Rapid Huawei rip-out could cause outages and security risks, warns UK telco

The chief executive of UK incumbent telco BT has warned any government move to require a rapid rip-out of Huawei kit from existing mobile infrastructure could cause network outages for mobile users and generate its own set of security risks.

Huawei has been the focus of concern for Western governments including the US and its allies because of the scale of its role in supplying international networks and next-gen 5G, and its close ties to the Chinese government — leading to fears that relying on its equipment could expose nations to cybersecurity threats and weaken national security.

The UK government is widely expected to announce a policy shift tomorrow, following reports earlier this year that it would reverse course on so-called “high risk” vendors and mandate a phase-out of such kit in 5G networks by 2023.

Speaking to BBC Radio 4’s Today program this morning, BT CEO Philip Jansen said he was not aware of the detail of any new government policy but warned too rapid a removal of Huawei equipment would carry its own risks.

“Security and safety in the short term could be put at risk. This is really critical — because if you’re not able to buy or transact with Huawei that would mean you wouldn’t be able to get software upgrades if you take it to that specificity,” he said.

“Over the next five years we’d expect 15-20 big software upgrades. If you don’t have those you’re running gaps in critical software that could have security implications far bigger than anything we’re talking about in terms of managing to a 35% cap in the access network of a mobile operator.”

“If we get a situation where things need to go very, very fast then you’re in a situation where potentially service for 24M BT Group mobile customers is put into question,” he added, warning that “outages would be possible”.

Back in January the government issued a much delayed policy announcement setting out an approach to what it dubbed “high risk” 5G vendors — detailing a package of restrictions it said were intended to mitigate any risk, including capping their involvement at 35% of the access network. Such vendors would also be entirely barred from the sensitive “core” of 5G networks. However, the UK has faced continued international and domestic opposition to the compromise policy, including from within the governing party.

Wider geopolitical developments — such as additional US sanctions on Huawei and China’s approach to Hong Kong, a former British colony — appear to have worked to shift the political weather in Number 10 Downing Street against allowing even a limited role for Huawei.

Asked about the feasibility of BT removing all Huawei kit, not just equipment used for 5G, Jansen suggested the company would need at least a decade to do so.

“It’s all about timing and balance,” he told the BBC. “If you wanted to have no Huawei in the whole telecoms infrastructure across the whole of the UK I think that’s impossible to do in under ten years.”

If the government policy is limited to only removing such kit from 5G networks Jansen said “ideally” BT would want seven years to carry out the work — though he conceded it “could probably do it in five”.

“The current policy announced in January was to cap the use of Huawei or any high risk vendor to 35% in the access network. We’re working towards that 35% cap by 2023 — which I think we can make although it has implications in terms of roll out costs,” he went on. “If the government makes a policy decision which effectively heralds a change from that announced in January then we just need to understand the potential implications and consequences of that.

“Again we always — at BT and in discussions with GCHQ — we always take the approach that security is absolutely paramount. It’s the number one priority. But we need to make sure that any change of direction doesn’t lead to more risk in the short term. That’s where the detail really matters.”

Jansen fired a further warning shot at Johnson’s government, which has made a major push to accelerate the rollout of fiber broadband across the country as part of a pledge to “upgrade” the UK, saying too tight a timeline to remove Huawei kit would jeopardize this “build out for the future”. Instead, he urged that “common sense” prevail.

“There is huge opportunity for the economy, for the country and for all of us from 5G and from full fiber to the home and if you accelerate the rip out obviously you’re not building either so we’ve got to understand all those implications and try and steer a course and find the right balance to managing this complicated issue.

“It’s really important that we very carefully weigh up all the different considerations and find the right way through this — depending on what the policy is and what’s driving the policy. BT will obviously and is talking directly with all parts of government, [the National] Cyber Security Center, GCHQ, to make sure that everybody understands all the information and a sensible decision is made. I’m confident that in the end common sense will prevail and we will head down the right direction.”

Asked whether it agrees there are security risks attached to an accelerated removal of Huawei kit, the UK’s National Cyber Security Centre declined to comment. But a spokesperson for the NCSC pointed us to an earlier statement in which it said: “The security and resilience of our networks is of paramount importance. Following the US announcement of additional sanctions against Huawei, the NCSC is looking carefully at any impact they could have to the U.K.’s networks.”

We’ve also reached out to DCMS for comment.

CBP says it’s “unrealistic” for Americans to avoid its license plate surveillance

U.S. Customs and Border Protection has admitted that there is no practical way for Americans to avoid having their movements tracked by its license plate readers, according to its latest privacy assessment.

CBP published its new assessment — three years after its first — to notify the public that it plans to tap into a commercial database, which aggregates license plate data from both private and public sources, as part of its border enforcement efforts.

The U.S. has a massive network of license plate readers, typically found on the roadside, to collect and record the license plates of vehicles passing by. License plate readers can capture thousands of license plates each minute. License plates are recorded and stored in massive databases, giving police and law enforcement agencies the ability to track millions of vehicles across the country.

The agency updated its privacy assessment in part because Americans “may not be aware” that the agency can collect their license plate data.

“CBP cannot provide timely notice of license plate reads obtained from various sources outside of its control,” the privacy assessment said. “Many areas of both public and private property have signage that alerts individuals that the area is under surveillance; however, this signage does not consistently include a description of how and with whom such data may be shared.”

But buried in the document, the agency admitted: “The only way to opt out of such surveillance is to avoid the impacted area, which may pose significant hardships and be generally unrealistic.”

CBP struck a similar tone in 2017 during a trial that scanned the faces of American travelers as they departed the U.S., a move that drew ire from civil liberties advocates at the time. CBP told American travelers who wanted to opt out of the face scanning to “refrain from traveling.”

The document added that the privacy risk to Americans is “enhanced” because the agency “may access [license plate data] captured anywhere in the United States,” including outside of the 100-mile border zone that the CBP typically operates within.

CBP said that it will reduce the risk by only accessing license plate data when there is “circumstantial or supporting evidence” to further an investigation, and will only let CBP agents access data within a five-year period from the date of the search.

A spokesperson for CBP did not respond to a request for comment on the latest assessment.

CBP doesn’t have the best track record with license plate data. Last year, CBP confirmed that a subcontractor, Perceptics, improperly copied license plate data on “fewer than 100,000” people over a period of a month-and-a-half at a U.S. port of entry on the southern border. The agency later suspended its contract with Perceptics.

Smartwatch hack could trick patients to ‘take pills’ with spoofed alerts

Security researchers say a smartwatch, popular with the elderly and dementia patients, could have been tricked into letting an attacker easily take control of the device.

These watches are designed to let patients easily call their carers, and to let carers track the location of their patients. They come with their own cellular connection, so that they work anywhere.

But researchers at U.K.-based security firm Pen Test Partners said they found that they could trick the smartwatch into sending fake “take pills” reminders to patients as often as they wanted.

“A dementia sufferer is unlikely to remember that they had already taken their medication,” wrote Vangelis Stykas in a blog post. “An overdose could easily result.”

Researchers triggering the “take pill” alert on a vulnerable smartwatch. (Image: Pen Test Partners/supplied)

The vulnerabilities were found in the back-end cloud system, known as SETracker, which powers the smartwatch. The same cloud system also powers millions of other white-label smartwatches and vehicle trackers across Europe, all of which were vulnerable to basic attacks, the researchers said.

The researchers found a copy of the source code that powers the back-end cloud system, allowing them to look for security weaknesses in the code. One of the major flaws was that the server used a hardcoded key; anyone holding that key could have sent commands to remotely control any one of these devices.

With this key, an attacker could trigger the “take pills” alert, secretly make phone calls from the device, send text messages, or — in the case of vehicle trackers — cut the engine altogether.
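The design flaw described above (one hardcoded key that authorizes commands to every device in a fleet) is easiest to see next to the per-device alternative. The following is an added example written for this page; it is not Pen Test Partners’ code and not SETracker’s. The class names, the `device|counter|command` message format, the `provision` API and the in-memory key store are all assumptions standing in for a real secrets store.

```python
import hashlib
import hmac
import secrets


def sign(key: bytes, device_id: str, counter: int, command: str) -> bytes:
    """HMAC-SHA256 over the device id, a monotonic counter and the command text."""
    msg = f"{device_id}|{counter}|{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


class WeakCommandServer:
    """Weak design (hypothetical): a single key literal lives in the source code.

    Anyone who reads the source, or recovers the key from one device, can produce a
    valid tag for *every* device id, because all devices share the same secret.
    """

    SHARED_KEY = b"constructed-hardcoded-key-do-not-ship"  # constructed sample value

    def verify(self, device_id: str, counter: int, command: str, tag: bytes) -> bool:
        expected = sign(self.SHARED_KEY, device_id, counter, command)
        return hmac.compare_digest(expected, tag)


class HardenedCommandServer:
    """Hardened design (hypothetical): a random key per device, issued at provisioning.

    Keys are generated at runtime and kept in a store the source code does not contain,
    and a per-device counter rejects replayed commands.
    """

    def __init__(self) -> None:
        self._keys: dict[str, bytes] = {}          # stands in for a secrets store / HSM
        self._last_counter: dict[str, int] = {}

    def provision(self, device_id: str) -> bytes:
        """Create a device's key; the value is handed to the device once, at enrollment."""
        key = secrets.token_bytes(32)
        self._keys[device_id] = key
        self._last_counter[device_id] = -1
        return key

    def verify(self, device_id: str, counter: int, command: str, tag: bytes) -> bool:
        key = self._keys.get(device_id)
        if key is None:
            return False                            # unknown device
        if counter <= self._last_counter[device_id]:
            return False                            # replayed or reordered command
        if not hmac.compare_digest(sign(key, device_id, counter, command), tag):
            return False                            # wrong key or tampered message
        self._last_counter[device_id] = counter
        return True


def demo() -> dict:
    """Show the blast radius of a shared key versus per-device keys."""
    cmd = "TAKE_PILLS_ALERT"
    weak = WeakCommandServer()
    # With the shared key from the source, tags for any device id verify.
    weak_accepts_any = all(
        weak.verify(dev, 1, cmd, sign(WeakCommandServer.SHARED_KEY, dev, 1, cmd))
        for dev in ("watch-1", "watch-2", "tracker-9")
    )

    hard = HardenedCommandServer()
    key_a = hard.provision("watch-1")
    hard.provision("tracker-9")
    own_device_ok = hard.verify("watch-1", 1, cmd, sign(key_a, "watch-1", 1, cmd))
    # Holding watch-1's key does not help against tracker-9.
    other_device_rejected = not hard.verify("tracker-9", 1, cmd, sign(key_a, "tracker-9", 1, cmd))
    # Re-sending the already accepted counter value is rejected.
    replay_rejected = not hard.verify("watch-1", 1, cmd, sign(key_a, "watch-1", 1, cmd))
    unknown_rejected = not hard.verify("watch-77", 1, cmd, sign(key_a, "watch-77", 1, cmd))

    return {
        "weak_accepts_any": weak_accepts_any,
        "own_device_ok": own_device_ok,
        "other_device_rejected": other_device_rejected,
        "replay_rejected": replay_rejected,
        "unknown_rejected": unknown_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The hardened server still needs the device keys protected at rest and a provisioning path that never puts them in source control; the counter is a minimal replay guard and a real deployment would also bind commands to an expiry time.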

The code also had passwords and tokens to SETracker’s cloud storage, which the researchers believe — based on the code — stored data uploaded by these devices. But the researchers were unable to check as doing so would have broken U.K. computer hacking laws.

The researchers said that the vulnerabilities have now been fixed. It isn’t known if the flaws had been exploited by someone else.

This latest research comes just months after Pen Test Partners found similar vulnerabilities in another widely used white-label child-tracking smartwatch.

A lack of security is a growing trend among smart device makers, which often build devices with little consideration for good cybersecurity practices. That prompted the U.K. government to propose new legislation that would help improve their security by mandating that smart devices must be sold with a baseline level of security, such as unique passwords.

Data brokers track everywhere you go, but their days may be numbered

Everywhere you go, you are being followed. Not by some creep in a raincoat, but by the advertisers wanting to sell you things.

The more advertisers know about you — where you go, which shops you visit, and what purchases you make — the more they can profile you, understand your tastes, your hobbies and interests, and use that information to target you with ads. You can thank the phone in your pocket — the apps on it, to be more accurate — that invisibly spits out gobs of data about you as you go about your day.

Your location, chief among the data, is by far the most revealing.

Apps, just like websites, are filled with trackers that send your real-time location to data brokers. In return, these data brokers sell on that data to advertisers, while the app maker gets a cut of the money. If you let your weather app know your location to serve you the forecast, you’re also giving your location to data brokers.

Don’t be too surprised. It’s all explained in the privacy policy that you didn’t read.

By collecting your location data, these data brokers have access to intensely personal aspects of your life and can easily build a map of everywhere you go. This data isn’t just for advertising. Immigration authorities have bought access to users’ location data to help catch the undocumented. In one case, a marketing firm used location data harvested from phones to predict the race, age, and gender of Black Lives Matter protesters. It’s an enormous industry, said to be worth at least $200 billion.

It’s only been in recent years that it was possible to learn what these data brokers know about us. But the law is slowly catching up. Anyone in Europe can request access to obtain or delete their data under the GDPR rules. California’s new consumer privacy law grants California residents access to their data.

But because so many data brokers collect and resell that data, the data marketplace is a fragmented mess, making it impossible to know which companies have your data. That can make requesting it a nightmare.

Jordan Wright, a senior security architect at Duo Security, requested his data from some of the biggest data brokers in the industry, citing California’s new consumer privacy law. Not all went to plan. As an out-of-state resident, only one of the 14 data brokers approved his request and sent him his data.

What came back was a year’s worth of location data.

Wright works in cybersecurity and knows better than most how much data spills out of his phone. But he takes precautions, and is careful about the apps he puts on his phone. Yet the data he got back knew where he lives, where he works, and where he took his family on holiday before the pandemic hit.

“It’s frustrating not fully knowing what data has been collected or shared and by whom,” he wrote in a blog post. “The reality is that dozens of companies are monitoring the location of hundreds of millions of unsuspecting people every single day.”

Avoiding this invasive tracking is nearly impossible. Just like with web ad tracking, you have little choice but to accept the app’s terms. Allow the tracking, or don’t use the app.

But the winds are changing and there is an increasing appetite to rein in the data brokers and advertising giants by kneecapping their data collection efforts. As privacy became a more prominent selling point for phone consumers, the two largest smartphone makers, Apple and Google, in recent years began to curb the growing power of data brokers.

Both iPhones and Android devices now let you opt out of ad tracking, a move that doesn’t reduce the ads that appear but prevents advertisers from tracking you across the web or between apps.

Apple threw down the gauntlet last month when it said its next software update, iOS 14, would let users opt out of app tracking altogether, serving a severe blow to data brokers and advertisers by reducing the amount of data that these ad giants collect on millions without their explicit and direct consent. That prompted an angry letter from the Interactive Advertising Bureau, an industry trade group that represents online advertisers, which expressed its “strong concerns” and effectively asked Apple to back down from the plans.

Google also plans to roll out new app controls for location data in its next Android release.

It’s not the only effort taking on data brokers, but it’s been the most effective — so far. Lawmakers are scrambling to find bipartisan support for a proposed federal data protection agency before the end of the year, when Congress resets and enters a new legislative session.

Shy of an unlikely fix by Washington, it’s up to the tech giants to keep pushing back.

TikTok saw a rise in government demands for user data

Earlier this year, TikTok’s parent company ByteDance joined the raft of American tech giants that publish the number of government demands for user data and takedown requests by releasing its own numbers. The move was met with heavy skepticism, amid concerns about the app maker’s links to China, and accusations that it poses a threat to U.S. national security, a claim it has repeatedly denied.

In its second and most recent transparency report, published today, TikTok said it received 500 total legal demands, including emergency requests, from governments in the first half of the year, up 67% on the previous half. Most of the demands came from the United States.

TikTok also received 45 government demands to remove content. India, which submitted the most takedown requests, earlier this month banned TikTok from the country, citing security concerns.

But noticeably absent from the report is China, where TikTok is not available but where its parent, ByteDance, is headquartered. That’s not an uncommon occurrence: Facebook and Twitter, neither of which is available in China, have not received or complied with a demand from the Chinese government. Instead, ByteDance has a separate video app, Douyin, for users in mainland China.

TikTok spokesperson Hilary McQuaide told TechCrunch: “We have never provided user data to the Chinese government, nor would we do so if asked.”

“We do not and have not removed any content at the request of the Chinese government, and would not do so if asked,” the spokesperson said.

But the company’s efforts to fall in line with the rest of the U.S. tech scene’s transparency practices are not likely to quell long-held fears among the company’s critics, including lawmakers, who last year called on U.S. intelligence to investigate the firm.

TikTok continues to contend that it’s not a threat and that it’s firmly rooted in the United States.

Earlier this week, the company said it was withdrawing from Hong Kong in response to the new Beijing-imposed national security law.

Google reportedly cancelled a cloud project meant for countries including China

After reportedly spending a year and a half working on a cloud service meant for China and other countries, Google cancelled the project, called “Isolated Region,” in May, due partly to geopolitical and pandemic-related concerns. Bloomberg reports that Isolated Region would have enabled Google to offer cloud services in countries that want to keep and control data within their borders.

According to two Google employees who spoke to Bloomberg, the project was part of a larger initiative called “Sharded Google” to create data and processing infrastructure that is completely separate from the rest of the company’s network. Isolated Region began in early 2018 in response to Chinese regulations that mean foreign tech companies that want to enter the country need to form a joint venture with a local company that would hold control over user data. Isolated Region was meant to help meet requirements like this in China and other countries, while also addressing U.S. national security concerns.

Bloomberg’s sources said the project was paused in China in January 2019, and focus was redirected to Europe, the Middle East and Africa instead, before Isolated Region was ultimately cancelled in May, though Google has since considered offering a smaller version of Google Cloud Platform in China.

After the story was first published, a Google representative told Bloomberg that Isolated Region wasn’t shut down because of geopolitical issues or the pandemic, and that the company “does not offer and has not offered cloud platform services inside China.”

Instead, she said Isolated Region was cancelled because “other approaches we were actively pursuing offered better outcomes. We have a comprehensive approach to addressing these requirements that covers the governance of data, operational practices and survivability of software. Isolated Region was just one of the paths we explored to address these requirements.”

Alphabet, Google’s parent company, broke out Google Cloud as its own line item for the first time in its fourth-quarter and full-year earnings report, released in February. It revealed that its run rate grew 53.6% during the last year to just over $10 billion in 2019, making it a more formidable rival to competitors Amazon and Microsoft.

Garry Kasparov on AI: ‘People always called me an optimist’

Garry Kasparov is a political activist who’s written books and articles on artificial intelligence, cybersecurity and online privacy, but he’s best known for being the former World Chess Champion who took on the IBM computer known as Big Blue in the mid-1990s.

I spoke to Kasparov before a speaking engagement at the Collision Conference last month where he was participating in his role as Avast Security Ambassador. Our discussion covered a lot of ground, from his role as security ambassador to the role of AI.

TechCrunch: How did you become a security ambassador for Avast?

Garry Kasparov: It started almost by accident. I was invited by one of my friends, who knew the previous Avast CEO (Vince Steckler) to be the guest speaker at the opening of their new headquarters in Prague. I met the team and very quickly we recognized that we could work together very effectively since Avast wanted an ambassador.

I thought that it would be a great combination because it’s about cybersecurity, and it’s also about customers, about individual rights, which is related to human rights, and it also had a little bit of a political element of course. But most importantly, it’s a combination of privacy and security and I felt that with my record of working for human rights, and also writing about individuals and privacy and also having some experience with computers, that it would be a good match.

Now it’s my fourth year and it seems that many of the things we have been discussing at conferences when I have spoken about the role of AI in our lives, and many of the discussions that we thought were theoretical, have become more practical.

What were those discussions like?

One of the favorite topics that was always raised at these conferences is whether AI will be a helping hand or threat. And my view has been that it’s neither because I have always said that AI was neither a magic wand nor a Terminator. It’s a tool. And it’s up to us to find the best way of using it and applying its enormous power to our good.

What India’s TikTok ban means for China

For more than a decade, China has limited how foreign tech firms that operate inside its borders do business. The world’s largest internet market has used its Great Firewall to block Facebook, Twitter, Google and other services in the name of preserving its cyber sovereignty.

The walled-garden approach has helped homegrown giants like Tencent and Alibaba Group win the local market, while giving the Chinese government a better hold on what gets communicated on these platforms. China has even suggested that other nations deploy similar measures.

Be careful what you ask for: Last week, dozens of Chinese firms got a front-seat view to the challenges their global counterparts face in their territory. With a press release, India declared that the world’s second-largest internet market was shutting the door to dozens of Chinese firms for an indefinite period.

India said it would ban 59 apps and services, including ByteDance’s TikTok, Alibaba Group’s UC Browser and UC News, and Tencent’s WeChat over cybersecurity concerns.

New Delhi is open to meeting these firms and hearing their defenses, but for now, local telecom operators and other internet service providers have been ordered to block access to these services. Google and Apple have already complied with India’s order and delisted the apps from their app stores.

India’s order is already shifting the market in favor of local firms, several of which have rushed to cash in on the app ban. A crop of recently launched short-form video sharing services have amassed tens of millions of users just this week.

But depending on how long the ban remains in place, the move could also derail a big funding source for thousands of Indian startups. The vast majority of India’s unicorns count Chinese VCs as some of their biggest and longest-term backers. New Delhi’s order could also change how American giants, many of which are already bullish on India, review the market moving forward.

Today, we will explore various ways India and China’s situation could play out and impact various stakeholders. But first, some background on how tension escalated between the two nuclear-armed nations.