China isn’t being honest with its vulnerabilities database

Researchers from Recorded Future say the Chinese government has altered its database to hide what cybersecurity flaws they could be using.

Alfred Ng Senior Reporter / CNET News

Security vulnerabilities are supposed to be disclosed quickly. China has been lying about when it announces them, according to researchers.

James Martin/CNET

Letting the world know about vulnerabilities as soon as possible is an important element of cybersecurity. The sooner the word gets out, the faster companies and people can get patches for these security flaws and limit the impact.

But the Chinese government has been selectively slow to reveal certain vulnerabilities, and has then lied about the dates on which it announced them, according to researchers from Recorded Future.

The cybersecurity company has studied China's National Vulnerability Database before, pointing out that it disclosed security flaws twice as fast as the US National Vulnerability Database, except for the exploits that China was likely using to hack others.

In new research presented at the Kaspersky Security Analyst Summit in Cancun, Mexico, on Friday, Recorded Future's CEO Christopher Ahlberg said they've found that the Chinese government was lying about when it published these vulnerabilities.

"They're hoping to gain a window where they can make people not patch and keep vulnerabilities open," Ahlberg said in an interview before the presentation.

In one case, they found that the Chinese government originally disclosed a vulnerability in BLU phones and their Adups firmware in September 2017, even though it had been discovered in November 2016.

Recorded Future's researchers looked back at the disclosure in February and found the date had been changed to say China disclosed the vulnerability in January 2017, more than eight months earlier than the original post.

"They were able to keep the firmware vulnerable for a time window, and they used that hole as a way to attack locals in Hong Kong," Ahlberg said.

They dug through China's database and found it had changed the publication date on 267 out of 268 late disclosures, Ahlberg said. The altered records show the Chinese government can take vulnerabilities, use them without ever disclosing them to the public, and then quietly claim it announced them much earlier, the CEO said.
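The check the researchers describe, comparing an earlier snapshot of a vulnerability database against a later one to flag records whose publication date was quietly moved earlier, as an added example with constructed sample records (this is not Recorded Future's code, and the ids and dates are made up, not real CNNVD entries):

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample data: vulnerability id -> publication date the database showed
# when each snapshot was taken. Ids and dates are invented for this example.
SNAPSHOT_ORIGINAL = {
    "CONSTRUCTED-0001": date(2017, 9, 25),  # later backdated
    "CONSTRUCTED-0002": date(2017, 3, 2),   # unchanged
    "CONSTRUCTED-0003": date(2017, 5, 1),   # moved later, not backdated
}
SNAPSHOT_LATER = {
    "CONSTRUCTED-0001": date(2017, 1, 10),
    "CONSTRUCTED-0002": date(2017, 3, 2),
    "CONSTRUCTED-0003": date(2017, 6, 1),
}
# Constructed external reference dates, e.g. when the flaw was first public elsewhere.
REFERENCE_DATES = {
    "CONSTRUCTED-0001": date(2016, 11, 15),
    "CONSTRUCTED-0002": date(2017, 2, 20),
}


@dataclass(frozen=True)
class DateChange:
    vuln_id: str
    original: date
    current: date
    days_moved: int  # positive when the record now claims an earlier publication date


def detect_altered_dates(earlier_snapshot, later_snapshot):
    """Return every record whose publication date differs between the two snapshots."""
    changes = []
    for vuln_id, original in sorted(earlier_snapshot.items()):
        current = later_snapshot.get(vuln_id)
        if current is None or current == original:
            continue  # record vanished or is untouched; nothing to flag
        changes.append(DateChange(vuln_id, original, current, (original - current).days))
    return changes


def backdated(changes):
    """Keep only changes that move the publication date earlier in time."""
    return [c for c in changes if c.days_moved > 0]


def disclosure_lag_days(snapshot, reference_dates):
    """Days between an external reference date and the database's own publication date."""
    return {v: (snapshot[v] - reference_dates[v]).days for v in snapshot if v in reference_dates}


if __name__ == "__main__":
    for change in backdated(detect_altered_dates(SNAPSHOT_ORIGINAL, SNAPSHOT_LATER)):
        print(f"{change.vuln_id}: {change.original} -> {change.current} ({change.days_moved} days earlier)")
```

Run against real archived copies of a database, the same comparison also shows how the apparent disclosure lag shrinks once a date has been rewritten.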

It becomes a greater issue when you consider that companies that do business in China -- tech giants including Apple, Facebook and Samsung -- are under the watchful eye of the nation's cybersecurity law, which extends to their vulnerabilities, he said.

"They had a methodology for siphoning off high value vulnerabilities, and they wanted to cover up that methodology and be able to keep doing that," Ahlberg said. "But by trying to cover it up, they put their process out there." 
