
UK officials tasked with evaluating Huawei's network security and overall suitability to be a leading 5G partner in its upcoming deployments have released a report on their findings. The UK and Huawei have an agreement in which Huawei's compliance with security standards is monitored by the Huawei Cyber Security Evaluation Centre (HCSEC). This system is overseen by the HCSEC Oversight Board, who authored this most recent report. Their conclusions are quite negative — but they may also finally shed some light on why Huawei has been such a divisive topic over the past few years.

Warnings about Huawei's security practices began during the Obama administration but ramped up after President Trump took office. What's been missing from those reports, however, was any firm technical sense of why Huawei's equipment and software were to be avoided. Did the equipment contain backdoors or other forms of spyware? One of the regular topics around the ExtremeTech water cooler has been the degree to which the government's consistent-but-vague warnings reflected actual security concerns. In the interests of disclosure: I've tended to think the government probably did have reasons it wasn't willing to publicly disclose. If the UK report reflects the US experience, there are definitely problems to be solved.

In its report, the HCSEC OB states that "Further significant technical issues have been identified in Huawei's engineering processes, leading to new risks in the UK telecommunication networks" (emphasis original). It also states that Huawei has made no progress towards resolving any of the critical security issues identified in the previous year. As a result, the Oversight Board writes that it would be "inappropriate to change the level of assurance from last year or to make any comment on potential future levels of assurance."

A Verizon 5G small cell antenna. Huawei is being evaluated as a supplier of 5G network equipment.

The report goes on to state that the OB has seen nothing that would give it confidence that Huawei can address these issues. While the company has proposed a plan for doing so, the UK doesn't have confidence in its ability to execute said plan. As a result:

the Oversight Board can only provide limited assurance that all risks to UK national security from Huawei's involvement in the UK's critical networks can be sufficiently mitigated long-term.
(emphasis original)

So What's the Problem?

The HCSEC OB identified multiple key issues. According to the report, Huawei cannot provide software builds that demonstrate binary equivalence across its product lines. It can't demonstrate that problems that arise in one build are properly solved in the next through "the normal operation of a sustained engineering process." It cannot provide end-to-end assurance that a particular source code set is precisely the one used to build a particular binary. Its configuration management tools are not consistently used across its various product families, preventing it from guaranteeing end-to-end security. VM configuration when starting builds is poor and the builds are not clean. Configuration management of the build environment is poor-to-nonexistent, with no consistent deployment of toolchain support. Configuration management of source code is poor:

Secondly, the integration into the overall product architecture is very poor, with multiple copies and versions of components, apparently identically versioned components containing significant differences, circular dependencies between components and some components regressing in version between overall product increments.
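
Three of the inventory problems the report lists here (identically versioned components with different contents, several versions of one component in a single product, and components regressing in version between increments) can be checked mechanically. The following is an added example, not taken from the report or from Huawei's tooling; the component names, versions and digests are constructed, and versions are assumed to be dotted integers:

```python
from collections import defaultdict

# Constructed inventories for two successive product increments:
# (component, version label, digest of the shipped artifact). All values invented.
RELEASE_1 = [
    ("tls-lib", "1.0.2", "a3f1"),
    ("tls-lib", "1.0.2", "9c4e"),     # same version label, different content
    ("xml-parser", "2.9.4", "77b0"),
    ("compress", "1.2.11", "5d20"),
]
RELEASE_2 = [
    ("tls-lib", "1.0.2", "a3f1"),
    ("xml-parser", "2.9.1", "18ce"),  # older than in the previous increment
    ("compress", "1.2.11", "5d20"),
    ("compress", "1.2.8", "e4aa"),    # second version shipped side by side
]

def version_key(version):
    """Assumption: versions are dotted integers, so compare them numerically."""
    return tuple(int(part) for part in version.split("."))

def audit_release(inventory):
    """Return (identically versioned but different, shipped in several versions)."""
    digests = defaultdict(set)   # (name, version) -> digests seen
    versions = defaultdict(set)  # name -> version labels seen
    for name, version, digest in inventory:
        digests[(name, version)].add(digest)
        versions[name].add(version)
    mismatched = sorted(key for key, seen in digests.items() if len(seen) > 1)
    duplicated = sorted(name for name, seen in versions.items() if len(seen) > 1)
    return mismatched, duplicated

def highest_versions(inventory):
    """Map each component to the highest version label it ships with."""
    best = {}
    for name, version, _ in inventory:
        if name not in best or version_key(version) > version_key(best[name]):
            best[name] = version
    return best

def regressions(older, newer):
    """Components whose highest version went down between two increments."""
    old, new = highest_versions(older), highest_versions(newer)
    return sorted((name, old[name], new[name]) for name in old.keys() & new.keys()
                  if version_key(new[name]) < version_key(old[name]))

if __name__ == "__main__":
    print(audit_release(RELEASE_1), audit_release(RELEASE_2))
    print(regressions(RELEASE_1, RELEASE_2))
```
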

Huawei continues to rely on an old and very nearly outdated RTOS (Wind River VxWorks 5.5, an OS that debuted in 2002). Huawei purchased an extended license for VxWorks 5.5, but that license expires in 2020. Huawei has developed its own OS to replace VxWorks 5.5, but the HCSEC notes:

Huawei's own equivalent operating system is subject to many of the same Huawei development processes as other components and NCSC currently has insufficient evidence to make a judgement on the software engineering quality and cyber security implications of this component. Furthermore, it employs more modern memory and security models so integration with the existing product running on the operating system brings risk. This means that moving to this real time operating system may not improve the situation long-term, while bringing integration risk to the UK operators… However, NCSC remains concerned about the time elapsed since discovery of this issue without a credible plan being presented.

HCSEC has conducted a trend analysis of the various fixes and patches Huawei has provided and found them to be inadequate, with the final code demonstrating a "significant number of major defects." When asked to present a plan for how to address the continued existence of these problems, whatever Huawei came up with was judged to be inadequate. The NCSC (National Cyber Security Centre, which contributed to the report) has stated, however, that it believes the defects that riddle Huawei's equipment — and the report is quite damning in this regard — are not the result of "Chinese state actor interference."

In short, Huawei isn't trying to riddle its software or hardware with secret back doors, but it's also really, really bad at security. That's not a conclusion that's hard to fathom, especially given how many companies have been hit by security breaches or had their own poor practices exposed.

Top photo credit: Kevin Frayer/Getty Images
