Attempts by China’s Huawei Technologies to bat away worries by some governments about the safety of its network equipment have been tarnished by a report from a U.K. board that judges the cyber risks of the company’s products to critical infrastructure.
In a report issued last week, the Huawei Cyber Security Evaluation Centre (HCSEC) Oversight Board said there were no high- or medium-priority warning signs in 2018, just one low-rated finding.
However, the board said there are concerns Huawei’s approach to software development brings “significantly increased risk to UK operators, which requires ongoing management and mitigation.”
In addition, “no material progress” was made on the issues raised in the previous year’s report, which said Huawei’s engineering processes fell short of industry good practice.
As a result, “at present, the Oversight Board has not yet seen anything to give it confidence in Huawei’s capacity to successfully complete the elements of its transformation programme that it has proposed as a means of addressing these underlying defects. The Board will require sustained evidence of better software engineering and cyber security quality verified by HCSEC and NCSC.
“Overall, the Oversight Board can only provide limited assurance that all risks to U.K. national security from Huawei’s involvement in the UK’s critical networks can be sufficiently mitigated long-term.”
The report isn’t a surprise to Ang Cui, CEO of New York-based Red Balloon Security, which makes security solutions for embedded devices. In 2008, while at university, he and colleagues published research looking at vulnerabilities in devices like routers, including equipment from Huawei and Cisco Systems. Among the findings: “There is way too much stuff to look at to find all the vulnerabilities” in any device.
“Statements like, ‘We have sufficient capabilities to assure this equipment is secure’ are absolutely ridiculous, no one can say that. I don’t think you can find a security professional who can look at this much firmware and say anything close to that with a straight face.”
Nor, he added, is it possible to definitively say if a vulnerability was deliberately or accidentally put in code.
In Huawei’s case, he added in an interview on Tuesday, the Oversight Board report makes it clear examiners would have a hard time finding backdoors because the manufacturer doesn’t have a reliable software build system (see below).
As a result, he wouldn’t advise the Canadian government to allow carriers here to buy 5G network equipment from Huawei until more testing can be done.
Opened at the end of 2010, the evaluation centre is owned by Huawei but gives U.K. security experts from the National Cyber Security Centre (NCSC) the ability to look inside the company’s products and services. The Oversight Board is chaired by the CEO of the NCSC, while the deputy chair is from Huawei.
According to Bloomberg News, a Huawei spokesperson said “the oversight provided for in our mitigation strategy for Huawei’s presence in the U.K. is arguably the toughest and most rigorous in the world. This report does not, therefore, suggest that the U.K. networks are more vulnerable than last year.”
The evaluation centre only deals with technical issues; it doesn’t deal with allegations that Huawei would have to obey the government of China if it were asked to install a backdoor or otherwise interfere with Huawei equipment to help in data breaches.
According to the Globe and Mail, there’s a somewhat similar lab in Canada where security officials can look inside Huawei equipment. That lab doesn’t make public reports.
Huawei officials have recently denied that there is any Chinese national security law that obliges them to help the government, and, they add, the company would ignore any requests.
The issue of security risks has become intense in the last year as wireless network operators around the world have to start deciding who their equipment suppliers will be for next-generation 5G wireless networks. These networks will be so fast and attract so many new wireless opportunities that they will increase wireless penetration in critical infrastructure. As a result, security experts see 5G as potentially expanding security risks.
Whether those risks in the case of Chinese-made 5G routers and switches can be mitigated is a question. The U.S. and Australia have already said no. Other governments, not wanting to limit the options for their carriers — and, arguably, not wanting to burn bridges with China — are still studying the risks. And there are security experts who doubt China would want to compromise Huawei’s reputation just for espionage. Besides, these experts say, there are plenty of other computer vulnerabilities China can exploit.
What’s important to note about the evaluation centre is that its work takes place alongside Huawei’s promised transformation plan to improve processes that date back to 2012. However, this year’s report notes there are still underlying flaws in the software build processes for Huawei’s code that hinder the NCSC’s ability to judge whether the source code it sees is precisely that used to build the binaries running in U.K. networks.
So, the report says, it’s hard for security experts to say that those vulnerabilities discovered in one software/firmware build are remediated in another build.
This is a problem with Huawei’s configuration management. The report notes configuration management has improved, but hasn’t been universally applied across product and platform development groups or across configuration item types (such as source code, build tools, build scripts).
Typical problem
Here’s an example of the type of problem the NCSC has run into:
“Huawei continues to use an old and soon-to-be out of mainstream support version of a well-known and widely used real-time operating system supplied by a third party,” the report says. Huawei has purchased a premium long-term support agreement from the vendor to address vulnerabilities in the future, “but the underlying cyber security risks brought about by the single memory space, single user context security model remain. NCSC believes there is currently no credible plan to reduce the risk in the U.K. of the use of this real-time operating system. Huawei’s own equivalent operating system is subject to many of the same Huawei development processes as other components and NCSC currently has insufficient evidence to make a judgment on the software engineering quality and cyber security implications of this component.”
In response, Huawei told the Oversight Board it intends to spend $2 billion over five years to transform its software engineering process.
The report adds that the evaluation centre “has continued to find serious vulnerabilities in the Huawei products examined. Several hundred vulnerabilities and issues were reported to U.K. operators to inform their risk management and remediation in 2018. Some vulnerabilities identified in previous versions of products continue to exist.”
The report concludes by saying there are “serious and systematic defects in Huawei’s software engineering and cyber security competence. For this reason, NCSC continues to advise the Oversight Board that it is only appropriate to provide limited technical assurance in the security risk management possible for equipment currently deployed in the UK, since NCSC has not yet seen a credible remediation plan.
“Poor software engineering and cyber security processes lead to security and quality issues, including vulnerabilities. The number and severity of vulnerabilities discovered, along with architectural and build issues, by the relatively small team in HCSEC is a particular concern. If an attacker has knowledge of these vulnerabilities and sufficient access to exploit them, they may be able to affect the operation of the network, in some cases causing it to cease operating correctly. Other impacts could include being able to access user traffic or reconfiguration of the network elements.”
NCSC does not believe that the defects identified are because of Chinese government interference.
[NOTE: This story was updated from the original to include quotes from Ang Cui]