Huawei devices pose a high security risk: report
An “unprecedented” large-scale analysis of Huawei firmware conducted by IoT security company Finite State claims to have found that the company’s devices “pose a high risk to their users”.
The analysis, conducted in light of the growing debate over the use of Huawei equipment in global 5G networks, involved an evaluation of the firmware of more than 550 Huawei networking products.
For the research, Finite State set out to evaluate whether fears that Huawei equipment could be used by the Chinese government to facilitate espionage — fears which have already led to the Australian Government banning the use of Huawei equipment in Australian 5G rollouts — are well founded.
Finite State used its technology platform to automatically analyse more than 1.5 million files embedded within 9936 firmware images, the report states. The analysis looked for risks including hard-coded backdoor credentials, unsafe use of cryptographic keys, indicators of insecure software development practices and the presence of known and 0-day vulnerabilities.
According to the report, in virtually every category studied, Huawei devices were found to be less secure than devices from vendors Juniper Networks and Arista.
Analysis found “hundreds of cases” of potential backdoor vulnerabilities, such as hard-coded, default user accounts and passwords, and embedded cryptographic keys. Of all firmware images analysed, 55% had at least one potential backdoor.
The analysis found that each Huawei firmware image had, on average, 102 known vulnerabilities, “a significant percentage” of which were high or critical, as well as potentially hundreds of possible zero-day vulnerabilities.
The analysis also found evidence of “highly insecure software development practices” such as “abysmal software configuration management” and millions of calls into unsafe functions.
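The indicator categories the report describes (hard-coded accounts and passwords in passwd/shadow files, embedded private keys, plaintext secrets in configuration, and references to unsafe libc functions in binaries) map onto checks a firmware reviewer can script against an extracted image. The following is an added example, not Finite State's platform or any code from the report; it uses simple string heuristics rather than disassembly, so its unsafe-function figure counts imported symbol names, not call sites. The function and constant names (`scan_image`, `load_image_tree`, `SAMPLE_IMAGE`) and the sample files are the example's own constructions.

```python
import os
import re

# Password-hash fields that mean "no usable password" rather than a hard-coded one.
LOCKED_OR_SHADOWED = {"", "x", "*", "!", "!!", "*LK*", "!*"}

# libc routines commonly flagged in firmware audits because they do no bounds checking.
UNSAFE_FUNCTIONS = ("strcpy", "strcat", "sprintf", "vsprintf", "gets", "scanf")

PRIVATE_KEY_RE = re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----")
SECRET_ASSIGN_RE = re.compile(rb"(?i)\b\w*(password|passwd|pwd|secret)\s*[=:]\s*(\S+)")
ELF_MAGIC = b"\x7fELF"


def load_image_tree(root):
    """Read every regular file under an extracted firmware root into {relpath: bytes}."""
    files = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.isfile(full) and not os.path.islink(full):
                with open(full, "rb") as fh:
                    files[os.path.relpath(full, root)] = fh.read()
    return files


def credential_entries(path, data):
    """Yield (path, user) for passwd/shadow lines whose hash field is a real hash."""
    for line in data.splitlines():
        fields = line.decode("utf-8", "replace").split(":")
        if len(fields) >= 2 and fields[1] not in LOCKED_OR_SHADOWED:
            yield (path, fields[0])


def unsafe_symbol_names(data):
    """Unsafe libc names present as NUL-delimited strings (a .dynstr heuristic, not a call count)."""
    return sorted(
        name for name in UNSAFE_FUNCTIONS
        if b"\x00" + name.encode() + b"\x00" in data
    )


def scan_image(files):
    """Scan {relpath: bytes} for the indicator categories and return a findings report."""
    report = {"credentials": [], "private_keys": [], "plaintext_secrets": [], "unsafe_symbols": {}}
    for path, data in files.items():
        if data.startswith(ELF_MAGIC):
            names = unsafe_symbol_names(data)
            if names:
                report["unsafe_symbols"][path] = names
            continue  # text heuristics below apply to non-binary files only
        if os.path.basename(path) in ("passwd", "shadow"):
            report["credentials"].extend(credential_entries(path, data))
        if PRIVATE_KEY_RE.search(data):
            report["private_keys"].append(path)
        for m in SECRET_ASSIGN_RE.finditer(data):
            report["plaintext_secrets"].append((path, m.group(0).decode("utf-8", "replace")))
    # The report's "potential backdoor" notion: any baked-in credential or key material.
    report["potential_backdoor"] = bool(
        report["credentials"] or report["private_keys"] or report["plaintext_secrets"]
    )
    report["unsafe_symbol_count"] = sum(len(v) for v in report["unsafe_symbols"].values())
    return report


# Constructed stand-in for an extracted firmware filesystem; hashes and key bytes are fake.
SAMPLE_IMAGE = {
    "etc/passwd": b"root:x:0:0:root:/root:/bin/sh\nadmin:$1$abc$FAKEHASHVALUE:0:0::/:/bin/sh\n",
    "etc/shadow": b"root:$1$saltsalt$FAKEROOTHASH:17000:0:99999:7:::\nnobody:*:17000:0:99999:7:::\n",
    "etc/ssl/server.key": b"-----BEGIN RSA PRIVATE KEY-----\nMIIFAKEKEYMATERIAL\n-----END RSA PRIVATE KEY-----\n",
    "etc/app.conf": b"listen=0.0.0.0\nadmin_password=ChangeMe123\n",
    "bin/httpd": ELF_MAGIC + b"\x00" * 12 + b"libc.so.6\x00strcpy\x00sprintf\x00memcpy\x00gets\x00",
    "bin/safe_tool": ELF_MAGIC + b"\x00" * 12 + b"libc.so.6\x00strlcpy\x00snprintf\x00",
}

if __name__ == "__main__":
    result = scan_image(SAMPLE_IMAGE)
    print("potential backdoor:", result["potential_backdoor"])
    print("hard-coded accounts:", result["credentials"])
    print("private keys:", result["private_keys"])
    print("plaintext secrets:", result["plaintext_secrets"])
    print("unsafe symbols:", result["unsafe_symbols"])
```

For a real image, unpack it (for example with a firmware extraction tool of your choice) and pass `load_image_tree("/path/to/extracted/rootfs")` to `scan_image`. The `LOCKED_OR_SHADOWED` set is what keeps ordinary locked or shadowed accounts from being reported, so an account flagged here genuinely ships with a usable password hash.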
In addition, the report also includes a brief analysis of the claims that Chinese law requires Huawei to cooperate with national intelligence agencies by facilitating espionage activities.
“Even if Huawei may be technically correct in saying that Chinese law doesn’t explicitly ‘compel’ the installation of backdoors, China’s intelligence and counter-espionage activities tend to be so expansive that these provisions could be used to justify activities extending well beyond China’s borders,” the report concludes.
But it stops short of suggesting that these potential backdoors and other security vulnerabilities have been intentionally added to facilitate spying by the Chinese government, stating that Finite State “cannot prove malicious intent through a technical analysis”.
Media reports have, however, questioned the validity of the report, partly because Finite State appears to have been relatively unknown before its publication. The report’s choice of Juniper Networks and Arista equipment as the point of comparison, rather than equipment from Huawei’s chief rivals such as Nokia and Ericsson, has also raised eyebrows.
These questions did not stop Nokia’s CTO Marcus Weldon from citing the report in an interview with the BBC, in which he claimed that Nokia equipment is a safer bet than Huawei.
But Nokia subsequently released a statement denying that Weldon’s comments reflect the company’s official position. “Nokia is focused on the integrity of its own products and services and does not have its own assessment of any potential vulnerabilities associated with its competitors,” it states.