Access to codes, audits galore… how Huawei is trying to restore its image

The place is peaceful, very close to a pretty square. It is a street with practically only offices and whose main advantage is the proximity to the building of the European Commission, which is less than 10 minutes away on foot. Which is rather practical when you have economic interests to defend.
Welcome to Brussels, at 9 rue Guimard, to one of the four “Huawei Cyber Security Transparency Centres” that the Chinese manufacturer has set up on the European continent.

These infrastructures were not created for pleasure, but out of necessity. In recent years, the company has been increasingly perceived as a Trojan horse of the Middle Kingdom, a risk to national security, in Europe as well as in the United States. Political leaders are afraid that its mobile network equipment, although among the innovators on the market, could turn into vectors of attack in the service of the Chinese Communist Party.

In France, this general mistrust resulted in Law No. 2019-810 of August 1, 2019, also called the “anti-Huawei law”. It obliges mobile operators to request prior authorization from ANSSI for the installation of 5G equipment.
Huawei is not explicitly cited in this law, but is clearly targeted. Because the risk we are talking about is that of acts of interference by a State that is not a member of the European Union. However, Huawei is the only non-European mobile telecom equipment supplier present on the French market. The others are Nokia and Ericsson, of Finnish and Swedish origin respectively.

The first 5G authorizations issued then showed the logic behind this law. The Chinese manufacturer is in fact excluded from dense areas. Its base stations can only be deployed on the outskirts of towns or in the countryside. And even then. Obviously, faced with this technological banishment, Huawei could not stand idly by, hence the existence of this transparency center in Brussels.

Huawei wants to be irreproachable

That day, we were greeted with a smile by Yoann Klein, cybersecurity advisor at Huawei, who gave us the guided tour. At first glance, the center looks like nothing but a showroom, with a series of large screens on which presentations attempt to demonstrate to visitors that Huawei’s technologies are beyond reproach.
You can learn the details of the “Huawei Privacy Protection Framework”, that is to say how the equipment manufacturer protects personal data. Or discover the “Huawei’s 5G End-to-End Security Architecture”, in other words the end-to-end security architecture of 5G functions.

Obviously, it is not with PowerPoint presentations that the Chinese company will really be able to score points. This is why the center also provides access to the Holy of Holies: Huawei’s cybersecurity testing platform which is hosted in China.
It is managed by the Independent Cyber Security Lab (ICSL) division, which has more than 200 security researchers. Their mission is to test the security of products and assign a level of risk to any faults found.

“If the researchers come across a serious and blocking problem, it’s back to square one. The development team will be forced to review their work and modify it accordingly,” underlines Yoann Klein, whose presentation is then supplemented by a real demonstration, carried out by Nathan Wang, a member of ICSL.

The Chinese expert turns on his laptop and, using a VPN, connects to Huawei’s test platform. Pages written in English and Chinese then appear, interspersed with lists and diagrams. Using this platform, researchers can break down each product into its various modules and sub-modules.

“For each module, all you have to do is answer a series of questions to automatically assess its level of functional risk,” explains Nathan Wang.

Depending on this risk, each module is subjected to a series of tests. The platform references more than 660 test scenarios, 180 of which are penetration tests.

“There you see, for example, that the MyHuawei App mobile application has not obtained its validation, because the microphone cannot be deactivated by the user,” shows us Nathan Wang, navigating through his countless lists of tests.

Access to source code on servers in China

But that’s not all. Visitors can also perform their own static and dynamic tests on genuine Huawei product source codes.
To do this, you have to leave the comfortable armchairs of the showroom and go to the first floor, to the Verification Center. Here, it’s no joke. Before entering this area of the building, visitors must deposit their electronic equipment in the lockers provided for this purpose. In addition, the entrance door to the verification center is equipped with a metal detection gate, which catches out the absent-minded visitor who has inadvertently left a USB key in one of his pockets.

Once past this security gate, you are confronted with a series of rooms, each of which has a color code. When the visitor wants to discuss technical details with an engineer in China, he can go to one of the communication rooms circled in yellow (medium risk), where he can start a videoconference session.
If he wants to analyze the source code, he goes to one of the consultation rooms circled in red (high risk), where thin clients without any connection port are installed.

“These terminals are connected via VPN with the ICSL platform where the code analysis tools are run. What the visitor sees is only a video stream sent from China,” emphasizes Yoann Klein.

The analysis tools can also be the visitor’s own. All they need to do is provide them to Huawei beforehand so that they are directly available from the platform.

“We systematically generate a cryptographic fingerprint of the tools we receive. This allows visitors to later verify that the tool has not been modified along the way,” says Yoann Klein.

OK, but even if we check the source code from top to bottom, how can we be sure that the binary installed in the equipment is indeed the same?

“Indeed, given the size and complexity of our source codes – sometimes hundreds of millions of lines of code – we cannot guarantee that we will always have exactly the same binary on arrival, if only for timestamping reasons. But the differences are small and we achieve a so-called binary equivalence level which is high enough to meet the requirements of the NCSC, the UK cybersecurity agency,” continues Yoann Klein.
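As an added illustration, not code from the article or from Huawei’s platform: the tool-fingerprint check described earlier, and a miniature reproducible build showing why a stray build timestamp breaks bit-for-bit equivalence while pinning it (the SOURCE_DATE_EPOCH convention) restores it. The ZIP archive and its inputs are constructed stand-ins for a real firmware build.

```python
import hashlib
import hmac
import io
import zipfile

# Constructed sample build inputs (file name -> contents); not a real Huawei artifact.
SOURCES = {
    "lib/core.bin": b"\x7fELF" + bytes(range(64)),
    "etc/config.txt": b"mode=secure\n",
}


def build_archive(sources, date_time):
    """Package the inputs into a ZIP. date_time (Y, M, D, h, m, s) is stamped
    on every entry and stands in for a build timestamp; pinning it is what
    makes two builds of the same sources identical."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name in sorted(sources):  # fixed entry order: another source of drift
            info = zipfile.ZipInfo(name, date_time=date_time)
            zf.writestr(info, sources[name])
    return buf.getvalue()


def fingerprint(data):
    """SHA-256 hex digest of an artifact (a visitor's uploaded tool or a build output)."""
    return hashlib.sha256(data).hexdigest()


def verify_fingerprint(data, expected_hex):
    """True only if the artifact still matches the digest recorded when it was received."""
    return hmac.compare_digest(fingerprint(data), expected_hex.lower())


def equivalence(a, b):
    """Fraction of byte positions that agree; a length mismatch counts as disagreement.
    1.0 means bit-for-bit reproducible; slightly below means only small fields
    such as timestamps differ between the two builds."""
    longest = max(len(a), len(b))
    same = sum(1 for x, y in zip(a, b) if x == y)
    return same / longest if longest else 1.0


if __name__ == "__main__":
    pinned = (2023, 1, 1, 0, 0, 0)
    first = build_archive(SOURCES, pinned)
    second = build_archive(SOURCES, pinned)
    drifted = build_archive(SOURCES, (2023, 1, 2, 0, 0, 0))  # same sources, built a day later
    print("pinned builds identical:", fingerprint(first) == fingerprint(second))
    print("drifted build identical:", fingerprint(first) == fingerprint(drifted))
    print("equivalence with drifted build: %.3f" % equivalence(first, drifted))
```

Only the date fields of the ZIP headers differ between the pinned and drifted builds, so the equivalence score stays close to 1.0 while the fingerprints no longer match.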

According to the expert, visitors – generally operators or companies commissioned by them – are delighted with the possibilities offered by Huawei.

“More than 2,500 visitors have passed through the center since it opened in 2019. They are generally teams of five or six people who come for several weeks. And the feedback is very positive. They tell us they have never seen such a level of transparency. It is unique in the telecom ecosystem,” assures Yoann Klein.

And yet, despite all this effort and all this goodwill, it is unlikely that Huawei’s transparency centers can really turn the tide and clear the equipment manufacturer of all suspicion. Because, in the end, faced with political decisions, technical responses will always be insufficient.
