Tech by VICE

Trump’s Sanctions on China Are Making Huawei Phones Less Secure

Google is shutting down its business relationship with Huawei. What does this mean for the security of your Huawei devices?

by Lorenzo Franceschi-Bicchierai
May 20 2019, 5:27pm

After the US government cracked down on Chinese tech giant Huawei last week, Google became the first American company to follow the ban.

On Sunday, after Reuters first reported the news, Google admitted it is complying with the US government order and will shut down its business relationship with the Chinese company. Huawei is the world’s third-largest smartphone maker after Samsung and Apple, and the company uses Google's Android OS on its phones. According to the company, half a billion people use Huawei cellphones around the world. So this ban has huge ramifications, especially in Europe, where Huawei has a 17 percent market share.

So what does this ban mean in practice for consumers who have a Huawei phone?

Google did not immediately respond to a series of questions about this ban. The company only sent a statement: “We are complying with the order and reviewing the implications. For users of our services, Google Play and the security protections from Google Play Protect will continue to function on existing Huawei devices.”

Huawei said that it “will continue to provide security updates and after sales services to all existing Huawei and Honor smartphone and tablet products covering those have been sold or still in stock globally.”

“We will continue to build a safe and sustainable software ecosystem, in order to provide the best experience for all users globally,” the statement concluded.

As the BBC explained in a thorough article, Google’s decision will not impact people who already have a Huawei device, or those who buy the company's new flagship device, set to be unveiled today. But future phones will not get the Play Store, any Google apps, and other tools provided by Google that are not strictly part of Android’s open source codebase.

That also means that Google will stop giving Huawei code for its security fixes one month before they get released. This means Huawei will get the code only when it goes live, potentially making Huawei users less secure, because those handsets will likely take longer to get critical security patches.

That’s because hackers could be faster at reverse engineering the Google patches and developing exploits before Huawei’s own engineers develop fixes and customize them for Huawei devices. This is what people in the industry call “Ndays,” a play on zero-days. These kinds of exploits are not zero-days because they are known to the vendor, but they still work because the bugs they rely on are not patched.

"I think it's going to make it more of an attractive target, we constantly say make sure your device is updated and if this is not the case and that put users at risk," Daniel Cuthbert, the global head of security research at Santander, said in an online chat.

In other words, from now on, the security of Huawei’s devices is even more in the hands of Huawei, which is probably bad news because the company doesn’t really have a good track record in terms of security. But how bad it will really be for Huawei users is too early to tell.

“Is that worse than others? Not really,” Stefan Edwards, a security researcher at Trail of Bits, said in an online chat. “Like Samsung has to port things often because they do so much dumb shit to their Android installs.”

According to Jon Sawyer, a security researcher who has studied Android phones for years, Huawei phones have had really bad bugs, especially years ago.

“They had a lot of security issues. A lot of ‘that might be a backdoor’ thing,” Sawyer said in an online chat, explaining that, however, a lot of Android phones have had these problems.

That’s why in Motherboard’s Guide To Not Getting Hacked, we recommend going with the Pixel or other phones that get vanilla Android. These are the only phones that are guaranteed to get early security updates, making exploitation a bit harder.

This story has been updated to include Cuthbert's comment.