UK: Huawei has ‘made no progress’ on security issues
A British government report concludes that Huawei has made “no progress” in more than a year in addressing previously reported security vulnerabilities. The equipment used in British telecom networks, for example, has cryptographic shortcomings and default passwords.
As a result, the author of the report can provide only limited assurance about the security risks associated with the devices in use. The author is the supervisory board of Hcsec, a body set up by the British government and Huawei itself. The report covers only the equipment used in the providers' telecom networks and therefore says nothing of substance about, for example, the company's phones.
One of the problems concerns the underlying software of the products: there are flaws in Huawei's software development process. As a result, the software that Hcsec examines may differ from the software that ships in the final devices. The regulator finds it difficult to state whether products are secure and free of major security risks. This was one of the problems also reported last year, and according to Hcsec nothing has changed in practice.
Furthermore, Hcsec writes that it found several problems in Huawei products during 2018. To determine the causes of these problems, the agency had to replicate the products. During the reverse engineering, the body concluded that these products were the result of an ‘extremely complex and poorly controlled process’.
The problems found do not differ significantly from those found in previous years. They include, for example, unsecured stacks in publicly accessible protocols, cryptographic shortcomings, default passwords and ‘many other basic security risks’. “While Huawei has put in place secure development standards and says it has restructured risky code, little has changed in the security qualities of the software we received. under permanent control by the operators,” Hcsec writes.
In conclusion, Hcsec states that there are serious and systematic errors in software development and security. The authority therefore questions Huawei’s competence in software development and computer security. As a result, Hcsec can provide only limited technical assurance that the security risks the Huawei devices present to the United Kingdom are manageable. The board writes that bad processes can lead to vulnerabilities in the software. It considers the number and severity of the vulnerabilities discovered by Hcsec's ‘relatively small team’ to be serious.
If an attacker is aware of these vulnerabilities and has sufficient access to exploit them, that attacker can influence the functioning of the British telecom network. An attacker could also infiltrate user traffic or reconfigure network elements. Measures taken by UK network providers restrict access to these vulnerabilities, which makes them difficult to abuse, according to Hcsec. According to the board, it is therefore important that these measures are maintained in order to limit the risks of the Huawei software. The NCSC does not believe these vulnerabilities are a result of Chinese state interference.
In a response, Huawei writes that it takes the concerns seriously and will get to work on them. The response also refers to a statement made last year, in which the company’s executives said they would implement a company-wide “transformation program” to improve software development. This involves a budget of 1.8 billion euros.
Last month, two unnamed sources told the Financial Times that the risk posed by Huawei’s 5G equipment is “manageable” according to British intelligence agency NCSC. That was based on a report that had not yet been published at the time. It is possible that this is the same report, as the NCSC is the British government's point of contact for Hcsec. However, the new report is somewhat more nuanced and speaks of limited manageability. The report also states that Huawei has done nothing in practice with the comments from the earlier report.
Several countries worldwide have expressed concerns about Huawei. The United States, for example, suspects that China is spying through Huawei’s equipment. US government departments are therefore not allowed to buy devices from the Chinese company, something for which the company has sued the government. Huawei continues to deny that the Chinese state can eavesdrop on Huawei’s equipment.