Are Huawei, ZTE Phones Actually Unsafe?
U.S. intelligence officials imply that Huawei, ZTE devices aren't safe for consumers, but don't explain why. So we asked some experts.
We first published this story on Feb. 15, 2018. More than a year later, Huawei has effectively been banned from the U.S. market, and U.S. companies will soon not be able to do business with Huawei. We're still waiting to see the evidence that Huawei is a security threat, either to its customers or to the U.S. as a nation.
The heads of six U.S. intelligence and law-enforcement agencies told the Senate Intelligence Committee this week that they could not recommend that U.S. residents buy Huawei or ZTE products. The implication of this very public warning is that the Chinese brands pose a risk to national security — and possibly to consumer security as well.
But are you really running a higher privacy or security risk if you use a Huawei or ZTE smartphone? Would they be riskier than any other Chinese-made phones? We put the question to some experts in the field.
"Pretty simply, no and no," said George Smith, a senior fellow at the GlobalSecurity.org think tank. "You can't avoid Chinese products, anyway, in the market, so one wonders why they would even get around to saying this."
"The short answer is that all computers, especially mobile devices, carry with them a certain level of risk to everyone's security and privacy," said Heather McKinnon, a spokeswoman for the mobile-security-software maker Lookout.
Sen. Tom Cotton, R-Arkansas, created a television-friendly note of drama two hours into Tuesday morning's session by asking the six agency chiefs a simple question.
"Would you please raise your hand if you would use products or services from Huawei or ZTE?" Cotton said.
None of the agency chiefs — Lt. Gen. Robert Ashley of the Defense Intelligence Agency, Robert T. Cardillo of the National Geospatial-Intelligence Agency, Director of National Intelligence Dan Coats, CIA Director Mike Pompeo, NSA Director Adm. Michael S. Rogers and FBI Director Christopher Wray — did so. None offered any explanation as to why.
"Raise your hands if you would recommend that private American citizens use Huawei or ZTE products or services," asked Cotton. "None of you again raising your hand. Thank you for that."
Cotton is the co-sponsor of a bill introduced last week that would ban the use of Huawei and ZTE products by government agencies or contractors. A similar bill was introduced in the House last month.
The agency chiefs were testifying in an open session as part of the Senate Intelligence Committee's national-security threats hearings, which occur around this time almost every year. A closed session, barred to all but those with security clearances, followed Tuesday afternoon.
Bashing Huawei and ZTE is nothing new
The shunning of Huawei and ZTE is reminiscent of the government's sudden crackdown last year on Kaspersky antivirus software, but it's actually been building for much longer.
In 2008 and 2010, the U.S. government blocked bids by Huawei to buy U.S. telecommunications companies. In 2012, a House Intelligence Committee investigation concluded that Huawei and ZTE posed a national-security threat and that the U.S. government and U.S. companies should avoid buying their products.
Both companies are trying to increase their shares of the U.S. smartphone market, but in January, AT&T abruptly canceled its launch of the Huawei Mate 10 Pro smartphone. Later that same month, Verizon reportedly decided that it wouldn't sell any Huawei phones.
Both carriers do sell low-end ZTE phones. Unlocked high-end smartphones made by both Huawei and ZTE, including Huawei's Honor spinoff, can be found at many major U.S. retailers.
Unacceptable risk to governments...
Huawei and ZTE both have demonstrable links to the Chinese government. Huawei's founder and CEO held a high rank in the engineer corps of China's People's Liberation Army (PLA), and ZTE is partly owned by the Chinese government.
Other Chinese companies such as Lenovo, Xiaomi and BBK (owner of phone makers Oppo, Vivo and OnePlus) don't have such clear government ties and haven't drawn the same amount of scrutiny from Western politicians.
U.S. authorities fear that networking devices made by Huawei and ZTE could be used to spy on American companies, governments and citizens, and perhaps even be used to sabotage U.S. networks and infrastructure in the event of war with China. Australian and British authorities have similar concerns.
"Could you explain what the risk is we face from ZTE and Huawei being used in the United States?" Cotton asked FBI Director Wray on Tuesday.
"We're deeply concerned about the risks of allowing any company or entity that is beholden to foreign governments that don't share our values to gain positions of power inside our telecommunications networks that provides the capacity to exert pressure or control over our telecommunications infrastructure," Wray replied. "It provides the capacity to maliciously modify or steal information, and it provides capacity to conduct undetected espionage."
To put it simply, using Huawei and ZTE gear creates an unacceptable amount of risk for U.S. military and government agencies, and for the private companies that supply those agencies. The same could be said for Kaspersky antivirus software.
...But maybe not to you
Nevertheless, there's no public evidence as of yet that Huawei or ZTE smartphones or other products will endanger the privacy or digital security of the ordinary U.S. resident. (Huawei also sells home Wi-Fi routers, laptops and smartwatches to American consumers.)
"This is not specific to ZTE and Huawei, but is something that spans the industry," said Andrew Blaich, a security researcher with Lookout. "The level of risk varies from device to device and manufacturer to manufacturer."
The truth is that every smartphone spies on you to some extent, and most Android smartphones have security flaws related to the platform's relatively open software model. And, well, other Chinese-made phones have been caught sending a suspicious amount of data back to servers in China, if only for commercial reasons.
"We have certainly seen a rash of issues in the last two years that have appeared to be suspicious," Blaich told us, "from the software vendor Adups that is popular on BLU phones (uncovered by Kryptowire), to the social media organized mobile hacking services of the Elliot Alderson (@fs0c131y) persona that continues to find a number of issues in OnePlus phones (and others) regarding egregious data collection in certain geolocations."
It may be that Huawei and ZTE phones do spy on their users, but so far, Western security experts haven't been able to find much evidence. And it may be that more detailed information was disclosed by the agency chiefs in the closed Senate hearing, but if so, they're not making it public.
Huawei was pretty notorious in recent years for industrial espionage, however. Since 2003, the company has been accused of stealing trade secrets from Cisco, Motorola and T-Mobile, resulting in a flurry of lawsuits and settlements. Huawei and ZTE have even accused each other of stealing secrets.
Rob Graham, chief technology officer of Errata Security in Atlanta, told us that he doesn't know whether Huawei or ZTE phones would be risky for American consumers to use. But he suggested an American alternative, albeit one manufactured in China.
"China cares more about trade secrets than national security secrets, so even average users may have concerns about whether their phones can be hacked by the vendor," Graham said. "In any case, the iPhone is far more secure than any Android phone."
UPDATE: ZTE reached out to us and provided this statement:
"ZTE is proud of the innovation and security of our products in the U.S. market. As a publicly traded company, we are committed to adhering to all applicable laws and regulations of the United States, work with carriers to pass strict testing protocols, and adhere to the highest business standards. Our mobile phones and other devices incorporate U.S.-made chipsets, U.S.-made operating systems and other components. ZTE takes cybersecurity and privacy seriously and remains a trusted partner to our U.S. suppliers, U.S. customers and the people who use our high quality and affordable products for their communications needs."
Paul Wagenseil is a senior editor at Tom's Guide focused on security and privacy. He has also been a dishwasher, fry cook, long-haul driver, code monkey and video editor. He's been rooting around in the information-security space for more than 15 years at FoxNews.com, SecurityNewsDaily, TechNewsDaily and Tom's Guide, has presented talks at the ShmooCon, DerbyCon and BSides Las Vegas hacker conferences, shown up in random TV news spots and even moderated a panel discussion at the CEDIA home-technology conference. You can follow his rants on Twitter at @snd_wagenseil.