Huawei security: Half its kit has ‘at least one potential backdoor’

Huawei ban: Winners, losers, and what’s at stake (a whole lot)
ZDNet’s Jason Cipriani and Jason Perlow talk with Karen Roby about how the security and trade brouhaha impacts everything from the future of regional carriers and the bottom lines of tech giants to 5G’s prospects and consumers’ pocketbooks. Read more: https://zd.net/2WzVRbq

On the heels of news that suspected Chinese state-sponsored hackers broke into telecom giants through IBM and HPE, researchers have revealed that over half the equipment from China’s telecoms giant, Huawei, has “at least one potential backdoor”.

Researchers from IoT security firm Finite State have given a scathing assessment of the state of security in Huawei’s networking device firmware, arguing “there is substantial evidence that zero-day vulnerabilities based on memory corruptions are abundant in Huawei firmware”.

“In summary, if you include known, remote-access vulnerabilities along with possible backdoors, Huawei devices appear to be at high risk of potential compromise,” the firm wrote in a new report. 

The conclusions echo recent comments by Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), a unit of spy agency GCHQ.

After assessing Huawei equipment over concerns its 5G gear could be used by China to spy on the country, Levy said Huawei security was “objectively worse” and “shoddy” compared with that of rivals, which include Ericsson, Nokia, and Cisco. 

The report on Huawei firmware security also follows one from Reuters on Wednesday revealing that hackers known as Cloud Hopper, who were allegedly working for China’s Ministry of State Security, hacked Ericsson, Fujitsu, Tata, NTT Data, Dimension Data, CSC, and HPE spin-off DXC Technology. The hackers broke into the companies via managed IT service providers HPE and IBM. 

Finite State said in its report that, despite Huawei’s public commitments to improve security, the analysis revealed Huawei’s “security posture” is actually “decreasing over time”.

“From a technical supply-chain security standpoint, Huawei devices are some of the worst we’ve ever analyzed,” the company wrote. 

It says it has analyzed 1.5 million files within about 10,000 firmware images that are used across 558 Huawei enterprise networking products. 

More than 55 percent of firmware images have at least one potential backdoor, according to Finite State. The flaws include hard-coded credentials that could be used as a backdoor, unsafe use of cryptographic keys, and indications of poor software development practices.

However, it should be remembered that even US tech firms, such as Cisco, regularly fix backdoor accounts in their equipment.    

Finite State nonetheless found that on average there are 102 known vulnerabilities in each Huawei firmware image, along with evidence of numerous zero-day vulnerabilities. 

One of the key problems Finite State found lies in Huawei’s use of and failure to update open-source software components, in particular OpenSSL, a widely-used cryptographic library for shielding communications on the web that’s used to enable HTTPS on websites. As with smartphones, customers using networking equipment rely on vendors to deliver security updates to those components. 

It found that the average age of third-party open-source software components in Huawei firmware is 5.36 years and says there are “thousands of instances of components that are more than 10 years old”. 

The oldest version of OpenSSL contained in Huawei firmware was released by the open-source project in 1999. The company said it found 389 binaries on Huawei firmware that were vulnerable to Heartbleed, the critical bug disclosed in 2014 that allows an attacker to steal email and other communications that would normally be protected by the Transport Layer Security protocol.     

Huawei was not available to respond to the report or dispute the security firm’s conclusions at the time of publishing. The story will be updated if Huawei responds.


2022 Kia Carnival priced up as 3-row minivan bucks style trends

Kia has revealed pricing for the 2022 Carnival, the three-row minivan which will replace the Sedona with something a little more stylish. Announced last month, the Carnival will kick off at $32,100 plus $1,175 destination for the entry-level LX trim when it arrives in US dealerships in Q2 2021.

On the outside, you can tell that the Carnival really, really wants to be an SUV. A bigger, bolder grille flanked with LED headlamps, along with bulging wheel arches and a contrast C-pillar set it aside from the Sedona, while at the rear there’s a trunk-spanning light bar and Kia’s new logo.

Still, the name of the game remains practicality. That means sliding rear doors for ease of access to the second and third rows, along with a choice of 7- or 8-seat configurations for the 168.2 cu-ft of passenger space. Drop or remove those two rows, meanwhile, and you’ll get up to 145.1 cu-ft of cargo room.

In the 7-seat models, there’s the option of heated and ventilated second-row VIP Lounge Seating captain’s chairs, with power adjustment, wing-out headrests, and leg extensions. The 8-seat Carnival has a “Slide-Flex” second row center seat, meanwhile, which can be shifted forward and back for easier third-row access, or converted into a table. Third row seats fold into the floor, while in all but the SX-Prestige trim the second-row seats can be physically removed.

