On the heel of news that suspected Chinese state-sponsored hackers broke into telecom giants through IBM and HPE, researchers have revealed that over half the equipment from China’s telecoms giant, Huawei, has “at least one potential backdoor”.
Researchers from IoT security firm Finite State have given a scathing assessment of the state of security in Huawei’s networking device firmware, arguing “there is substantial evidence that zero-day vulnerabilities based on memory corruptions are abundant in Huawei firmware”.
“In summary, if you include known, remote-access vulnerabilities along with possible backdoors, Huawei devices appear to be at high risk of potential compromise,” the firm wrote in a new report.
The conclusions echo recent comments by the Ian Levy, technical director of the UK’s National Cyber Security Centre (NCSC), a unit of spy agency GCHQ.
After assessing Huawei equipment over concerns its 5G gear could be used by China to spy on the country, Levy said Huawei security was “objectively worse” and “shoddy” compared with that of rivals, which include Ericsson, Nokia, and Cisco.
The report on Huawei firmware security also follows one from Reuters on Wednesday revealing that hackers known as Cloud Hopper, who were allegedly working for China’s Ministry of State Security, hacked Ericsson, Fujitsu, Tata, NTT Data, Dimension Data, CSC, and HPE spin-off DXC Technology. The hackers broke into the companies via managed IT service providers HPE and IBM.
Finite State said in its report that, despite Huawei’s public commitments to improve security, the analysis revealed Huawei’s “security posture” is actually “decreasing over time”.
“From a technical supply-chain security standpoint, Huawei devices are some of the worst we’ve ever analyzed,” the company wrote.
It says it has analyzed 1.5 million files within about 10,000 firmware images that are used across 558 Huawei enterprise networking products.
More than 55 percent of firmware images have at least one potential backdoor, according to Finite State. The flaws include hard-coded credentials that could be used as a backdoor, unsafe use of cryptographic keys, and indications of poor software development practices.
Finite State nonetheless found that on average there are 102 known vulnerabilities in each Huawei firmware image, along with evidence of numerous zero-day vulnerabilities.
One of the key problems Finite State found lies in Huawei’s use of and failure to update open-source software components, in particular OpenSSL, a widely-used cryptographic library for shielding communications on the web that’s used to enable HTTPS on websites. As with smartphones, customers using networking equipment rely on vendors to deliver security updates to those components.
It found that the average age of third-party open-source software components in Huawei firmware is 5.36 years and says there are “thousands of instances of components that are more than 10 years old”.
The oldest version of OpenSSL contained in Huawei firmware was released by the open-source project in 1999. The company said it found 389 binaries on Huawei firmware that were vulnerable to Heartbleed, the critical bug disclosed in 2014 that allows an attacker to steal email and other communications that would normally be protected by the Transport Layer Security protocol.
Huawei was not available to respond to the report or dispute the security firm’s conclusions at the time of publishing. The story will be updated if Huawei responds.
More on Huawei and security