Vodafone Document Showed Concern With Huawei Routers: Transcript

(Bloomberg) -- A story published by Bloomberg on April 30 showed that Vodafone Group Plc found security flaws several years ago with equipment supplied by Huawei Technologies Co. The piece was based on documents obtained by Bloomberg and conversations with people familiar with the situation.

Below are excerpts from one of the documents.

The document, from April 2011, was written after Europe’s largest phone company identified what it called a telnet backdoor in home internet routers provided by Shenzhen-based Huawei for the carrier’s Italian business.

Both companies now say the router issues were tied to a failure to remove maintenance and diagnostic functions after development and were resolved later that year.

In the document, Vodafone’s chief information security officer at the time, Bryan Littlefair, outlined how Vodafone discovered the telnet service, requested its removal by Huawei and received assurances from the supplier that the problem was fixed. After further testing, Vodafone found that the telnet service could still be launched in the routers, known as Vodafone Stations. The following is Littlefair’s evaluation of the situation:

Evaluation

It is still to be clarified whether Huawei have built the telnet capability in their own software or using the operating system from another company (VxWorks). One opinion mooted was that Huawei didn’t know how to change the configuration of VxWorks which is plausible when taken in isolation. The fact that Huawei were well aware of Vodafone concerns and then attempted to obscure the telnet backdoor further gives rise to further concern. They are well aware of Vodafone’s push for a stronger security posture. Huawei’s continued requests for us to give them a chance to prove their straight and honest approach take a hit in this case when the demonstrated actions are nothing of the sort.

Below, Littlefair listed perceived risks tied to the backdoors:

Envisaged risks

The major risks introduced by these security vulnerabilities are:

* Remote access and control of the VF Station by exploiting the Buffer overflow mechanism.

* Full access with administrative privileges to VF Station router enabling possibilities of:

  • Getting access to the customer LAN (customer environment - PC and Local Network Equipment);

  • On the WAN side (VF network), getting non-authorized access to network devices bypassing the standard remote access policies and procedures (firewall plus strong authentication with user/pwd and SecurId); up to now no vulnerability has been identified in this area, but still it opens a possible door;

  • Disclosing VoIP credentials which could be used for malicious activities;

  • Upload a modified (and potentially malicious) firmware through access to flash devices (via MTD devices) together with possibilities of spammers, zombies, botnet, etc.;

  • Disable TR069 client which will prevent configuration and firmware updates.

The document by Littlefair, who didn’t respond to Bloomberg requests for comment, highlighted concerns at the time that the flaws in home routers could have given unauthorized access to devices both in a consumer’s home and in the broader Vodafone network.

In a statement to Bloomberg, Vodafone said the vulnerabilities only affected the routers and had nothing to do with its access, transport or core networks. An attacker would have only been able to access data local to the device and not the data of any other users, Vodafone said.

Bloomberg’s reporting also showed that Vodafone found vulnerabilities in parts of the fixed-line Italian network supplied by Huawei called optical service nodes and broadband network gateways. Vodafone said the BNG issues were resolved in 2012 and the OSN issues were also resolved, without giving a time frame.

Both Vodafone and Huawei said equipment vulnerabilities are an industrywide issue. Huawei said: “There is absolutely no truth in the suggestion that Huawei conceals backdoors in its equipment.”

In his conclusion in the 2011 document, Littlefair expressed concern about how the telnet backdoor ended up in the routers and how the matter was handled by Huawei:

Conclusion

At this time we cannot state conclusively that the event means Huawei are malicious (on their own or someone else’s behalf), incompetent (can’t fix the problem) or naive (in trying to hide the fact they can’t fix it). However given the attention they have received from Vodafone in recent months it is very disappointing that they have not proven themselves in this case and come clean. Unfortunately for Huawei the political background means that this event will make life even more difficult for them in trying to prove themselves an honest vendor.

The fact that such issues arise in products is nothing new. What is of most concern here is the actions of Huawei in agreeing to remove the code, then trying to hide it, and now refusing to remove it as they need it to remain for “quality” purposes.

On the point of any state involvement, every good operation is plausibly deniable. Being able to blame a dumb programmer is always a useful excuse. This cannot be ruled in or out at this time but further analysis and testing will enable us to arrive at a better conclusion (results from Cyber Security Evaluation Centre testing are due April 22nd).

Huawei has since expanded its relationship with Vodafone and is now the carrier’s fourth-largest supplier behind Apple Inc., Nokia Oyj and Ericsson AB.

©2019 Bloomberg L.P.