The U.S. has long been claiming Huawei threatened its digital security. Now a security company claims to have unearthed several potentially exploitable backdoors in quite a few of the software the Chinese company deployed. As the race to deploy 5G networking gains speed, such claims could further jeopardize the telecom and networking giant’s business prospects across the globe.
Researchers from IoT security firm Finite State have apparently revealed that over half the equipment from China’s telecoms giant, Huawei, has “at least one potential backdoor”. There’s substantial evidence that Huawei’s networking device firmware had flaws, which could have been deployed deliberately to make them vulnerable, claim the firm. While putting forth their research into Huawei’s software installed in its networking equipment, the company said, “There is substantial evidence that zero-day vulnerabilities based on memory corruptions are abundant in Huawei firmware. In summary, if you include known, remote-access vulnerabilities along with possible backdoors, Huawei devices appear to be at high risk of potential compromise.”
The conclusions drawn by the security researchers at Finite State seem to be quite similar to what Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), a unit of spy agency GCHQ had drawn earlier this month. Back then, Levy had just concluded evaluating Huawei equipment over persistent claims that the Chinese company’s 5G networking equipment could be used by China to conduct widespread state-sponsored espionage campaigns. Levy had outright claimed security measure deployed by Huawei in its equipment were “objectively worse and shoddy” as compared to all of its competitors in the wired and wireless networking business. “From a technical supply-chain security standpoint, Huawei devices are some of the worst we’ve ever analyzed,” claimed Levy.
The researchers noted in their report that despite Huawei’s public commitments to improve security, the analysis revealed Huawei’s “security posture” is actually “decreasing over time”. The researchers claimed they scrutinized about 558 Huawei enterprise networking products. They reportedly combed through 1.5 million files within about 10,000 firmware images.
Huawei Left More Than Hundred Security Flaws And Vulnerabilities?
The analysis apparently revealed that more than 55 percent of firmware images have at least one potential backdoor. Some of the noteworthy security loopholes and seemingly intentional vulnerabilities left inside the firmware files include hard-coded credentials that could be used as a backdoor, unsafe use of cryptographic keys. The company also claimed to have observed “indications of poor software development practices.” Overall, Finite State claims to have discovered about 102 known vulnerabilities on an average in each Huawei firmware image. There was reportedly evidence of numerous zero-day vulnerabilities as well.
“There is a systematic problem at Huawei and that is what we are able to show here.” Large-scale security probe of Huawei networking equipment finds Chinese firm’s gear poses high risk for users /via @globeandmail https://t.co/da3nnnAwdC
— Steven Chase (@stevenchase) June 26, 2019
One interesting aspect that surfaced during the analysis was Huawei’s use of open-source software components. Huawei regularly relied on OpenSSL. The open source platform is a commonly-used cryptographic library for protecting and encrypting digital communications. In simple words, OpenSSL is often used by websites to enable HTTPS. Huawei reportedly failed to update such open-source software, claimed the security researchers. “The average age of third-party open-source software components in Huawei firmware is 5.36 years.” Moreover, there are “thousands of instances of components that are more than 10 years old.” Apparently, some of the outdated and obsolete software left Huawei’s equipment vulnerable to the infamous Heartbleed, a highly notorious and wide-spread virus back in 2011.
Is Huawei The Only Company Using Open-Source Software?
It is important to note that companies similar to Huawei, often rely on open-source software to accelerate software development and deployment in hardware. Moreover, these companies often discover backdoors and vulnerabilities and rush to patch them. In essence, it is a very common practice. But what’s even important is that companies often update the software and try to use the latest or the most stable version that has several bug fixes.
Singapore keeps options open on Huawei and 5G networks https://t.co/kXLKx2TFVG
— Faisal S. (@whiz913) June 27, 2019
Currently, Huawei’s main competitors are Ericsson, Nokia, and Cisco. Incidentally, all these companies are designing their own iterations of high-speed, ultra-low latency 5G networking equipment. These organizations are still evaluating the most optimum combination of hardware to fulfill the many requirements of 5G, including reliable connection to the Internet of Things (IoT) devices, connected cars, and other electronic devices. Although 5G relies on established technologies and communication protocols, the platform has to use a lot of cutting-edge technology. Moreover, the new mobile communication standard has a far more reach as compared to all the previous standards. Hence it is critical to set up strong security and prevent a data breach or information leak.