UK Report: Huawei Telecom Software Could Be Backdoored Without Notice

(Image credit: Shutterstock)

The UK government has released a security report around Huawei’s equipment for telecommunications networks and it’s mostly negative. The report found that Huawei is suffering “serious and systematic defects” in its software engineering and cyber security competence.

Who Wrote the Report?

The Huawei Cyber Security Evaluation Centre (HCSEC) was set up in 2010 as a way to assure the national security agencies in the UK that the Chinese company’s equipment can be trusted for use in the telecommunications infrastructure in the UK. Through HCSEC’s Oversight Board, which was established in 2014, the UK government is informed about Huawei’s product strategies and roadmap, and it also allows the government to evaluate the security of Huawei’s hardware.

The HCSEC Oversight Board is chaired by Ciaran Martin, the CEO of UK’s National Cyber Security Centre, and an executive member of GCHQ’s Board, who is responsible for cybersecurity. Huawei is also represented on the board by a deputy chair. Other senior executives representing the UK government and the telecommunications industry are included as well. The board operates completely independently from Huawei, according to the UK government.

Significant Issues in Huawei Engineering Processes

In its report, the HCSEC Oversight Board said it found “significant technical issues” in Huawei’s engineering processes, which can lead to new risks for UK’s national telecommunications infrastructure.

The main issue seems to be that the Oversight Board can’t properly verify whether or not the software source code provided by the Huawei for review by the UK government is the same one being used by actual Huawei equipment. Unless this is fixed, Huawei could potentially provide a “clean” version of its software for review and a backdoored one for use in telecommunications equipment.

The report also noted that currently the same Huawei hardware may use different software builds in different parts of a network, which means that the builds may operate on different levels of security. For instance, some builds may be patched for bugs, while others may not be.

The HCSEC Oversight Board warned that Huawei continues to use insecure third-party software components and that its LTE software is only getting worse, from a code quality point of view. The Board believes that Huawei’s engineers lack sufficient technical competence.

No Confidence in Huawei for Remediation

Last year, after initially trying to downplay the security concerns from various governments, Huawei committed to investing $2 billion to address long-time concerns that the HCSEC Oversight Board had about Huawei telecommunications hardware. However, according to the latest report, the UK government has no confidence in Huawei’s capacity to fulfill its commitment to address those security concerns. The report also noted that since last year Huawei has made virtually no progress in fixing the issues at stake.

Even though some officials from the UK government have said that the government can mitigate the risk that Chinese state interference in Huawei’s equipment poses, the new report mostly contradicts that assessment.

The HCSEC Oversight Board said it “can only provide limited assurance that all risks to UK national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.” In other words, if the Chinese state does interfere in Huawei’s hardware, the Oversight Board will likely not be able to prevent it.

When UK’s HCSEC Oversight Board has been auditing Huawei for five years and still doesn't believe Huawei is providing basic security assurances that its hardware and software is not backdoored, it’s difficult to see how smaller countries could hold Huawei to the same or higher standard and ensure that their networks aren’t compromised by Chinese espionage operations.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.