I attended a security talk some years back, wherein someone had done code level analysis of Huawei equipment. The presenter explained up front that he went in looking for Chinese back doors.
At some point in time he gave up, because he had found so many code flaws and vulnerabilities, he concluded that the Chinese government didn't NEED to pay the company to install back doors, and if they had, it would be impossible to distinguish them from the crappy coding that had been done.
Please note, this is not actually a slam at Huawei or Chinese companies in general. No company is immune from the pressures of needing to hit a ship date, and the iron triangle isn't a new thing to any of us. When you can't adjust time, or the size of the shipping product (You didn't ACTUALLY need packet routing in the minimal viable product of our router, did you?), quality is your remaining variable.
This is why state actors will pay hundreds of thousands of dollars for the right vulnerabilities; it's more deniable than paying someone to insert a back door. Not to say that no one has ever decided to code themselves a retirement package, just that the state actor that paid for the retirement has plausible deniability.
Min