Huawei’s telecommunications equipment software is riddled with severe security flaws, according to a report from the company’s oversight board in the U.K.
On the plus side, the British spies in charge of the oversight say they don’t “believe that the defects identified are a result of Chinese state interference.” However, the bugs are serious enough to cause telecoms networks to stop functioning if they are exploited. And given the amount of pressure the Chinese manufacturer currently finds itself subjected to—particularly from the U.S.—the report’s timing could not be worse for Huawei.
Suspicion over Huawei’s ties to the Chinese state is nothing new, but it’s the world’s top telecoms equipment vendor and its products are widely used. Facing concerns in the U.K., the company agreed in 2010 to set up a lab there called the Huawei Cyber Security Evaluation Centre (HCSEC,) where Huawei employees would help representatives of GCHQ—the U.K. equivalent of the U.S.’s National Security Agency (NSA)—examine the equipment and its software very closely. Huawei has recently set up other cybersecurity labs in Germany and Belgium, but those only give access to network operators, not intelligence agencies.
Each year, the HCSEC board issues a report on how that scrutiny is going, and the latest report came out Thursday. It was pretty damning.
One major problem is that Huawei can’t prove that the code it submitted for review is exactly the same code running in its equipment. According to the report, Huawei’s software development process is so complex and antiquated that it makes it hard for the British spies to analyze the bugs. All this has been raised with Huawei before, but the company’s plan for dealing with it was “unacceptable” to the spies and U.K. network operators, the report stated, adding that the GCHQ representatives were “not confident that Huawei is able to remediate the significant problems it faces.”
It gets worse: “Given both the shortfalls in good software engineering and cyber security practice and the currently unknown trajectory of Huawei’s R&D processes… it is highly likely that security risk management of products that are new to the U.K. or new major releases of software for products currently in the U.K. will be more difficult [and] that there would be new software engineering and cyber security issues in products HCSEC has not yet examined.”
In other words, the oversight board isn’t brimming with confidence about the new-fangled 5G equipment that Huawei is trying to sell into the U.K.
According to the report, Huawei’s shoddy security practices mean attackers with knowledge of the flaws could “affect the operation of the network,” or even cause the network to crash. They might also be able to access people’s data as it passes through the network—though the network operators’ security controls should limit opportunities for such attacks. Again, the HCSEC board does not believe this is the work of Chinese spies.
“We understand these concerns and take them very seriously,” Huawei said in response to the report, adding that the identified issues “provide vital input for the ongoing transformation of our software engineering capabilities.”
But what does the report mean in effect?
The issue here is one of perception. As Johns Hopkins cryptography guru Matthew Green noted in a Twitter thread: “Many people are saying that other manufacturers probably have the same defects as Huawei. I bet they’re right. This isn’t really the point, though.”
Yes, Huawei is subject to a unique level of scrutiny, which has exposed a level of software vulnerability that might also be found in competing products. But, as Green said, those other equipment vendors “aren’t trying to achieve the unique feat that the U.K.-Huawei partnership is: namely make a not-fully-trusted partner into a trusted one.”
While this is potentially true of other vendors, particularly those that are just spinning up and have immature codebases, those vendors aren’t trying to achieve the unique feat that the UK-Huawei partnership is: namely make a not-fully-trusted partner into a trusted one. 8/
— Matthew Green (@matthew_d_green) March 28, 2019
It’s worth noting that, while some countries such as Australia have banned Huawei’s equipment due to potential Chinese intelligence ties, others have blocked it due to concerns about security flaws that might be fixable. New Zealand’s GCSB spy agency, for example, effectively blocked Huawei’s 5G equipment from the country by telling telecoms operator Spark that it couldn’t use it, but the country’s government subsequently said the door was still open if the concerns could be mitigated.
The fact that New Zealand has shunned Huawei, even if temporarily, while the U.K. continues to allow the company’s products to be rolled out, suggests that such decisions are at least partly political. With that in mind, it is perhaps not surprising that the European Union—at odds with the Trump administration over trade and defense—has decided to ignore the U.S.’s demands that all its allies avoid Huawei’s equipment like the plague.
The EU is instead going more the U.K. route, calling for increased product testing and certification, and Huawei has praised this approach as being more proportionate than the American stance. It had better repay the favor by fixing its software soon, because reports such as that issued this week just give the U.S. more ammunition.
