Are Huawei phones really a security risk?

Huawei has absorbed some severe blows in 2018. It all started with the introduction of the “Defending U.S. Government Communications Act” bill to the floor of Congress in February. During a session, co-sponsor Tom Cotton asked the heads of six of the major intelligence agencies if they would recommend that American citizens use Huawei products, and all of them declined.

The bill asserts that Huawei has a relationship with the Chinese government and that their products may serve as a conduit for espionage, and that the U.S. government should not purchase or lease equipment or services from the company.

Earlier in the year, AT&T had backed out of a deal to sell Huawei’s flagship Mate 10 phone. Reuters also reported that anonymous Congressional aides had indicated lawmakers also plan to pressure AT&T to end their 5G partnership with Huawei.

After AT&T ended their deal with Huawei, Verizon also dropped plans to carry their phones. And another major blow came when Best Buy opted to drop all Huawei products from their inventory in March.

What is going on with Huawei?

Given this sudden freeze-out from the U.S. market, one would expect that Huawei had been caught doing something awful with their products. However, if they did, intelligence agencies aren’t giving the public a shred of information about it.

At this point, there is no evidence at all available to the public that Huawei has spyware in any of its hardware or software. Unless the intelligence community is sitting on some bombshell evidence that it is keeping in reserve, the concerns about Huawei’s products seem to be based entirely on circumstantial evidence and speculation.

Huawei has had at least one prior incident with spyware embedded on phones, but the circumstances of that case don’t point to Chinese government espionage. In 2016, thousands of their BLU R1 HD phones sold through Amazon were found to contain spyware that was covertly sending contact lists and text messages to a server in China. It is unclear if this had anything to do with Chinese intelligence, or was merely a rogue private company harvesting information for marketing purposes. The phones had been unlocked and had custom firmware installed by a company called Shanghai Adups Technology. The company claimed that it never intended the phones containing this spyware for sale in America.

Huawei is the world’s third-largest phone manufacturer (behind only Apple and Samsung). If they had other models covertly transmitting information to some remote server, it is highly likely a security professional (or some ambitious amateur) would discover it. Huawei may have been pushed out of the United States market, but they still do business in about 170 other countries, and the discovery of manufacturer-installed spyware on their phones would mean the end of all of that business.

A February statement to the Senate by FBI director Christopher Wray made it seem that the U.S. intelligence community is more concerned about the potential for infiltration of communications networks by a company with a close relationship to a significant U.S. geopolitical rival than any specific current threat. The late-2017 revelation that security software from Russia-based Kaspersky Labs may have “phoned home” to Russian intelligence when an NSA staffer moved work files to their home computer may have spurred this sentiment.

All of that may represent a potential future threat to governments and businesses that incorporate Huawei products into their IT infrastructure, but what about the common end user who just happens to like Huawei’s phones?

Are Huawei phones spying on you?

Given the scrutiny such an enormous company faces and the potential risks to their business, it’s doubtful that Huawei would attempt mass surveillance of their customers. That doesn’t mean there is no risk whatsoever to using their products, as they do have strong ties to the Chinese government and have benefited from intellectual property theft in the past.

However, it makes little sense for them to attempt to install spyware that transmits information back to remote servers on any regular basis, as it would almost inevitably be detected. A “sleeper” hardware backdoor that can be used to decrypt the phone is somewhat more plausible (and much harder to detect), but would not be a threat to the average person except in some extreme scenario. Intelligence agencies like the FBI have in the past expressed the desire for developers to build backdoors of this nature into American phones, so it is possible that their objections are centered more on the inability to ever get such a thing into Huawei phones than any actual threat that currently exists.

Until some specific hardware or software exploit is uncovered, it appears to be safe for the average consumer to use Huawei phones.