British Spies Find Big Software Problems With Huawei

Uploaded on 2020-10-05 in INTELLIGENCE--International, FREE TO VIEW, BUSINESS-Services-IT & Telecoms

The British  spy agency GCHQ operate a secretive Huawei Cyber Security Evaluation Centre (HCSEC) known as The Cell located near Oxford. The Cell is operated by GCHQ with expert civilian personnel but in an unusual arrangement is actually funded by Huawei. Now, according to a recently published  Oversight Report, The Cell has found found severe problems with Huawei software, which it did not  first disclose to the Chines telecom giant.

Vulnerabilities are usually a result of software design failures which could allow hackers to conduct a cyber attack. Now, cyber security analysts at HCSEC who have investigated the Huawei equipment that is presently used  in the UK's telecommunications networks have discovered a "nationally significant" vulnerability.

There is current concern that Beijing could purposefully design some kind of deniable flaw in Huawei's equipment which it would know how to purposely use, but so far there is no proof that the Chinese Government were involved. The report says that the UK's National Cyber Security Centre (NCSC), a part of GCHQ, "does not believe that the defects identified are as a result of Chinese state interference", and adds that there is so far no evidence the vulnerabilities were exploited.

Instead, the agency reported that "poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities", and that "the increasing number and severity of vulnerabilities discovered" is of particular concern.

"If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of a UK network, in some cases causing it to cease operating correctly....Other impacts could include being able to access user traffic or reconfiguration of the network elements." the report says.

After the major vulnerability was first assessed by the UK's security services it was then reported to Huawei, in line with the HCSEC's normal vulnerability disclosure process. The Report says that the number of reported bugs and issues rose “significantly” over the past year, including the discovery of a vulnerability of “national significance” in 2019, although it’s not thought to have been exploited before being rectified.

While it is not being suggested that these issues were deliberately engineered by Huawei,  the HCSEC findings reflect negatively on its general competence in cybersecurity.

Code reviewers from the British National Cyber Security Centre (NCSC) found “evidence that Huawei continues to fail to follow its own internal secure coding guidelines. This is despite some minor improvements over previous years.” Additionally, the researchers said it had found more vulnerabilities during 2019 than it had in previous years.  The report adds that HCSEC "continues to reveal serious and systematic defects in Huawei's software engineering and cyber security competence", and warns that despite fixing specific issues when directed to do so, the agency has "no confidence that Huawei will effectively maintain components within its products".

Huawei said the report highlighted the company's "commitment to a process that guarantees openness and transparency, and demonstrates HCSEC has been an effective way to mitigate cyber security risks in the UK". 

Although similar vulnerabilities for rival companies which provide networking equipment, whether radio antennas or core switches and gateways, are often discovered, Huawei argues they do not get the same level of scrutiny.

US  restrictions on Huawei, that are said to be based on security grounds, although the company argued that it has been unfairly hit by the Trump administration's trade war, will prohibit US technology companies from providing components, such as computer chips, to the company.

As a result of these restrictions, the British government has ordered that all Huawei equipment must be stripped out of the UK's telecommunication networks by 2027, following NCSC's recommendation that it could no longer guarantee the security of Huawei's equipment if it was to adopt chips from less trusted manufacturers.

The revelation comes at a sensitive time for Huawei after the UK government decided to ban telecom operators from using its gear in their fifth-generation mobile networks. This was followed by the recent announcement  that British Telecom has dropped Huawei in favour of the Finnish company Nokia as its favoured supplier of 5G network infrastructure. 

The UK government is now understood to be reviewing Huawei’s role in supplying fixed-broadband infrastructure and the HCSEC Oversight Board said it “can only provide limited technical assurance in the security risk management of Huawei equipment in UK networks.”

NCSC:      Huawei:      Techround:        iPhoneInCanada:    Infosecurity Magazine:   Sky:      Huawei

You Might Also Read: 

France Begins Suspending Huawei:

 

« WEBINAR: Scale And Automate Your Edge Security
International Police Sting Operation Disrupts The Dark Web »

CyberSecurity Jobsite
Check Point
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Alvacomm

Alvacomm

Alvacomm offers holistic VIP cybersecurity services, providing comprehensive protection against cyber threats. Our solutions include risk assessment, threat detection, incident response.

ZenGRC

ZenGRC

ZenGRC (formerly Reciprocity) is a leader in the GRC SaaS landscape, offering robust and intuitive products designed to make compliance straightforward and efficient.

Directory of Cyber Security Suppliers

Directory of Cyber Security Suppliers

Our Supplier Directory lists 8,000+ specialist cyber security service providers in 128 countries worldwide. IS YOUR ORGANISATION LISTED?

RPC

RPC

RPC is a business law firm. Practice areas include technology and cyber risk.

StratoKey

StratoKey

StratoKey is an intelligent Cloud Access Security Broker (CASB) that secures your cloud and SaaS applications against data breaches, so you can do secure and compliant business in the cloud.

Wavestone

Wavestone

Wavestone is a strategy and technology consulting company with areas of expertise including digital transformation and cybersecurity.

Karlsruhe Institute of Technology (KIT)

Karlsruhe Institute of Technology (KIT)

KIT is a leading research and education institutions with strong capabilities in information systems and security.

The Security Awareness Company (SAC)

The Security Awareness Company (SAC)

The Security Awareness Company provides cyber security awareness training programs for companies of all sizes.

42Gears

42Gears

42Gears is a leading Unified Endpoint Management provider. Secure, monitor and manage tablets, phones, desktops and wearables.

spriteCloud

spriteCloud

spriteCloud is an independent software testing, test automation and cybersecurity services provider.

GitProtect.io

GitProtect.io

​GitProtect is a fully manageable, professional GitHub and Bitbucket backup and recovery software that protects repositories and metadata from any event of failure.

Graylog

Graylog

Graylog provides answers to your team’s security, application, and IT infrastructure questions by enabling you to combine, enrich, correlate, query, and visualize all your log data in one place.

Profian

Profian

Profian’s hardware-based solutions maintain your data's confidentiality and integrity in use, providing true confidential computing to meet regulatory and audit requirements.

Josef Ressel Centre for Intelligent & Secure Industrial Automation

Josef Ressel Centre for Intelligent & Secure Industrial Automation

The Josef Ressel Centre for Intelligent and Secure Industrial Automation investigates the fundamentals of digital assistants for industrial machines that enable intelligent and secure operation.

Sitehop

Sitehop

Sitehop is a cybersecurity technology company developing and supplying FPGA hardware-enforced cyber security solutions for networks.

Avalon Cyber

Avalon Cyber

Arm your organization in the fight against cyberattacks by partnering with the experts at Avalon Cyber.

Cura Technology

Cura Technology

Cura Technology offers a wide array of security solutions meticulously designed to address specific facets of your security requirements.

EmberOT

EmberOT

EmberOT is at the forefront of operational technology (OT) security, offering cutting-edge solutions designed to protect critical infrastructure within energy, utilities, and manufacturing sectors.

Sectricity

Sectricity

As independent ethical hackers, Sectricity go beyond traditional security, uncovering every vulnerability - testing both systems and employees to eliminate weak spots.