The 2022 Carnival LX with Seating Package will start at $31,100 (plus destination), while the EX will be from $37,600. The Carnival SX will be from $41,100, while the flagship Carnival SX-Prestige will be from $46,100.

Regardless of trim, the same 3.5-liter V6 engine will be under the hood. That packs 290 horsepower and 262 lb-ft of torque, and comes with an 8-speed automatic transmission as standard. Kia says it’ll tow up to 3,500 pounds.

What you can’t get is an all-wheel drive Carnival – only front-wheel drive – or a hybrid version, at least for the moment.

Standard across the board are Forward Collision-Avoidance Assist, Blind-Spot Avoidance Assist, and Lane Keeping Assist. Options include Blind-Spot View Monitor, Forward Collision-Avoidance Assist-Cyclist, and a 360-degree camera, along with Kia’s Highway Driving Assist and navigation-based Smart Cruise Control-Curve. There’s also Parking Collision Avoidance Assist to help prevent low-speed dings.


I drove Chevrolet’s new Bolt EUV crossover and now I have an EV headache

The 2022 Chevrolet Bolt EUV has a problem and, embarrassingly for the new electric crossover, the headache is a family affair. Having spent time behind the wheel of the new EV last week, I can tell you it’s perky, affordable, and practical in its own way, as well as that it offers tech you’d previously have needed to splash out on a Cadillac to enjoy.

I can also tell you that the very elements that allow Chevrolet to make the Bolt EUV so attainable are at the root of its biggest issues. For all the new sheet metal – unique from the 2022 Bolt EV hatchback that launches alongside the crossover – there’s only so much that can be altered without pulling out the cards from the very bottom of the pyramid.

For Chevrolet, one of the primary charms of the Bolt platform today is just how familiar it is. The original car was launched in 2017; four years on, the supply base has matured, economies of scale have improved, and generally it’s become cheaper to manufacture. Now, it can reuse that platform for both the 2022 Bolt EV and Bolt EUV.

You can see the Bolt EUV’s recycling as either clever or cynical. While there may be some cannibalization of sales – would-be Bolt EV buyers opting for the 6-inch longer Bolt EUV – Chevrolet seems confident that there’ll be a net-gain overall. It’s also prepared to be flexible: there are enough common components that shifting the production mix between EV and EUV depending on how demand ends up breaking down shouldn’t be too much of a hassle.

That leaves the decision with the buyer, and there it’s harder to make a recommendation one way or the other than I expected. For all the 2022 Bolt EUV promises, its advantages over its cheaper hatchback sibling all seem to come with small print attached.

Picking the crossover would be a whole lot easier, for example, were the Bolt EUV available with all-wheel drive. Sadly, like the regular Bolt EV, it’s front-wheel drive only, despite how Chevrolet brands the body style. That’s a limitation of the underlying platform and, though the engineers probably could revamp it to fit in a rear electric motor if they had sufficient time and cash to spare, right now that’s not on the roadmap and it’s hard to imagine the situation ever changing.

GM’s focus is on Ultium, its new platform for all-electric vehicles. There’ll be Ultium-based models across all of the company’s nameplates eventually, though they’ll kick off with the GMC Hummer EV and the Cadillac Lyriq SUV. Both are, conspicuously, high-price luxury models: a Hummer EV Edition 1 is three times what a Bolt EUV would cost you.

Eventually, assuming everything goes to plan, GM expects Ultium to be cost-effective for more affordable electric cars too. For the next couple of years at least, though, it’ll be the playground of the high end.

As I said in my Bolt EUV first drive, I suspect the absence of AWD as an option will hurt Chevy in some markets. Rivals in the segment, like the VW ID.4 and Tesla Model 3, offer AWD after all. Though a front-wheel drive EV on decent winter tires can be much better than an internal-combustion FWD car with the same rubber, there’s no escaping that for some drivers AWD is non-negotiable.

The Super Cruise situation is similarly complicated. Certainly, for the Bolt EUV to offer GM’s hands-free driver assistance technology – and to be the first outside of Cadillac to do so – is a feather in Chevy’s cap. All the same, it’s the old version of Super Cruise, not the new, “Enhanced” version which launched to great fanfare recently on the 2021 Escalade.

