approval from the Pakistani government. Huawei threatened to terminate the agreements between the parties and withhold all payments owed to BES unless BES installed the duplicate DES system in China. In light of Huawei’s affirmative representations that they had the approval of the Pakistani government, the duplicate DES system was installed in China. On information and belief, Huawei-China uses the proprietary DES system as a backdoor from China into Lahore to gain access, manipulate, and extract sensitive data important to Pakistan’s national security.

BES seeks redress following the breakdown of a business relationship which saw Huawei gain copies of valuable technology designs created by BES before Huawei decided they could independently contract to supply suspiciously similar systems to other Pakistani cities. Lawyers sometimes increase the pressure to settle by making scandalous claims in court filings that will attract media attention even though they are not relevant to the law suit. That might be the situation here, but even Huawei’s most ardent supporters must by tired of pretending that the Chinese firm never steals secrets. Whether Huawei’s employees are accused of working around Polish cybersecurity monitoring, deliver code that forced UK telcos to take ‘extraordinary action’ to mitigate privacy risks, helped African governments to spy on their political opponents, or they simply take an advanced robotic arm from the research and development laboratory of a US telco, Huawei evidently have problems with their corporate culture that cannot be dismissed as limited malfeasance by a few rotten apples.

Eric Priezkalns
Eric Priezkalns
Eric is the Editor of Commsrisk. Look here for more about the history of Commsrisk and the role played by Eric.

Eric is also the Chief Executive of the Risk & Assurance Group (RAG), a global association of professionals working in risk management and business assurance for communications providers.

Previously Eric was Director of Risk Management for Qatar Telecom and he has worked with Cable & Wireless, T‑Mobile, Sky, Worldcom and other telcos. He was lead author of Revenue Assurance: Expert Opinions for Communications Providers, published by CRC Press. He is a qualified chartered accountant, with degrees in information systems, and in mathematics and philosophy.