A cybersecurity probe of Huawei Technologies’ networking equipment has concluded the Chinese firm’s gear poses a high risk for users because of security flaws that could be exploited for espionage or malicious hacking.
The results of the analysis, conducted by Ohio-based cybersecurity firm Finite State, were recently shared with national security agencies in the United States and Britain and are expected to be used by the Trump administration to push Western allies to blacklist Huawei from supplying 5G technology.
“There is a systematic problem at Huawei and that is what we are able to show here,” Finite State chief executive Matt Wyckhouse told The Globe and Mail Wednesday.
“We see a very clear pattern of insecurity. These devices are more vulnerable than other devices we have seen – by a lot. The findings we have are inconsistent with what Huawei is saying publicly about their investments in security,” he said.
Huawei has been fighting U.S. efforts to persuade intelligence-sharing partners, including Canada, Britain, Australia and New Zealand, to bar the company from supplying next-generation 5G mobile technology. The U.S., Australia and New Zealand have imposed restrictions on the use of Huawei in 5G networks in their respective countries, but Canada and Britain have not yet made a decision to join in a ban.
“It’s up to every country what they want to do,” Mr. Wyckhouse said. “We want to make sure they have the whole story before they make the decision.”
An analysis on this scale has never been undertaken before.
Finite State’s scrutiny centred on the firmware – the software inside equipment – of more than 550 different Huawei products sold to companies for building 5G networks. This includes routers, switches and related gear. The firm analyzed more than 1.5 million files embedded within nearly 10,000 pieces of firmware.
Despite Huawei’s repeated statement that security is a priority for the company, Finite State said researchers found that “Huawei engineers systematically made poor security decisions in building the devices” tested.
Mr. Wyckhouse said it’s a “big problem” when more than half of all the firmware Finite State analyzed contained at least one potential back door, or entrance point, that “can be remotely exploited.”
He said it’s unclear what is behind this sloppiness. “It’s entirely possible that this is just poor quality software engineering and poor quality hardware engineering and lack of understanding of security despite the fact [Huawei is] saying they are investing in it,” he said. “Or things could be done intentionally as well to make it easier for exploitation.”
Finite State said it received no funding for this study.
Michael Wessel, a member of the congressional U.S.-China Economic and Security Review Commission, said it defies logic that the vulnerabilities identified by Finite State were the result of coding errors and sloppiness.
“Almost all of these vulnerabilities were hidden from customers and many could be used to give the manufacturer unfettered access to the company’s equipment,” Mr. Wessel said in a statement to The Globe. “A good portion of the vulnerabilities were hard to detect and, in many cases, circumvented even the highest industry security standards.”
Alykhan Velshi, Huawei Technologies Canada’s vice-president of corporate affairs, was not able to offer immediate comment on the Finite State report.
On average, Finite State said, Huawei devices had 102 known vulnerabilities associated with each firmware.
Canada’s Communications Security Establishment (CSE), which protects the country from cyberespionage and malicious attacks, said it was aware of the Finite State report but was unable to comment on the research done by another organization.
Last year, Canada’s top cybersecurity official dismissed the need to follow the United States and Australia in barring Huawei from 5G wireless networks, saying Ottawa is confident it can manage the risks of allowing the company’s gear in Canadian infrastructure.
Scott Jones, the head of Ottawa’s Canadian Centre for Cyber Security, which reports to CSE, said in September, 2018, that the country has a robust system of testing facilities for Huawei equipment and software to prevent security breaches – one he suggested was superior to those of some of Canada’s allies.
The Canadian government has since backtracked and is currently studying the security risks of 5G technology as it decides whether to bar Huawei gear.
Leading Democrat and Republican members of the U.S. Senate intelligence committee as well as Vice-President Mike Pence have publicly appealed to Canada to exclude Huawei networking equipment from 5G networks here.
Canada’s Public Safety Minister Ralph Goodale has said Ottawa won’t be rushed into making a decision.
In Canada, two of the country’s biggest wireless carriers – BCE Inc. and Telus Corp. – have declined to reveal whether U.S. national-security officials have asked them to avoid telecommunications equipment made by Huawei when building their 5G mobile technology networks. Rogers Communications Inc., for its part, says it wasn’t contacted.
BCE, Telus and, to a lesser extent, Rogers all use Huawei equipment in their cellular networks, and as the Chinese company has made inroads in the Canadian market in recent years, the carriers have come to rely on it to spur more competitive pricing in an area that requires constant capital investment.
In Canada, as in Britain, there is testing – funded by Huawei – that analyzes the firm’s equipment for possible back doors that could allow Beijing to spy or disable systems. Last July, the British government revealed it had found technical and supply-chain issues with equipment made by Huawei that exposed Britain’s telecom networks to new security risks. In October, the British government sent a letter to telecom firms saying it was reviewing whether the country was too dependent on a single hardware provider. The Financial Times reported that Huawei was the target.