British Report Highlights Security Issues in Huawei Networking Gear

Posted on March 28, 2019 by Paul Thurrott in Cloud with 10 Comments

While the country still doesn’t recommend a ban, Britain this week publicly complained about the security risk of Huawei’s networking gear, citing years-long quality problems and Huawei’s inability to fix them.

“These findings are about basic engineering competence and cyber security hygiene that give rise to vulnerabilities that are capable of being exploited by a range of actors,” a National Cyber Security Centre (NCSC) report notes, adding that Huawei will need to dramatically improve its response to issues. “The evidence of sustained change is especially important as strongly-worded commitments from Huawei in the past have not brought about any discernible improvements.”

The report describes “significant” flaws in Huawei’s existing networking hardware, which has been present in the UK’s infrastructure for over 15 years. This report is notable because the United States is calling, mostly unsuccessfully, for its allies to ban Huawei as they build out next-generation 5G networks. The U.S. has never provided any evidence that backs up its fears of the company and other China-based technology giants.

The NCSC previously reported that Huawei hardware is not used in any governmental or otherwise sensitive networks. As with all governmental technology providers, Huawei is subject to strict and ongoing security reviews in the country, and none have ever led to any suspicions.

On that note, the UK-based security agency’s report stopped short of recommending a ban, noting that past problems with Huawei networking gear were just design flaws, not backdoors for the Chinese government. The problem, put simply, is a lack of quality and follow-through when problems are identified.

“NCSC does not believe that the defects identified are a result of state interference,” the report explains.

Huawei has already pledged to spend $2 billion over the next five years to improve the quality of its software and security processes. And it says it will address the NCSC complaints.

“The report details some concerns about Huawei’s software engineering capabilities,” a corporate statement reads. “We understand these concerns and take them very seriously.”


10 responses to “British Report Highlights Security Issues in Huawei Networking Gear”

  1. wright_is

    You see, NSA, this is the way you do it. You know, point at something concrete and say there is a problem.

    Not act like some pouty jilted lover saying, "I don't like them and if you shack up with them, I won't talk to you again, so nah!"

    As noted, it is a cause for concern and they need to improve their focus on security, if they want to continue selling their kit, but no sign of any backdoors or spying software.

  2. waethorn

    This! THIS is why you can't have Chinese 5G.


    Oh, and then there's this: arstechnica.com/gadgets/2019/03/how-microsoft-found-a-huawei-driver-that-opened-systems-up-to-attack/

    • wright_is

      In reply to Waethorn:

      A driver with a local user escalation problem, that had been fixed by the time of the article. You need to be logged on as a legitimate user on the system, before you could exploit this. Not good, but hardly something to really panic over. It just shows that Huawei have a long way to go in tightening up their coding quality.

      You could just as well say, that is why we can't use Windows, or macOS, or Android or iOS or Linux...

  3. waethorn

    “NCSC does not believe that the defects identified are a result of state interference,”


    What next? Your personal data is safe on Facebook?

  4. Daekar

    Seems like the kind of thing that will work via the market to keep Huawei from dominating the 5G landscape - bugs are not backdoors even though they can be functionally identical in the end, and have the same cost. Some countries and companies will care, some won't. Regardless, this doesn't really have more than tangential bearing on the other security concerns that have been bandied about regarding Huawei, and this won't sway either side to change their opinions.

    • wright_is

      In reply to Daekar:

      Just look at Cisco, they have removed dozens of backdoors into their systems over the last 12 - 18 months. It seems like nearly every month has come up with another backdoor removed from something or another.

      Some of them were from acquisitions, but even so, it is not a good look for Cisco.

      • Daekar

        In reply to wright_is:

        Yes, I remember hearing Steve Gibson talk about those vulnerabilities. Scary to hear about that kind of thing from such a trusted and established player.

        Honestly, I think almost every system we use is full of holes, and we just don't know it. I am also perfectly willing to believe that almost every system we use is somehow compromised by nation-state actors regardless of the country of origin. Looking at history and human behavior, that is absolutely a no-brainer to do. As much as I hate to say it, any government that DOESN'T is run by idealistic fools that will eventually be trampled by those who don't share their scruples.

  5. skane2600

    Dear UK, your check is in the mail. Sincerely US.
