Huawei removed wi-fi transmitting cards from a Pakistan-based surveillance system's CCTV cabinets after they were discovered by the project's staff. Punjab Safe City Authority (PSCA) told BBC Panorama it had told the firm to remove the modules in 2017 "due to [a] potential of misuse".
The authority said that the Chinese firm had previously made mention of the cards in its bidding documents.
But a source involved in the project suggested the reference was obscure.
A spokesman for Huawei said there had been a "misunderstanding". He added that the cards had been installed to provide diagnostic information, but said he was unable to discuss the matter further.
The PSCA confirmed that the explanation it had been given was that wi-fi connectivity could have made it easier for engineers to troubleshoot problems when they stood close to the cabinets, without having to open them up.
Two people involved in Lahore's project helped bring the matter to the BBC's attention and have asked to remain anonymous. One said that Huawei had never provided an app to make use of the wi-fi link, and added that the cabinets could already be managed remotely via the surveillance system's main network.
A UK-based cyber-security expert said that it was not uncommon for equipment sellers to install extra gear to let them offer additional services at a later date.
But he added that the affair highlighted the benefit of oversight because if the authority had remained unaware of the cards' existence, it could not have taken steps to manage any potential risk they posed.
"As soon as you give someone another method of remote connectivity you give them a method to attack it," commented Alan Woodward.
"If you put a wi-fi card in then you're potentially giving someone some other form of remote access to it. You might say it's done for one purpose, but as soon as you do that it's got the potential to be misused."
There is no evidence that the cards created a vulnerability, and one of the sources involved confirmed that there had not been an opportunity to test if they could be exploited before the kit was removed.
No comments:
Post a Comment