U.K. Found ‘Critical’ Weakness in Huawei Equipment
(Bloomberg) -- British intelligence forced Huawei Technologies Co. to fix flaws in its products that could have put the security of the country’s networks at risk, a government agency said.
“Critical, user-facing vulnerabilities” were found in the Chinese supplier’s fixed-broadband products caused by poor code quality and an old operating system, the Huawei Cyber Security Evaluation Centre Oversight Board said in a report. “U.K. operators needed to take extraordinary action to mitigate the risk.”
The center, near Oxford in England, was set up between the Shenzhen-based technology giant and the British government in an arrangement to let the U.K.’s National Cyber Security Centre examine its hardware and software.
In the annual report published Thursday, the HCSEC Oversight Board said Huawei repaired the security issue. No exploitation of it was detected. However, the fix then created a new, different “major issue.” The incident was “further evidence that deficiencies in Huawei’s engineering processes remain,” it concluded.
The event had “national significance” and marked a rare occasion where a full description of the problem was temporarily held back from Huawei while the U.K. assessed its impact. The NCSC doesn’t believe the defects identified were due to Chinese state interference, the report said.
The revelation comes at a sensitive time for Huawei after the U.K. government decided to ban telecom operators from using its gear in their fifth-generation mobile networks. The government is now reviewing Huawei’s role in supplying fixed-broadband infrastructure.
The HCSEC Oversight Board said it “can only provide limited technical assurance in the security risk management of Huawei equipment in U.K. networks,” reiterating a finding of last year’s report.
“This is a poor state of affairs, especially as Huawei kit will remain in U.K. networks and may even be added to it, despite the ban,” said lawmaker Bob Seely, a member of the ruling Conservative party who has campaigned for tighter restrictions on Huawei.
Asked about the report’s findings, a spokesman for Huawei said the supplier is the only one that faces such a tough level of scrutiny.
“Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone,” the spokesman said.
Britain had previously decided it could manage the risks of keeping some Huawei in 5G networks. It reversed course in July after U.S. sanctions cut off Huawei’s access to American microprocessor technology. U.K. security services said this meant the security of Huawei supplies could not be assured.
The HCSEC oversight board’s report covered the situation in 2019. However, it noted that Huawei had already begun to swap out American components for replacements from elsewhere toward the end of 2019 to comply with the U.S. blacklist rules. This may “limit the number of products that can be analyzed by HCSEC, and hence the number of products that can be used within the U.K.,” it said.
The U.S. “entity list” made it harder for the HCSEC to do its job for a further reason, the report pointed out: The facility is owned by Huawei, so it’s more difficult to obtain security monitoring products that use U.S. intellectual property. Officials are looking at how to solve the issue.
©2020 Bloomberg L.P.