Report: Huawei Failed to Remove Backdoors Vodafone Discovered in 2011, 2012

(Image credit: Shutterstock)

Europe’s largest wireless operator, Vodafone Group Plc, revealed to Bloomberg that in 2011 and 2012 it found backdoors in the network equipment its Italian division purchased from Huawei. The issues appear to be resolved now, but Huawei reportedly avoided fixing them initially. Plus, the risk remains that new backdoors could silently appear in new router software versions in the future.

Huawei Backdoor In Vodafone Network

Vodafone previously identified hidden backdoors that could have given Huawei or the Chinese government unauthorized access to Vodafone’s Italian fixed-line network, which provides internet access to millions of customers and businesses. The revelation comes from Vodafone documents from 2009-2011, which Bloomberg received access to, as well as other sources inside Vodafone that were reportedly involved.

In 2011, Vodafone reportedly asked Huawei to remove backdoors from its home internet routers. Huawei offered assurances to Vodafone that it would comply and that the issues were fixed, but when Vodafone further analyzed the software, it learned that the vulnerabilities remained, according to documents seen by Bloomberg.

Additionally, Vodafone learned about backdoors in the optical service nodes, which are responsible for transporting internet traffic over fiber cables. The operator also found hidden backdoors in the broadband network gateways, which handle subscriber authentication and access to the internet, according to people familiar with the matter.

Huawei Defended the Backdoors

Vodafone started buying routers from Huawei in 2008, and in 2009, the operator started suspecting that the hardware had backdoors after it found 26 open security vulnerabilities in the routers. In its 2009 report, Vodafone urged Huawei to remove the telnet service, which could be used to give Huawei access to the devices remotely.

By 2011, Vodafone started a deeper investigation of the routers, including via an independent security auditing firm, which also found the telnet service to be the biggest security threat to Vodafone’s customers. Vodafone noted that many router manufacturers use the telnet service to configure the devices remotely, but Vodafone didn’t allow this due to the security risk it presented.

Vodafone took two months to convince Huawei to disable the service. Huawei then assured Vodafone that the telnet service was disabled, but the operator later found that the service could still be launched. Huawei then said that it couldn’t fully remove the telnet service because it still needs it itself to access the routers for remote configuration. Huawei’s reluctance started worrying Vodafone executives even more because the Chinese company could pose a security threat for the operator’s customers.

Bryan Littlefair, the Chief Security Officer for Vodafone at the time, said in the company’s report from 2011:

“What is of most concern here is that actions of Huawei in agreeing to remove the code, then trying to hide it and now refusing to remove it as they need it to remain for ‘quality’ purposes.'”

Are European Operators Prioritizing Profit Over Security?

Despite all the recent accusations, findings and European operators having discovered themselves potential backdoors in Huawei’s network gear, they still defend the Chinese company to regulators.

Vodafone itself has recently said that it will limit purchases from Huawei for core network gear. But this just be a compromise the operator made to pacify European regulators thinking about banning Huawei from European networks altogether.

Otherwise, Vodafone and other European wireless operators have defended Huawei in the wake of established relationships and 5G technology purchases already made/ If they were to discard those investments now, they risk losing significant money. Plus, they would need to install and then train employees on new equipment from other companies, which could put them behind in the race to 5G.

Another way of seeing this is that the European operators are more willing to risk their customers’ data, both home users and businesses, which could be stolen via firmware or hardware-level backdoors, over them losing out on their network investments or access to cheap Chinese-made equipment.

Lucian Armasu
Lucian Armasu is a Contributing Writer for Tom's Hardware US. He covers software news and the issues surrounding privacy and security.
  • -Fran-
    I have my own router and I'd even have my own modem if Virgin would allow me to. In fact, I've asked about sourcing my own, but according to their policies, I can't. One of the few good things about the USA on this matter: you can get your own modems and use them.

    That doesn't alleviate the problem of their internal networks, but since it is now public, it will change.

    And, yes, all companies say "it's for our clients", but in reality is "we're reducing costs and getting crappier hardware/resources/people".

  • alan.campbell99
    Other than the supplied Nokia modem/routers at the time when it first started I've always used my own DSL modem here which I've been able to do thankfully. The ISP ones were generally shite and that was before I knew about Huawei's shenanigans. I'd only use one as a doorstop now for sure. I have my doubts about recent models and I'd like to get the parents away from theirs and onto a solid alternative once I research it.
  • ginthegit
    Problem is, no matter what you buy you have a back door. Some could say that Intel deliberately put the spectre problems in so that NSA could Hack. I remember that Apple flat down refused to put Backdoor in. Point is though that they all hack to gather information, and no matter whether it is claimed for security or other purposes, it is all illegal.

    Note that most Chinese tech is licensed products from other tech like they use the ARM license etc, so chances are that if they have Back-doors, other products do too. They probably cant find the issues to sort them so they don't.

    To punish a state for what they as a state does themselves... it is not only hypocritical, it is scandalous.