Vodafone Italy discovered “hidden backdoors” in Huawei equipment that would have allowed the Chinese company to access users’ home networks as well as Vodafone’s Italian fixed-line network, reports Bloomberg. The vulnerabilities were discovered between 2009 and 2011 in Huawei’s home internet routers, as well as its equipment used in parts of Vodafone’s network infrastructure. There was no evidence of data being compromised.
Bloomberg reports that both the router and network vulnerabilities continued to exist beyond 2012, and also existed in the company’s networks in the UK, Germany, Spain, and Portugal. Sources say that Vodafone continued to use the equipment because it was cheaper than the competition and the cost to remove it was prohibitive.
In a statement given to Bloomberg, Vodafone acknowledged the vulnerabilities but contested the timeline, saying they were resolved in 2011 and 2012. Huawei says it was informed of the vulnerabilities in 2011 and 2012, and that they were fixed at the time.
The revelations come as Huawei’s role in future 5G networks is under intense scrutiny worldwide over fears that its equipment could be exploited to aid in China’s intelligence efforts. Multiple countries are currently scrutinising Huawei’s security practices, as governments decide which parts of their 5G networks to allocate to the Chinese giant. The US is moving to ban the use of Huawei equipment, and is lobbying its allies to do the same. Meanwhile, the UK has reportedly made a preliminary decision to allow the use of Huawei’s equipment in non-core parts of its networks, but is under pressure from US officials to ban it completely.
Along with issues affecting its networking equipment, Vodafone Italy also identified issues with Huawei’s home internet routers, which Vodafone believed would give Huawei backdoor access to both local machines and wide-area networks. Huawei was reportedly reluctant to disable the Telnet feature that was creating the vulnerability, claiming it relied on it to configure the devices remotely.
Huawei characterized the vulnerabilities as “mistakes” rather than deliberate inclusions in the equipment. “These were technical mistakes in our equipment, which were identified and corrected,” the company told ZDNet. “The accepted definition of ‘backdoors’ is deliberately built-in vulnerabilities that can be exploited — these were not such. They were mistakes which were put right.”
A computer security professor quoted in the report, Stefano Zanero, said that there’s no obvious way to know if a vulnerability is an accidental bug or an intentional backdoor. However, he added that “the vulnerabilities described in the Vodafone reports from 2009 and 2011 have all the characteristics of backdoors: deniability, access and a tendency to be placed again in subsequent versions of the code.”
In an official statement, Huawei went on to call Bloomberg’s report “misleading” and said that the story “refers to a maintenance and diagnostic function, common across the industry, as well as vulnerabilities, which were corrected over seven years ago.” It added that “there is absolutely no truth in the suggestion that Huawei conceals backdoors in its equipment.”
In January this year, Vodafone paused the use of Huawei’s equipment in its core infrastructure across Europe, citing the ongoing debates around the security of the equipment. More recently, Vodafone has warned that a total ban could impact the rollout of its 5G networks, and argued that there was no evidence that Huawei’s equipment posed a security risk. The revelations about these historical vulnerabilities, and Huawei’s approach to patching them, continue to raise questions about how safe its equipment is to use.
Last month, a UK cybersecurity watchdog raised concerns over the Chinese company’s “basic engineering competence and cyber security hygiene.” The same day, The Register reported lapses in how Huawei had patched a vulnerability in its routers in 2013, which later allowed those routers to be used as part of a botnet.
Update April 30th, 10:50AM ET: Added official statement from Huawei.