Cybersecurity Report Finds Extensive Flaws in Huawei Gear

Ohio-based cybersecurity firm Finite State released a report that documents flaws in Huawei Technologies’ equipment that could be exploited by attackers. According to the report, these flaws are far more extensive than those found in comparable gear from rival vendors. The report does not, however, accuse the company of incorporating these flaws deliberately, and it does not comment on U.S. claims that the Chinese company uses such flaws to conduct espionage. The flaws were found in firmware, the low-level software that controls a device’s hardware.

The Wall Street Journal reports that, according to this research, Finite State “used proprietary, automated systems to analyze more than 1.5 million unique files embedded within nearly 10,000 firmware images supporting 558 products within Huawei’s enterprise-networking product lines.”

About 55 percent of the images “encoded into more than 500 variations” of the Huawei devices contained “at least one such exploitable vulnerability” or potential backdoor. Finite State shared its report with “senior officials in multiple government agencies in the U.S. and the U.K., as well as to lawmakers.”

At the White House, an official stated that “this report supports our assessment that since 2009, Huawei has maintained covert access to some of the systems it has installed for international customers.” Huawei said it “welcomed independent research … [but] couldn’t comment on specifics in the Finite State report because it wasn’t shared in full with the company.”

Finite State chief executive Matt Wyckhouse, a computer scientist who co-founded the firm in 2017, said that his company “did the work pro bono and not on behalf of any government.” The report, which will be made available to the public this week, compared Huawei’s gear with “high-end network switches from Arista Networks and Juniper Networks … [finding] Huawei’s device had higher risk factors in six of nine categories, generally by a substantial margin.”

One Huawei network switch “registered a 91 percent risk percentile for the number of credentials with hard-coded default passwords,” compared to a 0 percent risk for Arista and Juniper.

The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) director Chris Krebs said the research “added to existing concerns about Huawei equipment and the conclusion that the company hasn’t shown the intent or capability to improve its security practices.” Given that, he added, “we find it an unacceptable risk to use Huawei equipment today and in the future.”

White House officials pointed to vulnerabilities that “are well-known cybersecurity problems that aren’t difficult to avoid,” suggesting that “Huawei may be purposely designing its products to include weaknesses.” The U.S.-China Economic and Security Review Commission’s Michael Wessel said that “it’s hard to see the range and depth of the vulnerabilities identified by Finite State to be anything other than intentional.”

Sources said that “the U.K.’s National Cyber Security Centre also reviewed the Finite State research … and found it broadly aligned with the technical analysis in the agency’s own report, [which] accused Huawei of repeatedly failing to address known security flaws in its products.”

Related:
Huawei Personnel Worked With China’s Military on Research Projects, Bloomberg, 6/26/19