A new report from British intelligence has pointed to flaws in equipment produced by Huawei Technologies that undermined the security of UK telecoms networks.
The sixth annual report from the Huawei Cyber Security Evaluation Centre (HCSEC) oversight board said that "critical, user-facing vulnerabilities" were found in the Chinese supplier's fixed-broadband products, caused by poor code quality and an old operating system.
"UK operators needed to take extraordinary action to mitigate the risk," the report said. The oversight board noted that Huawei repaired the security issue and no exploitation of it was detected.
However, the fix then created a new, different "major issue." The incident was "further evidence that deficiencies in Huawei's engineering processes remain," the report concluded.
The annual reports from the HCSEC have consistently highlighted Huawei's ongoing software engineering shortcomings. The report for 2019 indicated that the impact of this latest vulnerability "is of national significance."
Even more flaws found
"This year, the number of vulnerabilities and issues reported to UK operators has risen significantly beyond the number found in 2018," the report added.
HCSEC noted that the new annual report does not cover the changes in government policy that happened in 2020, meaning that it does not take into account new government policy on the use of Huawei equipment.
In July, the UK government decided to ban operators from using Huawei kit in their 5G networks, reversing an earlier decision that allowed Huawei to supply 5G RAN equipment (albeit limited to a 35% market share).
New kit is banned from 2021, with existing equipment to be removed from networks by the end of 2027. The government is also reviewing the vendor's role in supplying fixed broadband networks.
The HCSEC was set up in 2010 to test and monitor Huawei technology, and provide guidelines for the UK government and telecom operator community on the suitability of the Chinese vendor's technology for deployment.
According to Bloomberg, a Huawei spokesman did point out that the supplier is the only one that faces this level of scrutiny.
"Huawei calls for all vendors to be evaluated against an equally robust benchmark, to improve security standards for everyone," the spokesman told the news agency.
Entity list creates problems
Like other countries around the world, the UK has come under sustained pressure from the US government to ban equipment from China-based vendors from being used in future 5G networks.
Indeed, US Secretary of State Mike Pompeo went a step further this week, reportedly describing investments by Huawei as "predatory actions" and calling on all countries to ban them.
The HCSEC did also point out that the US decision to place Huawei on its "Entity List" made it harder to carry out its work.
The list is the US Commerce Department's roster of companies and individuals for whom commercial trade is restricted and subject to special license requirements.
"As HCSEC remains part of Huawei UK, HCSEC as an organisation is also on the Entity List as a consequence of the US action," it observed.
While the impact of the listing has so far been "manageable," the HCSEC stressed that a long-term solution needed to be found.
— Anne Morris, Contributing Editor, Light Reading