That means it can’t do automatic lane-changes, just keep you centered in the same lane and maintain pace with the traffic ahead, without demanding you keep your hands on the wheel at the time. GM’s camera-based driver-attention monitoring and Super Cruise’s stability are great, and it would be my assistance-system-of-choice were I planning a highway road trip any time soon, but the limitation is another reminder of how Chevrolet has revamped older technology for another release.

The reality is that the gap between the 2022 Bolt EV and the 2022 Bolt EUV is small. Very small. That extra space in the rear is literally just for legroom: the hatchback actually has a tiny bit more head, shoulder, and hip space, and even a slightly larger trunk than the crossover. Chevrolet’s usability improvements, like the latching one-pedal driving mode button, are for the most part present on both versions.

You can’t get Super Cruise on the 2022 Bolt EV, and it doesn’t come with the fancy dual-voltage charger the crossover includes, but it also starts at just $31,995. That’s $2k less than a base Bolt EUV, though if you want to add the $2.2k Super Cruise option you’ll need the crossover in Premier trim, which is from $38,495 (and throws in leather seats and a 360-degree camera, among other extras).

I’ve always had a soft spot for the Bolt EV, and like a lot of people who cover cars it’s an electric vehicle I often recommend as a solid budget option. Charming as the new Bolt EUV is, and as much as I enjoy Super Cruise, I’m not sure that’s all enough to sway the recommendation from its regular hatchback sibling. If low price without a range compromise are your primary motivators in buying a new electric car, I suspect the 2022 Bolt EV should still be your first port of call.


VW ID.3 Convertible teased as Volkswagen tries new electric strategy

Volkswagen is teasing a new all-electric convertible, apparently considering a more playful use of its EV drivetrain as the ID.4 crossover arrives in the US. The potential VW ID.3 convertible would be an open-top version of the ID.3 hatchback which went on sale in Europe last year, the first production example of the automaker’s MEB electric vehicle architecture.

MEB has been VW’s focus for the last few years, a modular car platform designed to underpin electric models from across its brands. Although multiple concepts using the system have been shown, the ID.3 hatchback was the first to reach production; in the US, the first taste of MEB is the new 2021 ID.4 electric crossover.

Now, though, VW is testing the waters for something more unusual. The VW ID.4 e-convertible would be, as the name suggests, an electric cabriolet based on the ID.3. It would have two doors and seating for up to five, at least based on the concept sketch that the automaker has released today.

“An ID.3 convertible? Sounds quite appealing: enjoying nature with the top down, with the instant, but silent electric punch,” Ralf Brandstätter, CEO of Volkswagen Passenger Cars says of the idea. “This could provide an entirely new, extraordinary feeling of freedom. I admit: a very tempting idea. We are still pondering how to turn this attractive concept into reality.”

It’s not the first time we’ve seen VW flirt with more unusual applications for the MEB platform. Back in early 2019 the company showed off the ID. BUGGY concept, an all-electric dune buggy with beefy wheels, no roof, and a wash-down-friendly interior. There were even plans to put it into production, with VW intending to provide the drivetrain while another company would focus on the rest.

That ended up hitting a wall, however, and though we had a chance to drive the ID. BUGGY prototype, the idea of a production version was shelved. The automaker remains open to the potential for licensing out MEB so that other automakers can bypass the R&D, regulatory, and testing requirements of making a new EV platform of their own, but we’re yet to see anything as playful as the electric dune buggy.

This convertible concept is certainly more mainstream than the ID. BUGGY would’ve been, though Brandstätter says that these sketches are still simply “some initial ideas.” As such, there’s no guarantee that it’s going to reach production stage.

What’s interesting is VW’s approach to testing the appeal of such an idea. The automaker has traditionally been fairly tight-lipped around its design process, preferring the regular cadence of concept cars unveiled at auto shows, and then the big, surprise debut of a production model to follow. This time around, however, VW execs are being more vocal about the possibilities: as well as Brandstätter’s speculative post, VW group CEO Herbert Diess mused on the potential for an electric convertible on Twitter.

It’s a conversational-style approach we’ve seen used to good effect by Tesla, with Elon Musk single-handedly acting as cheerleader for new features, a sounding board for fresh ideas, and a point of contact for those frustrated with their EVs. While Musk’s strategy hasn’t been entirely smooth-sailing – and has seen him clash heads with the US Securities and Exchange Commission before now – it certainly hasn’t hurt enthusiasm among Tesla’s loyal following.

That’s the sort of enthusiasm VW has seen among owners in the past, among iconic models like the Microbus and the Golf GTI. It’s been comparatively absent in more recent years, however. As MEB begins to arrive in dealerships, that motivational homework appears to be something Volkswagen leadership are taking more seriously.
