A report on Thursday from a British government oversight group found that Chinese telecom-equipment maker Huawei has basic but deeply problematic flaws in its product code that create security risks. The shortcomings, many of which Huawei had previously promised to improve, stem from issues with its software development processes, according to the report. The findings come amid a concerted Trump administration effort to ban Huawei products around the world (particularly in 5G wireless networks), because of concerns that Huawei devices are controlled by the Chinese government or that Huawei would take orders from Beijing to undermine its security protections if asked.
Though the geopolitical discourse has gotten heated, the report concluded that the flaws in Huawei's code are related to "basic engineering competence and cyber security hygiene" and could be exploited by anyone. The report does not conclude that the bugs are intentional backdoors created for the Chinese government. Such broad exposure is still problematic—it could be exploited as well by US espionage agencies and the rest of the Five Eyes, but that’s of less concern to the White House.
"There is no backdoor, because Huawei doesn’t need a backdoor. It has a front door," says James Lewis, a former State Department official and director of the Center for Strategic and International Studies' Technology and Public Policy Program. "The UK government has lots of problems with Chinese hacking. It’s not like there are Swedish hackers breaking in to steal British intellectual property every week. If Huawei was a Swedish company or a Brazilian company or something it wouldn’t be having these troubles. But it's seen as a tool of a very aggressive Chinese government."
US telecom companies have largely eschewed Huawei since a 2012 Congressional report about the national security threat potentially posed by the company's products. And President Trump has been mulling an Executive Order to fully ban the company's equipment. But network operators in other countries, including the UK, have worked to safely incorporate Huawei's effective, low cost wireless equipment. The UK even established the Huawei Cyber Security Evaluation Centre in 2010 to audit Huawei hardware and software as it left the company's factories before shipping to the US.
It was that center’s oversight board that produced Thursday's report. The document noted the difficulty of even establishing whether the code the group audited is actually the same as the code running in Huawei products.
The WIRED Guide to 5G
To a degree, the challenge of assessing risk in Huawei's products relates to larger industry issues of how to accurately vet the integrity of proprietary software. Some of the systemic security vulnerabilities disclosed in the report are painfully basic, but security analysts note that this type of audit would likely reveal embarrassing oversights in most companies' products—even if Huawei’s faults are more egregious.
"Companies obviously prefer not to receive security audits calling out such things, that's why they have internal security standards and quality assurance," says Lukasz Olejnik, an independent cybersecurity adviser and research associate at the University of Oxford's Center for Technology and Global Affairs.
Though the report doesn't conclude that Huawei products include nefarious backdoors, the extent of the problems it uncovers will still likely buoy the White House's efforts to steer the US and its allies away from Huawei. The UK has attempted to safely incorporate Huawei's products into its telecom infrastructure for almost a decade, but the report indicates that the exposure may be too much for the country to mitigate on its own.
"The UK has long tried to decouple the trust and espionage matters from the technical side, arguing that the technical risk is manageable and that there's always some risk anyway," Olejnik says. "But the report seems to undermine past assurances of the UK's ability to manage the Huawei risk."
For its part, Huawei maintains that it is working to strengthen the security protections in its engineering workflow and says that it supports collaboration between industry and international regulators to ensure robust security in telecom networks around the world. "The 2019 HCSEC Oversight Board Report details some concerns about Huawei's software engineering capabilities," the company said in a statement on Thursday. "The issues identified ... provide vital input for the ongoing transformation of our software engineering capabilities." The company has pledged to invest $2 billion in engineering improvements.
After years of promises, though, observers say it is difficult to believe that Huawei will prioritize making significant changes. Especially if the company sees benefits to being buggy-by-design.