A UK government cybersecurity watchdog has once again raised serious concerns about Huawei’s security practices, the Financial Times reports. The report comes from the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board, an organization set up by the UK’s National Cyber Security Centre to evaluate the security risks posed by using Huawei’s equipment in critical national infrastructure.
HCSEC’s report does not claim to have found any direct evidence of state-backed espionage. However, what it does do is criticize Huawei’s “basic engineering competence and cyber security hygiene,” which could be exploited in a future cybersecurity attack. In particular:
“HCSEC has continued to find serious vulnerabilities in the Huawei products examined. Several hundred vulnerabilities and issues were reported to UK operators to inform their risk management and remediation in 2018. Some vulnerabilities identified in previous versions of products continue to exist.”
The report notes that, “If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network” and even “access user traffic or reconfiguration of the network elements.” However, it also said that the security management of UK operators “makes exploitation of vulnerabilities harder.”
The report comes in the wake of intense scrutiny of Huawei’s security practices, which critics fear could be exploited to make networks more vulnerable to state-sponsored hacking attempts. The US is moving to ban the use of Huawei’s equipment in its forthcoming 5G networks, and is reportedly pressuring its allies to do the same. Australia and New Zealand have already banned or blocked the equipment from being used, and Canada is also expected to follow suit.
Earlier this year, officials from the US state department used last year’s HCSEC report to argue that Huawei’s equipment could not be trusted.
“Strongly worded commitments from Huawei in the past have not brought about any discernible improvements”
Recently, reports emerged that UK government officials believed the risks posed by using Huawei’s equipment could be mitigated, but HCSEC’s latest review has called this into question. The FT notes that a final decision on the use of Huawei’s equipment in future 5G networks is due to be made in the coming weeks.
As a result of these failings, the report notes that, “The Oversight Board continues to be able to provide only limited assurance that the long-term security risks can be managed in the Huawei equipment currently deployed in the UK.”
One example of the effects of these inadequate security processes emerged this morning in a report from The Register, which revealed a critical flaw in how Huawei responded to a security vulnerability in some of its routers. Rather than patch the vulnerability across all the devices that shared the same code, the Chinese company instead only patched the models that were specifically reported. Other models subsequently remained unpatched for three more years, during which time the vulnerability was exploited to use the routers in a 18,000-strong botnet.
In response to today’s report, Huawei said that it took its conclusions “very seriously,” but added that it could take between three to five years to address the problems. In December, the company pledged $2 billion to fix the security problems. However, HCSEC’s report notes that “strongly worded commitments from Huawei in the past have not brought about any discernible improvements.”
“The Oversight Board currently has not seen anything to give it confidence in Huawei’s ability to bring about change via its transformation programme and will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.”
The report comes as the UK’s four major mobile operators are ramping up to launch their 5G networks in the coming years. EE has already said it will not be using Huawei’s equipment in the core of its network due to a policy that its owner BT has had in place since 2006, and Vodafone has “paused” the use of its equipment. O2 and Three are both currently testing its equipment for future use.