How telecom systems can be compromised

Hardware and software provided by foreign suppliers, particularly those suppliers with strong government connections, have the potential to compromise the security of Canada's telecommunication systems and leave them vulnerable to attack, computer experts warn.

"If you buy equipment or software that's essentially produced by the government of another country, then you have no control over what that software or hardware might be doing that you can't see," said Prof. David Skillicorn at the school of computing at Queen's University in Kingston, Ont.

"It's the reason we don't buy fighter planes from the Russians. If you're running on hardware that somebody else built, and you don't trust the somebody else, then it's never going to do, securely, what you want it to do."

Other experts agree that sensitive buyers need to know exactly what it is they are purchasing.

"You can hide things in software. You can hide things in hardware," says Thomas Dean, a professor in the department of electrical and computer engineering at Queen's.

"Hardware components can do all sorts of things. They can record things. They can transmit things. They can also be a back door for disabling" parts of a system.

In recent days, concerns have been raised over the Harper government's decision to allow China's Huawei Technologies to participate in large Canadian telecommunication projects with companies like Bell, Telus and WIND Mobile.

The company has been blocked by the U.S. and Australia when it attempted to participate in similar projects in those countries. Some have accused Huawei of engaging in espionage on behalf of the Chinese government, an accusation Huawei has vehemently rejected.

Although experts are concerned about the potential for tampering with telecommunications technology, there is no evidence that Huawei has engaged in this type of activity. The company released a statement May 15 saying, "all our stakeholders, including governments, have a clear understanding of the tools we use to protect the integrity of our customers' networks to the highest standards. Over the past four years, we've worked openly and transparently in consultation with our customers and government to meet these requirements."

Infrastructure

Concerns about the security of telecommunications equipment are not new. Intelligence officials have long been worried that foreign-controlled technology companies could potentially hide digital "back doors" in telecommunication networks that might steal Canadian secrets or disrupt operations.

"It means that if you buy a switch from a company it [could] take a copy of everything that passes through it and send it off to some other place," Skillicorn said.

"It would have to be transmitted in a covert way, but that’s not all that difficult a problem if you control the whole ball game."

Skillicorn said the problem with hardware is that it's difficult to inspect the equipment that you're getting because so much of it is "working down at the very, very small scale.

"So you would have to tear the chips apart and look at them in incredible detail."

Skillicorn noted that when it comes to intelligence sharing between Canada and its allies, Ottawa would never consider using anyone else's equipment for the top, most secure levels of communication.

However, at the next level down, governments are starting to use encrypted communication over shared channels that are basically part of the public infrastructure.

"So now you have to rely on how strong you think your encryption is rather than concealing the traffic completely from people who might be your enemies."

"There’s always been rumours that there are encryption back doors that are known to government intelligence organizations that let them get into encrypted stuff relatively easy."

Skillicorn warned that even if the data can't be extracted, a hostile agent could use what's called a kill switch to disrupt systems entirely.

"I can cut off your network completely and utterly at every level whenever I feel like it," using such a switch, he said. "That of course would have a huge impact at every level including the military.

"They could have their switches turn themselves off on a particular date, for example. Once you have the potential, you can think up all sorts of ways to do very bad things."

When it comes to manipulating telecommuncations systems, Dean said there is also the potential risk of modification, meaning the way in which a hidden program might change or redirect a particular communication, like an email for example, as it passes through the network.

"It's not unthinkable to talk about something that could actually modify traffic. That's a little bit more remote of a threat, but it's certainly not unreasonable."